linux/kernel/auditsc.c
<<
>>
Prefs
   1/* auditsc.c -- System-call auditing support
   2 * Handles all system-call specific auditing features.
   3 *
   4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   6 * Copyright (C) 2005, 2006 IBM Corporation
   7 * All Rights Reserved.
   8 *
   9 * This program is free software; you can redistribute it and/or modify
  10 * it under the terms of the GNU General Public License as published by
  11 * the Free Software Foundation; either version 2 of the License, or
  12 * (at your option) any later version.
  13 *
  14 * This program is distributed in the hope that it will be useful,
  15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17 * GNU General Public License for more details.
  18 *
  19 * You should have received a copy of the GNU General Public License
  20 * along with this program; if not, write to the Free Software
  21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  22 *
  23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  24 *
  25 * Many of the ideas implemented here are from Stephen C. Tweedie,
  26 * especially the idea of avoiding a copy by using getname.
  27 *
  28 * The method for actual interception of syscall entry and exit (not in
  29 * this file -- see entry.S) is based on a GPL'd patch written by
  30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
  31 *
  32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
  33 * 2006.
  34 *
  35 * The support of additional filter rules compares (>, <, >=, <=) was
  36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  37 *
  38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  39 * filesystem information.
  40 *
  41 * Subject and object context labeling support added by <danjones@us.ibm.com>
  42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  43 */
  44
  45#include <linux/init.h>
  46#include <asm/types.h>
  47#include <asm/atomic.h>
  48#include <asm/types.h>
  49#include <linux/fs.h>
  50#include <linux/namei.h>
  51#include <linux/mm.h>
  52#include <linux/module.h>
  53#include <linux/mount.h>
  54#include <linux/socket.h>
  55#include <linux/mqueue.h>
  56#include <linux/audit.h>
  57#include <linux/personality.h>
  58#include <linux/time.h>
  59#include <linux/netlink.h>
  60#include <linux/compiler.h>
  61#include <asm/unistd.h>
  62#include <linux/security.h>
  63#include <linux/list.h>
  64#include <linux/tty.h>
  65#include <linux/selinux.h>
  66#include <linux/binfmts.h>
  67#include <linux/syscalls.h>
  68
  69#include "audit.h"
  70
  71extern struct list_head audit_filter_list[];
  72
  73/* No syscall auditing will take place unless audit_enabled != 0. */
  74extern int audit_enabled;
  75
  76/* AUDIT_NAMES is the number of slots we reserve in the audit_context
  77 * for saving names from getname(). */
  78#define AUDIT_NAMES    20
  79
  80/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
  81 * audit_context from being used for nameless inodes from
  82 * path_lookup. */
  83#define AUDIT_NAMES_RESERVED 7
  84
  85/* Indicates that audit should log the full pathname. */
  86#define AUDIT_NAME_FULL -1
  87
  88/* number of audit rules */
  89int audit_n_rules;
  90
  91/* When fs/namei.c:getname() is called, we store the pointer in name and
  92 * we don't let putname() free it (instead we free all of the saved
  93 * pointers at syscall exit time).
  94 *
  95 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
  96struct audit_names {
  97        const char      *name;
  98        int             name_len;       /* number of name's characters to log */
  99        unsigned        name_put;       /* call __putname() for this name */
 100        unsigned long   ino;
 101        dev_t           dev;
 102        umode_t         mode;
 103        uid_t           uid;
 104        gid_t           gid;
 105        dev_t           rdev;
 106        u32             osid;
 107};
 108
 109struct audit_aux_data {
 110        struct audit_aux_data   *next;
 111        int                     type;
 112};
 113
 114#define AUDIT_AUX_IPCPERM       0
 115
 116struct audit_aux_data_mq_open {
 117        struct audit_aux_data   d;
 118        int                     oflag;
 119        mode_t                  mode;
 120        struct mq_attr          attr;
 121};
 122
 123struct audit_aux_data_mq_sendrecv {
 124        struct audit_aux_data   d;
 125        mqd_t                   mqdes;
 126        size_t                  msg_len;
 127        unsigned int            msg_prio;
 128        struct timespec         abs_timeout;
 129};
 130
 131struct audit_aux_data_mq_notify {
 132        struct audit_aux_data   d;
 133        mqd_t                   mqdes;
 134        struct sigevent         notification;
 135};
 136
 137struct audit_aux_data_mq_getsetattr {
 138        struct audit_aux_data   d;
 139        mqd_t                   mqdes;
 140        struct mq_attr          mqstat;
 141};
 142
 143struct audit_aux_data_ipcctl {
 144        struct audit_aux_data   d;
 145        struct ipc_perm         p;
 146        unsigned long           qbytes;
 147        uid_t                   uid;
 148        gid_t                   gid;
 149        mode_t                  mode;
 150        u32                     osid;
 151};
 152
 153struct audit_aux_data_execve {
 154        struct audit_aux_data   d;
 155        int argc;
 156        int envc;
 157        char mem[0];
 158};
 159
 160struct audit_aux_data_socketcall {
 161        struct audit_aux_data   d;
 162        int                     nargs;
 163        unsigned long           args[0];
 164};
 165
 166struct audit_aux_data_sockaddr {
 167        struct audit_aux_data   d;
 168        int                     len;
 169        char                    a[0];
 170};
 171
 172struct audit_aux_data_path {
 173        struct audit_aux_data   d;
 174        struct dentry           *dentry;
 175        struct vfsmount         *mnt;
 176};
 177
 178/* The per-task audit context. */
 179struct audit_context {
 180        int                 dummy;      /* must be the first element */
 181        int                 in_syscall; /* 1 if task is in a syscall */
 182        enum audit_state    state;
 183        unsigned int        serial;     /* serial number for record */
 184        struct timespec     ctime;      /* time of syscall entry */
 185        uid_t               loginuid;   /* login uid (identity) */
 186        int                 major;      /* syscall number */
 187        unsigned long       argv[4];    /* syscall arguments */
 188        int                 return_valid; /* return code is valid */
 189        long                return_code;/* syscall return code */
 190        int                 auditable;  /* 1 if record should be written */
 191        int                 name_count;
 192        struct audit_names  names[AUDIT_NAMES];
 193        char *              filterkey;  /* key for rule that triggered record */
 194        struct dentry *     pwd;
 195        struct vfsmount *   pwdmnt;
 196        struct audit_context *previous; /* For nested syscalls */
 197        struct audit_aux_data *aux;
 198
 199                                /* Save things to print about task_struct */
 200        pid_t               pid, ppid;
 201        uid_t               uid, euid, suid, fsuid;
 202        gid_t               gid, egid, sgid, fsgid;
 203        unsigned long       personality;
 204        int                 arch;
 205
 206#if AUDIT_DEBUG
 207        int                 put_count;
 208        int                 ino_count;
 209#endif
 210};
 211
 212#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
 213static inline int open_arg(int flags, int mask)
 214{
 215        int n = ACC_MODE(flags);
 216        if (flags & (O_TRUNC | O_CREAT))
 217                n |= AUDIT_PERM_WRITE;
 218        return n & mask;
 219}
 220
 221static int audit_match_perm(struct audit_context *ctx, int mask)
 222{
 223        unsigned n = ctx->major;
 224        switch (audit_classify_syscall(ctx->arch, n)) {
 225        case 0: /* native */
 226                if ((mask & AUDIT_PERM_WRITE) &&
 227                     audit_match_class(AUDIT_CLASS_WRITE, n))
 228                        return 1;
 229                if ((mask & AUDIT_PERM_READ) &&
 230                     audit_match_class(AUDIT_CLASS_READ, n))
 231                        return 1;
 232                if ((mask & AUDIT_PERM_ATTR) &&
 233                     audit_match_class(AUDIT_CLASS_CHATTR, n))
 234                        return 1;
 235                return 0;
 236        case 1: /* 32bit on biarch */
 237                if ((mask & AUDIT_PERM_WRITE) &&
 238                     audit_match_class(AUDIT_CLASS_WRITE_32, n))
 239                        return 1;
 240                if ((mask & AUDIT_PERM_READ) &&
 241                     audit_match_class(AUDIT_CLASS_READ_32, n))
 242                        return 1;
 243                if ((mask & AUDIT_PERM_ATTR) &&
 244                     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
 245                        return 1;
 246                return 0;
 247        case 2: /* open */
 248                return mask & ACC_MODE(ctx->argv[1]);
 249        case 3: /* openat */
 250                return mask & ACC_MODE(ctx->argv[2]);
 251        case 4: /* socketcall */
 252                return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 253        case 5: /* execve */
 254                return mask & AUDIT_PERM_EXEC;
 255        default:
 256                return 0;
 257        }
 258}
 259
 260/* Determine if any context name data matches a rule's watch data */
 261/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 262 * otherwise. */
 263static int audit_filter_rules(struct task_struct *tsk,
 264                              struct audit_krule *rule,
 265                              struct audit_context *ctx,
 266                              struct audit_names *name,
 267                              enum audit_state *state)
 268{
 269        int i, j, need_sid = 1;
 270        u32 sid;
 271
 272        for (i = 0; i < rule->field_count; i++) {
 273                struct audit_field *f = &rule->fields[i];
 274                int result = 0;
 275
 276                switch (f->type) {
 277                case AUDIT_PID:
