^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* auditsc.c -- System-call auditing support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) * Handles all system-call specific auditing features.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright 2005 Hewlett-Packard Development Company, L.P.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Copyright (C) 2005, 2006 IBM Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * This program is free software; you can redistribute it and/or modify
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * it under the terms of the GNU General Public License as published by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * the Free Software Foundation; either version 2 of the License, or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * (at your option) any later version.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * This program is distributed in the hope that it will be useful,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * but WITHOUT ANY WARRANTY; without even the implied warranty of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) * GNU General Public License for more details.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * You should have received a copy of the GNU General Public License
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * along with this program; if not, write to the Free Software
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * Written by Rickard E. (Rik) Faith <faith@redhat.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * Many of the ideas implemented here are from Stephen C. Tweedie,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * especially the idea of avoiding a copy by using getname.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * The method for actual interception of syscall entry and exit (not in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * this file -- see entry.S) is based on a GPL'd patch written by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * okir@suse.de and Copyright 2003 SuSE Linux AG.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) * 2006.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) * The support of additional filter rules compares (>, <, >=, <=) was
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) * filesystem information.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) * Subject and object context labeling support added by <danjones@us.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)
/*
 * Message prefix for this file: the module name followed by ": ".
 * Defined ahead of the #include lines so the headers below see it.
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) #include <asm/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #include <linux/atomic.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) #include <linux/fs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) #include <linux/namei.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) #include <linux/mm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #include <linux/export.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) #include <linux/mount.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) #include <linux/socket.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) #include <linux/mqueue.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) #include <linux/audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) #include <linux/personality.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) #include <linux/time.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) #include <linux/netlink.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) #include <linux/compiler.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) #include <asm/unistd.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) #include <linux/security.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) #include <linux/list.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) #include <linux/binfmts.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) #include <linux/highmem.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) #include <linux/syscalls.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) #include <asm/syscall.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) #include <linux/capability.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) #include <linux/fs_struct.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) #include <linux/compat.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) #include <linux/ctype.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) #include <linux/string.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) #include <linux/uaccess.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) #include <linux/fsnotify_backend.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) #include <uapi/linux/limits.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) #include <uapi/linux/netfilter/nf_tables.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) #include "audit.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81)
/* flags stating the success for a syscall */
#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
#define AUDITSC_FAILURE 2

/*
 * no execve audit message should be longer than this (userspace limits),
 * see the note near the top of audit_log_execve_info() about this value
 */
#define MAX_EXECVE_AUDIT_LEN 7500

/*
 * max length to print of cmdline/proctitle value during audit
 * NOTE(review): a longer command line is presumably cut at this length in
 * the record, so consumers should not treat the logged value as complete --
 * confirm in the proctitle logging code.
 */
#define MAX_PROCTITLE_AUDIT_LEN 128

/* number of audit rules (not static: visible outside this file) */
int audit_n_rules;

/*
 * determines whether we collect data for signals sent
 * (not static: visible outside this file)
 */
int audit_signals;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99)
/*
 * Header of a singly linked auxiliary record.  It is embedded as the first
 * member ("d") of the larger aux structures in this file
 * (audit_aux_data_pids, audit_aux_data_bprm_fcaps).
 */
struct audit_aux_data {
	struct audit_aux_data *next;	/* next record in the chain */
	int type;	/* record kind; presumably an AUDIT_* type -- confirm */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
/* NOTE(review): no user of this value is visible in this part of the file. */
#define AUDIT_AUX_IPCPERM 0

/* Number of target pids per aux struct. */
#define AUDIT_AUX_PIDS 16
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109)
/*
 * Auxiliary record describing up to AUDIT_AUX_PIDS target tasks.  The
 * target_* members are parallel arrays: index i in each array belongs to the
 * same target.
 */
struct audit_aux_data_pids {
	struct audit_aux_data d;	/* common aux header, kept first */
	pid_t target_pid[AUDIT_AUX_PIDS];
	kuid_t target_auid[AUDIT_AUX_PIDS];
	kuid_t target_uid[AUDIT_AUX_PIDS];
	unsigned int target_sessionid[AUDIT_AUX_PIDS];
	u32 target_sid[AUDIT_AUX_PIDS];
	char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
	/* presumably the number of array slots in use -- confirm at the writer */
	int pid_count;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120)
/*
 * Auxiliary record holding three capability data sets and a version number.
 * NOTE(review): going by the member names this records the file capabilities
 * of an executed binary together with the process capabilities before and
 * after the exec -- confirm at the code that fills it in.
 */
struct audit_aux_data_bprm_fcaps {
	struct audit_aux_data d;	/* common aux header, kept first */
	struct audit_cap_data fcap;
	unsigned int fcap_ver;
	struct audit_cap_data old_pcap;
	struct audit_cap_data new_pcap;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128)
/*
 * One node of the per-context list of audit_chunk references: a fixed array
 * of 31 chunk pointers plus a link to the next node.
 *
 * The array size is not named by a constant.  The literals 31 and 30 in
 * put_tree_ref(), grow_tree_refs(), unroll_tree_refs() and match_tree_refs()
 * all depend on it, so changing the size here means updating every one of
 * them; a missed one would index outside c[].
 */
struct audit_tree_refs {
	struct audit_tree_refs *next;
	struct audit_chunk *c[31];
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133)
/* Pairs a netfilter configuration operation with the name used for it. */
struct audit_nfcfgop_tab {
	enum audit_nfcfgop op;	/* operation code */
	const char *s;	/* operation name as a string */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138)
/*
 * Name table for the netfilter configuration operations (xtables and
 * nftables).
 * NOTE(review): if a lookup indexes this array directly by op value, the
 * entry order has to follow enum audit_nfcfgop -- confirm against the code
 * that reads the table before reordering or inserting entries.
 */
static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
	{ .op = AUDIT_XT_OP_REGISTER,			.s = "xt_register" },
	{ .op = AUDIT_XT_OP_REPLACE,			.s = "xt_replace" },
	{ .op = AUDIT_XT_OP_UNREGISTER,			.s = "xt_unregister" },
	{ .op = AUDIT_NFT_OP_TABLE_REGISTER,		.s = "nft_register_table" },
	{ .op = AUDIT_NFT_OP_TABLE_UNREGISTER,		.s = "nft_unregister_table" },
	{ .op = AUDIT_NFT_OP_CHAIN_REGISTER,		.s = "nft_register_chain" },
	{ .op = AUDIT_NFT_OP_CHAIN_UNREGISTER,		.s = "nft_unregister_chain" },
	{ .op = AUDIT_NFT_OP_RULE_REGISTER,		.s = "nft_register_rule" },
	{ .op = AUDIT_NFT_OP_RULE_UNREGISTER,		.s = "nft_unregister_rule" },
	{ .op = AUDIT_NFT_OP_SET_REGISTER,		.s = "nft_register_set" },
	{ .op = AUDIT_NFT_OP_SET_UNREGISTER,		.s = "nft_unregister_set" },
	{ .op = AUDIT_NFT_OP_SETELEM_REGISTER,		.s = "nft_register_setelem" },
	{ .op = AUDIT_NFT_OP_SETELEM_UNREGISTER,	.s = "nft_unregister_setelem" },
	{ .op = AUDIT_NFT_OP_GEN_REGISTER,		.s = "nft_register_gen" },
	{ .op = AUDIT_NFT_OP_OBJ_REGISTER,		.s = "nft_register_obj" },
	{ .op = AUDIT_NFT_OP_OBJ_UNREGISTER,		.s = "nft_unregister_obj" },
	{ .op = AUDIT_NFT_OP_OBJ_RESET,			.s = "nft_reset_obj" },
	{ .op = AUDIT_NFT_OP_FLOWTABLE_REGISTER,	.s = "nft_register_flowtable" },
	{ .op = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,	.s = "nft_unregister_flowtable" },
	{ .op = AUDIT_NFT_OP_INVALID,			.s = "nft_invalid" },
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161)
/*
 * audit_match_perm - does the syscall in @ctx fall under a permission in @mask?
 * @ctx: audit context holding the syscall number, arch and arguments; may be NULL
 * @mask: combination of AUDIT_PERM_* bits to test for
 *
 * The syscall (ctx->major on ctx->arch) is classified first and then handled
 * per class:
 *   0 (native) and 1 (32bit on biarch): matched against the write, read and
 *     attribute-change syscall classes for the bits set in @mask;
 *   2 (open) and 3 (openat): @mask is tested against ACC_MODE() of argv[1]
 *     respectively argv[2] (presumably the flags argument -- confirm);
 *   4 (socketcall): counts as a write only when argv[0] is SYS_BIND, no other
 *     socketcall sub-operation matches here;
 *   5 (execve): matches AUDIT_PERM_EXEC.
 *
 * Returns 0 for no match (also for a NULL @ctx or an unknown class) and a
 * non-zero value for a match.  For open, openat and execve the non-zero value
 * is the masked bit pattern, not 1.
 */
static int audit_match_perm(struct audit_context *ctx, int mask)
{
	unsigned int nr;

	if (unlikely(!ctx))
		return 0;

	nr = ctx->major;

	switch (audit_classify_syscall(ctx->arch, nr)) {
	case 0: /* native */
		return ((mask & AUDIT_PERM_WRITE) &&
			audit_match_class(AUDIT_CLASS_WRITE, nr)) ||
		       ((mask & AUDIT_PERM_READ) &&
			audit_match_class(AUDIT_CLASS_READ, nr)) ||
		       ((mask & AUDIT_PERM_ATTR) &&
			audit_match_class(AUDIT_CLASS_CHATTR, nr));
	case 1: /* 32bit on biarch */
		return ((mask & AUDIT_PERM_WRITE) &&
			audit_match_class(AUDIT_CLASS_WRITE_32, nr)) ||
		       ((mask & AUDIT_PERM_READ) &&
			audit_match_class(AUDIT_CLASS_READ_32, nr)) ||
		       ((mask & AUDIT_PERM_ATTR) &&
			audit_match_class(AUDIT_CLASS_CHATTR_32, nr));
	case 2: /* open */
		return mask & ACC_MODE(ctx->argv[1]);
	case 3: /* openat */
		return mask & ACC_MODE(ctx->argv[2]);
	case 4: /* socketcall */
		if (!(mask & AUDIT_PERM_WRITE))
			return 0;
		return ctx->argv[0] == SYS_BIND;
	case 5: /* execve */
		return mask & AUDIT_PERM_EXEC;
	default:
		return 0;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204)
/*
 * audit_match_filetype - does any name recorded in @ctx have file type @val?
 * @ctx: audit context whose names_list is searched; may be NULL
 * @val: file type to look for, compared against (mode & S_IFMT)
 *
 * Entries whose inode number is still AUDIT_INO_UNSET are skipped.
 * Returns 1 on the first matching entry, 0 if none matches or @ctx is NULL.
 */
static int audit_match_filetype(struct audit_context *ctx, int val)
{
	const umode_t wanted = (umode_t)val;
	struct audit_names *entry;

	if (unlikely(!ctx))
		return 0;

	list_for_each_entry(entry, &ctx->names_list, list) {
		if (entry->ino == AUDIT_INO_UNSET)
			continue;
		if ((entry->mode & S_IFMT) == wanted)
			return 1;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) * ->first_trees points to its beginning, ->trees - to the current end of data.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) * ->tree_count is the number of free entries in array pointed to by ->trees.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) * it's going to remain 1-element for almost any setup) until we free context itself.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) * References in it _are_ dropped - at the same time we free/drop aux stuff.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231)
/*
 * audit_set_auditable - switch @ctx to AUDIT_RECORD_CONTEXT
 * @ctx: audit context to update; must not be NULL (it is dereferenced
 *       without a check)
 *
 * Acts only while ctx->prio is zero: prio becomes 1 and current_state becomes
 * AUDIT_RECORD_CONTEXT.  A context that already has a non-zero prio is left
 * untouched.
 */
static void audit_set_auditable(struct audit_context *ctx)
{
	if (ctx->prio)
		return;

	ctx->prio = 1;
	ctx->current_state = AUDIT_RECORD_CONTEXT;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239)
/*
 * put_tree_ref - record @chunk in the tree reference list of @ctx
 * @ctx: audit context owning the list
 * @chunk: chunk pointer to store
 *
 * Slots are filled from the top of each 31-entry array downwards;
 * ctx->tree_count is the number of free slots left in the current array.
 * When the current array is full, the next already allocated array (if any)
 * becomes current and @chunk goes into its last slot.
 *
 * A non-zero tree_count is taken to mean that ctx->trees is valid: the
 * pointer is dereferenced without a NULL check on that path.
 *
 * Returns 1 if @chunk was stored, 0 if there is no array with room.
 */
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
{
	struct audit_tree_refs *cur = ctx->trees;
	int free_slots = ctx->tree_count;

	if (likely(free_slots)) {
		free_slots--;
		cur->c[free_slots] = chunk;
		ctx->tree_count = free_slots;
		return 1;
	}

	/* current array exhausted (or no array at all): try the next one */
	if (!cur || !cur->next)
		return 0;

	cur = cur->next;
	cur->c[30] = chunk;
	ctx->trees = cur;
	ctx->tree_count = 30;
	return 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260)
/*
 * grow_tree_refs - append a fresh, zeroed reference array to @ctx
 * @ctx: audit context owning the list
 *
 * The new array is allocated with GFP_KERNEL, linked behind the current
 * array (or installed as ctx->first_trees when the list was empty) and made
 * current with all 31 slots free.
 *
 * Returns 1 on success.  Returns 0 if the allocation fails, in which case
 * ctx->trees still points to the previous array.
 */
static int grow_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *prev = ctx->trees;
	struct audit_tree_refs *fresh;

	fresh = kzalloc(sizeof(*fresh), GFP_KERNEL);
	if (!fresh)
		return 0;

	if (prev)
		prev->next = fresh;
	else
		ctx->first_trees = fresh;

	ctx->trees = fresh;
	ctx->tree_count = 31;
	return 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276)
/*
 * unroll_tree_refs - drop the references added since a saved position
 * @ctx: audit context owning the list
 * @p: value of ctx->trees at the saved position (NULL if the list was empty)
 * @count: value of ctx->tree_count at the saved position
 *
 * Every slot filled after (@p, @count) is released with audit_put_chunk()
 * and reset to NULL; the arrays themselves stay allocated.  Afterwards
 * ctx->trees and ctx->tree_count are set back to the saved position.
 */
static void unroll_tree_refs(struct audit_context *ctx,
			     struct audit_tree_refs *p, int count)
{
	struct audit_tree_refs *node;
	int slot;

	if (!p) {
		/* we started with empty chain */
		p = ctx->first_trees;
		count = 31;
		/* if the very first allocation has failed, nothing to do */
		if (!p)
			return;
	}

	node = p;
	slot = count;

	/* arrays before the current one: release everything below the mark */
	while (node != ctx->trees) {
		while (slot != 0) {
			slot--;
			audit_put_chunk(node->c[slot]);
			node->c[slot] = NULL;
		}
		node = node->next;
		slot = 31;
	}

	/* current array: only the slots down to tree_count are in use */
	while (slot > ctx->tree_count) {
		slot--;
		audit_put_chunk(node->c[slot]);
		node->c[slot] = NULL;
	}

	ctx->trees = p;
	ctx->tree_count = count;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304)
/*
 * free_tree_refs - free every reference array attached to @ctx
 * @ctx: audit context owning the list
 *
 * Only the arrays are freed with kfree(); the chunk pointers stored in them
 * are not released here, and ctx->first_trees / ctx->trees are not reset.
 */
static void free_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *node = ctx->first_trees;

	while (node) {
		/* read the link before the node is freed */
		struct audit_tree_refs *following = node->next;

		kfree(node);
		node = following;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313)
/*
 * match_tree_refs - does any chunk recorded in @ctx match @tree?
 * @ctx: audit context owning the reference list
 * @tree: tree to test against; NULL never matches
 *
 * Arrays ahead of ctx->trees are scanned in full.  In the current array only
 * the slots from ctx->tree_count upwards are scanned, because slots are
 * filled from the top down.
 *
 * Returns 1 on the first chunk for which audit_tree_match() is non-zero,
 * otherwise 0.
 */
static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
{
	struct audit_tree_refs *node;
	int slot;

	if (!tree)
		return 0;

	/* full ones */
	node = ctx->first_trees;
	while (node != ctx->trees) {
		for (slot = 0; slot < 31; slot++) {
			if (audit_tree_match(node->c[slot], tree))
				return 1;
		}
		node = node->next;
	}

	/* partial */
	if (!node)
		return 0;

	for (slot = ctx->tree_count; slot < 31; slot++) {
		if (audit_tree_match(node->c[slot], tree))
			return 1;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334)
/*
 * audit_compare_uid - compare @uid with the owner uid of recorded names
 * @uid: uid on the left-hand side of the comparison
 * @name: single name to test first; may be NULL
 * @f: rule field supplying the comparison operator (f->op)
 * @ctx: audit context whose names_list is tested next; may be NULL
 *
 * The comparison succeeds as soon as ANY candidate satisfies it: @name is
 * tried first, then every entry on ctx->names_list.  A rule using this
 * therefore matches when one object touched by the syscall qualifies, not
 * only when all of them do.
 *
 * Returns the first non-zero result of audit_uid_comparator(), or 0.
 */
static int audit_compare_uid(kuid_t uid,
			     struct audit_names *name,
			     struct audit_field *f,
			     struct audit_context *ctx)
{
	struct audit_names *entry;
	int matched;

	if (name) {
		matched = audit_uid_comparator(uid, f->op, name->uid);
		if (matched)
			return matched;
	}

	if (!ctx)
		return 0;

	list_for_each_entry(entry, &ctx->names_list, list) {
		matched = audit_uid_comparator(uid, f->op, entry->uid);
		if (matched)
			return matched;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358)
/*
 * audit_compare_gid - compare @gid with the owner gid of recorded names
 * @gid: gid on the left-hand side of the comparison
 * @name: single name to test first; may be NULL
 * @f: rule field supplying the comparison operator (f->op)
 * @ctx: audit context whose names_list is tested next; may be NULL
 *
 * The comparison succeeds as soon as ANY candidate satisfies it: @name is
 * tried first, then every entry on ctx->names_list.
 *
 * Returns the first non-zero result of audit_gid_comparator(), or 0.
 */
static int audit_compare_gid(kgid_t gid,
			     struct audit_names *name,
			     struct audit_field *f,
			     struct audit_context *ctx)
{
	struct audit_names *entry;
	int matched;

	if (name) {
		matched = audit_gid_comparator(gid, f->op, name->gid);
		if (matched)
			return matched;
	}

	if (!ctx)
		return 0;

	list_for_each_entry(entry, &ctx->names_list, list) {
		matched = audit_gid_comparator(gid, f->op, entry->gid);
		if (matched)
			return matched;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382)
/*
 * audit_field_compare - evaluate an inter-field comparison rule
 * @tsk: task whose login uid is used for the AUID comparisons
 * @cred: credentials supplying the uid/gid values being compared
 * @f: rule field; f->val selects the pair to compare, f->op the operator
 * @ctx: audit context, passed on for the comparisons against file objects
 * @name: single name, passed on for the comparisons against file objects
 *
 * The *_TO_OBJ_* selectors compare a process identity with the owner of the
 * recorded file objects (see audit_compare_uid() / audit_compare_gid()).
 * All other selectors compare two identities of the process with each other.
 *
 * Returns the comparator result.  An unknown selector triggers a WARN and
 * yields 0, i.e. the rule field does not match.
 */
static int audit_field_compare(struct task_struct *tsk,
			       const struct cred *cred,
			       struct audit_field *f,
			       struct audit_context *ctx,
			       struct audit_names *name)
{
	switch (f->val) {
	/* process uid to file object owner */
	case AUDIT_COMPARE_UID_TO_OBJ_UID:
		return audit_compare_uid(cred->uid, name, f, ctx);
	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
		return audit_compare_uid(cred->euid, name, f, ctx);
	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
		return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
		return audit_compare_uid(cred->suid, name, f, ctx);
	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
		return audit_compare_uid(cred->fsuid, name, f, ctx);

	/* process gid to file object group */
	case AUDIT_COMPARE_GID_TO_OBJ_GID:
		return audit_compare_gid(cred->gid, name, f, ctx);
	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
		return audit_compare_gid(cred->egid, name, f, ctx);
	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
		return audit_compare_gid(cred->sgid, name, f, ctx);
	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
		return audit_compare_gid(cred->fsgid, name, f, ctx);

	/* uid against the other process uids */
	case AUDIT_COMPARE_UID_TO_AUID:
		return audit_uid_comparator(cred->uid, f->op,
					    audit_get_loginuid(tsk));
	case AUDIT_COMPARE_UID_TO_EUID:
		return audit_uid_comparator(cred->uid, f->op, cred->euid);
	case AUDIT_COMPARE_UID_TO_SUID:
		return audit_uid_comparator(cred->uid, f->op, cred->suid);
	case AUDIT_COMPARE_UID_TO_FSUID:
		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);

	/* login uid against the other process uids */
	case AUDIT_COMPARE_AUID_TO_EUID:
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
					    cred->euid);
	case AUDIT_COMPARE_AUID_TO_SUID:
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
					    cred->suid);
	case AUDIT_COMPARE_AUID_TO_FSUID:
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
					    cred->fsuid);

	/* euid and suid against the remaining process uids */
	case AUDIT_COMPARE_EUID_TO_SUID:
		return audit_uid_comparator(cred->euid, f->op, cred->suid);
	case AUDIT_COMPARE_EUID_TO_FSUID:
		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
	case AUDIT_COMPARE_SUID_TO_FSUID:
		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);

	/* gid against the other process gids */
	case AUDIT_COMPARE_GID_TO_EGID:
		return audit_gid_comparator(cred->gid, f->op, cred->egid);
	case AUDIT_COMPARE_GID_TO_SGID:
		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
	case AUDIT_COMPARE_GID_TO_FSGID:
		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);

	/* egid and sgid against the remaining process gids */
	case AUDIT_COMPARE_EGID_TO_SGID:
		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
	case AUDIT_COMPARE_EGID_TO_FSGID:
		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
	case AUDIT_COMPARE_SGID_TO_FSGID:
		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);

	default:
		break;
	}

	/* only reached for a selector that has no case above */
	WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) /* Determine if any context name data matches a rule's watch data */
/*
 * audit_filter_rules - test every field of one audit rule against a task.
 *
 * @tsk:           task being evaluated
 * @rule:          rule to test; all rule->field_count fields must match
 * @ctx:           syscall audit context, may be NULL; fields such as
 *                 AUDIT_PPID, AUDIT_ARCH, AUDIT_EXIT, AUDIT_SUCCESS and
 *                 AUDIT_DIR then evaluate as "no match"
 * @name:          one collected name to test, may be NULL; most object
 *                 fields then scan ctx->names_list instead
 * @state:         written from rule->action when the rule matches
 * @task_creation: true when filtering a task rule at task creation time
 *
 * Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise.
 *
 * If task_creation is true, this is an explicit indication that we are
 * filtering a task rule at task creation time.  This and tsk == current are
 * the only situations where tsk->cred may be accessed without an rcu read lock.
 *
 * Side effects on a match when ctx is non-NULL: ctx->filterkey is replaced by
 * a copy of rule->filterkey (if the rule has one) and ctx->prio is raised to
 * rule->prio.  A rule whose prio is not strictly greater than ctx->prio is
 * reported as "no match" even though all of its fields matched.
 *
 * *state is only written for AUDIT_NEVER and AUDIT_ALWAYS; any other
 * rule->action returns 1 with *state untouched.
 * NOTE(review): callers in this file pass an uninitialized state, so this
 * presumably relies on rule->action being validated when the rule is
 * installed - confirm.
 */
static int audit_filter_rules(struct task_struct *tsk,
			      struct audit_krule *rule,
			      struct audit_context *ctx,
			      struct audit_names *name,
			      enum audit_state *state,
			      bool task_creation)
{
	const struct cred *cred;
	int i, need_sid = 1;	/* need_sid: fetch the task secid at most once */
	u32 sid;
	unsigned int sessionid;

	/* The condition documents when the access is legal without rcu_read_lock(). */
	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);

	for (i = 0; i < rule->field_count; i++) {
		struct audit_field *f = &rule->fields[i];
		struct audit_names *n;
		/*
		 * Starts as "no match": a field type with no case below, or a
		 * case that cannot be evaluated, fails the whole rule.
		 */
		int result = 0;
		pid_t pid;

		switch (f->type) {
		case AUDIT_PID:
			pid = task_tgid_nr(tsk);
			result = audit_comparator(pid, f->op, f->val);
			break;
		case AUDIT_PPID:
			if (ctx) {
				/* Look the parent pid up once and cache it in the context. */
				if (!ctx->ppid)
					ctx->ppid = task_ppid_nr(tsk);
				result = audit_comparator(ctx->ppid, f->op, f->val);
			}
			break;
		case AUDIT_EXE:
			/* Only equality is computed; "not equal" is its negation. */
			result = audit_exe_compare(tsk, rule->exe);
			if (f->op == Audit_not_equal)
				result = !result;
			break;
		case AUDIT_UID:
			result = audit_uid_comparator(cred->uid, f->op, f->uid);
			break;
		case AUDIT_EUID:
			result = audit_uid_comparator(cred->euid, f->op, f->uid);
			break;
		case AUDIT_SUID:
			result = audit_uid_comparator(cred->suid, f->op, f->uid);
			break;
		case AUDIT_FSUID:
			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
			break;
		case AUDIT_GID:
			/*
			 * "=" also matches when f->gid is found in
			 * cred->group_info; "!=" only matches when it is found
			 * in neither the gid nor cred->group_info.  Other
			 * operators compare the gid alone.
			 */
			result = audit_gid_comparator(cred->gid, f->op, f->gid);
			if (f->op == Audit_equal) {
				if (!result)
					result = groups_search(cred->group_info, f->gid);
			} else if (f->op == Audit_not_equal) {
				if (result)
					result = !groups_search(cred->group_info, f->gid);
			}
			break;
		case AUDIT_EGID:
			/* Same group_info handling as AUDIT_GID, applied to the egid. */
			result = audit_gid_comparator(cred->egid, f->op, f->gid);
			if (f->op == Audit_equal) {
				if (!result)
					result = groups_search(cred->group_info, f->gid);
			} else if (f->op == Audit_not_equal) {
				if (result)
					result = !groups_search(cred->group_info, f->gid);
			}
			break;
		case AUDIT_SGID:
			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
			break;
		case AUDIT_FSGID:
			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
			break;
		case AUDIT_SESSIONID:
			sessionid = audit_get_sessionid(tsk);
			result = audit_comparator(sessionid, f->op, f->val);
			break;
		case AUDIT_PERS:
			result = audit_comparator(tsk->personality, f->op, f->val);
			break;
		case AUDIT_ARCH:
			if (ctx)
				result = audit_comparator(ctx->arch, f->op, f->val);
			break;

		case AUDIT_EXIT:
			/* Only meaningful once the context holds a return code. */
			if (ctx && ctx->return_valid)
				result = audit_comparator(ctx->return_code, f->op, f->val);
			break;
		case AUDIT_SUCCESS:
			if (ctx && ctx->return_valid) {
				/* A non-zero f->val asks for success, zero for failure. */
				if (f->val)
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
				else
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
			}
			break;
		case AUDIT_DEVMAJOR:
			/* Either dev or rdev may satisfy the comparison. */
			if (name) {
				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
					++result;
			} else if (ctx) {
				/* No specific name given: any collected name may match. */
				list_for_each_entry(n, &ctx->names_list, list) {
					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_DEVMINOR:
			if (name) {
				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
				    audit_comparator(MINOR(name->rdev), f->op, f->val))
					++result;
			} else if (ctx) {
				list_for_each_entry(n, &ctx->names_list, list) {
					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_INODE:
			if (name)
				result = audit_comparator(name->ino, f->op, f->val);
			else if (ctx) {
				list_for_each_entry(n, &ctx->names_list, list) {
					if (audit_comparator(n->ino, f->op, f->val)) {
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_OBJ_UID:
			if (name) {
				result = audit_uid_comparator(name->uid, f->op, f->uid);
			} else if (ctx) {
				list_for_each_entry(n, &ctx->names_list, list) {
					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_OBJ_GID:
			if (name) {
				result = audit_gid_comparator(name->gid, f->op, f->gid);
			} else if (ctx) {
				list_for_each_entry(n, &ctx->names_list, list) {
					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_WATCH:
			/* Evaluated only against an explicit name; names_list is not scanned. */
			if (name) {
				result = audit_watch_compare(rule->watch,
							     name->ino,
							     name->dev);
				if (f->op == Audit_not_equal)
					result = !result;
			}
			break;
		case AUDIT_DIR:
			if (ctx) {
				result = match_tree_refs(ctx, rule->tree);
				if (f->op == Audit_not_equal)
					result = !result;
			}
			break;
		case AUDIT_LOGINUID:
			result = audit_uid_comparator(audit_get_loginuid(tsk),
						      f->op, f->uid);
			break;
		case AUDIT_LOGINUID_SET:
			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
			break;
		case AUDIT_SADDR_FAM:
			if (ctx && ctx->sockaddr)
				result = audit_comparator(ctx->sockaddr->ss_family,
							  f->op, f->val);
			break;
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
			/*
			 * NOTE: this may return negative values indicating
			 * a temporary error.  We simply treat this as a
			 * match for now to avoid losing information that
			 * may be wanted.  An error message will also be
			 * logged upon error.
			 *
			 * A negative result is non-zero, so the !result test
			 * after the switch lets the field pass.
			 */
			if (f->lsm_rule) {
				/* The task's secid is fetched once and reused for later fields. */
				if (need_sid) {
					security_task_getsecid(tsk, &sid);
					need_sid = 0;
				}
				result = security_audit_rule_match(sid, f->type,
								   f->op,
								   f->lsm_rule);
			}
			break;
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
			   also applies here */
			if (f->lsm_rule) {
				/* Find files that match */
				if (name) {
					result = security_audit_rule_match(
								name->osid,
								f->type,
								f->op,
								f->lsm_rule);
				} else if (ctx) {
					list_for_each_entry(n, &ctx->names_list, list) {
						if (security_audit_rule_match(
								n->osid,
								f->type,
								f->op,
								f->lsm_rule)) {
							++result;
							break;
						}
					}
				}
				/* Find ipc objects that match */
				if (!ctx || ctx->type != AUDIT_IPC)
					break;
				/*
				 * The increment is applied on top of whatever the
				 * file lookup above left in result.
				 */
				if (security_audit_rule_match(ctx->ipc.osid,
							      f->type, f->op,
							      f->lsm_rule))
					++result;
			}
			break;
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			/*
			 * The argv index is derived from the field type; the
			 * case labels limit it to the four syscall arguments.
			 * NOTE(review): relies on AUDIT_ARG0..AUDIT_ARG3 being
			 * consecutive values - confirm against the header.
			 */
			if (ctx)
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
			break;
		case AUDIT_FILTERKEY:
			/* ignore this field for filtering */
			result = 1;
			break;
		case AUDIT_PERM:
			/* ctx is passed through unchecked; the helper is not shown here. */
			result = audit_match_perm(ctx, f->val);
			if (f->op == Audit_not_equal)
				result = !result;
			break;
		case AUDIT_FILETYPE:
			result = audit_match_filetype(ctx, f->val);
			if (f->op == Audit_not_equal)
				result = !result;
			break;
		case AUDIT_FIELD_COMPARE:
			result = audit_field_compare(tsk, cred, f, ctx, name);
			break;
		}
		/* Fields are ANDed: the first one that fails rejects the rule. */
		if (!result)
			return 0;
	}

	if (ctx) {
		/* Only a rule with strictly higher priority may take over the context. */
		if (rule->prio <= ctx->prio)
			return 0;
		if (rule->filterkey) {
			kfree(ctx->filterkey);
			/*
			 * The copy is not checked: if kstrdup() fails the
			 * context keeps a NULL key and the match still stands.
			 */
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
		}
		ctx->prio = rule->prio;
	}
	/* No default case: other action values leave *state as the caller passed it. */
	switch (rule->action) {
	case AUDIT_NEVER:
		*state = AUDIT_DISABLED;
		break;
	case AUDIT_ALWAYS:
		*state = AUDIT_RECORD_CONTEXT;
		break;
	}
	return 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764)
/*
 * Decide at process creation time whether system-call auditing is switched
 * off for this task.  Only the task structure exists at this point, so the
 * rules are evaluated without an audit context or a name.
 *
 * The AUDIT_FILTER_TASK list is walked under the RCU read lock and the first
 * matching rule decides the result.  When that rule yields
 * AUDIT_RECORD_CONTEXT, *key receives a copy of the rule's filterkey made
 * with kstrdup(); the copy is not checked, so *key may be NULL.  In every
 * other case *key is left untouched.
 *
 * Returns the state chosen by the matching rule, or AUDIT_BUILD_CONTEXT when
 * no rule matches.
 */
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
{
	struct audit_entry *entry;
	enum audit_state state;

	rcu_read_lock();
	list_for_each_entry_rcu(entry, &audit_filter_list[AUDIT_FILTER_TASK], list) {
		/* task_creation == true: tsk->cred may be read without RCU here */
		if (!audit_filter_rules(tsk, &entry->rule, NULL, NULL,
					&state, true))
			continue;

		/* GFP_ATOMIC: the copy is made inside the RCU read section */
		if (state == AUDIT_RECORD_CONTEXT)
			*key = kstrdup(entry->rule.filterkey, GFP_ATOMIC);
		rcu_read_unlock();
		return state;
	}
	rcu_read_unlock();

	return AUDIT_BUILD_CONTEXT;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787)
/*
 * Report whether the bit selected by @val is set in @rule's mask.
 *
 * Values above 0xffffffff, and values whose word index is not below
 * AUDIT_BITMASK_SIZE, are rejected before the mask is indexed, so the read
 * of rule->mask[] stays inside the array.  The callers in this file pass
 * ctx->major as @val.
 *
 * Returns non-zero when the bit is set, 0 otherwise.
 */
static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
{
	int idx, flag;

	if (val <= 0xffffffff) {
		idx = AUDIT_WORD(val);
		if (idx < AUDIT_BITMASK_SIZE) {
			flag = AUDIT_BIT(val);
			return rule->mask[idx] & flag;
		}
	}

	return false;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803)
/*
 * Syscall entry/exit filter.  It is called when the audit_state is not low
 * enough to rule auditing out, but also not high enough that a record is
 * already known to be required (i.e. the state is AUDIT_SETUP_CONTEXT or
 * AUDIT_BUILD_CONTEXT).
 *
 * A task for which auditd_test_task() is true is never filtered here and
 * gets AUDIT_DISABLED straight away.
 * NOTE(review): presumably that test identifies the audit daemon itself, so
 * its own syscalls bypass these rules - confirm against the helper.
 *
 * Otherwise @list is walked under the RCU read lock; the first rule whose
 * mask contains ctx->major and whose fields all match decides the state,
 * which is also stored in ctx->current_state.  Returns AUDIT_BUILD_CONTEXT
 * when no rule matches.
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *entry;
	enum audit_state state;

	if (auditd_test_task(tsk))
		return AUDIT_DISABLED;

	rcu_read_lock();
	list_for_each_entry_rcu(entry, list, list) {
		/* cheap mask test first, full field comparison second */
		if (!audit_in_mask(&entry->rule, ctx->major))
			continue;
		if (!audit_filter_rules(tsk, &entry->rule, ctx, NULL,
					&state, false))
			continue;

		rcu_read_unlock();
		ctx->current_state = state;
		return state;
	}
	rcu_read_unlock();

	return AUDIT_BUILD_CONTEXT;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 832)
/*
 * Check one audit_names entry against the rules in its inode hash bucket.
 *
 * The bucket is chosen from the inode number truncated to 32 bits.  Must be
 * called with the RCU read lock held, which protects audit_inode_hash.
 *
 * Returns 1 and stores the resulting state in ctx->current_state for the
 * first rule whose mask contains ctx->major and whose fields all match;
 * returns 0 when no rule in the bucket matches.
 */
static int audit_filter_inode_name(struct task_struct *tsk,
				   struct audit_names *n,
				   struct audit_context *ctx)
{
	struct list_head *bucket = &audit_inode_hash[audit_hash_ino((u32)n->ino)];
	struct audit_entry *entry;
	enum audit_state state;

	list_for_each_entry_rcu(entry, bucket, list) {
		if (!audit_in_mask(&entry->rule, ctx->major))
			continue;
		if (!audit_filter_rules(tsk, &entry->rule, ctx, n, &state, false))
			continue;

		ctx->current_state = state;
		return 1;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 854)
/*
 * Syscall exit filter, used when audit_names were collected while the
 * syscall ran.  Only the rule sublists in the hash buckets that belong to the
 * collected inode numbers are checked.  For audit_state the same rules apply
 * as for audit_filter_syscall().
 *
 * Nothing is done for a task for which auditd_test_task() is true.  The walk
 * over ctx->names_list runs under the RCU read lock and ends at the first
 * name for which audit_filter_inode_name() reports a match.
 */
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
{
	struct audit_names *entry;

	if (auditd_test_task(tsk))
		return;

	rcu_read_lock();
	list_for_each_entry(entry, &ctx->names_list, list) {
		int matched = audit_filter_inode_name(tsk, entry, ctx);

		if (matched)
			break;
	}
	rcu_read_unlock();
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 875)
/*
 * Release the process title stored in @context.
 *
 * The pointer and the length are reset after the free, so the context no
 * longer refers to the released buffer.
 */
static inline void audit_proctitle_free(struct audit_context *context)
{
	char *title = context->proctitle.value;

	context->proctitle.len = 0;
	context->proctitle.value = NULL;
	kfree(title);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 882)
/*
 * Release the module name held by @context.
 *
 * Only acts when the context type is AUDIT_KERN_MODULE; the pointer is
 * cleared after the free so it is not left dangling.
 */
static inline void audit_free_module(struct audit_context *context)
{
	if (context->type != AUDIT_KERN_MODULE)
		return;

	kfree(context->module.name);
	context->module.name = NULL;
}
/*
 * Drop every name collected in @context and release its working directory.
 *
 * Each entry is unlinked from names_list, its name reference is dropped with
 * putname() when one is set, and the entry itself is freed only when it is
 * flagged should_free.
 * NOTE(review): entries without should_free are presumably storage owned by
 * the context itself - confirm against the allocation site.
 *
 * Afterwards name_count is zero and the pwd path is put and cleared.
 */
static inline void audit_free_names(struct audit_context *context)
{
	struct audit_names *cur, *tmp;

	/* _safe variant: entries are unlinked and possibly freed while iterating */
	list_for_each_entry_safe(cur, tmp, &context->names_list, list) {
		list_del(&cur->list);

		if (cur->name)
			putname(cur->name);

		if (cur->should_free)
			kfree(cur);
	}
	context->name_count = 0;

	path_put(&context->pwd);
	context->pwd.mnt = NULL;
	context->pwd.dentry = NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 906)
/*
 * Free both singly linked auxiliary-data chains hanging off @context
 * (aux and aux_pids). Each head pointer is advanced before the node is
 * freed, so the context never refers to released memory and both heads
 * end up NULL.
 */
static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *node;

	for (node = context->aux; node; node = context->aux) {
		context->aux = node->next;
		kfree(node);
	}

	for (node = context->aux_pids; node; node = context->aux_pids) {
		context->aux_pids = node->next;
		kfree(node);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 920)
/*
 * Allocate a zero-filled audit context in the given @state.
 *
 * Returns the new context, or NULL when the allocation fails. A context
 * created in AUDIT_RECORD_CONTEXT state starts with the maximum priority
 * value; every other state starts at 0.
 */
static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);

	if (!ctx)
		return NULL;

	ctx->state = state;
	if (state == AUDIT_RECORD_CONTEXT)
		ctx->prio = ~0ULL;
	else
		ctx->prio = 0;

	/* kzalloc() zeroed the rest; only the list heads need explicit setup */
	INIT_LIST_HEAD(&ctx->killed_trees);
	INIT_LIST_HEAD(&ctx->names_list);
	return ctx;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 934)
/**
 * audit_alloc - allocate an audit context block for a task
 * @tsk: task
 *
 * Filter on the task information and allocate a per-task audit context
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
 * needed.
 *
 * Return: 0 when auditing is off, when the task filter disables auditing
 * for @tsk, or when a context was attached; -ENOMEM when the context
 * could not be allocated (the loss is reported via audit_log_lost()).
 */
int audit_alloc(struct task_struct *tsk)
{
	char *key = NULL;
	enum audit_state state;
	struct audit_context *context;

	/* Return if not auditing. */
	if (likely(!audit_ever_enabled))
		return 0;

	state = audit_filter_task(tsk, &key);
	if (state == AUDIT_DISABLED) {
		/*
		 * NOTE(review): key is not freed on this path; presumably
		 * audit_filter_task() leaves it NULL when it returns
		 * AUDIT_DISABLED -- confirm.
		 */
		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
		return 0;
	}

	context = audit_alloc_context(state);
	if (!context) {
		/* the filter key has no owner yet, so release it here */
		kfree(key);
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}
	/* from here on the context owns the key (see audit_free_context) */
	context->filterkey = key;

	audit_set_context(tsk, context);
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 970)
/*
 * Release everything owned by @context and then the context itself.
 *
 * The per-record helpers run first, followed by the plain heap members.
 * @context is freed at the end and must not be used by the caller again.
 */
static inline void audit_free_context(struct audit_context *context)
{
	/* record-type specific and list-based state */
	audit_free_module(context);
	audit_free_names(context);
	unroll_tree_refs(context, NULL, 0);
	free_tree_refs(context);
	audit_free_aux(context);

	/* simple heap members; kfree(NULL) is a no-op so no guards needed */
	audit_proctitle_free(context);
	kfree(context->sockaddr);
	kfree(context->filterkey);

	kfree(context);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 983)
/*
 * Emit one AUDIT_OBJ_PID record describing a target process.
 *
 * @context:   audit context the record is attached to
 * @pid:       target pid, logged as opid=
 * @auid/@uid: target login uid and uid, translated into init_user_ns
 * @sessionid: target session id, logged as oses=
 * @sid:       security id of the target; 0 means no obj= field is logged
 * @comm:      target command name; it is written through
 *             audit_log_untrustedstring() rather than a plain %s, so it is
 *             handled as untrusted data in the record
 *
 * Returns 1 when @sid could not be translated to a security context
 * (the record then carries obj=(none)), 0 otherwise -- including the case
 * where no audit buffer could be started and nothing was logged.
 */
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
				 kuid_t auid, kuid_t uid, unsigned int sessionid,
				 u32 sid, char *comm)
{
	struct audit_buffer *ab;
	char *secctx = NULL;
	u32 secctx_len;
	int failed = 0;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
	if (!ab)
		return failed;

	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
			 from_kuid(&init_user_ns, auid),
			 from_kuid(&init_user_ns, uid), sessionid);

	if (sid) {
		if (security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
			audit_log_format(ab, " obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		} else {
			/* keep the record, but tell the caller the label is missing */
			audit_log_format(ab, " obj=(none)");
			failed = 1;
		}
	}

	audit_log_format(ab, " ocomm=");
	audit_log_untrustedstring(ab, comm);
	audit_log_end(ab);

	return failed;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1015)
/*
 * audit_log_execve_info - log the argument vector of the current exec
 * @context: audit context; context->execve.argc bounds how many arguments
 *           are walked
 * @ab: in/out audit buffer.  When the current record runs out of room it
 *      is ended and replaced by a fresh AUDIT_EXECVE buffer; if that
 *      allocation fails *ab is left NULL and logging stops.
 *
 * The arguments are read directly from user memory, starting at
 * current->mm->arg_start, so both their bytes and their lengths are
 * untrusted.  Every copy is bounded by the scratch buffer size rather than
 * by a length obtained from userspace, and an argument is hex-encoded when
 * it contains control characters or has to be split across buffers.
 *
 * The caller is responsible for the final audit_log_end() on *ab.
 */
static void audit_log_execve_info(struct audit_context *context,
				  struct audit_buffer **ab)
{
	long len_max;
	long len_rem;
	long len_full;
	long len_buf;
	long len_abuf = 0;
	long len_tmp;
	bool require_data;
	bool encode;
	unsigned int iter;
	unsigned int arg;
	char *buf_head;
	char *buf;
	/* user-space pointer: only dereferenced through the *_user() helpers */
	const char __user *p = (const char __user *)current->mm->arg_start;

	/* NOTE: this buffer needs to be large enough to hold all the non-arg
	 *       data we put in the audit record for this argument (see the
	 *       code below) ... at this point in time 96 is plenty */
	char abuf[96];

	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
	 *       current value of 7500 is not as important as the fact that it
	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
	 *       room if we go over a little bit in the logging below */
	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
	len_max = MAX_EXECVE_AUDIT_LEN;

	/* scratch buffer to hold the userspace args; the extra byte leaves
	 * room for the terminator written at buf_head[len_buf] even when the
	 * buffer is completely full (len_buf == len_max) */
	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
	if (!buf_head) {
		audit_panic("out of memory for argv string");
		return;
	}
	buf = buf_head;

	audit_log_format(*ab, "argc=%d", context->execve.argc);

	len_rem = len_max;
	len_buf = 0;
	len_full = 0;
	require_data = true;
	encode = false;
	iter = 0;
	arg = 0;
	do {
		/* NOTE: we don't ever want to trust this value for anything
		 *       serious, but the audit record format insists we
		 *       provide an argument length for really long arguments,
		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
		 *       to use strnlen_user() to obtain this value for
		 *       recording in the log, although we don't use it
		 *       anywhere here to avoid a double-fetch problem
		 * NOTE(review): the strnlen_user() result is not checked for
		 *       failure here; a bad pointer is only caught by the
		 *       -EFAULT test on the copy below -- confirm that is
		 *       the intended handling */
		if (len_full == 0)
			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;

		/* read more data from userspace */
		if (require_data) {
			/* can we make more room in the buffer? */
			if (buf != buf_head) {
				/* slide the unlogged tail to the front;
				 * memmove because the regions may overlap */
				memmove(buf_head, buf, len_buf);
				buf = buf_head;
			}

			/* fetch as much as we can of the argument; the copy is
			 * limited by the space left in the scratch buffer, not
			 * by len_full */
			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
						    len_max - len_buf);
			if (len_tmp == -EFAULT) {
				/* unable to copy from userspace: kill the
				 * current task and stop logging arguments */
				send_sig(SIGKILL, current, 0);
				goto out;
			} else if (len_tmp == (len_max - len_buf)) {
				/* buffer is not large enough */
				require_data = true;
				/* NOTE: if we are going to span multiple
				 *       buffers force the encoding so we stand
				 *       a chance at a sane len_full value and
				 *       consistent record encoding */
				encode = true;
				len_full = len_full * 2;
				p += len_tmp;
			} else {
				require_data = false;
				if (!encode)
					encode = audit_string_contains_control(
								buf, len_tmp);
				/* try to use a trusted value for len_full */
				if (len_full < len_max)
					len_full = (encode ?
						    len_tmp * 2 : len_tmp);
				/* step over the argument and its terminator */
				p += len_tmp + 1;
			}
			len_buf += len_tmp;
			buf_head[len_buf] = '\0';

			/* length of the buffer in the audit record?
			 * hex encoding doubles it, a plain string adds the
			 * two quote characters */
			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
		}

		/* write as much as we can to the audit log */
		if (len_buf >= 0) {
			/* NOTE: some magic numbers here - basically if we
			 *       can't fit a reasonable amount of data into the
			 *       existing audit buffer, flush it and start with
			 *       a new buffer */
			if ((sizeof(abuf) + 8) > len_rem) {
				len_rem = len_max;
				audit_log_end(*ab);
				*ab = audit_log_start(context,
						      GFP_KERNEL, AUDIT_EXECVE);
				if (!*ab)
					goto out;
			}

			/* create the non-arg portion of the arg record:
			 * " aN_len=..." plus " aN[i]=" for a split argument,
			 * or just " aN=" when it fits in one piece */
			len_tmp = 0;
			if (require_data || (iter > 0) ||
			    ((len_abuf + sizeof(abuf)) > len_rem)) {
				if (iter == 0) {
					len_tmp += snprintf(&abuf[len_tmp],
							sizeof(abuf) - len_tmp,
							" a%d_len=%lu",
							arg, len_full);
				}
				len_tmp += snprintf(&abuf[len_tmp],
						    sizeof(abuf) - len_tmp,
						    " a%d[%d]=", arg, iter++);
			} else
				len_tmp += snprintf(&abuf[len_tmp],
						    sizeof(abuf) - len_tmp,
						    " a%d=", arg);
			/* snprintf() reports the untruncated length, so this
			 * fires if the prefix ever outgrows abuf */
			WARN_ON(len_tmp >= sizeof(abuf));
			abuf[sizeof(abuf) - 1] = '\0';

			/* log the arg in the audit record */
			audit_log_format(*ab, "%s", abuf);
			len_rem -= len_tmp;
			len_tmp = len_buf;
			if (encode) {
				if (len_abuf > len_rem)
					len_tmp = len_rem / 2; /* encoding */
				audit_log_n_hex(*ab, buf, len_tmp);
				len_rem -= len_tmp * 2;
				len_abuf -= len_tmp * 2;
			} else {
				if (len_abuf > len_rem)
					len_tmp = len_rem - 2; /* quotes */
				audit_log_n_string(*ab, buf, len_tmp);
				len_rem -= len_tmp + 2;
				/* don't subtract the "2" because we still need
				 * to add quotes to the remaining string */
				len_abuf -= len_tmp;
			}
			len_buf -= len_tmp;
			buf += len_tmp;
		}

		/* ready to move to the next argument? */
		if ((len_buf == 0) && !require_data) {
			arg++;
			iter = 0;
			len_full = 0;
			require_data = true;
			encode = false;
		}
	} while (arg < context->execve.argc);

	/* NOTE: the caller handles the final audit_log_end() call */

out:
	kfree(buf_head);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1189)
/*
 * Append one capability set to @ab as " <prefix>=<hex>".
 *
 * An empty set is written as a single 0.  Otherwise each 32-bit word is
 * printed as eight hex digits, starting from index CAP_LAST_U32 and
 * working down to index 0.
 */
static void audit_log_cap(struct audit_buffer *ab, char *prefix,
			  kernel_cap_t *cap)
{
	int word;

	if (!cap_isclear(*cap)) {
		audit_log_format(ab, " %s=", prefix);
		CAP_FOR_EACH_U32(word) {
			audit_log_format(ab, "%08x",
					 cap->cap[CAP_LAST_U32 - word]);
		}
		return;
	}

	audit_log_format(ab, " %s=0", prefix);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1203)
/*
 * Append the file-capability fields of @name to @ab.
 *
 * A fcap_ver of -1 is logged as a row of "?" placeholders.  Note for log
 * consumers: that placeholder form carries cap_fe, cap_fver, cap_fp and
 * cap_fi but no cap_frootid field, whereas the normal form carries cap_fp,
 * cap_fi, cap_fe, cap_fver and cap_frootid (root id translated into
 * init_user_ns).
 */
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
{
	if (name->fcap_ver != -1) {
		audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
		audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
		audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
				 name->fcap.fE, name->fcap_ver,
				 from_kuid(&init_user_ns, name->fcap.rootid));
		return;
	}

	audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1216)
/*
 * Emit the time-change records stored in @context.
 *
 * For an AUDIT_TIME_ADJNTPVAL context, one record is written per NTP value
 * whose old and new values differ.  Independently of the context type, an
 * AUDIT_TIME_INJOFFSET record is written when the injected offset is
 * non-zero.
 *
 * @ab is in/out: a buffer passed in by the caller is used for the first
 * record, every record is ended here, and *ab is NULL after any record has
 * been written or when starting a buffer fails.
 */
static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
{
	/*
	 * Indexed by NTP value type.  NOTE(review): the loop below runs to
	 * AUDIT_NTP_NVALS, so this table must have one entry per value type --
	 * confirm the two stay in step when a type is added.
	 */
	static const char * const ntp_name[] = {
		"offset",
		"freq",
		"status",
		"tai",
		"tick",
		"adjust",
	};
	const struct audit_ntp_data *ntp = &context->time.ntp_data;
	const struct timespec64 *tk = &context->time.tk_injoffset;
	int type;

	if (context->type == AUDIT_TIME_ADJNTPVAL) {
		for (type = 0; type < AUDIT_NTP_NVALS; type++) {
			/* unchanged values produce no record */
			if (ntp->vals[type].newval == ntp->vals[type].oldval)
				continue;

			if (!*ab) {
				*ab = audit_log_start(context,
						      GFP_KERNEL,
						      AUDIT_TIME_ADJNTPVAL);
				if (!*ab)
					return;
			}
			audit_log_format(*ab, "op=%s old=%lli new=%lli",
					 ntp_name[type],
					 ntp->vals[type].oldval,
					 ntp->vals[type].newval);
			audit_log_end(*ab);
			*ab = NULL;
		}
	}

	/* nothing injected: no AUDIT_TIME_INJOFFSET record */
	if (tk->tv_sec == 0 && tk->tv_nsec == 0)
		return;

	if (!*ab) {
		*ab = audit_log_start(context, GFP_KERNEL,
				      AUDIT_TIME_INJOFFSET);
		if (!*ab)
			return;
	}
	audit_log_format(*ab, "sec=%lli nsec=%li",
			 (long long)tk->tv_sec, tk->tv_nsec);
	audit_log_end(*ab);
	*ab = NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1263)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1264) static void show_special(struct audit_context *context, int *call_panic)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1265) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1266) struct audit_buffer *ab;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1267) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1268)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1269) ab = audit_log_start(context, GFP_KERNEL, context->type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1270) if (!ab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1271) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1272)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1273) switch (context->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1274) case AUDIT_SOCKETCALL: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1275) int nargs = context->socketcall.nargs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1276) audit_log_format(ab, "nargs=%d", nargs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1277) for (i = 0; i < nargs; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1278) audit_log_format(ab, " a%d=%lx", i,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1279) context->socketcall.args[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1280) break; }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1281) case AUDIT_IPC: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1282) u32 osid = context->ipc.osid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1283)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1284) audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1285) from_kuid(&init_user_ns, context->ipc.uid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1286) from_kgid(&init_user_ns, context->ipc.gid),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1287) context->ipc.mode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1288) if (osid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1289) char *ctx = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1290) u32 len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1291) if (security_secid_to_secctx(osid, &ctx, &len)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1292) audit_log_format(ab, " osid=%u", osid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1293) *call_panic = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1294) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1295) audit_log_format(ab, " obj=%s", ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1296) security_release_secctx(ctx, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1297) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1298) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1299) if (context->ipc.has_perm) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1300) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1301) ab = audit_log_start(context, GFP_KERNEL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1302) AUDIT_IPC_SET_PERM);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1303) if (unlikely(!ab))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1304) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1305) audit_log_format(ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1306) "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1307) context->ipc.qbytes,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1308) context->ipc.perm_uid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1309) context->ipc.perm_gid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1310) context->ipc.perm_mode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1311) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1312) break; }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1313) case AUDIT_MQ_OPEN:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1314) audit_log_format(ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1315) "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1316) "mq_msgsize=%ld mq_curmsgs=%ld",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1317) context->mq_open.oflag, context->mq_open.mode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1318) context->mq_open.attr.mq_flags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1319) context->mq_open.attr.mq_maxmsg,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1320) context->mq_open.attr.mq_msgsize,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1321) context->mq_open.attr.mq_curmsgs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1322) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1323) case AUDIT_MQ_SENDRECV:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1324) audit_log_format(ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1325) "mqdes=%d msg_len=%zd msg_prio=%u "
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1326) "abs_timeout_sec=%lld abs_timeout_nsec=%ld",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1327) context->mq_sendrecv.mqdes,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1328) context->mq_sendrecv.msg_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1329) context->mq_sendrecv.msg_prio,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1330) (long long) context->mq_sendrecv.abs_timeout.tv_sec,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1331) context->mq_sendrecv.abs_timeout.tv_nsec);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1332) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1333) case AUDIT_MQ_NOTIFY:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1334) audit_log_format(ab, "mqdes=%d sigev_signo=%d",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1335) context->mq_notify.mqdes,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1336) context->mq_notify.sigev_signo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1337) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1338) case AUDIT_MQ_GETSETATTR: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1339) struct mq_attr *attr = &context->mq_getsetattr.mqstat;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1340) audit_log_format(ab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1341) "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1342) "mq_curmsgs=%ld ",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1343) context->mq_getsetattr.mqdes,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1344) attr->mq_flags, attr->mq_maxmsg,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1345) attr->mq_msgsize, attr->mq_curmsgs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1346) break; }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1347) case AUDIT_CAPSET:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1348) audit_log_format(ab, "pid=%d", context->capset.pid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1349) audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1350) audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1351) audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1352) audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1353) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1354) case AUDIT_MMAP:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1355) audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1356) context->mmap.flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1357) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1358) case AUDIT_EXECVE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1359) audit_log_execve_info(context, &ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1360) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1361) case AUDIT_KERN_MODULE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1362) audit_log_format(ab, "name=");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1363) if (context->module.name) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1364) audit_log_untrustedstring(ab, context->module.name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1365) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1366) audit_log_format(ab, "(null)");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1367)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1368) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1369) case AUDIT_TIME_ADJNTPVAL:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1370) case AUDIT_TIME_INJOFFSET:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1371) /* this call deviates from the rest, eating the buffer */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1372) audit_log_time(context, &ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1373) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1374) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1375) audit_log_end(ab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1376) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1377)
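/*
 * audit_proctitle_rtrim - length of @proctitle without trailing
 * non-printable bytes
 * @proctitle: buffer holding the raw command line
 * @len: number of valid bytes in @proctitle
 *
 * Only the first @len bytes are examined; no NUL terminator is required.
 * Returns the trimmed length, or 0 when nothing printable remains.
 *
 * A non-positive @len returns 0 without touching the buffer. Without
 * that guard the final check would read proctitle[-1] for @len == 0.
 */
static inline int audit_proctitle_rtrim(char *proctitle, int len)
{
	char *end;

	if (len <= 0)
		return 0;

	end = proctitle + len - 1;
	/* cast keeps the ctype lookup defined for bytes >= 0x80 */
	while (end > proctitle && !isprint((unsigned char)*end))
		end--;

	/* catch the case where proctitle is only 1 non-print character */
	len = end - proctitle + 1;
	len -= isprint((unsigned char)proctitle[len - 1]) == 0;
	return len;
}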
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1389)
/*
 * audit_log_name - emit one AUDIT_PATH record for an audit_names entry
 * @context: audit_context for the task
 * @n: audit_names structure with reportable details
 * @path: optional path to report instead of audit_names->name
 * @record_num: record number to report when handling a list of names
 * @call_panic: optional pointer to int that will be updated if secid fails
 *
 * Path names that originate from the audited task are written through the
 * *_untrustedstring helpers rather than a raw "%s".
 * NOTE(review): the escaping itself lives in those helpers, outside this
 * function; it is what keeps caller-chosen bytes from forging extra
 * fields in the record.
 */
static void audit_log_name(struct audit_context *context, struct audit_names *n,
			   const struct path *path, int record_num, int *call_panic)
{
	struct audit_buffer *ab;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
	if (!ab)
		return;

	audit_log_format(ab, "item=%d", record_num);

	if (path) {
		/* an explicit path overrides whatever name was collected */
		audit_log_d_path(ab, " name=", path);
	} else if (!n->name) {
		audit_log_format(ab, " name=(null)");
	} else if (n->name_len == AUDIT_NAME_FULL) {
		/* log the full path */
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, n->name->name);
	} else if (n->name_len == 0) {
		/* name was specified as a relative path and the
		 * directory component is the cwd
		 */
		audit_log_d_path(ab, " name=", &context->pwd);
	} else {
		/* log the name's directory component */
		audit_log_format(ab, " name=");
		audit_log_n_untrustedstring(ab, n->name->name,
					    n->name_len);
	}

	/* inode details are only present once an inode was attached */
	if (n->ino != AUDIT_INO_UNSET)
		audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
				 n->ino,
				 MAJOR(n->dev),
				 MINOR(n->dev),
				 n->mode,
				 from_kuid(&init_user_ns, n->uid),
				 from_kgid(&init_user_ns, n->gid),
				 MAJOR(n->rdev),
				 MINOR(n->rdev));

	if (n->osid != 0) {
		char *ctx = NULL;
		u32 len;

		if (security_secid_to_secctx(n->osid, &ctx, &len) == 0) {
			audit_log_format(ab, " obj=%s", ctx);
			security_release_secctx(ctx, len);
		} else {
			/*
			 * No label string available: fall back to the raw
			 * secid and let the caller know via @call_panic.
			 */
			audit_log_format(ab, " osid=%u", n->osid);
			if (call_panic)
				*call_panic = 2;
		}
	}

	/* log the audit_names record type */
	switch (n->type) {
	case AUDIT_TYPE_NORMAL:
		audit_log_format(ab, " nametype=NORMAL");
		break;
	case AUDIT_TYPE_PARENT:
		audit_log_format(ab, " nametype=PARENT");
		break;
	case AUDIT_TYPE_CHILD_DELETE:
		audit_log_format(ab, " nametype=DELETE");
		break;
	case AUDIT_TYPE_CHILD_CREATE:
		audit_log_format(ab, " nametype=CREATE");
		break;
	default:
		audit_log_format(ab, " nametype=UNKNOWN");
		break;
	}

	audit_log_fcaps(ab, n);
	audit_log_end(ab);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1480)
/*
 * audit_log_proctitle - emit the AUDIT_PROCTITLE record for the current task
 *
 * The command line is fetched with get_cmdline(), right-trimmed and then
 * cached in context->proctitle; while a cached value exists it is reused.
 * When no usable command line can be obtained, the literal "(null)" is
 * logged instead.
 *
 * The value is handed to audit_log_n_untrustedstring() with an explicit
 * length, never to a "%s" format, because the bytes come from the task's
 * own command line.
 */
static void audit_log_proctitle(void)
{
	struct audit_context *context = audit_context();
	struct audit_buffer *ab;
	char *msg = "(null)";
	int len = strlen(msg);
	char *buf;
	int res;

	if (!context || context->dummy)
		return;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
	if (!ab)
		return;	/* audit_panic or being filtered */

	audit_log_format(ab, "proctitle=");

	/* Not cached */
	if (!context->proctitle.value) {
		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
		if (!buf)
			goto out;
		/* Historically called this from procfs naming */
		res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
		if (res != 0)
			res = audit_proctitle_rtrim(buf, res);
		/* empty before or after trimming: keep the "(null)" fallback */
		if (res == 0) {
			kfree(buf);
			goto out;
		}
		/* the context takes ownership of buf from here on */
		context->proctitle.value = buf;
		context->proctitle.len = res;
	}
	msg = context->proctitle.value;
	len = context->proctitle.len;
out:
	audit_log_n_untrustedstring(ab, msg, len);
	audit_log_end(ab);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1524)
/*
 * audit_log_exit - write out every record of the current syscall event
 *
 * Emits, in this order: the AUDIT_SYSCALL record, one record per entry on
 * context->aux, the syscall-specific record from show_special() when
 * context->type is set, AUDIT_FD_PAIR, AUDIT_SOCKADDR, the records produced
 * by audit_log_pid_context() for signalled targets, AUDIT_CWD, one
 * AUDIT_PATH record per non-hidden name, the proctitle record and finally
 * AUDIT_EOE.
 *
 * The context returned by audit_context() is dereferenced without a NULL
 * check; the callers in this file test it before calling.
 *
 * A failed audit_log_start() only drops that one record; the remaining
 * records of the event are still attempted, except for the leading
 * AUDIT_SYSCALL record whose failure aborts the whole event.
 */
static void audit_log_exit(void)
{
	int i, call_panic = 0;
	struct audit_context *context = audit_context();
	struct audit_buffer *ab;
	struct audit_aux_data *aux;
	struct audit_names *n;

	context->personality = current->personality;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
	if (!ab)
		return;		/* audit_panic has been called */
	audit_log_format(ab, "arch=%x syscall=%d",
			 context->arch, context->major);
	/* per= is only reported for a non-default personality */
	if (context->personality != PER_LINUX)
		audit_log_format(ab, " per=%lx", context->personality);
	/* success=/exit= are omitted when return_valid is 0 */
	if (context->return_valid)
		audit_log_format(ab, " success=%s exit=%ld",
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
				 context->return_code);

	/*
	 * a0..a3 are the raw argument values saved at syscall entry.
	 * NOTE(review): items= reports name_count while hidden names are
	 * skipped in the PATH loop below; confirm name_count excludes them.
	 */
	audit_log_format(ab,
			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
			 context->argv[0],
			 context->argv[1],
			 context->argv[2],
			 context->argv[3],
			 context->name_count);

	audit_log_task_info(ab);
	audit_log_key(ab, context->filterkey);
	audit_log_end(ab);

	/* one record per auxiliary data entry, typed by aux->type */
	for (aux = context->aux; aux; aux = aux->next) {

		ab = audit_log_start(context, GFP_KERNEL, aux->type);
		if (!ab)
			continue; /* audit_panic has been called */

		switch (aux->type) {

		/* file capabilities plus the old and new process capability sets */
		case AUDIT_BPRM_FCAPS: {
			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
			audit_log_format(ab, "fver=%x", axs->fcap_ver);
			audit_log_cap(ab, "fp", &axs->fcap.permitted);
			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
			audit_log_format(ab, " fe=%d", axs->fcap.fE);
			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
			audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
			audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
			audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
			audit_log_cap(ab, "pe", &axs->new_pcap.effective);
			audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
			audit_log_format(ab, " frootid=%d",
					 from_kuid(&init_user_ns,
						   axs->fcap.rootid));
			break; }

		}
		/* an aux type without a case above still ends its (empty) record */
		audit_log_end(ab);
	}

	if (context->type)
		show_special(context, &call_panic);

	/* fds[0] < 0 means no descriptor pair was recorded for this syscall */
	if (context->fds[0] >= 0) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
		if (ab) {
			audit_log_format(ab, "fd0=%d fd1=%d",
					 context->fds[0], context->fds[1]);
			audit_log_end(ab);
		}
	}

	/* the socket address is dumped as hex, sockaddr_len bytes long */
	if (context->sockaddr_len) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
		if (ab) {
			audit_log_format(ab, "saddr=");
			audit_log_n_hex(ab, (void *)context->sockaddr,
					context->sockaddr_len);
			audit_log_end(ab);
		}
	}

	/* a non-zero return from audit_log_pid_context() requests a panic */
	for (aux = context->aux_pids; aux; aux = aux->next) {
		struct audit_aux_data_pids *axs = (void *)aux;

		for (i = 0; i < axs->pid_count; i++)
			if (audit_log_pid_context(context, axs->target_pid[i],
						  axs->target_auid[i],
						  axs->target_uid[i],
						  axs->target_sessionid[i],
						  axs->target_sid[i],
						  axs->target_comm[i]))
				call_panic = 1;
	}

	if (context->target_pid &&
	    audit_log_pid_context(context, context->target_pid,
				  context->target_auid, context->target_uid,
				  context->target_sessionid,
				  context->target_sid, context->target_comm))
			call_panic = 1;

	/* the cwd is only logged when both dentry and mount were captured */
	if (context->pwd.dentry && context->pwd.mnt) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
		if (ab) {
			audit_log_d_path(ab, "cwd=", &context->pwd);
			audit_log_end(ab);
		}
	}

	/* i numbers only the names that are actually logged (item=) */
	i = 0;
	list_for_each_entry(n, &context->names_list, list) {
		if (n->hidden)
			continue;
		audit_log_name(context, n, NULL, i++, &call_panic);
	}

	audit_log_proctitle();

	/* Send end of event record to help user space know we are finished */
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
	if (ab)
		audit_log_end(ab);
	/* deferred until every record of the event has been attempted */
	if (call_panic)
		audit_panic("error converting sid to string");
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1656)
/**
 * __audit_free - free a per-task audit context
 * @tsk: task whose audit context block to free
 *
 * Called from copy_process and do_exit
 */
void __audit_free(struct task_struct *tsk)
{
	struct audit_context *ctx = tsk->audit_context;

	if (!ctx)
		return;

	if (!list_empty(&ctx->killed_trees))
		audit_kill_trees(ctx);

	/* We are called either by do_exit() or the fork() error handling code;
	 * in the former case tsk == current and in the latter tsk is a
	 * task_struct that doesn't have any meaningful data we need to log
	 * via audit_log_exit().
	 */
	if (tsk != current || ctx->dummy || !ctx->in_syscall)
		goto release;

	/* the task dies mid-syscall, so there is no return value to report */
	ctx->return_valid = 0;
	ctx->return_code = 0;

	audit_filter_syscall(tsk, ctx,
			     &audit_filter_list[AUDIT_FILTER_EXIT]);
	audit_filter_inodes(tsk, ctx);
	if (ctx->current_state == AUDIT_RECORD_CONTEXT)
		audit_log_exit();

release:
	/* detach from the task before the context is released */
	audit_set_context(tsk, NULL);
	audit_free_context(ctx);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1692)
/**
 * __audit_syscall_entry - fill in an audit record at syscall entry
 * @major: major syscall type (function)
 * @a1: additional syscall register 1
 * @a2: additional syscall register 2
 * @a3: additional syscall register 3
 * @a4: additional syscall register 4
 *
 * Fill in audit context at syscall entry.  This only happens if the
 * audit context was created when the task was created and the state or
 * filters demand the audit context be built.  If the state from the
 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
 * then the record will be written at syscall exit time (otherwise, it
 * will only be written if another part of the kernel requests that it
 * be written).
 */
void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
			   unsigned long a3, unsigned long a4)
{
	struct audit_context *ctx = audit_context();
	enum audit_state state;

	if (!audit_enabled || !ctx)
		return;

	/* a context still marked in-syscall, or holding names, is a bug */
	BUG_ON(ctx->in_syscall || ctx->name_count);

	state = ctx->state;
	if (state == AUDIT_DISABLED)
		return;

	/* with no rules loaded the context is only a placeholder */
	ctx->dummy = !audit_n_rules;
	if (state == AUDIT_BUILD_CONTEXT && !ctx->dummy) {
		ctx->prio = 0;
		/*
		 * NOTE(review): presumably skips building a context for the
		 * audit daemon's own syscalls; confirm in auditd_test_task().
		 */
		if (auditd_test_task(current))
			return;
	}

	ctx->arch = syscall_get_arch(current);
	ctx->major = major;
	ctx->argv[0] = a1;
	ctx->argv[1] = a2;
	ctx->argv[2] = a3;
	ctx->argv[3] = a4;
	ctx->serial = 0;
	ctx->in_syscall = 1;
	ctx->current_state = state;
	ctx->ppid = 0;
	/* event timestamp is taken at entry, from the coarse realtime clock */
	ktime_get_coarse_real_ts64(&ctx->ctime);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1743)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1744) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1745) * __audit_syscall_exit - deallocate audit context after a system call
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1746) * @success: success value of the syscall
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1747) * @return_code: return value of the syscall
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1748) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1749) * Tear down after system call. If the audit context has been marked as
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1750) * auditable (either because of the AUDIT_RECORD_CONTEXT state from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1751) * filtering, or because some other part of the kernel wrote an audit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1752) * message), then write out the syscall information. In all cases,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1753) * free the names stored from getname().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1754) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1755) void __audit_syscall_exit(int success, long return_code)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1756) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1757) struct audit_context *context;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1758)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1759) context = audit_context();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1760) if (!context)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1761) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1762)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1763) if (!list_empty(&context->killed_trees))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1764) audit_kill_trees(context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1765)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1766) if (!context->dummy && context->in_syscall) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1767) if (success)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1768) context->return_valid = AUDITSC_SUCCESS;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1769) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1770) context->return_valid = AUDITSC_FAILURE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1771)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1772) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1773) * we need to fix up the return code in the audit logs if the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1774) * actual return codes are later going to be fixed up by the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1775) * arch specific signal handlers
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1776) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1777) * This is actually a test for:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1778) * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1779) * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1780) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1781) * but is faster than a bunch of ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1782) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1783) if (unlikely(return_code <= -ERESTARTSYS) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1784) (return_code >= -ERESTART_RESTARTBLOCK) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1785) (return_code != -ENOIOCTLCMD))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1786) context->return_code = -EINTR;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1787) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1788) context->return_code = return_code;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1789)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1790) audit_filter_syscall(current, context,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1791) &audit_filter_list[AUDIT_FILTER_EXIT]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1792) audit_filter_inodes(current, context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1793) if (context->current_state == AUDIT_RECORD_CONTEXT)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1794) audit_log_exit();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1795) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1796)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1797) context->in_syscall = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1798) context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1799)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1800) audit_free_module(context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1801) audit_free_names(context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1802) unroll_tree_refs(context, NULL, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1803) audit_free_aux(context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1804) context->aux = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1805) context->aux_pids = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1806) context->target_pid = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1807) context->target_sid = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1808) context->sockaddr_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1809) context->type = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1810) context->fds[0] = -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1811) if (context->state != AUDIT_RECORD_CONTEXT) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1812) kfree(context->filterkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1813) context->filterkey = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1814) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1815) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1816)
/*
 * handle_one - take an audit-tree chunk reference for a single inode
 * @inode: inode to look up
 *
 * Returns early when the inode carries no fsnotify marks or when
 * audit_tree_lookup() finds no chunk.  Otherwise the chunk is handed to
 * put_tree_ref() for the current audit context; if that fails, the
 * reference storage is grown once and put_tree_ref() is called again (the
 * result of that second call is not checked).
 *
 * When growing fails, a warning is logged, audit_set_auditable() is called
 * on the context, the chunk is released and unroll_tree_refs() is called
 * with the trees pointer and count saved on entry.  That warning in the
 * kernel log is the only trace of the lost tree reference, so it is worth
 * alerting on where tree (directory) watches matter.
 *
 * The result of audit_context() is dereferenced without a NULL check; the
 * caller visible in this file (__audit_inode_child) has already
 * dereferenced the same context before calling in.
 */
static inline void handle_one(const struct inode *inode)
{
	struct audit_context *ctx;
	struct audit_tree_refs *saved_refs;
	struct audit_chunk *found;
	int saved_count;

	/* Fast path: nothing to do for inodes without fsnotify marks. */
	if (likely(!inode->i_fsnotify_marks))
		return;

	ctx = audit_context();
	saved_refs = ctx->trees;
	saved_count = ctx->tree_count;

	/* Only the lookup itself runs inside the RCU read-side section. */
	rcu_read_lock();
	found = audit_tree_lookup(inode);
	rcu_read_unlock();

	if (!found || likely(put_tree_ref(ctx, found)))
		return;

	/* No room for the reference: grow the storage and try once more. */
	if (likely(grow_tree_refs(ctx))) {
		put_tree_ref(ctx, found);
		return;
	}

	pr_warn("out of memory, audit has lost a tree reference\n");
	audit_set_auditable(ctx);
	audit_put_chunk(found);
	unroll_tree_refs(ctx, saved_refs, saved_count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1844)
/*
 * handle_path - collect audit-tree chunk references along a dentry's ancestry
 * @dentry: starting dentry
 *
 * Walks from @dentry upwards through d_parent until a dentry that is its
 * own parent is reached.  The walk runs under rcu_read_lock() and inside a
 * rename_lock sequence read section.  For every dentry whose backing inode
 * has fsnotify marks, the chunk returned by audit_tree_lookup() is passed
 * to put_tree_ref(); the walk stops at the first chunk that cannot be
 * stored.
 *
 * After the walk:
 *  - no rename race and nothing left over: done;
 *  - rename race only: unroll to the state saved on entry and retry;
 *  - a chunk could not be stored: release it, grow the reference storage
 *    and retry from scratch, or, if growing fails, log a warning, unroll
 *    and call audit_set_auditable() on the context.
 *
 * The warning is the only trace of the lost tree reference, so it is worth
 * alerting on in the kernel log where tree (directory) watches matter.
 *
 * The result of audit_context() is dereferenced without a NULL check; the
 * caller visible in this file (__audit_inode) has already dereferenced the
 * same context before calling in.
 */
static void handle_path(const struct dentry *dentry)
{
	struct audit_context *ctx;
	struct audit_tree_refs *saved_refs;
	const struct dentry *cur, *up;
	struct audit_chunk *overflow;
	unsigned long seq;
	int saved_count;
	bool again;

	ctx = audit_context();
	saved_refs = ctx->trees;
	saved_count = ctx->tree_count;
retry:
	overflow = NULL;
	cur = dentry;
	rcu_read_lock();
	seq = read_seqbegin(&rename_lock);
	while (1) {
		struct inode *inode = d_backing_inode(cur);

		if (inode && unlikely(inode->i_fsnotify_marks)) {
			struct audit_chunk *chunk = audit_tree_lookup(inode);

			/* Remember the chunk that did not fit and stop walking. */
			if (chunk && unlikely(!put_tree_ref(ctx, chunk))) {
				overflow = chunk;
				break;
			}
		}

		up = cur->d_parent;
		if (up == cur)
			break;
		cur = up;
	}

	/*
	 * read_seqretry() has to be evaluated first, and while still inside
	 * the RCU read-side section; only then is the overflow chunk tested.
	 */
	again = read_seqretry(&rename_lock, seq) || overflow;
	rcu_read_unlock();
	if (likely(!again))
		return;

	if (overflow) {
		audit_put_chunk(overflow);
		if (!grow_tree_refs(ctx)) {
			/* too bad */
			pr_warn("out of memory, audit has lost a tree reference\n");
			unroll_tree_refs(ctx, saved_refs, saved_count);
			audit_set_auditable(ctx);
			return;
		}
		/* OK, got more space */
	}

	/* Either just a race with rename, or more space is now available. */
	unroll_tree_refs(ctx, saved_refs, saved_count);
	goto retry;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1900)
/*
 * audit_alloc_name - obtain a zeroed audit_names entry and queue it
 * @context: audit context that will own the entry
 * @type: AUDIT_TYPE_* value stored in the new entry
 *
 * While name_count is below AUDIT_NAMES the entry comes from
 * context->preallocated_names[]; that comparison is the only bound on the
 * array index (presumably the array holds AUDIT_NAMES entries; confirm
 * against the struct definition).  Beyond that, entries are allocated with
 * kzalloc(GFP_NOFS) and flagged should_free.
 *
 * NOTE(review): no upper limit on the number of heap-allocated entries is
 * enforced in this function; name_count simply keeps growing.
 *
 * Returns the new entry, already linked at the tail of
 * context->names_list, or NULL if the heap allocation fails.
 */
static struct audit_names *audit_alloc_name(struct audit_context *context,
					    unsigned char type)
{
	struct audit_names *entry;

	if (context->name_count >= AUDIT_NAMES) {
		/* Preallocated slots exhausted: fall back to the heap. */
		entry = kzalloc(sizeof(*entry), GFP_NOFS);
		if (!entry)
			return NULL;
		entry->should_free = true;
	} else {
		entry = &context->preallocated_names[context->name_count];
		memset(entry, 0, sizeof(*entry));
	}

	entry->type = type;
	entry->ino = AUDIT_INO_UNSET;
	list_add_tail(&entry->list, &context->names_list);
	context->name_count++;

	return entry;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1923)
/**
 * __audit_reusename - fill out filename with info from existing entry
 * @uptr: userland ptr to pathname
 *
 * Walk the names list of the current audit context and return the filename
 * of the first entry whose recorded user pointer equals @uptr, after
 * incrementing its refcnt.  Entries without a filename are skipped.
 * Returns NULL when nothing matches.
 *
 * The match is on the user pointer value only; the pathname contents are
 * not re-read or compared here.
 *
 * NOTE(review): refcnt is bumped with a plain increment and no locking is
 * visible in this function; presumably safe because the list belongs to
 * the current task's context. Confirm.
 */
struct filename *
__audit_reusename(const __user char *uptr)
{
	struct audit_context *ctx = audit_context();
	struct audit_names *entry;

	list_for_each_entry(entry, &ctx->names_list, list) {
		struct filename *cached = entry->name;

		if (cached && cached->uptr == uptr) {
			cached->refcnt++;
			return cached;
		}
	}

	return NULL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1948)
/*
 * _audit_getcwd - capture the task's working directory once per context
 * @context: audit context to fill in
 *
 * Does nothing if context->pwd already holds a dentry; otherwise stores the
 * current task's pwd into it via get_fs_pwd().
 */
inline void _audit_getcwd(struct audit_context *context)
{
	if (context->pwd.dentry)
		return;

	get_fs_pwd(current->fs, &context->pwd);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1954)
/*
 * __audit_getcwd - record the working directory for the current syscall
 *
 * Only acts while the current audit context is marked in_syscall.  The
 * context returned by audit_context() is dereferenced without a NULL check
 * (NOTE(review): presumably callers only reach this with a live context;
 * confirm against the call sites).
 */
void __audit_getcwd(void)
{
	struct audit_context *ctx = audit_context();

	if (!ctx->in_syscall)
		return;

	_audit_getcwd(ctx);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1962)
/**
 * __audit_getname - add a name to the list
 * @name: name to add
 *
 * Add a name to the list of audit names for this context.
 * Called from fs/namei.c:getname().
 *
 * Nothing is recorded outside a syscall or when no audit_names entry can be
 * allocated; in the latter case the name is silently left out of the audit
 * context.  On success the entry and @name point at each other, @name's
 * refcnt is incremented and the working directory is captured.
 */
void __audit_getname(struct filename *name)
{
	struct audit_context *ctx = audit_context();
	struct audit_names *slot;

	if (!ctx->in_syscall)
		return;

	slot = audit_alloc_name(ctx, AUDIT_TYPE_UNKNOWN);
	if (!slot)
		return;

	/* Link entry and filename in both directions. */
	slot->name_len = AUDIT_NAME_FULL;
	slot->name = name;
	name->refcnt++;
	name->aname = slot;

	_audit_getcwd(ctx);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1989)
/*
 * audit_copy_fcaps - copy on-disk file capabilities into an audit_names
 * @name: entry to fill in
 * @dentry: dentry whose capabilities are read; may be NULL
 *
 * Returns 0 when @dentry is NULL (nothing is copied) or when the
 * capabilities were copied, otherwise the non-zero value returned by
 * get_vfs_caps_from_disk(); in that case @name's fcap fields are left
 * untouched.
 */
static inline int audit_copy_fcaps(struct audit_names *name,
				   const struct dentry *dentry)
{
	struct cpu_vfs_cap_data disk_caps;
	int err;

	if (!dentry)
		return 0;

	err = get_vfs_caps_from_disk(dentry, &disk_caps);
	if (err)
		return err;

	/* Capability sets and root id are copied as-is. */
	name->fcap.permitted = disk_caps.permitted;
	name->fcap.inheritable = disk_caps.inheritable;
	name->fcap.rootid = disk_caps.rootid;

	/* The effective flag and the revision are both packed into magic_etc. */
	name->fcap.fE = (disk_caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE) != 0;
	name->fcap_ver = (disk_caps.magic_etc & VFS_CAP_REVISION_MASK) >>
				VFS_CAP_REVISION_SHIFT;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2012)
/*
 * Copy inode data into an audit_names.
 *
 * Inode number, device, mode, owner, group, rdev and the security id are
 * always copied.  With AUDIT_INODE_NOEVAL set in @flags the file
 * capabilities are not read and fcap_ver is set to -1; otherwise they are
 * copied through audit_copy_fcaps().
 *
 * NOTE(review): the return value of audit_copy_fcaps() is discarded, so a
 * failure to read the capabilities is not reported and the entry keeps
 * whatever fcap values it already held.
 */
static void audit_copy_inode(struct audit_names *name,
			     const struct dentry *dentry,
			     struct inode *inode, unsigned int flags)
{
	name->ino = inode->i_ino;
	name->dev = inode->i_sb->s_dev;
	name->rdev = inode->i_rdev;
	name->mode = inode->i_mode;
	name->uid = inode->i_uid;
	name->gid = inode->i_gid;
	security_inode_getsecid(inode, &name->osid);

	if (!(flags & AUDIT_INODE_NOEVAL)) {
		audit_copy_fcaps(name, dentry);
		return;
	}

	name->fcap_ver = -1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2031)
/**
 * __audit_inode - store the inode and device from a lookup
 * @name: name being audited (NULL is accepted, see __audit_file())
 * @dentry: dentry being audited
 * @flags: attributes for this particular entry
 *
 * Does nothing outside a syscall.  It also returns before recording
 * anything when a rule on the AUDIT_FILTER_FS list has an AUDIT_FSTYPE
 * field matching the inode's superblock magic and the action AUDIT_NEVER;
 * such rules therefore suppress name/inode collection for a whole
 * filesystem type and deserve attention when audit rules are reviewed.
 *
 * Otherwise an existing audit_names entry of a compatible type is reused
 * (first the one cached in @name, then a reverse search of the names list)
 * or a new one is allocated; the entry is then typed as parent or normal,
 * tree references are collected and the inode data is copied.
 *
 * NOTE(review): the backing inode of @dentry is dereferenced without a
 * NULL check. Presumably callers pass positive dentries only; confirm.
 */
void __audit_inode(struct filename *name, const struct dentry *dentry,
		   unsigned int flags)
{
	struct audit_context *context = audit_context();
	struct inode *inode = d_backing_inode(dentry);
	struct list_head *fs_rules = &audit_filter_list[AUDIT_FILTER_FS];
	bool want_parent = flags & AUDIT_INODE_PARENT;
	struct audit_entry *rule_entry;
	struct audit_names *n;
	int idx;

	if (!context->in_syscall)
		return;

	/* Filesystem-type exclusion rules are checked before anything is recorded. */
	rcu_read_lock();
	list_for_each_entry_rcu(rule_entry, fs_rules, list) {
		for (idx = 0; idx < rule_entry->rule.field_count; idx++) {
			struct audit_field *f = &rule_entry->rule.fields[idx];

			if (f->type != AUDIT_FSTYPE)
				continue;
			if (!audit_comparator(inode->i_sb->s_magic,
					      f->op, f->val))
				continue;
			if (rule_entry->rule.action != AUDIT_NEVER)
				continue;

			rcu_read_unlock();
			return;
		}
	}
	rcu_read_unlock();

	if (!name)
		goto out_alloc;

	/*
	 * An audit_names entry already cached in the filename can be used
	 * directly, provided its type is compatible with the request.
	 */
	n = name->aname;
	if (n && want_parent &&
	    (n->type == AUDIT_TYPE_PARENT || n->type == AUDIT_TYPE_UNKNOWN))
		goto out;
	if (n && !want_parent && n->type != AUDIT_TYPE_PARENT)
		goto out;

	list_for_each_entry_reverse(n, &context->names_list, list) {
		if (n->ino) {
			/*
			 * Non-zero inode number: compare inode and device.
			 * NOTE(review): audit_alloc_name() initialises ino
			 * to AUDIT_INO_UNSET; if that constant is non-zero,
			 * fresh entries land here rather than in the name
			 * comparison. Confirm against its definition.
			 */
			if (!(n->ino == inode->i_ino &&
			      n->dev == inode->i_sb->s_dev))
				continue;
		} else if (!n->name) {
			/* no inode and no name (?!) ... this is odd ... */
			continue;
		} else if (strcmp(n->name->name, name->name) != 0) {
			/* inode number has not been set, names differ */
			continue;
		}

		/* Same object: accept it only if the record type fits. */
		if (want_parent) {
			if (n->type != AUDIT_TYPE_PARENT &&
			    n->type != AUDIT_TYPE_UNKNOWN)
				continue;
		} else if (n->type == AUDIT_TYPE_PARENT) {
			continue;
		}
		goto out;
	}

out_alloc:
	/* unable to find an entry with both a matching name and type */
	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
	if (!n)
		return;
	if (name) {
		name->refcnt++;
		n->name = name;
	}

out:
	if (!want_parent) {
		n->type = AUDIT_TYPE_NORMAL;
		n->name_len = AUDIT_NAME_FULL;
	} else {
		if (n->name)
			n->name_len = parent_len(n->name->name);
		else
			n->name_len = AUDIT_NAME_FULL;
		n->type = AUDIT_TYPE_PARENT;
		if (flags & AUDIT_INODE_HIDDEN)
			n->hidden = true;
	}
	handle_path(dentry);
	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2135)
/*
 * __audit_file - record the inode behind an open file
 * @file: file whose path dentry is audited
 *
 * Forwards to __audit_inode() with no filename and no flags.
 */
void __audit_file(const struct file *file)
{
	const struct dentry *dentry = file->f_path.dentry;

	__audit_inode(NULL, dentry, 0);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2140)
/**
 * __audit_inode_child - collect inode info for created/removed objects
 * @parent: inode of dentry parent
 * @dentry: dentry being audited
 * @type:   AUDIT_TYPE_* value that we're looking for
 *
 * For syscalls that create or remove filesystem objects, audit_inode
 * can only collect information for the filesystem object's parent.
 * This call updates the audit context with the child's information.
 * Syscalls that create a new filesystem object must be hooked after
 * the object is created.  Syscalls that remove a filesystem object
 * must be hooked prior, in order to capture the target inode during
 * unsuccessful attempts.
 *
 * Nothing is recorded outside a syscall, or when a rule on the
 * AUDIT_FILTER_FS list has an AUDIT_FSTYPE field matching the parent's
 * superblock magic and the action AUDIT_NEVER.  If allocating either the
 * parent or the child entry fails, the function returns without recording
 * the remaining information.
 */
void __audit_inode_child(struct inode *parent,
			 const struct dentry *dentry,
			 const unsigned char type)
{
	struct audit_context *context = audit_context();
	struct inode *inode = d_backing_inode(dentry);
	const struct qstr *dname = &dentry->d_name;
	struct list_head *fs_rules = &audit_filter_list[AUDIT_FILTER_FS];
	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
	struct audit_entry *rule_entry;
	int idx;

	if (!context->in_syscall)
		return;

	/* Filesystem-type exclusion rules are checked before anything is recorded. */
	rcu_read_lock();
	list_for_each_entry_rcu(rule_entry, fs_rules, list) {
		for (idx = 0; idx < rule_entry->rule.field_count; idx++) {
			struct audit_field *f = &rule_entry->rule.fields[idx];

			if (f->type != AUDIT_FSTYPE)
				continue;
			if (!audit_comparator(parent->i_sb->s_magic,
					      f->op, f->val))
				continue;
			if (rule_entry->rule.action != AUDIT_NEVER)
				continue;

			rcu_read_unlock();
			return;
		}
	}
	rcu_read_unlock();

	if (inode)
		handle_one(inode);

	/* look for a parent entry first */
	list_for_each_entry(n, &context->names_list, list) {
		if (!n->name)
			continue;
		if (n->type != AUDIT_TYPE_PARENT &&
		    n->type != AUDIT_TYPE_UNKNOWN)
			continue;
		if (n->ino != parent->i_ino || n->dev != parent->i_sb->s_dev)
			continue;
		if (audit_compare_dname_path(dname, n->name->name,
					     n->name_len))
			continue;

		/* An entry of unknown type is claimed as the parent record. */
		if (n->type == AUDIT_TYPE_UNKNOWN)
			n->type = AUDIT_TYPE_PARENT;
		found_parent = n;
		break;
	}

	/* is there a matching child entry? */
	list_for_each_entry(n, &context->names_list, list) {
		/* can only match entries that have a name */
		if (!n->name)
			continue;
		if (n->type != type && n->type != AUDIT_TYPE_UNKNOWN)
			continue;

		/* Neither the bare name nor the path tail matches: skip. */
		if (strcmp(dname->name, n->name->name) != 0 &&
		    audit_compare_dname_path(dname, n->name->name,
					     found_parent ?
					     found_parent->name_len :
					     AUDIT_NAME_FULL) != 0)
			continue;

		if (n->type == AUDIT_TYPE_UNKNOWN)
			n->type = type;
		found_child = n;
		break;
	}

	if (!found_parent) {
		/* create a new, "anonymous" parent record */
		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
		if (!n)
			return;
		audit_copy_inode(n, NULL, parent, 0);
	}

	if (!found_child) {
		found_child = audit_alloc_name(context, type);
		if (!found_child)
			return;

		/*
		 * Re-use the name belonging to the slot for a matching parent
		 * directory.  All names for this context are relinquished in
		 * audit_free_names().
		 */
		if (found_parent) {
			found_child->name_len = AUDIT_NAME_FULL;
			found_child->name = found_parent->name;
			found_child->name->refcnt++;
		}
	}

	/* A dentry without a backing inode is recorded with the "unset" inode number. */
	if (!inode)
		found_child->ino = AUDIT_INO_UNSET;
	else
		audit_copy_inode(found_child, dentry, inode, 0);
}
EXPORT_SYMBOL_GPL(__audit_inode_child);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2254)
/**
 * auditsc_get_stamp - hand out the timestamp and serial held in an audit_context
 * @ctx: audit_context for the task
 * @t: timespec64 that receives ctx->ctime
 * @serial: receives the serial number stored in (or newly assigned to) @ctx
 *
 * When @ctx is not inside a syscall nothing is written and 0 is returned.
 * Otherwise a serial is taken from audit_serial() if the context has none
 * yet, @t and @serial are filled in, and a context with prio == 0 is
 * promoted to prio 1 / AUDIT_RECORD_CONTEXT so that it becomes auditable.
 *
 * Return: 1 if @t and @serial were filled in, 0 otherwise.
 */
int auditsc_get_stamp(struct audit_context *ctx,
		      struct timespec64 *t, unsigned int *serial)
{
	if (!ctx->in_syscall)
		return 0;

	/* The serial is assigned lazily, the first time a stamp is requested. */
	if (ctx->serial == 0)
		ctx->serial = audit_serial();
	*serial = ctx->serial;

	t->tv_sec = ctx->ctime.tv_sec;
	t->tv_nsec = ctx->ctime.tv_nsec;

	/* A context nobody asked to record yet is upgraded to "record". */
	if (ctx->prio == 0) {
		ctx->current_state = AUDIT_RECORD_CONTEXT;
		ctx->prio = 1;
	}
	return 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2279)
/**
 * __audit_mq_open - record audit data for a POSIX MQ open
 * @oflag: open flag
 * @mode: mode bits
 * @attr: queue attributes, may be NULL
 *
 * Stores the arguments in the mq_open member of the context returned by
 * audit_context() and tags the context as AUDIT_MQ_OPEN.  A NULL @attr is
 * recorded as an all-zero struct mq_attr.
 *
 * NOTE(review): the context pointer is dereferenced without a NULL check;
 * presumably the caller only gets here with a real context - confirm.
 */
void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
{
	struct audit_context *ctx = audit_context();

	ctx->type = AUDIT_MQ_OPEN;
	ctx->mq_open.oflag = oflag;
	ctx->mq_open.mode = mode;

	if (!attr) {
		/* No attributes supplied: never leave stale data in the record. */
		memset(&ctx->mq_open.attr, 0, sizeof(struct mq_attr));
		return;
	}
	memcpy(&ctx->mq_open.attr, attr, sizeof(struct mq_attr));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2301)
/**
 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
 * @mqdes: MQ descriptor
 * @msg_len: Message length
 * @msg_prio: Message priority
 * @abs_timeout: Message timeout in absolute time, may be NULL
 *
 * Stores the arguments in the mq_sendrecv member of the context returned by
 * audit_context() and tags the context as AUDIT_MQ_SENDRECV.  A NULL
 * @abs_timeout is recorded as an all-zero timespec64.
 */
void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
			 const struct timespec64 *abs_timeout)
{
	struct audit_context *ctx = audit_context();
	struct timespec64 *dst = &ctx->mq_sendrecv.abs_timeout;

	ctx->type = AUDIT_MQ_SENDRECV;
	ctx->mq_sendrecv.mqdes = mqdes;
	ctx->mq_sendrecv.msg_len = msg_len;
	ctx->mq_sendrecv.msg_prio = msg_prio;

	if (!abs_timeout) {
		/* No timeout given: zero the slot instead of keeping old data. */
		memset(dst, 0, sizeof(*dst));
		return;
	}
	memcpy(dst, abs_timeout, sizeof(*dst));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2327)
/**
 * __audit_mq_notify - record audit data for a POSIX MQ notify
 * @mqdes: MQ descriptor
 * @notification: Notification event, may be NULL
 *
 * Stores @mqdes and the signal number of @notification (0 when
 * @notification is NULL) in the mq_notify member of the context returned by
 * audit_context() and tags the context as AUDIT_MQ_NOTIFY.
 */
void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
{
	struct audit_context *ctx = audit_context();

	ctx->type = AUDIT_MQ_NOTIFY;
	ctx->mq_notify.mqdes = mqdes;
	ctx->mq_notify.sigev_signo = notification ? notification->sigev_signo : 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2347)
/**
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
 * @mqdes: MQ descriptor
 * @mqstat: MQ flags; copied by value, must not be NULL
 *
 * Stores both arguments in the mq_getsetattr member of the context returned
 * by audit_context() and tags the context as AUDIT_MQ_GETSETATTR.
 *
 * NOTE(review): unlike __audit_mq_open() and __audit_mq_notify(), the
 * pointer argument is dereferenced unconditionally; presumably every caller
 * passes a valid @mqstat - confirm.
 */
void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{
	struct audit_context *ctx = audit_context();

	ctx->type = AUDIT_MQ_GETSETATTR;
	ctx->mq_getsetattr.mqstat = *mqstat;
	ctx->mq_getsetattr.mqdes = mqdes;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2361)
/**
 * __audit_ipc_obj - record audit data for ipc object
 * @ipcp: ipc permissions
 *
 * Copies uid, gid and mode of @ipcp into the ipc member of the context
 * returned by audit_context(), lets security_ipc_getsecid() fill ipc.osid,
 * and tags the context as AUDIT_IPC.  has_perm is reset to 0 here; it is
 * set to 1 by __audit_ipc_set_perm().
 */
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
	struct audit_context *ctx = audit_context();

	ctx->type = AUDIT_IPC;

	/* No new permissions recorded yet for this object. */
	ctx->ipc.has_perm = 0;

	ctx->ipc.mode = ipcp->mode;
	ctx->ipc.gid = ipcp->gid;
	ctx->ipc.uid = ipcp->uid;
	security_ipc_getsecid(ipcp, &ctx->ipc.osid);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2377)
/**
 * __audit_ipc_set_perm - record audit data for new ipc permissions
 * @qbytes: msgq bytes
 * @uid: msgq user id
 * @gid: msgq group id
 * @mode: msgq mode (permissions)
 *
 * Stores the requested values in the perm_* fields of the ipc member of the
 * context returned by audit_context() and sets has_perm to 1.  The context
 * type is not touched here.
 *
 * Called only after audit_ipc_obj().
 */
void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
{
	struct audit_context *ctx = audit_context();

	/* Flag that the perm_* fields below carry a requested change. */
	ctx->ipc.has_perm = 1;
	ctx->ipc.perm_mode = mode;
	ctx->ipc.perm_gid = gid;
	ctx->ipc.perm_uid = uid;
	ctx->ipc.qbytes = qbytes;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2397)
/**
 * __audit_bprm - record the argument count of a program being executed
 * @bprm: binprm of the exec in progress; only its argc is read
 *
 * Stores @bprm->argc in the execve member of the context returned by
 * audit_context() and tags the context as AUDIT_EXECVE.
 */
void __audit_bprm(struct linux_binprm *bprm)
{
	struct audit_context *ctx = audit_context();

	ctx->execve.argc = bprm->argc;
	ctx->type = AUDIT_EXECVE;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2405)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2406)
/**
 * __audit_socketcall - record audit data for sys_socketcall
 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
 * @args: args array
 *
 * Copies @nargs words from @args into the socketcall member of the context
 * returned by audit_context() and tags the context as AUDIT_SOCKETCALL.
 * The count is validated before anything is written, so the copy cannot run
 * past AUDITSC_ARGS entries of the destination array.
 *
 * Return: 0 on success, -EINVAL if @args is NULL or @nargs is outside
 * 1..AUDITSC_ARGS.
 */
int __audit_socketcall(int nargs, unsigned long *args)
{
	struct audit_context *ctx = audit_context();

	if (!args || nargs <= 0 || nargs > AUDITSC_ARGS)
		return -EINVAL;

	memcpy(ctx->socketcall.args, args, nargs * sizeof(*args));
	ctx->socketcall.nargs = nargs;
	ctx->type = AUDIT_SOCKETCALL;
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2424)
/**
 * __audit_fd_pair - record audit data for pipe and socketpair
 * @fd1: the first file descriptor
 * @fd2: the second file descriptor
 *
 * Stores the two descriptors in fds[0] and fds[1] of the context returned
 * by audit_context().  The context type is not changed.
 */
void __audit_fd_pair(int fd1, int fd2)
{
	struct audit_context *ctx = audit_context();

	ctx->fds[1] = fd2;
	ctx->fds[0] = fd1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2437)
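/**
 * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
 * @len: data length in user space
 * @a: data address in kernel space
 *
 * Copies @len bytes from @a into the context's sockaddr buffer, allocating
 * that buffer (sizeof(struct sockaddr_storage) bytes) on first use, and
 * records @len in sockaddr_len.
 *
 * The length is checked against the buffer size here rather than relying
 * only on the caller: a negative @len would be converted to a huge size_t
 * by memcpy(), and a @len above sizeof(struct sockaddr_storage) would write
 * past the allocation.  Callers presumably validate the length already
 * (confirm against the socket layer); this check is defence in depth.
 *
 * Returns 0 for success or NULL context or < 0 on error: -EINVAL for a
 * length that does not fit the buffer, -ENOMEM if the buffer cannot be
 * allocated.
 */
int __audit_sockaddr(int len, void *a)
{
	struct audit_context *context = audit_context();

	/* Reject before allocating or writing anything into the context. */
	if (len < 0 || (size_t)len > sizeof(struct sockaddr_storage))
		return -EINVAL;

	if (!context->sockaddr) {
		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);

		if (!p)
			return -ENOMEM;
		context->sockaddr = p;
	}

	context->sockaddr_len = len;
	memcpy(context->sockaddr, a, len);
	return 0;
}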
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2460)
/**
 * __audit_ptrace - record the identity of a ptrace target
 * @t: task being traced
 *
 * Fills the target_* fields of the context returned by audit_context() with
 * the tgid, login uid, uid, session id, security id and comm of @t.  The
 * same fields are used by audit_signal_info_syscall() for the first signal
 * recipient.
 */
void __audit_ptrace(struct task_struct *t)
{
	struct audit_context *ctx = audit_context();

	ctx->target_pid = task_tgid_nr(t);
	ctx->target_uid = task_uid(t);
	ctx->target_auid = audit_get_loginuid(t);
	ctx->target_sessionid = audit_get_sessionid(t);
	security_task_getsecid(t, &ctx->target_sid);
	/* Fixed-size copy of the whole comm array, not a string copy. */
	memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2472)
/**
 * audit_signal_info_syscall - record signal info for syscalls
 * @t: task being signaled
 *
 * Records the tgid, login uid, uid, session id, security id and comm of @t
 * in the caller's audit context.  The first recipient is stored directly in
 * the target_* fields of the context; further recipients go into
 * audit_aux_data_pids records chained on ctx->aux_pids, each holding up to
 * AUDIT_AUX_PIDS entries.
 *
 * Nothing is recorded when audit_signals is zero or the context is a dummy
 * one.
 *
 * Return: 0 on success or when nothing had to be recorded, -ENOMEM if a new
 * aux record could not be allocated.
 */
int audit_signal_info_syscall(struct task_struct *t)
{
	struct audit_aux_data_pids *axp;
	struct audit_context *ctx = audit_context();
	kuid_t t_uid = task_uid(t);

	if (audit_dummy_context() || !audit_signals)
		return 0;

	/*
	 * Common case: a single recipient, which fits in the context itself
	 * and needs no allocation.
	 */
	if (ctx->target_pid == 0) {
		ctx->target_pid = task_tgid_nr(t);
		ctx->target_uid = t_uid;
		ctx->target_auid = audit_get_loginuid(t);
		ctx->target_sessionid = audit_get_sessionid(t);
		security_task_getsecid(t, &ctx->target_sid);
		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
		return 0;
	}

	/* Use the newest aux record, or push a fresh one if it is full. */
	axp = (void *)ctx->aux_pids;
	if (axp == NULL || axp->pid_count == AUDIT_AUX_PIDS) {
		/* GFP_ATOMIC: the allocation must not sleep at this point. */
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
		if (axp == NULL)
			return -ENOMEM;

		axp->d.type = AUDIT_OBJ_PID;
		axp->d.next = ctx->aux_pids;
		ctx->aux_pids = (void *)axp;
	}
	/* Guards every array write below against an out-of-range index. */
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);

	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
	axp->target_uid[axp->pid_count] = t_uid;
	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
	axp->pid_count++;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2523)
/**
 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
 * @bprm: pointer to the bprm being processed
 * @new: the proposed new credentials
 * @old: the old credentials
 *
 * Allocates an AUDIT_BPRM_FCAPS aux record, pushes it on the aux list of
 * the context returned by audit_context(), and fills it with the file
 * capabilities read by get_vfs_caps_from_disk() plus the permitted,
 * inheritable, effective and ambient sets of @old and @new, so that the
 * privilege change can be audited at the end of the syscall.
 *
 * Return: 0 on success, -ENOMEM if the record cannot be allocated.
 */
int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
			   const struct cred *new, const struct cred *old)
{
	struct audit_context *ctx = audit_context();
	struct audit_aux_data_bprm_fcaps *rec;
	struct cpu_vfs_cap_data vcaps;

	/*
	 * NOTE(review): kmalloc() does not zero the record, so any member not
	 * assigned below stays uninitialised - confirm none is logged later.
	 */
	rec = kmalloc(sizeof(*rec), GFP_KERNEL);
	if (rec == NULL)
		return -ENOMEM;

	/* Push the record on the head of the context's aux list. */
	rec->d.type = AUDIT_BPRM_FCAPS;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;

	/*
	 * NOTE(review): the return value is ignored and vcaps has no
	 * initialiser here; the copies below are only well defined if
	 * get_vfs_caps_from_disk() fills or zeroes vcaps on every path -
	 * confirm.
	 */
	get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);

	/* Capabilities attached to the file. */
	rec->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
	rec->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
	rec->fcap.permitted = vcaps.permitted;
	rec->fcap.inheritable = vcaps.inheritable;
	rec->fcap.rootid = vcaps.rootid;

	/* Process capabilities before the exec ... */
	rec->old_pcap.permitted = old->cap_permitted;
	rec->old_pcap.inheritable = old->cap_inheritable;
	rec->old_pcap.effective = old->cap_effective;
	rec->old_pcap.ambient = old->cap_ambient;

	/* ... and the proposed ones after it. */
	rec->new_pcap.permitted = new->cap_permitted;
	rec->new_pcap.inheritable = new->cap_inheritable;
	rec->new_pcap.effective = new->cap_effective;
	rec->new_pcap.ambient = new->cap_ambient;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2569)
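/**
 * __audit_log_capset - store information about the arguments to the capset syscall
 * @new: the new credentials
 * @old: the old (current) credentials; not read by this function
 *
 * Record the arguments userspace sent to sys_capset for later printing by the
 * audit system if applicable.  The tgid of the current task and the
 * effective, inheritable, permitted and ambient sets of @new are copied into
 * the capset member of the context returned by audit_context(), which is then
 * tagged as AUDIT_CAPSET.
 */
void __audit_log_capset(const struct cred *new, const struct cred *old)
{
	struct audit_context *context = audit_context();

	context->capset.pid = task_tgid_nr(current);
	context->capset.cap.effective   = new->cap_effective;
	/*
	 * Each recorded set must come from its own cred member.  Taking the
	 * inheritable set from cap_effective made the AUDIT_CAPSET record
	 * report the effective set twice and hide the real inheritable set
	 * from anyone reviewing the log.
	 */
	context->capset.cap.inheritable = new->cap_inheritable;
	context->capset.cap.permitted   = new->cap_permitted;
	context->capset.cap.ambient     = new->cap_ambient;
	context->type = AUDIT_CAPSET;
}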
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2588)
/**
 * __audit_mmap_fd - record the descriptor and flags of an mmap request
 * @fd: file descriptor passed to mmap
 * @flags: mmap flags
 *
 * Stores both values in the mmap member of the context returned by
 * audit_context() and tags the context as AUDIT_MMAP.
 */
void __audit_mmap_fd(int fd, int flags)
{
	struct audit_context *ctx = audit_context();

	ctx->type = AUDIT_MMAP;
	ctx->mmap.flags = flags;
	ctx->mmap.fd = fd;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2596)
/**
 * __audit_log_kern_module - record the name of a kernel module
 * @name: module name; duplicated with kstrdup(), the caller keeps ownership
 *
 * Stores a private copy of @name in the module member of the context
 * returned by audit_context() and tags the context as AUDIT_KERN_MODULE.
 * If the copy cannot be allocated the loss is reported through
 * audit_log_lost(); the type is still set, with module.name left NULL.
 */
void __audit_log_kern_module(char *name)
{
	struct audit_context *ctx = audit_context();
	char *copy = kstrdup(name, GFP_KERNEL);

	ctx->module.name = copy;
	if (copy == NULL)
		audit_log_lost("out of memory in __audit_log_kern_module");
	ctx->type = AUDIT_KERN_MODULE;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2606)
/**
 * __audit_fanotify - log a fanotify response
 * @response: response value, logged as "resp=%u"
 *
 * Emits one AUDIT_FANOTIFY record immediately through audit_log(), using
 * the context returned by audit_context().
 */
void __audit_fanotify(unsigned int response)
{
	struct audit_context *ctx = audit_context();

	audit_log(ctx, GFP_KERNEL, AUDIT_FANOTIFY, "resp=%u", response);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2612)
/**
 * __audit_tk_injoffset - record an injected timekeeping offset
 * @offset: offset to record, passed by value
 *
 * Copies @offset into time.tk_injoffset of the context returned by
 * audit_context().  The context type becomes AUDIT_TIME_INJOFFSET only if
 * no type is set yet, so a type already set by __audit_ntp_log() is kept.
 */
void __audit_tk_injoffset(struct timespec64 offset)
{
	struct audit_context *ctx = audit_context();

	memcpy(&ctx->time.tk_injoffset, &offset, sizeof(offset));

	/* only set type if not already set by NTP */
	if (ctx->type == 0)
		ctx->type = AUDIT_TIME_INJOFFSET;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2622)
/**
 * __audit_ntp_log - record changed NTP values
 * @ad: old/new value pairs, AUDIT_NTP_NVALS entries
 *
 * If at least one pair in @ad differs, the whole structure is copied into
 * time.ntp_data of the context returned by audit_context() and the context
 * is tagged as AUDIT_TIME_ADJNTPVAL.  If nothing changed the context is
 * left untouched.
 */
void __audit_ntp_log(const struct audit_ntp_data *ad)
{
	struct audit_context *ctx = audit_context();
	int idx;

	for (idx = 0; idx < AUDIT_NTP_NVALS; idx++) {
		if (ad->vals[idx].newval == ad->vals[idx].oldval)
			continue;

		/* unconditionally set type, overwriting TK */
		ctx->type = AUDIT_TIME_ADJNTPVAL;
		memcpy(&ctx->time.ntp_data, ad, sizeof(*ad));
		/* One changed value is enough; the copy covers all of them. */
		break;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2636)
/**
 * __audit_log_nfcfg - log a netfilter configuration change
 * @name: table name, emitted with "%s"
 * @af: address family
 * @nentries: number of entries
 * @op: operation, used as an index into audit_nfcfgs[]
 * @gfp: allocation flags for the audit buffer
 *
 * Emits one AUDIT_NETFILTER_CFG record with the table data followed by the
 * pid, subject context and comm of the current task.  Returns silently if
 * no audit buffer can be started.
 *
 * NOTE(review): @op is not range-checked before indexing audit_nfcfgs[],
 * and @name is written with "%s" while comm goes through
 * audit_log_untrustedstring(); presumably callers pass a valid enum value
 * and a name that is safe to log verbatim - confirm.
 */
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
		       enum audit_nfcfgop op, gfp_t gfp)
{
	char comm[sizeof(current->comm)];
	struct audit_buffer *buf;

	buf = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);
	if (buf == NULL)
		return;

	/* What was changed. */
	audit_log_format(buf, "table=%s family=%u entries=%u op=%s",
			 name, af, nentries, audit_nfcfgs[op].s);

	/* Who changed it. */
	audit_log_format(buf, " pid=%u", task_pid_nr(current));
	audit_log_task_context(buf); /* subj= */
	audit_log_format(buf, " comm=");
	/* comm is set by the task itself, so it is escaped before logging. */
	audit_log_untrustedstring(buf, get_task_comm(comm, current));

	audit_log_end(buf);
}
EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2656)
/*
 * audit_log_task - append the identity of the current task to a record
 * @ab: audit buffer to append to
 *
 * Writes auid, uid, gid (all translated relative to init_user_ns) and the
 * session id, then the subject context, the tgid, the escaped comm and the
 * executable path of the current task.
 */
static void audit_log_task(struct audit_buffer *ab)
{
	char comm[sizeof(current->comm)];
	kuid_t auid = audit_get_loginuid(current);
	unsigned int sessionid = audit_get_sessionid(current);
	kuid_t uid;
	kgid_t gid;

	current_uid_gid(&uid, &gid);

	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
			 from_kuid(&init_user_ns, auid),
			 from_kuid(&init_user_ns, uid),
			 from_kgid(&init_user_ns, gid),
			 sessionid);
	audit_log_task_context(ab);
	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
	/* comm is set by the task itself, so it is escaped before logging. */
	audit_log_untrustedstring(ab, get_task_comm(comm, current));
	audit_log_d_path_exe(ab, current->mm);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2678)
/**
 * audit_core_dumps - record information about processes that end abnormally
 * @signr: signal value
 *
 * Emits an AUDIT_ANOM_ABEND record carrying the identity of the current
 * task (see audit_log_task()) and the signal number, so that an abnormal
 * termination can be investigated afterwards.  Nothing is logged when
 * auditing is disabled, when @signr is SIGQUIT, or when no audit buffer can
 * be started.
 */
void audit_core_dumps(long signr)
{
	struct audit_buffer *buf;

	/* SIGQUIT dumps are not treated as anomalies. */
	if (!audit_enabled || signr == SIGQUIT)
		return;

	buf = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
	if (unlikely(buf == NULL))
		return;

	audit_log_task(buf);
	audit_log_format(buf, " sig=%ld res=1", signr);
	audit_log_end(buf);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2703)
/**
 * audit_seccomp - record information about a seccomp action
 * @syscall: syscall number
 * @signr: signal value
 * @code: the seccomp action
 *
 * Writes an AUDIT_SECCOMP record for the current task. Deciding which
 * seccomp actions are logged at all is the job of seccomp_log(); this
 * function therefore does not look at audit_enabled or at a dummy context,
 * because seccomp actions are meant to be logged even when audit is
 * otherwise not in use.
 *
 * The record is still lost if audit_log_start() returns no buffer.
 */
void audit_seccomp(unsigned long syscall, long signr, int code)
{
	struct audit_buffer *buf =
		audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);

	if (unlikely(!buf))
		return;

	audit_log_task(buf);

	/*
	 * NOTE(review): @syscall is unsigned long but is printed with %ld,
	 * so a value above LONG_MAX appears as a negative number in the
	 * record. Consumers may already depend on that form - confirm before
	 * changing the specifier.
	 */
	audit_log_format(buf,
			 " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
			 signr,
			 syscall_get_arch(current),
			 syscall,
			 in_compat_syscall(),
			 KSTK_EIP(current),
			 code);
	audit_log_end(buf);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2729)
/**
 * audit_seccomp_actions_logged - record a change of the logged seccomp actions
 * @names: string emitted as the "actions=" field
 * @old_names: string emitted as the "old-actions=" field
 * @res: value emitted as the "res=" field
 *
 * Writes an AUDIT_CONFIG_CHANGE record with op=seccomp-logging. Unlike
 * audit_seccomp(), this function returns without logging when auditing is
 * disabled, and also when no audit buffer could be obtained.
 */
void audit_seccomp_actions_logged(const char *names, const char *old_names,
				  int res)
{
	struct audit_buffer *buf;

	if (!audit_enabled)
		return;

	buf = audit_log_start(audit_context(), GFP_KERNEL,
			      AUDIT_CONFIG_CHANGE);
	if (unlikely(!buf))
		return;

	/*
	 * NOTE(review): both strings go into the record through a plain %s,
	 * without the untrusted-string encoding used for comm in
	 * audit_log_task(). Presumably callers only pass strings built from
	 * a fixed set of action names - verify against the caller.
	 */
	audit_log_format(buf,
			 "op=seccomp-logging actions=%s old-actions=%s res=%d",
			 names, old_names, res);
	audit_log_end(buf);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2748)
/*
 * audit_killed_trees - get the killed_trees list of the current audit context
 *
 * Returns a pointer to the killed_trees list head embedded in the context
 * returned by audit_context(), or NULL when there is no context or the
 * context is not marked in_syscall. Callers must handle the NULL case.
 */
struct list_head *audit_killed_trees(void)
{
	struct audit_context *actx = audit_context();

	/* Only a context that exists and is inside a syscall has a usable list. */
	if (unlikely(actx && actx->in_syscall))
		return &actx->killed_trees;

	return NULL;
}