^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-or-later
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /* audit.c -- Auditing support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * System-call specific features have moved to auditsc.c
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * Written by Rickard E. (Rik) Faith <faith@redhat.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * Goals: 1) Integrate fully with Security Modules.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * 2) Minimal run-time overhead:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * a) Minimal when syscall auditing is disabled (audit_enable=0).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * b) Small when syscall auditing is enabled and no audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * is generated (defer as much work as possible to record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * generation time):
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) * i) context is allocated,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * ii) names from getname are stored without a copy, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * iii) inode information stored from path_lookup.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * 3) Ability to disable syscall auditing at boot time (audit=0).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * 4) Usable by other parts of the kernel (if audit_log* is called,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * then a syscall record will be generated automatically for the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * current syscall).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * 5) Netlink interface to user-space.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * 6) Support low-overhead kernel-based filtering to minimize the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * information that must be passed to user-space.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * Audit userspace, documentation, tests, and bug/issue trackers:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * https://github.com/linux-audit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) #include <linux/file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) #include <linux/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) #include <linux/atomic.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) #include <linux/mm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) #include <linux/export.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) #include <linux/err.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) #include <linux/kthread.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) #include <linux/syscalls.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) #include <linux/spinlock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) #include <linux/rcupdate.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) #include <linux/mutex.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) #include <linux/gfp.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #include <linux/pid.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) #include <linux/audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #include <net/sock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) #include <net/netlink.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) #include <linux/skbuff.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) #ifdef CONFIG_SECURITY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) #include <linux/security.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) #include <linux/freezer.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) #include <linux/pid_namespace.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) #include <net/netns/generic.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) #include "audit.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) /* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) * (Initialization happens after skb_init is called.) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) #define AUDIT_DISABLED -1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) #define AUDIT_UNINITIALIZED 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) #define AUDIT_INITIALIZED 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) static int audit_initialized;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) u32 audit_enabled = AUDIT_OFF;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) bool audit_ever_enabled = !!AUDIT_OFF;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) EXPORT_SYMBOL_GPL(audit_enabled);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) /* Default state when kernel boots without any parameters. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) static u32 audit_default = AUDIT_OFF;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) /* If auditing cannot proceed, audit_failure selects what happens. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) static u32 audit_failure = AUDIT_FAIL_PRINTK;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) /* private audit network namespace index */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) static unsigned int audit_net_id;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) * struct audit_net - audit private network namespace data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) * @sk: communication socket
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) struct audit_net {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) struct sock *sk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) * struct auditd_connection - kernel/auditd connection state
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) * @pid: auditd PID
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) * @portid: netlink portid
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) * @net: the associated network namespace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) * @rcu: RCU head
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) * This struct is RCU protected; you must either hold the RCU lock for reading
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) * or the associated spinlock for writing.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) struct auditd_connection {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) struct pid *pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) u32 portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) struct net *net;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) struct rcu_head rcu;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) static struct auditd_connection __rcu *auditd_conn;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) static DEFINE_SPINLOCK(auditd_conn_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) /* If audit_rate_limit is non-zero, limit the rate of sending audit records
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) * to that number per second. This prevents DoS attacks, but results in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) * audit records being dropped. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) static u32 audit_rate_limit;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) /* Number of outstanding audit_buffers allowed.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) * When set to zero, this means unlimited. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) static u32 audit_backlog_limit = 64;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) /* The identity of the user shutting down the audit system. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) static kuid_t audit_sig_uid = INVALID_UID;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) static pid_t audit_sig_pid = -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) static u32 audit_sig_sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) /* Records can be lost in several ways:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) 0) [suppressed in audit_alloc]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) 1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) 2) out of memory in audit_log_move [alloc_skb]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) 3) suppressed due to audit_rate_limit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) 4) suppressed due to audit_backlog_limit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) static atomic_t audit_lost = ATOMIC_INIT(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) /* Monotonically increasing sum of time the kernel has spent
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) * waiting while the backlog limit is exceeded.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) static atomic_t audit_backlog_wait_time_actual = ATOMIC_INIT(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) /* Hash for inode-based rules */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) static struct kmem_cache *audit_buffer_cache;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) /* queue msgs to send via kauditd_task */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) static struct sk_buff_head audit_queue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) /* queue msgs due to temporary unicast send problems */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) static struct sk_buff_head audit_retry_queue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) /* queue msgs waiting for new auditd connection */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) static struct sk_buff_head audit_hold_queue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) /* queue servicing thread */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) static struct task_struct *kauditd_task;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) /* waitqueue for callers who are blocked on the audit backlog */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) .mask = -1,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) .features = 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) .lock = 0,};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) static char *audit_feature_names[2] = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) "only_unset_loginuid",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) "loginuid_immutable",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) * struct audit_ctl_mutex - serialize requests from userspace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) * @lock: the mutex used for locking
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) * @owner: the task which owns the lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) * This is the lock struct used to ensure we only process userspace requests
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) * in an orderly fashion. We can't simply use a mutex/lock here because we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) * need to track lock ownership so we don't end up blocking the lock owner in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) * audit_log_start() or similar.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) static struct audit_ctl_mutex {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) struct mutex lock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) void *owner;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) } audit_cmd_mutex;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) * audit records. Since printk uses a 1024 byte buffer, this buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) * should be at least that large. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) #define AUDIT_BUFSIZ 1024
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) /* The audit_buffer is used when formatting an audit record. The caller
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) * locks briefly to get the record off the freelist or to allocate the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) * buffer, and locks briefly to send the buffer to the netlink layer or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) * to place it on a transmit queue. Multiple audit_buffers can be in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) * use simultaneously. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) struct audit_buffer {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) struct sk_buff *skb; /* formatted skb ready to send */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) struct audit_context *ctx; /* NULL or associated context */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) gfp_t gfp_mask;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) struct audit_reply {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) __u32 portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) struct net *net;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) * auditd_test_task - Check to see if a given task is an audit daemon
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) * @task: the task to check
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) * Return 1 if the task is a registered audit daemon, 0 otherwise.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) int auditd_test_task(struct task_struct *task)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) struct auditd_connection *ac;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) ac = rcu_dereference(auditd_conn);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) rc = (ac && ac->pid == task_tgid(task) ? 1 : 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) * audit_ctl_lock - Take the audit control lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) void audit_ctl_lock(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) mutex_lock(&audit_cmd_mutex.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) audit_cmd_mutex.owner = current;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) * audit_ctl_unlock - Drop the audit control lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) void audit_ctl_unlock(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) audit_cmd_mutex.owner = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) mutex_unlock(&audit_cmd_mutex.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) * audit_ctl_owner_current - Test to see if the current task owns the lock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) * Return true if the current task owns the audit control lock, false if it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) * doesn't own the lock.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) static bool audit_ctl_owner_current(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) return (current == audit_cmd_mutex.owner);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) * auditd_pid_vnr - Return the auditd PID relative to the namespace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) * Returns the PID in relation to the namespace, 0 on failure.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) static pid_t auditd_pid_vnr(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) pid_t pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) const struct auditd_connection *ac;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) ac = rcu_dereference(auditd_conn);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) if (!ac || !ac->pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) pid = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) pid = pid_vnr(ac->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) return pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) * audit_get_sk - Return the audit socket for the given network namespace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) * @net: the destination network namespace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) * Returns the sock pointer if valid, NULL otherwise. The caller must ensure
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) * that a reference is held for the network namespace while the sock is in use.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) static struct sock *audit_get_sk(const struct net *net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) struct audit_net *aunet;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) if (!net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) aunet = net_generic(net, audit_net_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) return aunet->sk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) void audit_panic(const char *message)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) switch (audit_failure) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) case AUDIT_FAIL_SILENT:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) case AUDIT_FAIL_PRINTK:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) if (printk_ratelimit())
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) pr_err("%s\n", message);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) case AUDIT_FAIL_PANIC:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) panic("audit: %s\n", message);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) static inline int audit_rate_check(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) static unsigned long last_check = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) static int messages = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) static DEFINE_SPINLOCK(lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) unsigned long now;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) unsigned long elapsed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) int retval = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) if (!audit_rate_limit) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) spin_lock_irqsave(&lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) if (++messages < audit_rate_limit) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) retval = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) now = jiffies;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) elapsed = now - last_check;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) if (elapsed > HZ) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) last_check = now;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) messages = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) retval = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) spin_unlock_irqrestore(&lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) return retval;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) * audit_log_lost - conditionally log lost audit message event
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) * @message: the message stating reason for lost audit message
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) * Emit at least 1 message per second, even if audit_rate_check is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) * throttling.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) * Always increment the lost messages counter.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) void audit_log_lost(const char *message)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) static unsigned long last_msg = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) static DEFINE_SPINLOCK(lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) unsigned long now;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) int print;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) atomic_inc(&audit_lost);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) if (!print) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) spin_lock_irqsave(&lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) now = jiffies;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) if (now - last_msg > HZ) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) print = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) last_msg = now;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) spin_unlock_irqrestore(&lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) if (print) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) if (printk_ratelimit())