 278                        result = audit_comparator(tsk->pid, f->op, f->val);
 279                        break;
 280                case AUDIT_PPID:
 281                        if (ctx) {
 282                                if (!ctx->ppid)
 283                                        ctx->ppid = sys_getppid();
 284                                result = audit_comparator(ctx->ppid, f->op, f->val);
 285                        }
 286                        break;
 287                case AUDIT_UID:
 288                        result = audit_comparator(tsk->uid, f->op, f->val);
 289                        break;
 290                case AUDIT_EUID:
 291                        result = audit_comparator(tsk->euid, f->op, f->val);
 292                        break;
 293                case AUDIT_SUID:
 294                        result = audit_comparator(tsk->suid, f->op, f->val);
 295                        break;
 296                case AUDIT_FSUID:
 297                        result = audit_comparator(tsk->fsuid, f->op, f->val);
 298                        break;
 299                case AUDIT_GID:
 300                        result = audit_comparator(tsk->gid, f->op, f->val);
 301                        break;
 302                case AUDIT_EGID:
 303                        result = audit_comparator(tsk->egid, f->op, f->val);
 304                        break;
 305                case AUDIT_SGID:
 306                        result = audit_comparator(tsk->sgid, f->op, f->val);
 307                        break;
 308                case AUDIT_FSGID:
 309                        result = audit_comparator(tsk->fsgid, f->op, f->val);
 310                        break;
 311                case AUDIT_PERS:
 312                        result = audit_comparator(tsk->personality, f->op, f->val);
 313                        break;
 314                case AUDIT_ARCH:
 315                        if (ctx)
 316                                result = audit_comparator(ctx->arch, f->op, f->val);
 317                        break;
 318
 319                case AUDIT_EXIT:
 320                        if (ctx && ctx->return_valid)
 321                                result = audit_comparator(ctx->return_code, f->op, f->val);
 322                        break;
 323                case AUDIT_SUCCESS:
 324                        if (ctx && ctx->return_valid) {
 325                                if (f->val)
 326                                        result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
 327                                else
 328                                        result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
 329                        }
 330                        break;
 331                case AUDIT_DEVMAJOR:
 332                        if (name)
 333                                result = audit_comparator(MAJOR(name->dev),
 334                                                          f->op, f->val);
 335                        else if (ctx) {
 336                                for (j = 0; j < ctx->name_count; j++) {
 337                                        if (audit_comparator(MAJOR(ctx->names[j].dev),  f->op, f->val)) {
 338                                                ++result;
 339                                                break;
 340                                        }
 341                                }
 342                        }
 343                        break;
 344                case AUDIT_DEVMINOR:
 345                        if (name)
 346                                result = audit_comparator(MINOR(name->dev),
 347                                                          f->op, f->val);
 348                        else if (ctx) {
 349                                for (j = 0; j < ctx->name_count; j++) {
 350                                        if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
 351                                                ++result;
 352                                                break;
 353                                        }
 354                                }
 355                        }
 356                        break;
 357                case AUDIT_INODE:
 358                        if (name)
 359                                result = (name->ino == f->val);
 360                        else if (ctx) {
 361                                for (j = 0; j < ctx->name_count; j++) {
 362                                        if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
 363                                                ++result;
 364                                                break;
 365                                        }
 366                                }
 367                        }
 368                        break;
 369                case AUDIT_WATCH:
 370                        if (name && rule->watch->ino != (unsigned long)-1)
 371                                result = (name->dev == rule->watch->dev &&
 372                                          name->ino == rule->watch->ino);
 373                        break;
 374                case AUDIT_LOGINUID:
 375                        result = 0;
 376                        if (ctx)
 377                                result = audit_comparator(ctx->loginuid, f->op, f->val);
 378                        break;
 379                case AUDIT_SUBJ_USER:
 380                case AUDIT_SUBJ_ROLE:
 381                case AUDIT_SUBJ_TYPE:
 382                case AUDIT_SUBJ_SEN:
 383                case AUDIT_SUBJ_CLR:
 384                        /* NOTE: this may return negative values indicating
 385                           a temporary error.  We simply treat this as a
 386                           match for now to avoid losing information that
 387                           may be wanted.   An error message will also be
 388                           logged upon error */
 389                        if (f->se_rule) {
 390                                if (need_sid) {
 391                                        selinux_get_task_sid(tsk, &sid);
 392                                        need_sid = 0;
 393                                }
 394                                result = selinux_audit_rule_match(sid, f->type,
 395                                                                  f->op,
 396                                                                  f->se_rule,
 397                                                                  ctx);
 398                        }
 399                        break;
 400                case AUDIT_OBJ_USER:
 401                case AUDIT_OBJ_ROLE:
 402                case AUDIT_OBJ_TYPE:
 403                case AUDIT_OBJ_LEV_LOW:
 404                case AUDIT_OBJ_LEV_HIGH:
 405                        /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
 406                           also applies here */
 407                        if (f->se_rule) {
 408                                /* Find files that match */
 409                                if (name) {
 410                                        result = selinux_audit_rule_match(
 411                                                   name->osid, f->type, f->op,
 412                                                   f->se_rule, ctx);
 413                                } else if (ctx) {
 414                                        for (j = 0; j < ctx->name_count; j++) {
 415                                                if (selinux_audit_rule_match(
 416                                                      ctx->names[j].osid,
 417                                                      f->type, f->op,
 418                                                      f->se_rule, ctx)) {
 419                                                        ++result;
 420                                                        break;
 421                                                }
 422                                        }
 423                                }
 424                                /* Find ipc objects that match */
 425                                if (ctx) {
 426                                        struct audit_aux_data *aux;
 427                                        for (aux = ctx->aux; aux;
 428                                             aux = aux->next) {
 429                                                if (aux->type == AUDIT_IPC) {
 430                                                        struct audit_aux_data_ipcctl *axi = (void *)aux;
 431                                                        if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {
 432                                                                ++result;
 433                                                                break;
 434                                                        }
 435                                                }
 436                                        }
 437                                }
 438                        }
 439                        break;
 440                case AUDIT_ARG0:
 441                case AUDIT_ARG1:
 442                case AUDIT_ARG2:
 443                case AUDIT_ARG3:
 444                        if (ctx)
 445                                result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
 446                        break;
 447                case AUDIT_FILTERKEY:
 448                        /* ignore this field for filtering */
 449                        result = 1;
 450                        break;
 451                case AUDIT_PERM:
 452                        result = audit_match_perm(ctx, f->val);
 453                        break;
 454                }
 455
 456                if (!result)
 457                        return 0;
 458        }
 459        if (rule->filterkey)
 460                ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
 461        switch (rule->action) {
 462        case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
 463        case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
 464        }
 465        return 1;
 466}
 467
 468/* At process creation time, we can determine if system-call auditing is
 469 * completely disabled for this task.  Since we only have the task
 470 * structure at this point, we can only check uid and gid.
 471 */
 472static enum audit_state audit_filter_task(struct task_struct *tsk)
 473{
 474        struct audit_entry *e;
 475        enum audit_state   state;
 476
 477        rcu_read_lock();
 478        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
 479                if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
 480                        rcu_read_unlock();
 481                        return state;
 482                }
 483        }
 484        rcu_read_unlock();
 485        return AUDIT_BUILD_CONTEXT;
 486}
 487
 488/* At syscall entry and exit time, this filter is called if the
 489 * audit_state is not low enough that auditing cannot take place, but is
 490 * also not high enough that we already know we have to write an audit
 491 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
 492 */
 493static enum audit_state audit_filter_syscall(struct task_struct *tsk,
 494                                             struct audit_context *ctx,
 495                                             struct list_head *list)
 496{
 497        struct audit_entry *e;
 498        enum audit_state state;
 499
 500        if (audit_pid && tsk->tgid == audit_pid)
 501                return AUDIT_DISABLED;
 502
 503        rcu_read_lock();
 504        if (!list_empty(list)) {
 505                int word = AUDIT_WORD(ctx->major);
 506                int bit  = AUDIT_BIT(ctx->major);
 507
 508                list_for_each_entry_rcu(e, list, list) {
 509                        if ((e->rule.mask[word] & bit) == bit &&
 510                            audit_filter_rules(tsk, &e->rule, ctx, NULL,
 511                                               &state)) {
 512                                rcu_read_unlock();
 513                                return state;
 514                        }
 515                }
 516        }
 517        rcu_read_unlock();
 518        return AUDIT_BUILD_CONTEXT;
 519}
 520
 521/* At syscall exit time, this filter is called if any audit_names[] have been
 522 * collected during syscall processing.  We only check rules in sublists at hash
 523 * buckets applicable to the inode numbers in audit_names[].
 524 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 525 */
 526enum audit_state audit_filter_inodes(struct task_struct *tsk,
 527                                     struct audit_context *ctx)
 528{
 529        int i;
 530        struct audit_entry *e;
 531        enum audit_state state;
 532
 533        if (audit_pid && tsk->tgid == audit_pid)
 534                return AUDIT_DISABLED;
 535
 536        rcu_read_lock();
 537        for (i = 0; i < ctx->name_count; i++) {
 538                int word = AUDIT_WORD(ctx->major);
 539                int bit  = AUDIT_BIT(ctx->major);
 540                struct audit_names *n = &ctx->names[i];
 541                int h = audit_hash_ino((u32)n->ino);
 542                struct list_head *list = &audit_inode_hash[h];
 543
 544                if (list_empty(list))
 545                        continue;
 546
 547                list_for_each_entry_rcu(e, list, list) {
 548                        if ((e->rule.mask[word] & bit) == bit &&
 549                            audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
 550                                rcu_read_unlock();
 551                                return state;
 552                        }
 553                }
 554        }
 555        rcu_read_unlock();
 556        return AUDIT_BUILD_CONTEXT;
 557}
 558
 559void audit_set_auditable(struct audit_context *ctx)
 560{
 561        ctx->auditable = 1;
 562}
 563
 564static inline struct audit_context *audit_get_context(struct task_struct *tsk,
 565                                                      int return_valid,
 566                                                      int return_code)
 567{
 568        struct audit_context *context = tsk->audit_context;
 569
 570        if (likely(!context))
 571                return NULL;
 572        context->return_valid = return_valid;
 573        context->return_code  = return_code;
 574
 575        if (context->in_syscall && !context->dummy && !context->auditable) {
 576                enum audit_state state;
 577
 578                state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
 579                if (state == AUDIT_RECORD_CONTEXT) {
 580                        context->auditable = 1;
 581                        goto get_context;
 582                }
 583
 584                state = audit_filter_inodes(tsk, context);
 585                if (state == AUDIT_RECORD_CONTEXT)
 586                        context->auditable = 1;
 587
 588        }
 589
 590get_context:
 591
 592        tsk->audit_context = NULL;
 593        return context;
 594}
 595
 596static inline void audit_free_names(struct audit_context *context)
 597{
 598        int i;
 599
 600#if AUDIT_DEBUG == 2
 601        if (context->auditable
 602            ||context->put_count + context->ino_count != context->name_count) {
 603                printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
 604                       " name_count=%d put_count=%d"
 605                       " ino_count=%d [NOT freeing]\n",
 606                       __FILE__, __LINE__,
 607                       context->serial, context->major, context->in_syscall,
 608                       context->name_count, context->put_count,
 609                       context->ino_count);
 610                for (i = 0; i < context->name_count; i++) {
 611                        printk(KERN_ERR "names[%d] = %p = %s\n", i,
 612                               context->names[i].name,
 613                               context->names[i].name ?: "(null)");
 614                }
 615                dump_stack();
 616                return;
 617        }
 618#endif
 619#if AUDIT_DEBUG
 620        context->put_count  = 0;
 621        context->ino_count  = 0;
 622#endif
 623
 624        for (i = 0; i < context->name_count; i++) {
 625                if (context->names[i].name && context->names[i].name_put)
 626                        __putname(context->names[i].name);
 627        }
 628        context->name_count = 0;
 629        if (context->pwd)
 630                dput(context->pwd);
 631        if (context->pwdmnt)
 632                mntput(context->pwdmnt);
 633        context->pwd = NULL;
 634        context->pwdmnt = NULL;
 635}
 636
 637static inline void audit_free_aux(struct audit_context *context)
 638{
 639        struct audit_aux_data *aux;
 640
 641        while ((aux = context->aux)) {
 642                if (aux->type == AUDIT_AVC_PATH) {
 643                        struct audit_aux_data_path *axi = (void *)aux;
 644                        dput(axi->dentry);
 645                        mntput(axi->mnt);
 646                }
 647
 648                context->aux = aux->next;
 649                kfree(aux);
 650        }
 651}
 652
 653static inline void audit_zero_context(struct audit_context *context,
 654                                      enum audit_state state)
 655{
 656        uid_t loginuid = context->loginuid;
 657
 658        memset(context, 0, sizeof(*context));
 659        context->state      = state;
 660        context->loginuid   = loginuid;
 661}
 662
 663static inline struct audit_context *audit_alloc_context(enum audit_state state)
 664{
 665        struct audit_context *context;
 666
 667        if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
 668                return NULL;
 669        audit_zero_context(context, state);
 670        return context;
 671}
 672
 673/**
 674 * audit_alloc - allocate an audit context block for a task
 675 * @tsk: task
 676 *
 677 * Filter on the task information and allocate a per-task audit context
 678 * if necessary.  Doing so turns on system call auditing for the
 679 * specified task.  This is called from copy_process, so no lock is
 680 * needed.