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) atomic_read(&audit_lost),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) audit_rate_limit,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) audit_backlog_limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) audit_panic(message);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) static int audit_log_config_change(char *function_name, u32 new, u32 old,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) int allow_changes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) int rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) if (unlikely(!ab))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) audit_log_session_info(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) rc = audit_log_task_context(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) allow_changes = 0; /* Something weird, deny request */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) audit_log_format(ab, " res=%d", allow_changes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) static int audit_do_config_change(char *function_name, u32 *to_change, u32 new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) int allow_changes, rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) u32 old = *to_change;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) /* check if we are locked */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) if (audit_enabled == AUDIT_LOCKED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) allow_changes = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) allow_changes = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) if (audit_enabled != AUDIT_OFF) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) rc = audit_log_config_change(function_name, new, old, allow_changes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) allow_changes = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) /* If we are allowed, make the change */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) if (allow_changes == 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) *to_change = new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) /* Not allowed, update reason */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) else if (rc == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) rc = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) static int audit_set_rate_limit(u32 limit)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) static int audit_set_backlog_limit(u32 limit)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) static int audit_set_backlog_wait_time(u32 timeout)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) return audit_do_config_change("audit_backlog_wait_time",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) &audit_backlog_wait_time, timeout);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) static int audit_set_enabled(u32 state)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) if (state > AUDIT_LOCKED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) rc = audit_do_config_change("audit_enabled", &audit_enabled, state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) if (!rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) audit_ever_enabled |= !!state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) static int audit_set_failure(u32 state)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) if (state != AUDIT_FAIL_SILENT
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) && state != AUDIT_FAIL_PRINTK
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) && state != AUDIT_FAIL_PANIC)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) return audit_do_config_change("audit_failure", &audit_failure, state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) * auditd_conn_free - RCU helper to release an auditd connection struct
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) * @rcu: RCU head
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) * Drop any references inside the auditd connection tracking struct and free
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) * the memory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) static void auditd_conn_free(struct rcu_head *rcu)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) struct auditd_connection *ac;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) ac = container_of(rcu, struct auditd_connection, rcu);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) put_pid(ac->pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) put_net(ac->net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485) kfree(ac);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) * auditd_set - Set/Reset the auditd connection state
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490) * @pid: auditd PID
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) * @portid: auditd netlink portid
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) * @net: auditd network namespace pointer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495) * This function will obtain and drop network namespace references as
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) * necessary. Returns zero on success, negative values on failure.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498) static int auditd_set(struct pid *pid, u32 portid, struct net *net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501) struct auditd_connection *ac_old, *ac_new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) if (!pid || !net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506) ac_new = kzalloc(sizeof(*ac_new), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507) if (!ac_new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) ac_new->pid = get_pid(pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) ac_new->portid = portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) ac_new->net = get_net(net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) spin_lock_irqsave(&auditd_conn_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) ac_old = rcu_dereference_protected(auditd_conn,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515) lockdep_is_held(&auditd_conn_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) rcu_assign_pointer(auditd_conn, ac_new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) spin_unlock_irqrestore(&auditd_conn_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) if (ac_old)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) call_rcu(&ac_old->rcu, auditd_conn_free);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) * kauditd_print_skb - Print the audit record to the ring buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) * @skb: audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) * Whatever the reason, this packet may not make it to the auditd connection
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530) * so write it via printk so the information isn't completely lost.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532) static void kauditd_printk_skb(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534) struct nlmsghdr *nlh = nlmsg_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535) char *data = nlmsg_data(nlh);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542) * kauditd_rehold_skb - Handle a audit record send failure in the hold queue
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) * @skb: audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) * @error: error code (unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) * This should only be used by the kauditd_thread when it fails to flush the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) * hold queue.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552) /* put the record back in the queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) skb_queue_tail(&audit_hold_queue, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) * kauditd_hold_skb - Queue an audit record, waiting for auditd
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) * @skb: audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) * @error: error code
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) * Queue the audit record, waiting for an instance of auditd. When this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) * function is called we haven't given up yet on sending the record, but things
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564) * are not looking good. The first thing we want to do is try to write the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) * record via printk and then see if we want to try and hold on to the record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) * and queue it, if we have room. If we want to hold on to the record, but we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) * don't have room, record a record lost message.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) static void kauditd_hold_skb(struct sk_buff *skb, int error)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) /* at this point it is uncertain if we will ever send this to auditd so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) * try to send the message via printk before we go any further */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) kauditd_printk_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) /* can we just silently drop the message? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) if (!audit_default)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) /* the hold queue is only for when the daemon goes away completely,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) * not -EAGAIN failures; if we are in a -EAGAIN state requeue the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) * record on the retry queue unless it's full, in which case drop it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) if (error == -EAGAIN) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) if (!audit_backlog_limit ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) skb_queue_len(&audit_retry_queue) < audit_backlog_limit) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) skb_queue_tail(&audit_retry_queue, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) audit_log_lost("kauditd retry queue overflow");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) /* if we have room in the hold queue, queue the message */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) if (!audit_backlog_limit ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) skb_queue_len(&audit_hold_queue) < audit_backlog_limit) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) skb_queue_tail(&audit_hold_queue, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) /* we have no other options - drop the message */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) audit_log_lost("kauditd hold queue overflow");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) drop:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) kfree_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608) * @skb: audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) * @error: error code (unused)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) * Not as serious as kauditd_hold_skb() as we still have a connected auditd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) * but for some reason we are having problems sending it audit records so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) * queue the given record and attempt to resend.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) if (!audit_backlog_limit ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) skb_queue_len(&audit_retry_queue) < audit_backlog_limit) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) skb_queue_tail(&audit_retry_queue, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) /* we have to drop the record, send it via printk as a last effort */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) kauditd_printk_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626) audit_log_lost("kauditd retry queue overflow");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) kfree_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) * auditd_reset - Disconnect the auditd connection
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) * @ac: auditd connection state
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) * Break the auditd/kauditd connection and move all the queued records into the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) * hold queue in case auditd reconnects. It is important to note that the @ac
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637) * pointer should never be dereferenced inside this function as it may be NULL
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638) * or invalid, you can only compare the memory address! If @ac is NULL then
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639) * the connection will always be reset.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) static void auditd_reset(const struct auditd_connection *ac)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645) struct auditd_connection *ac_old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647) /* if it isn't already broken, break the connection */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648) spin_lock_irqsave(&auditd_conn_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) ac_old = rcu_dereference_protected(auditd_conn,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650) lockdep_is_held(&auditd_conn_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651) if (ac && ac != ac_old) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) /* someone already registered a new auditd connection */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653) spin_unlock_irqrestore(&auditd_conn_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) rcu_assign_pointer(auditd_conn, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) spin_unlock_irqrestore(&auditd_conn_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659) if (ac_old)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) call_rcu(&ac_old->rcu, auditd_conn_free);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662) /* flush the retry queue to the hold queue, but don't touch the main
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663) * queue since we need to process that normally for multicast */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664) while ((skb = skb_dequeue(&audit_retry_queue)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) kauditd_hold_skb(skb, -ECONNREFUSED);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669) * auditd_send_unicast_skb - Send a record via unicast to auditd
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670) * @skb: audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673) * Send a skb to the audit daemon, returns positive/zero values on success and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) * negative values on failure; in all cases the skb will be consumed by this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) * function. If the send results in -ECONNREFUSED the connection with auditd
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676) * will be reset. This function may sleep so callers should not hold any locks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) * where this would cause a problem.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679) static int auditd_send_unicast_skb(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) u32 portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683) struct net *net;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684) struct sock *sk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685) struct auditd_connection *ac;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) /* NOTE: we can't call netlink_unicast while in the RCU section so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) * take a reference to the network namespace and grab local
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689) * copies of the namespace, the sock, and the portid; the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) * namespace and sock aren't going to go away while we hold a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) * reference and if the portid does become invalid after the RCU
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692) * section netlink_unicast() should safely return an error */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695) ac = rcu_dereference(auditd_conn);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696) if (!ac) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698) kfree_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699) rc = -ECONNREFUSED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) net = get_net(ac->net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703) sk = audit_get_sk(net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704) portid = ac->portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707) rc = netlink_unicast(sk, skb, portid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708) put_net(net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) if (rc < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) if (ac && rc == -ECONNREFUSED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716) auditd_reset(ac);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721) * kauditd_send_queue - Helper for kauditd_thread to flush skb queues
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722) * @sk: the sending sock
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) * @portid: the netlink destination
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724) * @queue: the skb queue to process
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) * @retry_limit: limit on number of netlink unicast failures
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) * @skb_hook: per-skb hook for additional processing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727) * @err_hook: hook called if the skb fails the netlink unicast send
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730) * Run through the given queue and attempt to send the audit records to auditd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731) * returns zero on success, negative values on failure. It is up to the caller
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732) * to ensure that the @sk is valid for the duration of this function.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735) static int kauditd_send_queue(struct sock *sk, u32 portid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) struct sk_buff_head *queue,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737) unsigned int retry_limit,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738) void (*skb_hook)(struct sk_buff *skb),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739) void (*err_hook)(struct sk_buff *skb, int error))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741) int rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) struct sk_buff *skb = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743) struct sk_buff *skb_tail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744) unsigned int failed = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746) /* NOTE: kauditd_thread takes care of all our locking, we just use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) * the netlink info passed to us (e.g. sk and portid) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749) skb_tail = skb_peek_tail(queue);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) while ((skb != skb_tail) && (skb = skb_dequeue(queue))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751) /* call the skb_hook for each skb we touch */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752) if (skb_hook)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) (*skb_hook)(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) /* can we send to anyone via unicast? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756) if (!sk) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) if (err_hook)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) (*err_hook)(skb, -ECONNREFUSED);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 759) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 760) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 761)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 762) retry:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) /* grab an extra skb reference in case of error */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) skb_get(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765) rc = netlink_unicast(sk, skb, portid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) if (rc < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767) /* send failed - try a few times unless fatal error */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) if (++failed >= retry_limit ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769) rc == -ECONNREFUSED || rc == -EPERM) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) sk = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771) if (err_hook)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) (*err_hook)(skb, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) if (rc == -EAGAIN)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774) rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775) /* continue to drain the queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) goto retry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 780) /* skb sent - drop the extra reference and continue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 781) consume_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 782) failed = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 783) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 784) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 785)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 786) return (rc >= 0 ? 0 : rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 788)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 789) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790) * kauditd_send_multicast_skb - Send a record to any multicast listeners
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 791) * @skb: audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 792) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 793) * Description:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 794) * Write a multicast message to anyone listening in the initial network
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 795) * namespace. This function doesn't consume an skb as might be expected since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 796) * it has to copy it anyways.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 797) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 798) static void kauditd_send_multicast_skb(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 799) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 800) struct sk_buff *copy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 801) struct sock *sock = audit_get_sk(&init_net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 802) struct nlmsghdr *nlh;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 804) /* NOTE: we are not taking an additional reference for init_net since
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 805) * we don't have to worry about it going away */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 806)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 807) if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 808) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 810) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 811) * The seemingly wasteful skb_copy() rather than bumping the refcount
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 812) * using skb_get() is necessary because non-standard mods are made to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 813) * the skb by the original kaudit unicast socket send routine. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 814) * existing auditd daemon assumes this breakage. Fixing this would
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 815) * require co-ordinating a change in the established protocol between
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 816) * the kaudit kernel subsystem and the auditd userspace code. There is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 817) * no reason for new multicast clients to continue with this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 818) * non-compliance.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 819) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 820) copy = skb_copy(skb, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 821) if (!copy)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 822) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 823) nlh = nlmsg_hdr(copy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 824) nlh->nlmsg_len = skb->len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 825)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 826) nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 827) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 828)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 829) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 830) * kauditd_thread - Worker thread to send audit records to userspace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 831) * @dummy: unused
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 832) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 833) static int kauditd_thread(void *dummy)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 834) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 835) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 836) u32 portid = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 837) struct net *net = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 838) struct sock *sk = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 839) struct auditd_connection *ac;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 840)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 841) #define UNICAST_RETRIES 5
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 842)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 843) set_freezable();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 844) while (!kthread_should_stop()) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 845) /* NOTE: see the lock comments in auditd_send_unicast_skb() */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 846) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 847) ac = rcu_dereference(auditd_conn);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 848) if (!ac) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 849) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 850) goto main_queue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 851) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 852) net = get_net(ac->net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 853) sk = audit_get_sk(net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 854) portid = ac->portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 855) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 856)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 857) /* attempt to flush the hold queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 858) rc = kauditd_send_queue(sk, portid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 859) &audit_hold_queue, UNICAST_RETRIES,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 860) NULL, kauditd_rehold_skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 861) if (rc < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 862) sk = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 863) auditd_reset(ac);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 864) goto main_queue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 865) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 866)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 867) /* attempt to flush the retry queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 868) rc = kauditd_send_queue(sk, portid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 869) &audit_retry_queue, UNICAST_RETRIES,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 870) NULL, kauditd_hold_skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 871) if (rc < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 872) sk = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 873) auditd_reset(ac);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 874) goto main_queue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 875) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 876)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 877) main_queue:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 878) /* process the main queue - do the multicast send and attempt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 879) * unicast, dump failed record sends to the retry queue; if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 880) * sk == NULL due to previous failures we will just do the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 881) * multicast send and move the record to the hold queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 882) rc = kauditd_send_queue(sk, portid, &audit_queue, 1,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 883) kauditd_send_multicast_skb,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 884) (sk ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 885) kauditd_retry_skb : kauditd_hold_skb));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 886) if (ac && rc < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 887) auditd_reset(ac);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 888) sk = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 889)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 890) /* drop our netns reference, no auditd sends past this line */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 891) if (net) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 892) put_net(net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 893) net = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 894) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 895)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 896) /* we have processed all the queues so wake everyone */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 897) wake_up(&audit_backlog_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 898)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 899) /* NOTE: we want to wake up if there is anything on the queue,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 900) * regardless of if an auditd is connected, as we need to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 901) * do the multicast send and rotate records from the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 902) * main queue to the retry/hold queues */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 903) wait_event_freezable(kauditd_wait,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 904) (skb_queue_len(&audit_queue) ? 1 : 0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 905) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 906)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 907) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 908) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 909)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 910) int audit_send_list_thread(void *_dest)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 911) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 912) struct audit_netlink_list *dest = _dest;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 913) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 914) struct sock *sk = audit_get_sk(dest->net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 915)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 916) /* wait for parent to finish and send an ACK */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 917) audit_ctl_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 918) audit_ctl_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 919)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 920) while ((skb = __skb_dequeue(&dest->q)) != NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 921) netlink_unicast(sk, skb, dest->portid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 922)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 923) put_net(dest->net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 924) kfree(dest);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 925)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 926) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 927) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 928)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 929) struct sk_buff *audit_make_reply(int seq, int type, int done,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 930) int multi, const void *payload, int size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 931) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 932) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 933) struct nlmsghdr *nlh;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 934) void *data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 935) int flags = multi ? NLM_F_MULTI : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 936) int t = done ? NLMSG_DONE : type;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 937)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 938) skb = nlmsg_new(size, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 939) if (!skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 940) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 941)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 942) nlh = nlmsg_put(skb, 0, seq, t, size, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 943) if (!nlh)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 944) goto out_kfree_skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 945) data = nlmsg_data(nlh);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 946) memcpy(data, payload, size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 947) return skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 948)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 949) out_kfree_skb:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 950) kfree_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 951) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 952) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 953)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 954) static void audit_free_reply(struct audit_reply *reply)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 955) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 956) if (!reply)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 957) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 958)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 959) kfree_skb(reply->skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 960) if (reply->net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 961) put_net(reply->net);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 962) kfree(reply);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 963) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 964)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 965) static int audit_send_reply_thread(void *arg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 966) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 967) struct audit_reply *reply = (struct audit_reply *)arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 968)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 969) audit_ctl_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 970) audit_ctl_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 971)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 972) /* Ignore failure. It'll only happen if the sender goes away,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 973) because our timeout is set to infinite. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 974) netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 975) reply->skb = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 976) audit_free_reply(reply);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 977) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 978) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 979)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 980) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 981) * audit_send_reply - send an audit reply message via netlink
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 982) * @request_skb: skb of request we are replying to (used to target the reply)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 983) * @seq: sequence number
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 984) * @type: audit message type
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 985) * @done: done (last) flag
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 986) * @multi: multi-part message flag
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 987) * @payload: payload data
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 988) * @size: payload size
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 989) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 990) * Allocates a skb, builds the netlink message, and sends it to the port id.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 991) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 992) static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 993) int multi, const void *payload, int size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 994) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 995) struct task_struct *tsk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 996) struct audit_reply *reply;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 997)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 998) reply = kzalloc(sizeof(*reply), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 999) if (!reply)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1000) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1001)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1002) reply->skb = audit_make_reply(seq, type, done, multi, payload, size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1003) if (!reply->skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1004) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1005) reply->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1006) reply->portid = NETLINK_CB(request_skb).portid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1007)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1008) tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1009) if (IS_ERR(tsk))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1010) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1011)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1012) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1013)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1014) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1015) audit_free_reply(reply);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1016) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1017)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1018) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1019) * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1020) * control messages.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1021) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1022) static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1023) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1024) int err = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1025)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1026) /* Only support initial user namespace for now. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1027) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1028) * We return ECONNREFUSED because it tricks userspace into thinking
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1029) * that audit was not configured into the kernel. Lots of users
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1030) * configure their PAM stack (because that's what the distro does)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1031) * to reject login if unable to send messages to audit. If we return
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1032) * ECONNREFUSED the PAM stack thinks the kernel does not have audit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1033) * configured in and will let login proceed. If we return EPERM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1034) * userspace will reject all logins. This should be removed when we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1035) * support non init namespaces!!