 681 */
 682int audit_alloc(struct task_struct *tsk)
 683{
 684        struct audit_context *context;
 685        enum audit_state     state;
 686
 687        if (likely(!audit_enabled))
 688                return 0; /* Return if not auditing. */
 689
 690        state = audit_filter_task(tsk);
 691        if (likely(state == AUDIT_DISABLED))
 692                return 0;
 693
 694        if (!(context = audit_alloc_context(state))) {
 695                audit_log_lost("out of memory in audit_alloc");
 696                return -ENOMEM;
 697        }
 698
 699                                /* Preserve login uid */
 700        context->loginuid = -1;
 701        if (current->audit_context)
 702                context->loginuid = current->audit_context->loginuid;
 703
 704        tsk->audit_context  = context;
 705        set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 706        return 0;
 707}
 708
 709static inline void audit_free_context(struct audit_context *context)
 710{
 711        struct audit_context *previous;
 712        int                  count = 0;
 713
 714        do {
 715                previous = context->previous;
 716                if (previous || (count &&  count < 10)) {
 717                        ++count;
 718                        printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
 719                               " freeing multiple contexts (%d)\n",
 720                               context->serial, context->major,
 721                               context->name_count, count);
 722                }
 723                audit_free_names(context);
 724                audit_free_aux(context);
 725                kfree(context->filterkey);
 726                kfree(context);
 727                context  = previous;
 728        } while (context);
 729        if (count >= 10)
 730                printk(KERN_ERR "audit: freed %d contexts\n", count);
 731}
 732
 733static void audit_log_task_context(struct audit_buffer *ab)
 734{
 735        char *ctx = NULL;
 736        ssize_t len = 0;
 737
 738        len = security_getprocattr(current, "current", NULL, 0);
 739        if (len < 0) {
 740                if (len != -EINVAL)
 741                        goto error_path;
 742                return;
 743        }
 744
 745        ctx = kmalloc(len, GFP_KERNEL);
 746        if (!ctx)
 747                goto error_path;
 748
 749        len = security_getprocattr(current, "current", ctx, len);
 750        if (len < 0 )
 751                goto error_path;
 752
 753        audit_log_format(ab, " subj=%s", ctx);
 754        return;
 755
 756error_path:
 757        kfree(ctx);
 758        audit_panic("error in audit_log_task_context");
 759        return;
 760}
 761
 762static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 763{
 764        char name[sizeof(tsk->comm)];
 765        struct mm_struct *mm = tsk->mm;
 766        struct vm_area_struct *vma;
 767
 768        /* tsk == current */
 769
 770        get_task_comm(name, tsk);
 771        audit_log_format(ab, " comm=");
 772        audit_log_untrustedstring(ab, name);
 773
 774        if (mm) {
 775                down_read(&mm->mmap_sem);
 776                vma = mm->mmap;
 777                while (vma) {
 778                        if ((vma->vm_flags & VM_EXECUTABLE) &&
 779                            vma->vm_file) {
 780                                audit_log_d_path(ab, "exe=",
 781                                                 vma->vm_file->f_dentry,
 782                                                 vma->vm_file->f_vfsmnt);
 783                                break;
 784                        }
 785                        vma = vma->vm_next;
 786                }
 787                up_read(&mm->mmap_sem);
 788        }
 789        audit_log_task_context(ab);
 790}
 791
 792static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
 793{
 794        int i, call_panic = 0;
 795        struct audit_buffer *ab;
 796        struct audit_aux_data *aux;
 797        const char *tty;
 798
 799        /* tsk == current */
 800        context->pid = tsk->pid;
 801        if (!context->ppid)
 802                context->ppid = sys_getppid();
 803        context->uid = tsk->uid;
 804        context->gid = tsk->gid;
 805        context->euid = tsk->euid;
 806        context->suid = tsk->suid;
 807        context->fsuid = tsk->fsuid;
 808        context->egid = tsk->egid;
 809        context->sgid = tsk->sgid;
 810        context->fsgid = tsk->fsgid;
 811        context->personality = tsk->personality;
 812
 813        ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
 814        if (!ab)
 815                return;         /* audit_panic has been called */
 816        audit_log_format(ab, "arch=%x syscall=%d",
 817                         context->arch, context->major);
 818        if (context->personality != PER_LINUX)
 819                audit_log_format(ab, " per=%lx", context->personality);
 820        if (context->return_valid)
 821                audit_log_format(ab, " success=%s exit=%ld", 
 822                                 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
 823                                 context->return_code);
 824
 825        mutex_lock(&tty_mutex);
 826        if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
 827                tty = tsk->signal->tty->name;
 828        else
 829                tty = "(none)";
 830        audit_log_format(ab,
 831                  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
 832                  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
 833                  " euid=%u suid=%u fsuid=%u"
 834                  " egid=%u sgid=%u fsgid=%u tty=%s",
 835                  context->argv[0],
 836                  context->argv[1],
 837                  context->argv[2],
 838                  context->argv[3],
 839                  context->name_count,
 840                  context->ppid,
 841                  context->pid,
 842                  context->loginuid,
 843                  context->uid,
 844                  context->gid,
 845                  context->euid, context->suid, context->fsuid,
 846                  context->egid, context->sgid, context->fsgid, tty);
 847
 848        mutex_unlock(&tty_mutex);
 849
 850        audit_log_task_info(ab, tsk);
 851        if (context->filterkey) {
 852                audit_log_format(ab, " key=");
 853                audit_log_untrustedstring(ab, context->filterkey);
 854        } else
 855                audit_log_format(ab, " key=(null)");
 856        audit_log_end(ab);
 857
 858        for (aux = context->aux; aux; aux = aux->next) {
 859
 860                ab = audit_log_start(context, GFP_KERNEL, aux->type);
 861                if (!ab)
 862                        continue; /* audit_panic has been called */
 863
 864                switch (aux->type) {
 865                case AUDIT_MQ_OPEN: {
 866                        struct audit_aux_data_mq_open *axi = (void *)aux;
 867                        audit_log_format(ab,
 868                                "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
 869                                "mq_msgsize=%ld mq_curmsgs=%ld",
 870                                axi->oflag, axi->mode, axi->attr.mq_flags,
 871                                axi->attr.mq_maxmsg, axi->attr.mq_msgsize,
 872                                axi->attr.mq_curmsgs);
 873                        break; }
 874
 875                case AUDIT_MQ_SENDRECV: {
 876                        struct audit_aux_data_mq_sendrecv *axi = (void *)aux;
 877                        audit_log_format(ab,
 878                                "mqdes=%d msg_len=%zd msg_prio=%u "
 879                                "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
 880                                axi->mqdes, axi->msg_len, axi->msg_prio,
 881                                axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);
 882                        break; }
 883
 884                case AUDIT_MQ_NOTIFY: {
 885                        struct audit_aux_data_mq_notify *axi = (void *)aux;
 886                        audit_log_format(ab,
 887                                "mqdes=%d sigev_signo=%d",
 888                                axi->mqdes,
 889                                axi->notification.sigev_signo);
 890                        break; }
 891
 892                case AUDIT_MQ_GETSETATTR: {
 893                        struct audit_aux_data_mq_getsetattr *axi = (void *)aux;
 894                        audit_log_format(ab,
 895                                "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
 896                                "mq_curmsgs=%ld ",
 897                                axi->mqdes,
 898                                axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg,
 899                                axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs);
 900                        break; }
 901
 902                case AUDIT_IPC: {
 903                        struct audit_aux_data_ipcctl *axi = (void *)aux;
 904                        audit_log_format(ab, 
 905                                 "ouid=%u ogid=%u mode=%x",
 906                                 axi->uid, axi->gid, axi->mode);
 907                        if (axi->osid != 0) {
 908                                char *ctx = NULL;
 909                                u32 len;
 910                                if (selinux_sid_to_string(
 911                                                axi->osid, &ctx, &len)) {
 912                                        audit_log_format(ab, " osid=%u",
 913                                                        axi->osid);
 914                                        call_panic = 1;
 915                                } else
 916                                        audit_log_format(ab, " obj=%s", ctx);
 917                                kfree(ctx);
 918                        }
 919                        break; }
 920
 921                case AUDIT_IPC_SET_PERM: {
 922                        struct audit_aux_data_ipcctl *axi = (void *)aux;
 923                        audit_log_format(ab,
 924                                "qbytes=%lx ouid=%u ogid=%u mode=%x",
 925                                axi->qbytes, axi->uid, axi->gid, axi->mode);
 926                        break; }
 927
 928                case AUDIT_EXECVE: {
 929                        struct audit_aux_data_execve *axi = (void *)aux;
 930                        int i;
 931                        const char *p;
 932                        for (i = 0, p = axi->mem; i < axi->argc; i++) {
 933                                audit_log_format(ab, "a%d=", i);
 934                                p = audit_log_untrustedstring(ab, p);
 935                                audit_log_format(ab, "\n");
 936                        }
 937                        break; }
 938
 939                case AUDIT_SOCKETCALL: {
 940                        int i;
 941                        struct audit_aux_data_socketcall *axs = (void *)aux;
 942                        audit_log_format(ab, "nargs=%d", axs->nargs);
 943                        for (i=0; i<axs->nargs; i++)
 944                                audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
 945                        break; }
 946
 947                case AUDIT_SOCKADDR: {
 948                        struct audit_aux_data_sockaddr *axs = (void *)aux;
 949
 950                        audit_log_format(ab, "saddr=");
 951                        audit_log_hex(ab, axs->a, axs->len);
 952                        break; }
 953
 954                case AUDIT_AVC_PATH: {
 955                        struct audit_aux_data_path *axi = (void *)aux;
 956                        audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
 957                        break; }
 958
 959                }
 960                audit_log_end(ab);
 961        }
 962
 963        if (context->pwd && context->pwdmnt) {
 964                ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
 965                if (ab) {
 966                        audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
 967                        audit_log_end(ab);
 968                }
 969        }
 970        for (i = 0; i < context->name_count; i++) {
 971                struct audit_names *n = &context->names[i];
 972
 973                ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
 974                if (!ab)
 975                        continue; /* audit_panic has been called */
 976
 977                audit_log_format(ab, "item=%d", i);
 978
 979                if (n->name) {
 980                        switch(n->name_len) {
 981                        case AUDIT_NAME_FULL:
 982                                /* log the full path */
 983                                audit_log_format(ab, " name=");
 984                                audit_log_untrustedstring(ab, n->name);
 985                                break;
 986                        case 0:
 987                                /* name was specified as a relative path and the
 988                                 * directory component is the cwd */
 989                                audit_log_d_path(ab, " name=", context->pwd,
 990                                                 context->pwdmnt);
 991                                break;
 992                        default:
 993                                /* log the name's directory component */
 994                                audit_log_format(ab, " name=");
 995                                audit_log_n_untrustedstring(ab, n->name_len,
 996                                                            n->name);
 997                        }
 998                } else
 999                        audit_log_format(ab, " name=(null)");
1000
1001                if (n->ino != (unsigned long)-1) {
1002                        audit_log_format(ab, " inode=%lu"
1003                                         " dev=%02x:%02x mode=%#o"
1004                                         " ouid=%u ogid=%u rdev=%02x:%02x",
1005                                         n->ino,
1006                                         MAJOR(n->dev),
1007                                         MINOR(n->dev),
1008                                         n->mode,
1009                                         n->uid,
1010                                         n->gid,
1011                                         MAJOR(n->rdev),
1012                                         MINOR(n->rdev));
1013                }
1014                if (n->osid != 0) {
1015                        char *ctx = NULL;
1016                        u32 len;
1017                        if (selinux_sid_to_string(
1018                                n->osid, &ctx, &len)) {
1019                                audit_log_format(ab, " osid=%u", n->osid);
1020                                call_panic = 2;
1021                        } else
1022                                audit_log_format(ab, " obj=%s", ctx);
1023                        kfree(ctx);
1024                }
1025
1026                audit_log_end(ab);
1027        }
1028        if (call_panic)
1029                audit_panic("error converting sid to string");
1030}
1031
1032/**
1033 * audit_free - free a per-task audit context
1034 * @tsk: task whose audit context block to free
1035 *
1036 * Called from copy_process and do_exit
1037 */
1038void audit_free(struct task_struct *tsk)
1039{
1040        struct audit_context *context;
1041
1042        context = audit_get_context(tsk, 0, 0);
1043        if (likely(!context))
1044                return;
1045
1046        /* Check for system calls that do not go through the exit
1047         * function (e.g., exit_group), then free context block. 
1048         * We use GFP_ATOMIC here because we might be doing this 
1049         * in the context of the idle thread */
1050        /* that can happen only if we are called from do_exit() */
1051        if (context->in_syscall && context->auditable)
1052                audit_log_exit(context, tsk);
1053
1054        audit_free_context(context);
1055}
1056
1057/**
1058 * audit_syscall_entry - fill in an audit record at syscall entry
1059 * @tsk: task being audited
1060 * @arch: architecture type
1061 * @major: major syscall type (function)
1062 * @a1: additional syscall register 1
1063 * @a2: additional syscall register 2
1064 * @a3: additional syscall register 3
1065 * @a4: additional syscall register 4
1066 *
1067 * Fill in audit context at syscall entry.  This only happens if the
1068 * audit context was created when the task was created and the state or
1069 * filters demand the audit context be built.  If the state from the
1070 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1071 * then the record will be written at syscall exit time (otherwise, it
1072 * will only be written if another part of the kernel requests that it
1073 * be written).
1074 */
1075void audit_syscall_entry(int arch, int major,
1076                         unsigned long a1, unsigned long a2,
1077                         unsigned long a3, unsigned long a4)
1078{
1079        struct task_struct *tsk = current;
1080        struct audit_context *context = tsk->audit_context;
1081        enum audit_state     state;
1082
1083        BUG_ON(!context);
1084
1085        /*
1086         * This happens only on certain architectures that make system
1087         * calls in kernel_thread via the entry.S interface, instead of
1088         * with direct calls.  (If you are porting to a new
1089         * architecture, hitting this condition can indicate that you
1090         * got the _exit/_leave calls backward in entry.S.)
1091         *
1092         * i386     no
1093         * x86_64   no
1094         * ppc64    yes (see arch/powerpc/platforms/iseries/misc.S)
1095         *
1096         * This also happens with vm86 emulation in a non-nested manner
1097         * (entries without exits), so this case must be caught.
1098         */
1099        if (context->in_syscall) {
1100                struct audit_context *newctx;
1101
1102#if AUDIT_DEBUG
1103                printk(KERN_ERR
1104                       "audit(:%d) pid=%d in syscall=%d;"
1105                       " entering syscall=%d\n",
1106                       context->serial, tsk->pid, context->major, major);
1107#endif
1108                newctx = audit_alloc_context(context->state);
1109                if (newctx) {
1110                        newctx->previous   = context;
1111                        context            = newctx;
1112                        tsk->audit_context = newctx;
1113                } else  {
1114                        /* If we can't alloc a new context, the best we
1115                         * can do is to leak memory (any pending putname
1116                         * will be lost).  The only other alternative is
1117                         * to abandon auditing. */
1118                        audit_zero_context(context, context->state);
1119                }
1120        }
1121        BUG_ON(context->in_syscall || context->name_count);
1122
1123        if (!audit_enabled)
1124                return;
1125
1126        context->arch       = arch;
1127        context->major      = major;
1128        context->argv[0]    = a1;
1129        context->argv[1]    = a2;
1130        context->argv[2]    = a3;
1131        context->argv[3]    = a4;
1132
1133        state = context->state;
1134        context->dummy = !audit_n_rules;
1135        if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
1136                state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1137        if (likely(state == AUDIT_DISABLED))
1138                return;
1139
1140        context->serial     = 0;
1141        context->ctime      = CURRENT_TIME;
1142        context->in_syscall = 1;
1143        context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
1144        context->ppid       = 0;
1145}
1146
1147/**
1148 * audit_syscall_exit - deallocate audit context after a system call
1149 * @tsk: task being audited
1150 * @valid: success/failure flag
1151 * @return_code: syscall return value
1152 *
1153 * Tear down after system call.  If the audit context has been marked as
1154 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1155 * filtering, or because some other part of the kernel write an audit
1156 * message), then write out the syscall information.  In call cases,
1157 * free the names stored from getname().
1158 */
1159void audit_syscall_exit(int valid, long return_code)
1160{
1161        struct task_struct *tsk = current;
1162        struct audit_context *context;
1163
1164        context = audit_get_context(tsk, valid, return_code);
1165
1166        if (likely(!context))
1167                return;
1168
1169        if (context->in_syscall && context->auditable)
1170                audit_log_exit(context, tsk);
1171
1172        context->in_syscall = 0;
1173        context->auditable  = 0;
1174
1175        if (context->previous) {
1176                struct audit_context *new_context = context->previous;
1177                context->previous  = NULL;
1178                audit_free_context(context);
1179                tsk->audit_context = new_context;
1180        } else {
1181                audit_free_names(context);
1182                audit_free_aux(context);
1183                kfree(context->filterkey);
1184                context->filterkey = NULL;
1185                tsk->audit_context = context;
1186        }
1187}
1188
1189/**
1190 * audit_getname - add a name to the list
1191 * @name: name to add
1192 *
1193 * Add a name to the list of audit names for this context.
1194 * Called from fs/namei.c:getname().
1195 */
1196void __audit_getname(const char *name)
1197{
1198        struct audit_context *context = current->audit_context;
1199
1200        if (IS_ERR(name) || !name)
1201                return;
1202
1203        if (!context->in_syscall) {
1204#if AUDIT_DEBUG == 2
1205                printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1206                       __FILE__, __LINE__, context->serial, name);
1207                dump_stack();
1208#endif
1209                return;
1210        }
1211        BUG_ON(context->name_count >= AUDIT_NAMES);
1212        context->names[context->name_count].name = name;
1213        context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1214        context->names[context->name_count].name_put = 1;
1215        context->names[context->name_count].ino  = (unsigned long)-1;
1216        ++context->name_count;
1217        if (!context->pwd) {
1218                read_lock(&current->fs->lock);
1219                context->pwd = dget(current->fs->pwd);
1220                context->pwdmnt = mntget(current->fs->pwdmnt);
1221                read_unlock(&current->fs->lock);
1222        }
1223                
1224}
1225
1226/* audit_putname - intercept a putname request
1227 * @name: name to intercept and delay for putname
1228 *
1229 * If we have stored the name from getname in the audit context,
1230 * then we delay the putname until syscall exit.
1231 * Called from include/linux/fs.h:putname().
1232 */
1233void audit_putname(const char *name)
1234{
1235        struct audit_context *context = current->audit_context;
1236
1237        BUG_ON(!context);
1238        if (!context->in_syscall) {
1239#if AUDIT_DEBUG == 2
1240                printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1241                       __FILE__, __LINE__, context->serial, name);
1242                if (context->name_count) {
1243                        int i;
1244                        for (i = 0; i < context->name_count; i++)
1245                                printk(KERN_ERR "name[%d] = %p = %s\n", i,
1246                                       context->names[i].name,
1247                                       context->names[i].name ?: "(null)");
1248                }
1249#endif
1250                __putname(name);
1251        }
1252#if AUDIT_DEBUG
1253        else {
1254                ++context->put_count;
1255                if (context->put_count > context->name_count) {
1256                        printk(KERN_ERR "%s:%d(:%d): major=%d"
1257                               " in_syscall=%d putname(%p) name_count=%d"
1258                               " put_count=%d\n",
1259                               __FILE__, __LINE__,
1260                               context->serial, context->major,
1261                               context->in_syscall, name, context->name_count,
1262                               context->put_count);
1263                        dump_stack();
1264                }
1265        }
1266#endif
1267}
1268
1269/* Copy inode data into an audit_names. */
1270static void audit_copy_inode(struct audit_names *name, const struct inode *inode)
1271{
1272        name->ino   = inode->i_ino;
1273        name->dev   = inode->i_sb->s_dev;
1274        name->mode  = inode->i_mode;
1275        name->uid   = inode->i_uid;
1276        name->gid   = inode->i_gid;
1277        name->rdev  = inode->i_rdev;
1278        selinux_get_inode_sid(inode, &name->osid);
1279}
1280
1281/**
1282 * audit_inode - store the inode and device from a lookup
1283 * @name: name being audited
1284 * @inode: inode being audited
1285 *
1286 * Called from fs/namei.c:path_lookup().
1287 */
1288void __audit_inode(const char *name, const struct inode *inode)
1289{
1290        int idx;
1291        struct audit_context *context = current->audit_context;
1292
1293        if (!context->in_syscall)
1294                return;
1295        if (context->name_count
1296            && context->names[context->name_count-1].name
1297            && context->names[context->name_count-1].name == name)
1298                idx = context->name_count - 1;
1299        else if (context->name_count > 1
1300                 && context->names[context->name_count-2].name
1301                 && context->names[context->name_count-2].name == name)
1302                idx = context->name_count - 2;
1303        else {
1304                /* FIXME: how much do we care about inodes that have no
1305                 * associated name? */
1306                if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
1307                        return;
1308                idx = context->name_count++;
1309                context->names[idx].name = NULL;
1310#if AUDIT_DEBUG
1311                ++context->ino_count;
1312#endif
1313        }
1314        audit_copy_inode(&context->names[idx], inode);
1315}
1316
1317/**
1318 * audit_inode_child - collect inode info for created/removed objects
1319 * @dname: inode's dentry name
1320 * @inode: inode being audited
1321 * @parent: inode of dentry parent
1322 *
1323 * For syscalls that create or remove filesystem objects, audit_inode
1324 * can only collect information for the filesystem object's parent.
1325 * This call updates the audit context with the child's information.
1326 * Syscalls that create a new filesystem object must be hooked after
1327 * the object is created.  Syscalls that remove a filesystem object
1328 * must be hooked prior, in order to capture the target inode during
1329 * unsuccessful attempts.
1330 */
1331void __audit_inode_child(const char *dname, const struct inode *inode,
1332                         const struct inode *parent)
1333{
1334        int idx;
1335        struct audit_context *context = current->audit_context;
1336        const char *found_name = NULL;
1337        int dirlen = 0;
1338
1339        if (!context->in_syscall)
1340                return;
1341
1342        /* determine matching parent */
1343        if (!dname)
1344                goto update_context;
1345        for (idx = 0; idx < context->name_count; idx++)
1346                if (context->names[idx].ino == parent->i_ino) {
1347                        const char *name = context->names[idx].name;
1348
1349                        if (!name)
1350                                continue;
1351
1352                        if (audit_compare_dname_path(dname, name, &dirlen) == 0) {
1353                                context->names[idx].name_len = dirlen;
1354                                found_name = name;
1355                                break;
1356                        }
1357                }
1358
1359update_context:
1360        idx = context->name_count;
1361        if (context->name_count == AUDIT_NAMES) {
1362                printk(KERN_DEBUG "name_count maxed and losing %s\n",
1363                        found_name ?: "(null)");
1364                return;
1365        }
1366        context->name_count++;
1367#if AUDIT_DEBUG
1368        context->ino_count++;
1369#endif
1370        /* Re-use the name belonging to the slot for a matching parent directory.
1371         * All names for this context are relinquished in audit_free_names() */
1372        context->names[idx].name = found_name;
1373        context->names[idx].name_len = AUDIT_NAME_FULL;
1374        context->names[idx].name_put = 0;       /* don't call __putname() */
1375
1376        if (!inode)
1377                context->names[idx].ino = (unsigned long)-1;
1378        else
1379                audit_copy_inode(&context->names[idx], inode);
1380
1381        /* A parent was not found in audit_names, so copy the inode data for the
1382         * provided parent. */
1383        if (!found_name) {
1384                idx = context->name_count;
1385                if (context->name_count == AUDIT_NAMES) {
1386                        printk(KERN_DEBUG
1387                                "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
1388                                MAJOR(parent->i_sb->s_dev),
1389                                MINOR(parent->i_sb->s_dev),
1390                                parent->i_ino);
1391                        return;
1392                }
1393                context->name_count++;
1394#if AUDIT_DEBUG
1395                context->ino_count++;
1396#endif
1397                audit_copy_inode(&context->names[idx], parent);
1398        }
1399}
1400
1401/**
1402 * audit_inode_update - update inode info for last collected name
1403 * @inode: inode being audited
1404 *
1405 * When open() is called on an existing object with the O_CREAT flag, the inode
1406 * data audit initially collects is incorrect.  This additional hook ensures
1407 * audit has the inode data for the actual object to be opened.
1408 */
1409void __audit_inode_update(const struct inode *inode)
1410{
1411        struct audit_context *context = current->audit_context;
1412        int idx;
1413
1414        if (!context->in_syscall || !inode)
1415                return;
1416
1417        if (context->name_count == 0) {
1418                context->name_count++;
1419#if AUDIT_DEBUG
1420                context->ino_count++;
1421#endif
1422        }
1423        idx = context->name_count - 1;
1424
1425        audit_copy_inode(&context->names[idx], inode);
1426}
1427
1428/**
1429 * auditsc_get_stamp - get local copies of audit_context values
1430 * @ctx: audit_context for the task
1431 * @t: timespec to store time recorded in the audit_context
1432 * @serial: serial value that is recorded in the audit_context
1433 *
1434 * Also sets the context as auditable.
1435 */
1436void auditsc_get_stamp(struct audit_context *ctx,
1437                       struct timespec *t, unsigned int *serial)
1438{
1439        if (!ctx->serial)
1440                ctx->serial = audit_serial();
1441        t->tv_sec  = ctx->ctime.tv_sec;
1442        t->tv_nsec = ctx->ctime.tv_nsec;
1443        *serial    = ctx->serial;
1444        ctx->auditable = 1;
1445}
1446
1447/**
1448 * audit_set_loginuid - set a task's audit_context loginuid
1449 * @task: task whose audit context is being modified
1450 * @loginuid: loginuid value
1451 *
1452 * Returns 0.
1453 *
1454 * Called (set) from fs/proc/base.c::proc_loginuid_write().
1455 */
1456int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1457{
1458        struct audit_context *context = task->audit_context;
1459
1460        if (context) {
1461                /* Only log if audit is enabled */
1462                if (context->in_syscall) {
1463                        struct audit_buffer *ab;
1464
1465                        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1466                        if (ab) {
1467                                audit_log_format(ab, "login pid=%d uid=%u "
1468                                        "old auid=%u new auid=%u",
1469                                        task->pid, task->uid,
1470                                        context->loginuid, loginuid);
1471                                audit_log_end(ab);
1472                        }
1473                }
1474                context->loginuid = loginuid;
1475        }
1476        return 0;
1477}
1478
1479/**
1480 * audit_get_loginuid - get the loginuid for an audit_context
1481 * @ctx: the audit_context
1482 *
1483 * Returns the context's loginuid or -1 if @ctx is NULL.
1484 */
1485uid_t audit_get_loginuid(struct audit_context *ctx)
1486{
1487        return ctx ? ctx->loginuid : -1;
1488}
1489
1490/**
1491 * __audit_mq_open - record audit data for a POSIX MQ open
1492 * @oflag: open flag
1493 * @mode: mode bits
1494 * @u_attr: queue attributes
1495 *
1496 * Returns 0 for success or NULL context or < 0 on error.
1497 */
1498int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
1499{
1500        struct audit_aux_data_mq_open *ax;
1501        struct audit_context *context = current->audit_context;
1502
1503        if (!audit_enabled)
1504                return 0;
1505
1506        if (likely(!context))
1507                return 0;
1508
1509        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1510        if (!ax)
1511                return -ENOMEM;
1512
1513        if (u_attr != NULL) {
1514                if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) {
1515                        kfree(ax);
1516                        return -EFAULT;
1517                }
1518        } else
1519                memset(&ax->attr, 0, sizeof(ax->attr));
1520
1521        ax->oflag = oflag;
1522        ax->mode = mode;
1523
1524        ax->d.type = AUDIT_MQ_OPEN;
1525        ax->d.next = context->aux;
1526        context->aux = (void *)ax;
1527        return 0;
1528}
1529
1530/**
1531 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send
1532 * @mqdes: MQ descriptor
1533 * @msg_len: Message length
1534 * @msg_prio: Message priority
1535 * @u_abs_timeout: Message timeout in absolute time
1536 *
1537 * Returns 0 for success or NULL context or < 0 on error.
1538 */
1539int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
1540                        const struct timespec __user *u_abs_timeout)
1541{
1542        struct audit_aux_data_mq_sendrecv *ax;
1543        struct audit_context *context = current->audit_context;
1544
1545        if (!audit_enabled)
1546                return 0;
1547
1548        if (likely(!context))
1549                return 0;
1550
1551        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1552        if (!ax)
1553                return -ENOMEM;
1554
1555        if (u_abs_timeout != NULL) {
1556                if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {
1557                        kfree(ax);
1558                        return -EFAULT;
1559                }
1560        } else
1561                memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));
1562
1563        ax->mqdes = mqdes;
1564        ax->msg_len = msg_len;
1565        ax->msg_prio = msg_prio;
1566
1567        ax->d.type = AUDIT_MQ_SENDRECV;
1568        ax->d.next = context->aux;
1569        context->aux = (void *)ax;
1570        return 0;
1571}
1572
1573/**
1574 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive
1575 * @mqdes: MQ descriptor
1576 * @msg_len: Message length
1577 * @u_msg_prio: Message priority
1578 * @u_abs_timeout: Message timeout in absolute time
1579 *
1580 * Returns 0 for success or NULL context or < 0 on error.
1581 */
1582int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len,
1583                                unsigned int __user *u_msg_prio,
1584                                const struct timespec __user *u_abs_timeout)
1585{
1586        struct audit_aux_data_mq_sendrecv *ax;
1587        struct audit_context *context = current->audit_context;
1588
1589        if (!audit_enabled)
1590                return 0;
1591
1592        if (likely(!context))
1593                return 0;
1594
1595        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1596        if (!ax)
1597                return -ENOMEM;
1598
1599        if (u_msg_prio != NULL) {
1600                if (get_user(ax->msg_prio, u_msg_prio)) {
1601                        kfree(ax);
1602                        return -EFAULT;
1603                }
1604        } else
1605                ax->msg_prio = 0;
1606
1607        if (u_abs_timeout != NULL) {
1608                if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) {
1609                        kfree(ax);
1610                        return -EFAULT;
1611                }
1612        } else
1613                memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout));
1614
1615        ax->mqdes = mqdes;
1616        ax->msg_len = msg_len;
1617
1618        ax->d.type = AUDIT_MQ_SENDRECV;
1619        ax->d.next = context->aux;
1620        context->aux = (void *)ax;
1621        return 0;
1622}
1623
1624/**
1625 * __audit_mq_notify - record audit data for a POSIX MQ notify
1626 * @mqdes: MQ descriptor
1627 * @u_notification: Notification event
1628 *
1629 * Returns 0 for success or NULL context or < 0 on error.
1630 */
1631
1632int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
1633{
1634        struct audit_aux_data_mq_notify *ax;
1635        struct audit_context *context = current->audit_context;
1636
1637        if (!audit_enabled)
1638                return 0;
1639
1640        if (likely(!context))
1641                return 0;
1642
1643        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1644        if (!ax)
1645                return -ENOMEM;
1646
1647        if (u_notification != NULL) {
1648                if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) {
1649                        kfree(ax);
1650                        return -EFAULT;
1651                }
1652        } else
1653                memset(&ax->notification, 0, sizeof(ax->notification));
1654
1655        ax->mqdes = mqdes;
1656
1657        ax->d.type = AUDIT_MQ_NOTIFY;
1658        ax->d.next = context->aux;
1659        context->aux = (void *)ax;
1660        return 0;
1661}
1662
1663/**
1664 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
1665 * @mqdes: MQ descriptor
1666 * @mqstat: MQ flags
1667 *
1668 * Returns 0 for success or NULL context or < 0 on error.
1669 */
1670int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
1671{
1672        struct audit_aux_data_mq_getsetattr *ax;
1673        struct audit_context *context = current->audit_context;
1674
1675        if (!audit_enabled)
1676                return 0;
1677
1678        if (likely(!context))
1679                return 0;
1680
1681        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1682        if (!ax)
1683                return -ENOMEM;
1684
1685        ax->mqdes = mqdes;
1686        ax->mqstat = *mqstat;
1687
1688        ax->d.type = AUDIT_MQ_GETSETATTR;
1689        ax->d.next = context->aux;
1690        context->aux = (void *)ax;
1691        return 0;
1692}
1693
1694/**
1695 * audit_ipc_obj - record audit data for ipc object
1696 * @ipcp: ipc permissions
1697 *
1698 * Returns 0 for success or NULL context or < 0 on error.
1699 */
1700int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
1701{
1702        struct audit_aux_data_ipcctl *ax;
1703        struct audit_context *context = current->audit_context;
1704
1705        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1706        if (!ax)
1707                return -ENOMEM;
1708
1709        ax->uid = ipcp->uid;
1710        ax->gid = ipcp->gid;
1711        ax->mode = ipcp->mode;
1712        selinux_get_ipc_sid(ipcp, &ax->osid);
1713
1714        ax->d.type = AUDIT_IPC;
1715        ax->d.next = context->aux;
1716        context->aux = (void *)ax;
1717        return 0;
1718}
1719
1720/**
1721 * audit_ipc_set_perm - record audit data for new ipc permissions
1722 * @qbytes: msgq bytes
1723 * @uid: msgq user id
1724 * @gid: msgq group id
1725 * @mode: msgq mode (permissions)
1726 *
1727 * Returns 0 for success or NULL context or < 0 on error.
1728 */
1729int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1730{
1731        struct audit_aux_data_ipcctl *ax;
1732        struct audit_context *context = current->audit_context;
1733
1734        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1735        if (!ax)
1736                return -ENOMEM;
1737
1738        ax->qbytes = qbytes;
1739        ax->uid = uid;
1740        ax->gid = gid;
1741        ax->mode = mode;
1742
1743        ax->d.type = AUDIT_IPC_SET_PERM;
1744        ax->d.next = context->aux;
1745        context->aux = (void *)ax;
1746        return 0;
1747}
1748
1749int audit_bprm(struct linux_binprm *bprm)
1750{
1751        struct audit_aux_data_execve *ax;
1752        struct audit_context *context = current->audit_context;
1753        unsigned long p, next;
1754        void *to;
1755
1756        if (likely(!audit_enabled || !context || context->dummy))
1757                return 0;
1758
1759        ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
1760                                GFP_KERNEL);
1761        if (!ax)
1762                return -ENOMEM;
1763
1764        ax->argc = bprm->argc;
1765        ax->envc = bprm->envc;
1766        for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
1767                struct page *page = bprm->page[p / PAGE_SIZE];
1768                void *kaddr = kmap(page);
1769                next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
1770                memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
1771                to += next - p;
1772                kunmap(page);
1773        }
1774
1775        ax->d.type = AUDIT_EXECVE;
1776        ax->d.next = context->aux;
1777        context->aux = (void *)ax;
1778        return 0;
1779}
1780
1781
1782/**
1783 * audit_socketcall - record audit data for sys_socketcall
1784 * @nargs: number of args
1785 * @args: args array
1786 *
1787 * Returns 0 for success or NULL context or < 0 on error.
1788 */
1789int audit_socketcall(int nargs, unsigned long *args)
1790{
1791        struct audit_aux_data_socketcall *ax;
1792        struct audit_context *context = current->audit_context;
1793
1794        if (likely(!context || context->dummy))
1795                return 0;
1796
1797        ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
1798        if (!ax)
1799                return -ENOMEM;
1800
1801        ax->nargs = nargs;
1802        memcpy(ax->args, args, nargs * sizeof(unsigned long));
1803
1804        ax->d.type = AUDIT_SOCKETCALL;
1805        ax->d.next = context->aux;
1806        context->aux = (void *)ax;
1807        return 0;
1808}
1809
1810/**
1811 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
1812 * @len: data length in user space
1813 * @a: data address in kernel space
1814 *
1815 * Returns 0 for success or NULL context or < 0 on error.
1816 */
1817int audit_sockaddr(int len, void *a)
1818{
1819        struct audit_aux_data_sockaddr *ax;
1820        struct audit_context *context = current->audit_context;
1821
1822        if (likely(!context || context->dummy))
1823                return 0;
1824
1825        ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
1826        if (!ax)
1827                return -ENOMEM;
1828
1829        ax->len = len;
1830        memcpy(ax->a, a, len);
1831
1832        ax->d.type = AUDIT_SOCKADDR;
1833        ax->d.next = context->aux;
1834        context->aux = (void *)ax;
1835        return 0;
1836}
1837
1838/**
1839 * audit_avc_path - record the granting or denial of permissions
1840 * @dentry: dentry to record
1841 * @mnt: mnt to record
1842 *
1843 * Returns 0 for success or NULL context or < 0 on error.
1844 *
1845 * Called from security/selinux/avc.c::avc_audit()
1846 */
1847int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1848{
1849        struct audit_aux_data_path *ax;
1850        struct audit_context *context = current->audit_context;
1851
1852        if (likely(!context))
1853                return 0;
1854
1855        ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1856        if (!ax)
1857                return -ENOMEM;
1858
1859        ax->dentry = dget(dentry);
1860        ax->mnt = mntget(mnt);
1861
1862        ax->d.type = AUDIT_AVC_PATH;
1863        ax->d.next = context->aux;
1864        context->aux = (void *)ax;
1865        return 0;
1866}
1867
1868/**
1869 * audit_signal_info - record signal info for shutting down audit subsystem
1870 * @sig: signal value
1871 * @t: task being signaled
1872 *
1873 * If the audit subsystem is being terminated, record the task (pid)
1874 * and uid that is doing that.
1875 */
1876void __audit_signal_info(int sig, struct task_struct *t)
1877{
1878        extern pid_t audit_sig_pid;
1879        extern uid_t audit_sig_uid;
1880        extern u32 audit_sig_sid;
1881
1882        if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
1883                struct task_struct *tsk = current;
1884                struct audit_context *ctx = tsk->audit_context;
1885                audit_sig_pid = tsk->pid;
1886                if (ctx)
1887                        audit_sig_uid = ctx->loginuid;
1888                else
1889                        audit_sig_uid = tsk->uid;
1890                selinux_get_task_sid(tsk, &audit_sig_sid);
1891        }
1892}
1893