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1036) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1037) if (current_user_ns() != &init_user_ns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1038) return -ECONNREFUSED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1039)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1040) switch (msg_type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1041) case AUDIT_LIST:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1042) case AUDIT_ADD:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1043) case AUDIT_DEL:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1044) return -EOPNOTSUPP;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1045) case AUDIT_GET:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1046) case AUDIT_SET:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1047) case AUDIT_GET_FEATURE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1048) case AUDIT_SET_FEATURE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1049) case AUDIT_LIST_RULES:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1050) case AUDIT_ADD_RULE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1051) case AUDIT_DEL_RULE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1052) case AUDIT_SIGNAL_INFO:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1053) case AUDIT_TTY_GET:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1054) case AUDIT_TTY_SET:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1055) case AUDIT_TRIM:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1056) case AUDIT_MAKE_EQUIV:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1057) /* Only support auditd and auditctl in initial pid namespace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1058) * for now. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1059) if (task_active_pid_ns(current) != &init_pid_ns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1060) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1061)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1062) if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1063) err = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1064) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1065) case AUDIT_USER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1066) case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1067) case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1068) if (!netlink_capable(skb, CAP_AUDIT_WRITE))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1069) err = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1070) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1071) default: /* bad msg */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1072) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1073) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1074)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1075) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1076) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1077)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1078) static void audit_log_common_recv_msg(struct audit_context *context,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1079) struct audit_buffer **ab, u16 msg_type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1080) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1081) uid_t uid = from_kuid(&init_user_ns, current_uid());
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1082) pid_t pid = task_tgid_nr(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1083)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1084) if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1085) *ab = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1086) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1087) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1088)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1089) *ab = audit_log_start(context, GFP_KERNEL, msg_type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1090) if (unlikely(!*ab))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1091) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1092) audit_log_format(*ab, "pid=%d uid=%u ", pid, uid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1093) audit_log_session_info(*ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1094) audit_log_task_context(*ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1095) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1096)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1097) static inline void audit_log_user_recv_msg(struct audit_buffer **ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1098) u16 msg_type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1099) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1100) audit_log_common_recv_msg(NULL, ab, msg_type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1101) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1102)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1103) int is_audit_feature_set(int i)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1104) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1105) return af.features & AUDIT_FEATURE_TO_MASK(i);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1106) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1107)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1108)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1109) static int audit_get_feature(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1110) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1111) u32 seq;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1112)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1113) seq = nlmsg_hdr(skb)->nlmsg_seq;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1114)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1115) audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1116)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1117) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1118) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1119)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1120) static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1121) u32 old_lock, u32 new_lock, int res)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1122) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1123) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1124)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1125) if (audit_enabled == AUDIT_OFF)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1126) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1127)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1128) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1129) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1130) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1131) audit_log_task_info(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1132) audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1133) audit_feature_names[which], !!old_feature, !!new_feature,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1134) !!old_lock, !!new_lock, res);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1135) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1136) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1138) static int audit_set_feature(struct audit_features *uaf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1139) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1140) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1141)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1142) BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1144) /* if there is ever a version 2 we should handle that here */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1145)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1146) for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1147) u32 feature = AUDIT_FEATURE_TO_MASK(i);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1148) u32 old_feature, new_feature, old_lock, new_lock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1149)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1150) /* if we are not changing this feature, move along */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1151) if (!(feature & uaf->mask))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1152) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1153)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1154) old_feature = af.features & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1155) new_feature = uaf->features & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1156) new_lock = (uaf->lock | af.lock) & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1157) old_lock = af.lock & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1159) /* are we changing a locked feature? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1160) if (old_lock && (new_feature != old_feature)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1161) audit_log_feature_change(i, old_feature, new_feature,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1162) old_lock, new_lock, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1163) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1164) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1165) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1166) /* nothing invalid, do the changes */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1167) for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1168) u32 feature = AUDIT_FEATURE_TO_MASK(i);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1169) u32 old_feature, new_feature, old_lock, new_lock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1170)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1171) /* if we are not changing this feature, move along */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1172) if (!(feature & uaf->mask))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1173) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1174)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1175) old_feature = af.features & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1176) new_feature = uaf->features & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1177) old_lock = af.lock & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1178) new_lock = (uaf->lock | af.lock) & feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1180) if (new_feature != old_feature)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1181) audit_log_feature_change(i, old_feature, new_feature,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1182) old_lock, new_lock, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1183)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1184) if (new_feature)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1185) af.features |= feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1186) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1187) af.features &= ~feature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1188) af.lock |= new_lock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1189) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1190)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1191) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1192) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1194) static int audit_replace(struct pid *pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1195) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1196) pid_t pvnr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1197) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1198)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1199) pvnr = pid_vnr(pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1200) skb = audit_make_reply(0, AUDIT_REPLACE, 0, 0, &pvnr, sizeof(pvnr));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1201) if (!skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1202) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1203) return auditd_send_unicast_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1204) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1205)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1206) static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1207) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1208) u32 seq;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1209) void *data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1210) int data_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1211) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1212) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1213) u16 msg_type = nlh->nlmsg_type;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1214) struct audit_sig_info *sig_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1215) char *ctx = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1216) u32 len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1217)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1218) err = audit_netlink_ok(skb, msg_type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1219) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1220) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1221)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1222) seq = nlh->nlmsg_seq;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1223) data = nlmsg_data(nlh);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1224) data_len = nlmsg_len(nlh);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1225)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1226) switch (msg_type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1227) case AUDIT_GET: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1228) struct audit_status s;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1229) memset(&s, 0, sizeof(s));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1230) s.enabled = audit_enabled;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1231) s.failure = audit_failure;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1232) /* NOTE: use pid_vnr() so the PID is relative to the current
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1233) * namespace */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1234) s.pid = auditd_pid_vnr();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1235) s.rate_limit = audit_rate_limit;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1236) s.backlog_limit = audit_backlog_limit;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1237) s.lost = atomic_read(&audit_lost);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1238) s.backlog = skb_queue_len(&audit_queue);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1239) s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1240) s.backlog_wait_time = audit_backlog_wait_time;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1241) s.backlog_wait_time_actual = atomic_read(&audit_backlog_wait_time_actual);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1242) audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1243) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1244) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1245) case AUDIT_SET: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1246) struct audit_status s;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1247) memset(&s, 0, sizeof(s));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1248) /* guard against past and future API changes */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1249) memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1250) if (s.mask & AUDIT_STATUS_ENABLED) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1251) err = audit_set_enabled(s.enabled);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1252) if (err < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1253) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1254) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1255) if (s.mask & AUDIT_STATUS_FAILURE) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1256) err = audit_set_failure(s.failure);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1257) if (err < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1258) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1259) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1260) if (s.mask & AUDIT_STATUS_PID) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1261) /* NOTE: we are using the vnr PID functions below
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1262) * because the s.pid value is relative to the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1263) * namespace of the caller; at present this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1264) * doesn't matter much since you can really only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1265) * run auditd from the initial pid namespace, but
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1266) * something to keep in mind if this changes */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1267) pid_t new_pid = s.pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1268) pid_t auditd_pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1269) struct pid *req_pid = task_tgid(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1270)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1271) /* Sanity check - PID values must match. Setting
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1272) * pid to 0 is how auditd ends auditing. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1273) if (new_pid && (new_pid != pid_vnr(req_pid)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1274) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1275)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1276) /* test the auditd connection */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1277) audit_replace(req_pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1278)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1279) auditd_pid = auditd_pid_vnr();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1280) if (auditd_pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1281) /* replacing a healthy auditd is not allowed */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1282) if (new_pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1283) audit_log_config_change("audit_pid",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1284) new_pid, auditd_pid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1285) return -EEXIST;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1286) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1287) /* only current auditd can unregister itself */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1288) if (pid_vnr(req_pid) != auditd_pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1289) audit_log_config_change("audit_pid",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1290) new_pid, auditd_pid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1291) return -EACCES;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1292) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1293) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1294)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1295) if (new_pid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1296) /* register a new auditd connection */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1297) err = auditd_set(req_pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1298) NETLINK_CB(skb).portid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1299) sock_net(NETLINK_CB(skb).sk));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1300) if (audit_enabled != AUDIT_OFF)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1301) audit_log_config_change("audit_pid",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1302) new_pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1303) auditd_pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1304) err ? 0 : 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1305) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1306) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1307)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1308) /* try to process any backlog */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1309) wake_up_interruptible(&kauditd_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1310) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1311) if (audit_enabled != AUDIT_OFF)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1312) audit_log_config_change("audit_pid",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1313) new_pid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1314) auditd_pid, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1315)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1316) /* unregister the auditd connection */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1317) auditd_reset(NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1318) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1319) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1320) if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1321) err = audit_set_rate_limit(s.rate_limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1322) if (err < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1323) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1324) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1325) if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1326) err = audit_set_backlog_limit(s.backlog_limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1327) if (err < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1328) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1329) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1330) if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1331) if (sizeof(s) > (size_t)nlh->nlmsg_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1332) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1333) if (s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1334) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1335) err = audit_set_backlog_wait_time(s.backlog_wait_time);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1336) if (err < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1337) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1338) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1339) if (s.mask == AUDIT_STATUS_LOST) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1340) u32 lost = atomic_xchg(&audit_lost, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1341)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1342) audit_log_config_change("lost", 0, lost, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1343) return lost;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1344) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1345) if (s.mask == AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1346) u32 actual = atomic_xchg(&audit_backlog_wait_time_actual, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1347)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1348) audit_log_config_change("backlog_wait_time_actual", 0, actual, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1349) return actual;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1350) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1351) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1352) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1353) case AUDIT_GET_FEATURE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1354) err = audit_get_feature(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1355) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1356) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1357) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1358) case AUDIT_SET_FEATURE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1359) if (data_len < sizeof(struct audit_features))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1360) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1361) err = audit_set_feature(data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1362) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1363) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1364) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1365) case AUDIT_USER:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1366) case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1367) case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1368) if (!audit_enabled && msg_type != AUDIT_USER_AVC)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1369) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1370) /* exit early if there isn't at least one character to print */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1371) if (data_len < 2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1372) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1373)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1374) err = audit_filter(msg_type, AUDIT_FILTER_USER);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1375) if (err == 1) { /* match or error */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1376) char *str = data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1377)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1378) err = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1379) if (msg_type == AUDIT_USER_TTY) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1380) err = tty_audit_push();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1381) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1382) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1383) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1384) audit_log_user_recv_msg(&ab, msg_type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1385) if (msg_type != AUDIT_USER_TTY) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1386) /* ensure NULL termination */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1387) str[data_len - 1] = '\0';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1388) audit_log_format(ab, " msg='%.*s'",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1389) AUDIT_MESSAGE_TEXT_MAX,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1390) str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1391) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1392) audit_log_format(ab, " data=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1393) if (data_len > 0 && str[data_len - 1] == '\0')
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1394) data_len--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1395) audit_log_n_untrustedstring(ab, str, data_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1396) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1397) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1398) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1399) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1400) case AUDIT_ADD_RULE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1401) case AUDIT_DEL_RULE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1402) if (data_len < sizeof(struct audit_rule_data))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1403) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1404) if (audit_enabled == AUDIT_LOCKED) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1405) audit_log_common_recv_msg(audit_context(), &ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1406) AUDIT_CONFIG_CHANGE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1407) audit_log_format(ab, " op=%s audit_enabled=%d res=0",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1408) msg_type == AUDIT_ADD_RULE ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1409) "add_rule" : "remove_rule",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1410) audit_enabled);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1411) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1412) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1413) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1414) err = audit_rule_change(msg_type, seq, data, data_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1415) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1416) case AUDIT_LIST_RULES:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1417) err = audit_list_rules_send(skb, seq);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1418) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1419) case AUDIT_TRIM:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1420) audit_trim_trees();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1421) audit_log_common_recv_msg(audit_context(), &ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1422) AUDIT_CONFIG_CHANGE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1423) audit_log_format(ab, " op=trim res=1");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1424) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1425) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1426) case AUDIT_MAKE_EQUIV: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1427) void *bufp = data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1428) u32 sizes[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1429) size_t msglen = data_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1430) char *old, *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1431)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1432) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1433) if (msglen < 2 * sizeof(u32))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1434) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1435) memcpy(sizes, bufp, 2 * sizeof(u32));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1436) bufp += 2 * sizeof(u32);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1437) msglen -= 2 * sizeof(u32);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1438) old = audit_unpack_string(&bufp, &msglen, sizes[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1439) if (IS_ERR(old)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1440) err = PTR_ERR(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1441) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1442) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1443) new = audit_unpack_string(&bufp, &msglen, sizes[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1444) if (IS_ERR(new)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1445) err = PTR_ERR(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1446) kfree(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1447) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1448) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1449) /* OK, here comes... */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1450) err = audit_tag_tree(old, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1451)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1452) audit_log_common_recv_msg(audit_context(), &ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1453) AUDIT_CONFIG_CHANGE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1454) audit_log_format(ab, " op=make_equiv old=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1455) audit_log_untrustedstring(ab, old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1456) audit_log_format(ab, " new=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1457) audit_log_untrustedstring(ab, new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1458) audit_log_format(ab, " res=%d", !err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1459) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1460) kfree(old);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1461) kfree(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1462) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1463) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1464) case AUDIT_SIGNAL_INFO:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1465) len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1466) if (audit_sig_sid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1467) err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1468) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1469) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1470) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1471) sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1472) if (!sig_data) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1473) if (audit_sig_sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1474) security_release_secctx(ctx, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1475) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1476) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1477) sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1478) sig_data->pid = audit_sig_pid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1479) if (audit_sig_sid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1480) memcpy(sig_data->ctx, ctx, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1481) security_release_secctx(ctx, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1482) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1483) audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1484) sig_data, sizeof(*sig_data) + len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1485) kfree(sig_data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1486) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1487) case AUDIT_TTY_GET: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1488) struct audit_tty_status s;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1489) unsigned int t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1490)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1491) t = READ_ONCE(current->signal->audit_tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1492) s.enabled = t & AUDIT_TTY_ENABLE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1493) s.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1494)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1495) audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1496) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1497) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1498) case AUDIT_TTY_SET: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1499) struct audit_tty_status s, old;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1500) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1501) unsigned int t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1502)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1503) memset(&s, 0, sizeof(s));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1504) /* guard against past and future API changes */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1505) memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1506) /* check if new data is valid */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1507) if ((s.enabled != 0 && s.enabled != 1) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1508) (s.log_passwd != 0 && s.log_passwd != 1))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1509) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1510)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1511) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1512) t = READ_ONCE(current->signal->audit_tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1513) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1514) t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1515) t = xchg(¤t->signal->audit_tty, t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1516) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1517) old.enabled = t & AUDIT_TTY_ENABLE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1518) old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1519)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1520) audit_log_common_recv_msg(audit_context(), &ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1521) AUDIT_CONFIG_CHANGE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1522) audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1523) " old-log_passwd=%d new-log_passwd=%d res=%d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1524) old.enabled, s.enabled, old.log_passwd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1525) s.log_passwd, !err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1526) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1527) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1528) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1529) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1530) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1531) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1532) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1533)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1534) return err < 0 ? err : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1535) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1536)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1537) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1538) * audit_receive - receive messages from a netlink control socket
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1539) * @skb: the message buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1540) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1541) * Parse the provided skb and deal with any messages that may be present,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1542) * malformed skbs are discarded.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1543) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1544) static void audit_receive(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1545) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1546) struct nlmsghdr *nlh;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1547) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1548) * len MUST be signed for nlmsg_next to be able to dec it below 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1549) * if the nlmsg_len was not aligned
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1550) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1551) int len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1552) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1553)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1554) nlh = nlmsg_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1555) len = skb->len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1556)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1557) audit_ctl_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1558) while (nlmsg_ok(nlh, len)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1559) err = audit_receive_msg(skb, nlh);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1560) /* if err or if this message says it wants a response */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1561) if (err || (nlh->nlmsg_flags & NLM_F_ACK))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1562) netlink_ack(skb, nlh, err, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1563)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1564) nlh = nlmsg_next(nlh, &len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1565) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1566) audit_ctl_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1567)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1568) /* can't block with the ctrl lock, so penalize the sender now */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1569) if (audit_backlog_limit &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1570) (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1571) DECLARE_WAITQUEUE(wait, current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1572)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1573) /* wake kauditd to try and flush the queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1574) wake_up_interruptible(&kauditd_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1575)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1576) add_wait_queue_exclusive(&audit_backlog_wait, &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1577) set_current_state(TASK_UNINTERRUPTIBLE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1578) schedule_timeout(audit_backlog_wait_time);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1579) remove_wait_queue(&audit_backlog_wait, &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1580) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1581) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1582)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1583) /* Log information about who is connecting to the audit multicast socket */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1584) static void audit_log_multicast(int group, const char *op, int err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1585) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1586) const struct cred *cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1587) struct tty_struct *tty;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1588) char comm[sizeof(current->comm)];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1589) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1590)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1591) if (!audit_enabled)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1592) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1593)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1594) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1595) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1596) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1597)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1598) cred = current_cred();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1599) tty = audit_get_tty();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1600) audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1601) task_pid_nr(current),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1602) from_kuid(&init_user_ns, cred->uid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1603) from_kuid(&init_user_ns, audit_get_loginuid(current)),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1604) tty ? tty_name(tty) : "(none)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1605) audit_get_sessionid(current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1606) audit_put_tty(tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1607) audit_log_task_context(ab); /* subj= */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1608) audit_log_format(ab, " comm=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1609) audit_log_untrustedstring(ab, get_task_comm(comm, current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1610) audit_log_d_path_exe(ab, current->mm); /* exe= */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1611) audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1612) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1613) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1614)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1615) /* Run custom bind function on netlink socket group connect or bind requests. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1616) static int audit_multicast_bind(struct net *net, int group)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1617) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1618) int err = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1619)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1620) if (!capable(CAP_AUDIT_READ))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1621) err = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1622) audit_log_multicast(group, "connect", err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1623) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1624) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1625)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1626) static void audit_multicast_unbind(struct net *net, int group)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1627) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1628) audit_log_multicast(group, "disconnect", 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1629) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1630)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1631) static int __net_init audit_net_init(struct net *net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1632) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1633) struct netlink_kernel_cfg cfg = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1634) .input = audit_receive,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1635) .bind = audit_multicast_bind,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1636) .unbind = audit_multicast_unbind,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1637) .flags = NL_CFG_F_NONROOT_RECV,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1638) .groups = AUDIT_NLGRP_MAX,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1639) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1640)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1641) struct audit_net *aunet = net_generic(net, audit_net_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1642)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1643) aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1644) if (aunet->sk == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1645) audit_panic("cannot initialize netlink socket in namespace");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1646) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1647) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1648) /* limit the timeout in case auditd is blocked/stopped */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1649) aunet->sk->sk_sndtimeo = HZ / 10;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1650)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1651) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1652) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1653)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1654) static void __net_exit audit_net_exit(struct net *net)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1655) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1656) struct audit_net *aunet = net_generic(net, audit_net_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1657)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1658) /* NOTE: you would think that we would want to check the auditd
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1659) * connection and potentially reset it here if it lives in this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1660) * namespace, but since the auditd connection tracking struct holds a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1661) * reference to this namespace (see auditd_set()) we are only ever
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1662) * going to get here after that connection has been released */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1663)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1664) netlink_kernel_release(aunet->sk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1665) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1666)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1667) static struct pernet_operations audit_net_ops __net_initdata = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1668) .init = audit_net_init,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1669) .exit = audit_net_exit,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1670) .id = &audit_net_id,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1671) .size = sizeof(struct audit_net),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1672) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1673)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1674) /* Initialize audit support at boot time. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1675) static int __init audit_init(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1676) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1677) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1678)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1679) if (audit_initialized == AUDIT_DISABLED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1680) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1681)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1682) audit_buffer_cache = kmem_cache_create("audit_buffer",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1683) sizeof(struct audit_buffer),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1684) 0, SLAB_PANIC, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1685)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1686) skb_queue_head_init(&audit_queue);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1687) skb_queue_head_init(&audit_retry_queue);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1688) skb_queue_head_init(&audit_hold_queue);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1689)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1690) for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1691) INIT_LIST_HEAD(&audit_inode_hash[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1692)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1693) mutex_init(&audit_cmd_mutex.lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1694) audit_cmd_mutex.owner = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1695)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1696) pr_info("initializing netlink subsys (%s)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1697) audit_default ? "enabled" : "disabled");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1698) register_pernet_subsys(&audit_net_ops);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1699)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1700) audit_initialized = AUDIT_INITIALIZED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1701)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1702) kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1703) if (IS_ERR(kauditd_task)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1704) int err = PTR_ERR(kauditd_task);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1705) panic("audit: failed to start the kauditd thread (%d)\n", err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1706) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1707)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1708) audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1709) "state=initialized audit_enabled=%u res=1",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1710) audit_enabled);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1711)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1712) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1713) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1714) postcore_initcall(audit_init);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1715)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1716) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1717) * Process kernel command-line parameter at boot time.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1718) * audit={0|off} or audit={1|on}.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1719) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1720) static int __init audit_enable(char *str)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1721) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1722) if (!strcasecmp(str, "off") || !strcmp(str, "0"))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1723) audit_default = AUDIT_OFF;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1724) else if (!strcasecmp(str, "on") || !strcmp(str, "1"))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1725) audit_default = AUDIT_ON;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1726) else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1727) pr_err("audit: invalid 'audit' parameter value (%s)\n", str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1728) audit_default = AUDIT_ON;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1729) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1730)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1731) if (audit_default == AUDIT_OFF)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1732) audit_initialized = AUDIT_DISABLED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1733) if (audit_set_enabled(audit_default))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1734) pr_err("audit: error setting audit state (%d)\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1735) audit_default);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1736)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1737) pr_info("%s\n", audit_default ?
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1738) "enabled (after initialization)" : "disabled (until reboot)");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1739)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1740) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1741) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1742) __setup("audit=", audit_enable);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1743)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1744) /* Process kernel command-line parameter at boot time.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1745) * audit_backlog_limit=<n> */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1746) static int __init audit_backlog_limit_set(char *str)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1747) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1748) u32 audit_backlog_limit_arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1749)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1750) pr_info("audit_backlog_limit: ");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1751) if (kstrtouint(str, 0, &audit_backlog_limit_arg)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1752) pr_cont("using default of %u, unable to parse %s\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1753) audit_backlog_limit, str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1754) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1755) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1756)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1757) audit_backlog_limit = audit_backlog_limit_arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1758) pr_cont("%d\n", audit_backlog_limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1759)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1760) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1761) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1762) __setup("audit_backlog_limit=", audit_backlog_limit_set);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1763)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1764) static void audit_buffer_free(struct audit_buffer *ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1765) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1766) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1767) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1768)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1769) kfree_skb(ab->skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1770) kmem_cache_free(audit_buffer_cache, ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1771) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1772)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1773) static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1774) gfp_t gfp_mask, int type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1775) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1776) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1777)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1778) ab = kmem_cache_alloc(audit_buffer_cache, gfp_mask);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1779) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1780) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1781)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1782) ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1783) if (!ab->skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1784) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1785) if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1786) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1787)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1788) ab->ctx = ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1789) ab->gfp_mask = gfp_mask;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1790)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1791) return ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1792)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1793) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1794) audit_buffer_free(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1795) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1796) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1797)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1798) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1799) * audit_serial - compute a serial number for the audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1800) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1801) * Compute a serial number for the audit record. Audit records are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1802) * written to user-space as soon as they are generated, so a complete
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1803) * audit record may be written in several pieces. The timestamp of the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1804) * record and this serial number are used by the user-space tools to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1805) * determine which pieces belong to the same audit record. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1806) * (timestamp,serial) tuple is unique for each syscall and is live from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1807) * syscall entry to syscall exit.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1808) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1809) * NOTE: Another possibility is to store the formatted records off the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1810) * audit context (for those records that have a context), and emit them
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1811) * all at syscall exit. However, this could delay the reporting of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1812) * significant errors until syscall exit (or never, if the system
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1813) * halts).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1814) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1815) unsigned int audit_serial(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1816) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1817) static atomic_t serial = ATOMIC_INIT(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1818)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1819) return atomic_add_return(1, &serial);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1820) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1821)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1822) static inline void audit_get_stamp(struct audit_context *ctx,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1823) struct timespec64 *t, unsigned int *serial)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1824) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1825) if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1826) ktime_get_coarse_real_ts64(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1827) *serial = audit_serial();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1828) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1829) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1830)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1831) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1832) * audit_log_start - obtain an audit buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1833) * @ctx: audit_context (may be NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1834) * @gfp_mask: type of allocation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1835) * @type: audit message type
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1836) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1837) * Returns audit_buffer pointer on success or NULL on error.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1838) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1839) * Obtain an audit buffer. This routine does locking to obtain the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1840) * audit buffer, but then no locking is required for calls to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1841) * audit_log_*format. If the task (ctx) is a task that is currently in a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1842) * syscall, then the syscall is marked as auditable and an audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1843) * will be written at syscall exit. If there is no associated task, then
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1844) * task context (ctx) should be NULL.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1845) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1846) struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1847) int type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1848) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1849) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1850) struct timespec64 t;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1851) unsigned int serial;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1852)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1853) if (audit_initialized != AUDIT_INITIALIZED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1854) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1855)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1856) if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCLUDE)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1857) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1858)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1859) /* NOTE: don't ever fail/sleep on these two conditions:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1860) * 1. auditd generated record - since we need auditd to drain the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1861) * queue; also, when we are checking for auditd, compare PIDs using
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1862) * task_tgid_vnr() since auditd_pid is set in audit_receive_msg()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1863) * using a PID anchored in the caller's namespace
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1864) * 2. generator holding the audit_cmd_mutex - we don't want to block
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1865) * while holding the mutex, although we do penalize the sender
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1866) * later in audit_receive() when it is safe to block
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1867) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1868) if (!(auditd_test_task(current) || audit_ctl_owner_current())) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1869) long stime = audit_backlog_wait_time;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1870)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1871) while (audit_backlog_limit &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1872) (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1873) /* wake kauditd to try and flush the queue */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1874) wake_up_interruptible(&kauditd_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1875)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1876) /* sleep if we are allowed and we haven't exhausted our
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1877) * backlog wait limit */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1878) if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1879) long rtime = stime;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1880)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1881) DECLARE_WAITQUEUE(wait, current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1882)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1883) add_wait_queue_exclusive(&audit_backlog_wait,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1884) &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1885) set_current_state(TASK_UNINTERRUPTIBLE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1886) stime = schedule_timeout(rtime);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1887) atomic_add(rtime - stime, &audit_backlog_wait_time_actual);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1888) remove_wait_queue(&audit_backlog_wait, &wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1889) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1890) if (audit_rate_check() && printk_ratelimit())
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1891) pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1892) skb_queue_len(&audit_queue),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1893) audit_backlog_limit);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1894) audit_log_lost("backlog limit exceeded");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1895) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1896) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1897) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1898) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1899)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1900) ab = audit_buffer_alloc(ctx, gfp_mask, type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1901) if (!ab) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1902) audit_log_lost("out of memory in audit_log_start");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1903) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1904) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1905)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1906) audit_get_stamp(ab->ctx, &t, &serial);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1907) audit_log_format(ab, "audit(%llu.%03lu:%u): ",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1908) (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1909)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1910) return ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1911) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1912)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1913) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1914) * audit_expand - expand skb in the audit buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1915) * @ab: audit_buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1916) * @extra: space to add at tail of the skb
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1917) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1918) * Returns 0 (no space) on failed expansion, or available space if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1919) * successful.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1920) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1921) static inline int audit_expand(struct audit_buffer *ab, int extra)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1922) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1923) struct sk_buff *skb = ab->skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1924) int oldtail = skb_tailroom(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1925) int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1926) int newtail = skb_tailroom(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1927)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1928) if (ret < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1929) audit_log_lost("out of memory in audit_expand");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1930) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1931) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1932)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1933) skb->truesize += newtail - oldtail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1934) return newtail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1935) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1936)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1937) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1938) * Format an audit message into the audit buffer. If there isn't enough
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1939) * room in the audit buffer, more room will be allocated and vsnprint
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1940) * will be called a second time. Currently, we assume that a printk
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1941) * can't format message larger than 1024 bytes, so we don't either.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1942) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1943) static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1944) va_list args)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1945) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1946) int len, avail;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1947) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1948) va_list args2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1949)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1950) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1951) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1952)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1953) BUG_ON(!ab->skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1954) skb = ab->skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1955) avail = skb_tailroom(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1956) if (avail == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1957) avail = audit_expand(ab, AUDIT_BUFSIZ);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1958) if (!avail)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1959) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1960) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1961) va_copy(args2, args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1962) len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1963) if (len >= avail) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1964) /* The printk buffer is 1024 bytes long, so if we get
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1965) * here and AUDIT_BUFSIZ is at least 1024, then we can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1966) * log everything that printk could have logged. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1967) avail = audit_expand(ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1968) max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1969) if (!avail)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1970) goto out_va_end;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1971) len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1972) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1973) if (len > 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1974) skb_put(skb, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1975) out_va_end:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1976) va_end(args2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1977) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1978) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1979) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1980)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1981) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1982) * audit_log_format - format a message into the audit buffer.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1983) * @ab: audit_buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1984) * @fmt: format string
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1985) * @...: optional parameters matching @fmt string
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1986) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1987) * All the work is done in audit_log_vformat.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1988) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1989) void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1990) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1991) va_list args;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1992)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1993) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1994) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1995) va_start(args, fmt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1996) audit_log_vformat(ab, fmt, args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1997) va_end(args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1998) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1999)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2000) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2001) * audit_log_n_hex - convert a buffer to hex and append it to the audit skb
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2002) * @ab: the audit_buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2003) * @buf: buffer to convert to hex
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2004) * @len: length of @buf to be converted
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2005) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2006) * No return value; failure to expand is silently ignored.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2007) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2008) * This function will take the passed buf and convert it into a string of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2009) * ascii hex digits. The new string is placed onto the skb.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2010) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2011) void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2012) size_t len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2013) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2014) int i, avail, new_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2015) unsigned char *ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2016) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2017)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2018) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2019) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2020)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2021) BUG_ON(!ab->skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2022) skb = ab->skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2023) avail = skb_tailroom(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2024) new_len = len<<1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2025) if (new_len >= avail) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2026) /* Round the buffer request up to the next multiple */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2027) new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2028) avail = audit_expand(ab, new_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2029) if (!avail)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2030) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2031) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2032)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2033) ptr = skb_tail_pointer(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2034) for (i = 0; i < len; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2035) ptr = hex_byte_pack_upper(ptr, buf[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2036) *ptr = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2037) skb_put(skb, len << 1); /* new string is twice the old string */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2038) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2039)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2040) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2041) * Format a string of no more than slen characters into the audit buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2042) * enclosed in quote marks.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2043) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2044) void audit_log_n_string(struct audit_buffer *ab, const char *string,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2045) size_t slen)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2046) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2047) int avail, new_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2048) unsigned char *ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2049) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2050)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2051) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2052) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2053)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2054) BUG_ON(!ab->skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2055) skb = ab->skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2056) avail = skb_tailroom(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2057) new_len = slen + 3; /* enclosing quotes + null terminator */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2058) if (new_len > avail) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2059) avail = audit_expand(ab, new_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2060) if (!avail)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2061) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2062) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2063) ptr = skb_tail_pointer(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2064) *ptr++ = '"';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2065) memcpy(ptr, string, slen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2066) ptr += slen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2067) *ptr++ = '"';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2068) *ptr = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2069) skb_put(skb, slen + 2); /* don't include null terminator */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2070) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2071)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2072) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2073) * audit_string_contains_control - does a string need to be logged in hex
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2074) * @string: string to be checked
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2075) * @len: max length of the string to check
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2076) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2077) bool audit_string_contains_control(const char *string, size_t len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2078) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2079) const unsigned char *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2080) for (p = string; p < (const unsigned char *)string + len; p++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2081) if (*p == '"' || *p < 0x21 || *p > 0x7e)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2082) return true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2083) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2084) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2085) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2086)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2087) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2088) * audit_log_n_untrustedstring - log a string that may contain random characters
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2089) * @ab: audit_buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2090) * @len: length of string (not including trailing null)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2091) * @string: string to be logged
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2092) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2093) * This code will escape a string that is passed to it if the string
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2094) * contains a control character, unprintable character, double quote mark,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2095) * or a space. Unescaped strings will start and end with a double quote mark.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2096) * Strings that are escaped are printed in hex (2 digits per char).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2097) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2098) * The caller specifies the number of characters in the string to log, which may
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2099) * or may not be the entire string.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2100) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2101) void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2102) size_t len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2103) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2104) if (audit_string_contains_control(string, len))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2105) audit_log_n_hex(ab, string, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2106) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2107) audit_log_n_string(ab, string, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2108) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2109)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2110) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2111) * audit_log_untrustedstring - log a string that may contain random characters
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2112) * @ab: audit_buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2113) * @string: string to be logged
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2114) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2115) * Same as audit_log_n_untrustedstring(), except that strlen is used to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2116) * determine string length.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2117) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2118) void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2119) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2120) audit_log_n_untrustedstring(ab, string, strlen(string));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2121) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2123) /* This is a helper-function to print the escaped d_path */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2124) void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2125) const struct path *path)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2126) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2127) char *p, *pathname;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2128)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2129) if (prefix)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2130) audit_log_format(ab, "%s", prefix);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2131)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2132) /* We will allow 11 spaces for ' (deleted)' to be appended */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2133) pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2134) if (!pathname) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2135) audit_log_format(ab, "\"<no_memory>\"");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2136) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2137) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2138) p = d_path(path, pathname, PATH_MAX+11);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2139) if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2140) /* FIXME: can we save some information here? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2141) audit_log_format(ab, "\"<too_long>\"");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2142) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2143) audit_log_untrustedstring(ab, p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2144) kfree(pathname);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2145) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2146)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2147) void audit_log_session_info(struct audit_buffer *ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2148) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2149) unsigned int sessionid = audit_get_sessionid(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2150) uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2151)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2152) audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2153) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2154)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2155) void audit_log_key(struct audit_buffer *ab, char *key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2156) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2157) audit_log_format(ab, " key=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2158) if (key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2159) audit_log_untrustedstring(ab, key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2160) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2161) audit_log_format(ab, "(null)");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2162) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2163)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2164) int audit_log_task_context(struct audit_buffer *ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2165) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2166) char *ctx = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2167) unsigned len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2168) int error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2169) u32 sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2170)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2171) security_task_getsecid(current, &sid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2172) if (!sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2173) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2174)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2175) error = security_secid_to_secctx(sid, &ctx, &len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2176) if (error) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2177) if (error != -EINVAL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2178) goto error_path;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2179) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2180) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2181)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2182) audit_log_format(ab, " subj=%s", ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2183) security_release_secctx(ctx, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2184) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2185)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2186) error_path:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2187) audit_panic("error in audit_log_task_context");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2188) return error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2189) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2190) EXPORT_SYMBOL(audit_log_task_context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2191)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2192) void audit_log_d_path_exe(struct audit_buffer *ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2193) struct mm_struct *mm)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2194) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2195) struct file *exe_file;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2196)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2197) if (!mm)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2198) goto out_null;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2200) exe_file = get_mm_exe_file(mm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2201) if (!exe_file)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2202) goto out_null;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2203)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2204) audit_log_d_path(ab, " exe=", &exe_file->f_path);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2205) fput(exe_file);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2206) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2207) out_null:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2208) audit_log_format(ab, " exe=(null)");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2209) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2210)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2211) struct tty_struct *audit_get_tty(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2212) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2213) struct tty_struct *tty = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2214) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2215)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2216) spin_lock_irqsave(¤t->sighand->siglock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2217) if (current->signal)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2218) tty = tty_kref_get(current->signal->tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2219) spin_unlock_irqrestore(¤t->sighand->siglock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2220) return tty;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2221) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2222)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2223) void audit_put_tty(struct tty_struct *tty)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2224) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2225) tty_kref_put(tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2226) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2227)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2228) void audit_log_task_info(struct audit_buffer *ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2229) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2230) const struct cred *cred;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2231) char comm[sizeof(current->comm)];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2232) struct tty_struct *tty;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2233)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2234) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2235) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2236)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2237) cred = current_cred();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2238) tty = audit_get_tty();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2239) audit_log_format(ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2240) " ppid=%d pid=%d auid=%u uid=%u gid=%u"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2241) " euid=%u suid=%u fsuid=%u"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2242) " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2243) task_ppid_nr(current),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2244) task_tgid_nr(current),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2245) from_kuid(&init_user_ns, audit_get_loginuid(current)),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2246) from_kuid(&init_user_ns, cred->uid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2247) from_kgid(&init_user_ns, cred->gid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2248) from_kuid(&init_user_ns, cred->euid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2249) from_kuid(&init_user_ns, cred->suid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2250) from_kuid(&init_user_ns, cred->fsuid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2251) from_kgid(&init_user_ns, cred->egid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2252) from_kgid(&init_user_ns, cred->sgid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2253) from_kgid(&init_user_ns, cred->fsgid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2254) tty ? tty_name(tty) : "(none)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2255) audit_get_sessionid(current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2256) audit_put_tty(tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2257) audit_log_format(ab, " comm=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2258) audit_log_untrustedstring(ab, get_task_comm(comm, current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2259) audit_log_d_path_exe(ab, current->mm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2260) audit_log_task_context(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2261) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2262) EXPORT_SYMBOL(audit_log_task_info);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2263)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2264) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2265) * audit_log_path_denied - report a path restriction denial
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2266) * @type: audit message type (AUDIT_ANOM_LINK, AUDIT_ANOM_CREAT, etc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2267) * @operation: specific operation name
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2268) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2269) void audit_log_path_denied(int type, const char *operation)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2270) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2271) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2272)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2273) if (!audit_enabled || audit_dummy_context())
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2274) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2275)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2276) /* Generate log with subject, operation, outcome. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2277) ab = audit_log_start(audit_context(), GFP_KERNEL, type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2278) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2279) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2280) audit_log_format(ab, "op=%s", operation);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2281) audit_log_task_info(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2282) audit_log_format(ab, " res=0");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2283) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2284) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2285)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2286) /* global counter which is incremented every time something logs in */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2287) static atomic_t session_id = ATOMIC_INIT(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2288)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2289) static int audit_set_loginuid_perm(kuid_t loginuid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2290) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2291) /* if we are unset, we don't need privs */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2292) if (!audit_loginuid_set(current))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2293) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2294) /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2295) if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2296) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2297) /* it is set, you need permission */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2298) if (!capable(CAP_AUDIT_CONTROL))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2299) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2300) /* reject if this is not an unset and we don't allow that */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2301) if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2302) && uid_valid(loginuid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2303) return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2304) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2305) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2306)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2307) static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2308) unsigned int oldsessionid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2309) unsigned int sessionid, int rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2310) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2311) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2312) uid_t uid, oldloginuid, loginuid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2313) struct tty_struct *tty;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2314)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2315) if (!audit_enabled)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2316) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2317)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2318) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2319) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2320) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2321)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2322) uid = from_kuid(&init_user_ns, task_uid(current));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2323) oldloginuid = from_kuid(&init_user_ns, koldloginuid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2324) loginuid = from_kuid(&init_user_ns, kloginuid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2325) tty = audit_get_tty();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2327) audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2328) audit_log_task_context(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2329) audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2330) oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2331) oldsessionid, sessionid, !rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2332) audit_put_tty(tty);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2333) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2334) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2335)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2336) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2337) * audit_set_loginuid - set current task's loginuid
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2338) * @loginuid: loginuid value
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2339) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2340) * Returns 0.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2341) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2342) * Called (set) from fs/proc/base.c::proc_loginuid_write().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2343) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2344) int audit_set_loginuid(kuid_t loginuid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2345) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2346) unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2347) kuid_t oldloginuid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2348) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2349)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2350) oldloginuid = audit_get_loginuid(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2351) oldsessionid = audit_get_sessionid(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2352)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2353) rc = audit_set_loginuid_perm(loginuid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2354) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2355) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2356)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2357) /* are we setting or clearing? */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2358) if (uid_valid(loginuid)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2359) sessionid = (unsigned int)atomic_inc_return(&session_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2360) if (unlikely(sessionid == AUDIT_SID_UNSET))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2361) sessionid = (unsigned int)atomic_inc_return(&session_id);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2362) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2363)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2364) current->sessionid = sessionid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2365) current->loginuid = loginuid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2366) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2367) audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2368) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2369) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2370)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2371) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2372) * audit_signal_info - record signal info for shutting down audit subsystem
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2373) * @sig: signal value
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2374) * @t: task being signaled
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2375) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2376) * If the audit subsystem is being terminated, record the task (pid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2377) * and uid that is doing that.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2378) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2379) int audit_signal_info(int sig, struct task_struct *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2380) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2381) kuid_t uid = current_uid(), auid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2382)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2383) if (auditd_test_task(t) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2384) (sig == SIGTERM || sig == SIGHUP ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2385) sig == SIGUSR1 || sig == SIGUSR2)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2386) audit_sig_pid = task_tgid_nr(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2387) auid = audit_get_loginuid(current);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2388) if (uid_valid(auid))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2389) audit_sig_uid = auid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2390) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2391) audit_sig_uid = uid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2392) security_task_getsecid(current, &audit_sig_sid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2393) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2394)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2395) return audit_signal_info_syscall(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2396) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2397)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2398) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2399) * audit_log_end - end one audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2400) * @ab: the audit_buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2401) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2402) * We can not do a netlink send inside an irq context because it blocks (last
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2403) * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2404) * queue and a tasklet is scheduled to remove them from the queue outside the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2405) * irq context. May be called in any context.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2406) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2407) void audit_log_end(struct audit_buffer *ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2408) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2409) struct sk_buff *skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2410) struct nlmsghdr *nlh;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2411)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2412) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2413) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2414)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2415) if (audit_rate_check()) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2416) skb = ab->skb;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2417) ab->skb = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2418)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2419) /* setup the netlink header, see the comments in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2420) * kauditd_send_multicast_skb() for length quirks */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2421) nlh = nlmsg_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2422) nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2423)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2424) /* queue the netlink packet and poke the kauditd thread */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2425) skb_queue_tail(&audit_queue, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2426) wake_up_interruptible(&kauditd_wait);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2427) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2428) audit_log_lost("rate limit exceeded");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2429)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2430) audit_buffer_free(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2431) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2432)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2433) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2434) * audit_log - Log an audit record
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2435) * @ctx: audit context
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2436) * @gfp_mask: type of allocation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2437) * @type: audit message type
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2438) * @fmt: format string to use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2439) * @...: variable parameters matching the format string
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2440) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2441) * This is a convenience function that calls audit_log_start,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2442) * audit_log_vformat, and audit_log_end. It may be called
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2443) * in any context.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2444) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2445) void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2446) const char *fmt, ...)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2447) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2448) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2449) va_list args;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2450)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2451) ab = audit_log_start(ctx, gfp_mask, type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2452) if (ab) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2453) va_start(args, fmt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2454) audit_log_vformat(ab, fmt, args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2455) va_end(args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2456) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2457) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2458) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2459)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2460) EXPORT_SYMBOL(audit_log_start);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2461) EXPORT_SYMBOL(audit_log_end);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2462) EXPORT_SYMBOL(audit_log_format);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2463) EXPORT_SYMBOL(audit_log);
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags