linux/kernel/auditsc.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* auditsc.c -- System-call auditing support
   3 * Handles all system-call specific auditing features.
   4 *
   5 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   6 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   7 * Copyright (C) 2005, 2006 IBM Corporation
   8 * All Rights Reserved.
   9 *
  10 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  11 *
  12 * Many of the ideas implemented here are from Stephen C. Tweedie,
  13 * especially the idea of avoiding a copy by using getname.
  14 *
  15 * The method for actual interception of syscall entry and exit (not in
  16 * this file -- see entry.S) is based on a GPL'd patch written by
  17 * okir@suse.de and Copyright 2003 SuSE Linux AG.
  18 *
  19 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
  20 * 2006.
  21 *
  22 * The support of additional filter rules compares (>, <, >=, <=) was
  23 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  24 *
  25 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  26 * filesystem information.
  27 *
  28 * Subject and object context labeling support added by <danjones@us.ibm.com>
  29 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  30 */
  31
  32#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  33
  34#include <linux/init.h>
  35#include <asm/types.h>
  36#include <linux/atomic.h>
  37#include <linux/fs.h>
  38#include <linux/namei.h>
  39#include <linux/mm.h>
  40#include <linux/export.h>
  41#include <linux/slab.h>
  42#include <linux/mount.h>
  43#include <linux/socket.h>
  44#include <linux/mqueue.h>
  45#include <linux/audit.h>
  46#include <linux/personality.h>
  47#include <linux/time.h>
  48#include <linux/netlink.h>
  49#include <linux/compiler.h>
  50#include <asm/unistd.h>
  51#include <linux/security.h>
  52#include <linux/list.h>
  53#include <linux/binfmts.h>
  54#include <linux/highmem.h>
  55#include <linux/syscalls.h>
  56#include <asm/syscall.h>
  57#include <linux/capability.h>
  58#include <linux/fs_struct.h>
  59#include <linux/compat.h>
  60#include <linux/ctype.h>
  61#include <linux/string.h>
  62#include <linux/uaccess.h>
  63#include <linux/fsnotify_backend.h>
  64#include <uapi/linux/limits.h>
  65#include <uapi/linux/netfilter/nf_tables.h>
  66#include <uapi/linux/openat2.h> // struct open_how
  67
  68#include "audit.h"
  69
  70/* flags stating the success for a syscall */
  71#define AUDITSC_INVALID 0
  72#define AUDITSC_SUCCESS 1
  73#define AUDITSC_FAILURE 2
  74
  75/* no execve audit message should be longer than this (userspace limits),
  76 * see the note near the top of audit_log_execve_info() about this value */
  77#define MAX_EXECVE_AUDIT_LEN 7500
  78
  79/* max length to print of cmdline/proctitle value during audit */
  80#define MAX_PROCTITLE_AUDIT_LEN 128
  81
  82/* number of audit rules */
  83int audit_n_rules;
  84
  85/* determines whether we collect data for signals sent */
  86int audit_signals;
  87
  88struct audit_aux_data {
  89        struct audit_aux_data   *next;
  90        int                     type;
  91};
  92
  93/* Number of target pids per aux struct. */
  94#define AUDIT_AUX_PIDS  16
  95
  96struct audit_aux_data_pids {
  97        struct audit_aux_data   d;
  98        pid_t                   target_pid[AUDIT_AUX_PIDS];
  99        kuid_t                  target_auid[AUDIT_AUX_PIDS];
 100        kuid_t                  target_uid[AUDIT_AUX_PIDS];
 101        unsigned int            target_sessionid[AUDIT_AUX_PIDS];
 102        u32                     target_sid[AUDIT_AUX_PIDS];
 103        char                    target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
 104        int                     pid_count;
 105};
 106
 107struct audit_aux_data_bprm_fcaps {
 108        struct audit_aux_data   d;
 109        struct audit_cap_data   fcap;
 110        unsigned int            fcap_ver;
 111        struct audit_cap_data   old_pcap;
 112        struct audit_cap_data   new_pcap;
 113};
 114
 115struct audit_tree_refs {
 116        struct audit_tree_refs *next;
 117        struct audit_chunk *c[31];
 118};
 119
 120struct audit_nfcfgop_tab {
 121        enum audit_nfcfgop      op;
 122        const char              *s;
 123};
 124
 125static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
 126        { AUDIT_XT_OP_REGISTER,                 "xt_register"              },
 127        { AUDIT_XT_OP_REPLACE,                  "xt_replace"               },
 128        { AUDIT_XT_OP_UNREGISTER,               "xt_unregister"            },
 129        { AUDIT_NFT_OP_TABLE_REGISTER,          "nft_register_table"       },
 130        { AUDIT_NFT_OP_TABLE_UNREGISTER,        "nft_unregister_table"     },
 131        { AUDIT_NFT_OP_CHAIN_REGISTER,          "nft_register_chain"       },
 132        { AUDIT_NFT_OP_CHAIN_UNREGISTER,        "nft_unregister_chain"     },
 133        { AUDIT_NFT_OP_RULE_REGISTER,           "nft_register_rule"        },
 134        { AUDIT_NFT_OP_RULE_UNREGISTER,         "nft_unregister_rule"      },
 135        { AUDIT_NFT_OP_SET_REGISTER,            "nft_register_set"         },
 136        { AUDIT_NFT_OP_SET_UNREGISTER,          "nft_unregister_set"       },
 137        { AUDIT_NFT_OP_SETELEM_REGISTER,        "nft_register_setelem"     },
 138        { AUDIT_NFT_OP_SETELEM_UNREGISTER,      "nft_unregister_setelem"   },
 139        { AUDIT_NFT_OP_GEN_REGISTER,            "nft_register_gen"         },
 140        { AUDIT_NFT_OP_OBJ_REGISTER,            "nft_register_obj"         },
 141        { AUDIT_NFT_OP_OBJ_UNREGISTER,          "nft_unregister_obj"       },
 142        { AUDIT_NFT_OP_OBJ_RESET,               "nft_reset_obj"            },
 143        { AUDIT_NFT_OP_FLOWTABLE_REGISTER,      "nft_register_flowtable"   },
 144        { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,    "nft_unregister_flowtable" },
 145        { AUDIT_NFT_OP_INVALID,                 "nft_invalid"              },
 146};
 147
 148static int audit_match_perm(struct audit_context *ctx, int mask)
 149{
 150        unsigned n;
 151
 152        if (unlikely(!ctx))
 153                return 0;
 154        n = ctx->major;
 155
 156        switch (audit_classify_syscall(ctx->arch, n)) {
 157        case AUDITSC_NATIVE:
 158                if ((mask & AUDIT_PERM_WRITE) &&
 159                     audit_match_class(AUDIT_CLASS_WRITE, n))
 160                        return 1;
 161                if ((mask & AUDIT_PERM_READ) &&
 162                     audit_match_class(AUDIT_CLASS_READ, n))
 163                        return 1;
 164                if ((mask & AUDIT_PERM_ATTR) &&
 165                     audit_match_class(AUDIT_CLASS_CHATTR, n))
 166                        return 1;
 167                return 0;
 168        case AUDITSC_COMPAT: /* 32bit on biarch */
 169                if ((mask & AUDIT_PERM_WRITE) &&
 170                     audit_match_class(AUDIT_CLASS_WRITE_32, n))
 171                        return 1;
 172                if ((mask & AUDIT_PERM_READ) &&
 173                     audit_match_class(AUDIT_CLASS_READ_32, n))
 174                        return 1;
 175                if ((mask & AUDIT_PERM_ATTR) &&
 176                     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
 177                        return 1;
 178                return 0;
 179        case AUDITSC_OPEN:
 180                return mask & ACC_MODE(ctx->argv[1]);
 181        case AUDITSC_OPENAT:
 182                return mask & ACC_MODE(ctx->argv[2]);
 183        case AUDITSC_SOCKETCALL:
 184                return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 185        case AUDITSC_EXECVE:
 186                return mask & AUDIT_PERM_EXEC;
 187        case AUDITSC_OPENAT2:
 188                return mask & ACC_MODE((u32)ctx->openat2.flags);
 189        default:
 190                return 0;
 191        }
 192}
 193
 194static int audit_match_filetype(struct audit_context *ctx, int val)
 195{
 196        struct audit_names *n;
 197        umode_t mode = (umode_t)val;
 198
 199        if (unlikely(!ctx))
 200                return 0;
 201
 202        list_for_each_entry(n, &ctx->names_list, list) {
 203                if ((n->ino != AUDIT_INO_UNSET) &&
 204                    ((n->mode & S_IFMT) == mode))
 205                        return 1;
 206        }
 207
 208        return 0;
 209}
 210
 211/*
 212 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 213 * ->first_trees points to its beginning, ->trees - to the current end of data.
 214 * ->tree_count is the number of free entries in array pointed to by ->trees.
 215 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 216 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 217 * it's going to remain 1-element for almost any setup) until we free context itself.
 218 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 219 */
 220
 221static void audit_set_auditable(struct audit_context *ctx)
 222{
 223        if (!ctx->prio) {
 224                ctx->prio = 1;
 225                ctx->current_state = AUDIT_STATE_RECORD;
 226        }
 227}
 228
 229static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
 230{
 231        struct audit_tree_refs *p = ctx->trees;
 232        int left = ctx->tree_count;
 233
 234        if (likely(left)) {
 235                p->c[--left] = chunk;
 236                ctx->tree_count = left;
 237                return 1;
 238        }
 239        if (!p)
 240                return 0;
 241        p = p->next;
 242        if (p) {
 243                p->c[30] = chunk;
 244                ctx->trees = p;
 245                ctx->tree_count = 30;
 246                return 1;
 247        }
 248        return 0;
 249}
 250
 251static int grow_tree_refs(struct audit_context *ctx)
 252{
 253        struct audit_tree_refs *p = ctx->trees;
 254
 255        ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
 256        if (!ctx->trees) {
 257                ctx->trees = p;
 258                return 0;
 259        }
 260        if (p)
 261                p->next = ctx->trees;
 262        else
 263                ctx->first_trees = ctx->trees;
 264        ctx->tree_count = 31;
 265        return 1;
 266}
 267
 268static void unroll_tree_refs(struct audit_context *ctx,
 269                      struct audit_tree_refs *p, int count)
 270{
 271        struct audit_tree_refs *q;
 272        int n;
 273
 274        if (!p) {
 275                /* we started with empty chain */
 276                p = ctx->first_trees;
 277                count = 31;
 278                /* if the very first allocation has failed, nothing to do */
 279                if (!p)
 280                        return;
 281        }
 282        n = count;
 283        for (q = p; q != ctx->trees; q = q->next, n = 31) {
 284                while (n--) {
 285                        audit_put_chunk(q->c[n]);
 286                        q->c[n] = NULL;
 287                }
 288        }
 289        while (n-- > ctx->tree_count) {
 290                audit_put_chunk(q->c[n]);
 291                q->c[n] = NULL;
 292        }
 293        ctx->trees = p;
 294        ctx->tree_count = count;
 295}
 296
 297static void free_tree_refs(struct audit_context *ctx)
 298{
 299        struct audit_tree_refs *p, *q;
 300
 301        for (p = ctx->first_trees; p; p = q) {
 302                q = p->next;
 303                kfree(p);
 304        }
 305}
 306
 307static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
 308{
 309        struct audit_tree_refs *p;
 310        int n;
 311
 312        if (!tree)
 313                return 0;
 314        /* full ones */
 315        for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
 316                for (n = 0; n < 31; n++)
 317                        if (audit_tree_match(p->c[n], tree))
 318                                return 1;
 319        }
 320        /* partial */
 321        if (p) {
 322                for (n = ctx->tree_count; n < 31; n++)
 323                        if (audit_tree_match(p->c[n], tree))
 324                                return 1;
 325        }
 326        return 0;
 327}
 328
 329static int audit_compare_uid(kuid_t uid,
 330                             struct audit_names *name,
 331                             struct audit_field *f,
 332                             struct audit_context *ctx)
 333{
 334        struct audit_names *n;
 335        int rc;
 336
 337        if (name) {
 338                rc = audit_uid_comparator(uid, f->op, name->uid);
 339                if (rc)
 340                        return rc;
 341        }
 342
 343        if (ctx) {
 344                list_for_each_entry(n, &ctx->names_list, list) {
 345                        rc = audit_uid_comparator(uid, f->op, n->uid);
 346                        if (rc)
 347                                return rc;
 348                }
 349        }
 350        return 0;
 351}
 352
 353static int audit_compare_gid(kgid_t gid,
 354                             struct audit_names *name,
 355                             struct audit_field *f,
 356                             struct audit_context *ctx)
 357{
 358        struct audit_names *n;
 359        int rc;
 360
 361        if (name) {
 362                rc = audit_gid_comparator(gid, f->op, name->gid);
 363                if (rc)
 364                        return rc;
 365        }
 366
 367        if (ctx) {
 368                list_for_each_entry(n, &ctx->names_list, list) {
 369                        rc = audit_gid_comparator(gid, f->op, n->gid);
 370                        if (rc)
 371                                return rc;
 372                }
 373        }
 374        return 0;
 375}
 376
 377static int audit_field_compare(struct task_struct *tsk,
 378                               const struct cred *cred,
 379                               struct audit_field *f,
 380                               struct audit_context *ctx,
 381                               struct audit_names *name)
 382{
 383        switch (f->val) {
 384        /* process to file object comparisons */
 385        case AUDIT_COMPARE_UID_TO_OBJ_UID:
 386                return audit_compare_uid(cred->uid, name, f, ctx);
 387        case AUDIT_COMPARE_GID_TO_OBJ_GID:
 388                return audit_compare_gid(cred->gid, name, f, ctx);
 389        case AUDIT_COMPARE_EUID_TO_OBJ_UID:
 390                return audit_compare_uid(cred->euid, name, f, ctx);
 391        case AUDIT_COMPARE_EGID_TO_OBJ_GID:
 392                return audit_compare_gid(cred->egid, name, f, ctx);
 393        case AUDIT_COMPARE_AUID_TO_OBJ_UID:
 394                return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
 395        case AUDIT_COMPARE_SUID_TO_OBJ_UID:
 396                return audit_compare_uid(cred->suid, name, f, ctx);
 397        case AUDIT_COMPARE_SGID_TO_OBJ_GID:
 398                return audit_compare_gid(cred->sgid, name, f, ctx);
 399        case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
 400                return audit_compare_uid(cred->fsuid, name, f, ctx);
 401        case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
 402                return audit_compare_gid(cred->fsgid, name, f, ctx);
 403        /* uid comparisons */
 404        case AUDIT_COMPARE_UID_TO_AUID:
 405                return audit_uid_comparator(cred->uid, f->op,
 406                                            audit_get_loginuid(tsk));
 407        case AUDIT_COMPARE_UID_TO_EUID:
 408                return audit_uid_comparator(cred->uid, f->op, cred->euid);
 409        case AUDIT_COMPARE_UID_TO_SUID:
 410                return audit_uid_comparator(cred->uid, f->op, cred->suid);
 411        case AUDIT_COMPARE_UID_TO_FSUID:
 412                return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
 413        /* auid comparisons */
 414        case AUDIT_COMPARE_AUID_TO_EUID:
 415                return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
 416                                            cred->euid);
 417        case AUDIT_COMPARE_AUID_TO_SUID:
 418                return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
 419                                            cred->suid);
 420        case AUDIT_COMPARE_AUID_TO_FSUID:
 421                return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
 422                                            cred->fsuid);
 423        /* euid comparisons */
 424        case AUDIT_COMPARE_EUID_TO_SUID:
 425                return audit_uid_comparator(cred->euid, f->op, cred->suid);
 426        case AUDIT_COMPARE_EUID_TO_FSUID:
 427                return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
 428        /* suid comparisons */
 429        case AUDIT_COMPARE_SUID_TO_FSUID:
 430                return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
 431        /* gid comparisons */
 432        case AUDIT_COMPARE_GID_TO_EGID:
 433                return audit_gid_comparator(cred->gid, f->op, cred->egid);
 434        case AUDIT_COMPARE_GID_TO_SGID:
 435                return audit_gid_comparator(cred->gid, f->op, cred->sgid);
 436        case AUDIT_COMPARE_GID_TO_FSGID:
 437                return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
 438        /* egid comparisons */
 439        case AUDIT_COMPARE_EGID_TO_SGID:
 440                return audit_gid_comparator(cred->egid, f->op, cred->sgid);
 441        case AUDIT_COMPARE_EGID_TO_FSGID:
 442                return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
 443        /* sgid comparison */
 444        case AUDIT_COMPARE_SGID_TO_FSGID:
 445                return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
 446        default:
 447                WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
 448                return 0;
 449        }
 450        return 0;
 451}
 452
 453/* Determine if any context name data matches a rule's watch data */
 454/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 455 * otherwise.
 456 *
 457 * If task_creation is true, this is an explicit indication that we are
 458 * filtering a task rule at task creation time.  This and tsk == current are
 459 * the only situations where tsk->cred may be accessed without an rcu read lock.
 460 */
 461static int audit_filter_rules(struct task_struct *tsk,
 462                              struct audit_krule *rule,
 463                              struct audit_context *ctx,
 464                              struct audit_names *name,
 465                              enum audit_state *state,
 466                              bool task_creation)
 467{
 468        const struct cred *cred;
 469        int i, need_sid = 1;
 470        u32 sid;
 471        unsigned int sessionid;
 472
 473        if (ctx && rule->prio <= ctx->prio)
 474                return 0;
 475
 476        cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 477
 478        for (i = 0; i < rule->field_count; i++) {
 479                struct audit_field *f = &rule->fields[i];
 480                struct audit_names *n;
 481                int result = 0;
 482                pid_t pid;
 483
 484                switch (f->type) {
 485                case AUDIT_PID:
 486                        pid = task_tgid_nr(tsk);
 487                        result = audit_comparator(pid, f->op, f->val);
 488                        break;
 489                case AUDIT_PPID:
 490                        if (ctx) {
 491                                if (!ctx->ppid)
 492                                        ctx->ppid = task_ppid_nr(tsk);
 493                                result = audit_comparator(ctx->ppid, f->op, f->val);
 494                        }
 495                        break;
 496                case AUDIT_EXE:
 497                        result = audit_exe_compare(tsk, rule->exe);
 498                        if (f->op == Audit_not_equal)
 499                                result = !result;
 500                        break;
 501                case AUDIT_UID:
 502                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
 503                        break;
 504                case AUDIT_EUID:
 505                        result = audit_uid_comparator(cred->euid, f->op, f->uid);
 506                        break;
 507                case AUDIT_SUID:
 508                        result = audit_uid_comparator(cred->suid, f->op, f->uid);
 509                        break;
 510                case AUDIT_FSUID:
 511                        result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
 512                        break;
 513                case AUDIT_GID:
 514                        result = audit_gid_comparator(cred->gid, f->op, f->gid);
 515                        if (f->op == Audit_equal) {
 516                                if (!result)
 517                                        result = groups_search(cred->group_info, f->gid);
 518                        } else if (f->op == Audit_not_equal) {
 519                                if (result)
 520                                        result = !groups_search(cred->group_info, f->gid);
 521                        }
 522                        break;
 523                case AUDIT_EGID:
 524                        result = audit_gid_comparator(cred->egid, f->op, f->gid);
 525                        if (f->op == Audit_equal) {
 526                                if (!result)
 527                                        result = groups_search(cred->group_info, f->gid);
 528                        } else if (f->op == Audit_not_equal) {
 529                                if (result)
 530                                        result = !groups_search(cred->group_info, f->gid);
 531                        }
 532                        break;
 533                case AUDIT_SGID:
 534                        result = audit_gid_comparator(cred->sgid, f->op, f->gid);
 535                        break;
 536                case AUDIT_FSGID:
 537                        result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 538                        break;
 539                case AUDIT_SESSIONID:
 540                        sessionid = audit_get_sessionid(tsk);
 541                        result = audit_comparator(sessionid, f->op, f->val);
 542                        break;
 543                case AUDIT_PERS:
 544                        result = audit_comparator(tsk->personality, f->op, f->val);
 545                        break;
 546                case AUDIT_ARCH:
 547                        if (ctx)
 548                                result = audit_comparator(ctx->arch, f->op, f->val);
 549                        break;
 550
 551                case AUDIT_EXIT:
 552                        if (ctx && ctx->return_valid != AUDITSC_INVALID)
 553                                result = audit_comparator(ctx->return_code, f->op, f->val);
 554                        break;
 555                case AUDIT_SUCCESS:
 556                        if (ctx && ctx->return_valid != AUDITSC_INVALID) {
 557                                if (f->val)
 558                                        result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
 559                                else
 560                                        result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
 561                        }
 562                        break;
 563                case AUDIT_DEVMAJOR:
 564                        if (name) {
 565                                if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
 566                                    audit_comparator(MAJOR(name->rdev), f->op, f->val))
 567                                        ++result;
 568                        } else if (ctx) {
 569                                list_for_each_entry(n, &ctx->names_list, list) {
 570                                        if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
 571                                            audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
 572                                                ++result;
 573                                                break;
 574                                        }
 575                                }
 576                        }
 577                        break;
 578                case AUDIT_DEVMINOR:
 579                        if (name) {
 580                                if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
 581                                    audit_comparator(MINOR(name->rdev), f->op, f->val))
 582                                        ++result;
 583                        } else if (ctx) {
 584                                list_for_each_entry(n, &ctx->names_list, list) {
 585                                        if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
 586                                            audit_comparator(MINOR(n->rdev), f->op, f->val)) {
 587                                                ++result;
 588                                                break;
 589                                        }
 590                                }
 591                        }
 592                        break;
 593                case AUDIT_INODE:
 594                        if (name)
 595                                result = audit_comparator(name->ino, f->op, f->val);
 596                        else if (ctx) {
 597                                list_for_each_entry(n, &ctx->names_list, list) {
 598                                        if (audit_comparator(n->ino, f->op, f->val)) {
 599                                                ++result;
 600                                                break;
 601                                        }
 602                                }
 603                        }
 604                        break;
 605                case AUDIT_OBJ_UID:
 606                        if (name) {
 607                                result = audit_uid_comparator(name->uid, f->op, f->uid);
 608                        } else if (ctx) {
 609                                list_for_each_entry(n, &ctx->names_list, list) {
 610                                        if (audit_uid_comparator(n->uid, f->op, f->uid)) {
 611                                                ++result;
 612                                                break;
 613                                        }
 614                                }
 615                        }
 616                        break;
 617                case AUDIT_OBJ_GID:
 618                        if (name) {
 619                                result = audit_gid_comparator(name->gid, f->op, f->gid);
 620                        } else if (ctx) {
 621                                list_for_each_entry(n, &ctx->names_list, list) {
 622                                        if (audit_gid_comparator(n->gid, f->op, f->gid)) {
 623                                                ++result;
 624                                                break;
 625                                        }
 626                                }
 627                        }
 628                        break;
 629                case AUDIT_WATCH:
 630                        if (name) {
 631                                result = audit_watch_compare(rule->watch,
 632                                                             name->ino,
 633                                                             name->dev);
 634                                if (f->op == Audit_not_equal)
 635                                        result = !result;
 636                        }
 637                        break;
 638                case AUDIT_DIR:
 639                        if (ctx) {
 640                                result = match_tree_refs(ctx, rule->tree);
 641                                if (f->op == Audit_not_equal)
 642                                        result = !result;
 643                        }
 644                        break;
 645                case AUDIT_LOGINUID:
 646                        result = audit_uid_comparator(audit_get_loginuid(tsk),
 647                                                      f->op, f->uid);
 648                        break;
 649                case AUDIT_LOGINUID_SET:
 650                        result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 651                        break;
 652                case AUDIT_SADDR_FAM:
 653                        if (ctx && ctx->sockaddr)
 654                                result = audit_comparator(ctx->sockaddr->ss_family,
 655                                                          f->op, f->val);
 656                        break;
 657                case AUDIT_SUBJ_USER:
 658                case AUDIT_SUBJ_ROLE:
 659                case AUDIT_SUBJ_TYPE:
 660                case AUDIT_SUBJ_SEN:
 661                case AUDIT_SUBJ_CLR:
 662                        /* NOTE: this may return negative values indicating
 663                           a temporary error.  We simply treat this as a
 664                           match for now to avoid losing information that
 665                           may be wanted.   An error message will also be
 666                           logged upon error */
 667                        if (f->lsm_rule) {
 668                                if (need_sid) {
 669                                        /* @tsk should always be equal to
 670                                         * @current with the exception of
 671                                         * fork()/copy_process() in which case
 672                                         * the new @tsk creds are still a dup
 673                                         * of @current's creds so we can still
 674                                         * use security_current_getsecid_subj()
 675                                         * here even though it always refs
 676                                         * @current's creds
 677                                         */
 678                                        security_current_getsecid_subj(&sid);
 679                                        need_sid = 0;
 680                                }
 681                                result = security_audit_rule_match(sid, f->type,
 682                                                                   f->op,
 683                                                                   f->lsm_rule);
 684                        }
 685                        break;
 686                case AUDIT_OBJ_USER:
 687                case AUDIT_OBJ_ROLE:
 688                case AUDIT_OBJ_TYPE:
 689                case AUDIT_OBJ_LEV_LOW:
 690                case AUDIT_OBJ_LEV_HIGH:
 691                        /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
 692                           also applies here */
 693                        if (f->lsm_rule) {
 694                                /* Find files that match */
 695                                if (name) {
 696                                        result = security_audit_rule_match(
 697                                                                name->osid,
 698                                                                f->type,
 699                                                                f->op,
 700                                                                f->lsm_rule);
 701                                } else if (ctx) {
 702                                        list_for_each_entry(n, &ctx->names_list, list) {
 703                                                if (security_audit_rule_match(
 704                                                                n->osid,
 705                                                                f->type,
 706                                                                f->op,
 707                                                                f->lsm_rule)) {
 708                                                        ++result;
 709                                                        break;
 710                                                }
 711                                        }
 712                                }
 713                                /* Find ipc objects that match */
 714                                if (!ctx || ctx->type != AUDIT_IPC)
 715                                        break;
 716                                if (security_audit_rule_match(ctx->ipc.osid,
 717                                                              f->type, f->op,
 718                                                              f->lsm_rule))
 719                                        ++result;
 720                        }
 721                        break;
 722                case AUDIT_ARG0:
 723                case AUDIT_ARG1:
 724                case AUDIT_ARG2:
 725                case AUDIT_ARG3:
 726                        if (ctx)
 727                                result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
 728                        break;
 729                case AUDIT_FILTERKEY:
 730                        /* ignore this field for filtering */
 731                        result = 1;
 732                        break;
 733                case AUDIT_PERM:
 734                        result = audit_match_perm(ctx, f->val);
 735                        if (f->op == Audit_not_equal)
 736                                result = !result;
 737                        break;
 738                case AUDIT_FILETYPE:
 739                        result = audit_match_filetype(ctx, f->val);
 740                        if (f->op == Audit_not_equal)
 741                                result = !result;
 742                        break;
 743                case AUDIT_FIELD_COMPARE:
 744                        result = audit_field_compare(tsk, cred, f, ctx, name);
 745                        break;
 746                }
 747                if (!result)
 748                        return 0;
 749        }
 750
 751        if (ctx) {
 752                if (rule->filterkey) {
 753                        kfree(ctx->filterkey);
 754                        ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
 755                }
 756                ctx->prio = rule->prio;
 757        }
 758        switch (rule->action) {
 759        case AUDIT_NEVER:
 760                *state = AUDIT_STATE_DISABLED;
 761                break;
 762        case AUDIT_ALWAYS:
 763                *state = AUDIT_STATE_RECORD;
 764                break;
 765        }
 766        return 1;
 767}
 768
 769/* At process creation time, we can determine if system-call auditing is
 770 * completely disabled for this task.  Since we only have the task
 771 * structure at this point, we can only check uid and gid.
 772 */
 773static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
 774{
 775        struct audit_entry *e;
 776        enum audit_state   state;
 777
 778        rcu_read_lock();
 779        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
 780                if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
 781                                       &state, true)) {
 782                        if (state == AUDIT_STATE_RECORD)
 783                                *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
 784                        rcu_read_unlock();
 785                        return state;
 786                }
 787        }
 788        rcu_read_unlock();
 789        return AUDIT_STATE_BUILD;
 790}
 791
 792static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
 793{
 794        int word, bit;
 795
 796        if (val > 0xffffffff)
 797                return false;
 798
 799        word = AUDIT_WORD(val);
 800        if (word >= AUDIT_BITMASK_SIZE)
 801                return false;
 802
 803        bit = AUDIT_BIT(val);
 804
 805        return rule->mask[word] & bit;
 806}
 807
 808/**
 809 * audit_filter_uring - apply filters to an io_uring operation
 810 * @tsk: associated task
 811 * @ctx: audit context
 812 */
 813static void audit_filter_uring(struct task_struct *tsk,
 814                               struct audit_context *ctx)
 815{
 816        struct audit_entry *e;
 817        enum audit_state state;
 818
 819        if (auditd_test_task(tsk))
 820                return;
 821
 822        rcu_read_lock();
 823        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_URING_EXIT],
 824                                list) {
 825                if (audit_in_mask(&e->rule, ctx->uring_op) &&
 826                    audit_filter_rules(tsk, &e->rule, ctx, NULL, &state,
 827                                       false)) {
 828                        rcu_read_unlock();
 829                        ctx->current_state = state;
 830                        return;
 831                }
 832        }
 833        rcu_read_unlock();
 834}
 835
 836/* At syscall exit time, this filter is called if the audit_state is
 837 * not low enough that auditing cannot take place, but is also not
 838 * high enough that we already know we have to write an audit record
 839 * (i.e., the state is AUDIT_STATE_BUILD).
 840 */
 841static void audit_filter_syscall(struct task_struct *tsk,
 842                                 struct audit_context *ctx)
 843{
 844        struct audit_entry *e;
 845        enum audit_state state;
 846
 847        if (auditd_test_task(tsk))
 848                return;
 849
 850        rcu_read_lock();
 851        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXIT], list) {
 852                if (audit_in_mask(&e->rule, ctx->major) &&
 853                    audit_filter_rules(tsk, &e->rule, ctx, NULL,
 854                                       &state, false)) {
 855                        rcu_read_unlock();
 856                        ctx->current_state = state;
 857                        return;
 858                }
 859        }
 860        rcu_read_unlock();
 861        return;
 862}
 863
 864/*
 865 * Given an audit_name check the inode hash table to see if they match.
 866 * Called holding the rcu read lock to protect the use of audit_inode_hash
 867 */
 868static int audit_filter_inode_name(struct task_struct *tsk,
 869                                   struct audit_names *n,
 870                                   struct audit_context *ctx) {
 871        int h = audit_hash_ino((u32)n->ino);
 872        struct list_head *list = &audit_inode_hash[h];
 873        struct audit_entry *e;
 874        enum audit_state state;
 875
 876        list_for_each_entry_rcu(e, list, list) {
 877                if (audit_in_mask(&e->rule, ctx->major) &&
 878                    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
 879                        ctx->current_state = state;
 880                        return 1;
 881                }
 882        }
 883        return 0;
 884}
 885
 886/* At syscall exit time, this filter is called if any audit_names have been
 887 * collected during syscall processing.  We only check rules in sublists at hash
 888 * buckets applicable to the inode numbers in audit_names.
 889 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 890 */
 891void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
 892{
 893        struct audit_names *n;
 894
 895        if (auditd_test_task(tsk))
 896                return;
 897
 898        rcu_read_lock();
 899
 900        list_for_each_entry(n, &ctx->names_list, list) {
 901                if (audit_filter_inode_name(tsk, n, ctx))
 902                        break;
 903        }
 904        rcu_read_unlock();
 905}
 906
 907static inline void audit_proctitle_free(struct audit_context *context)
 908{
 909        kfree(context->proctitle.value);
 910        context->proctitle.value = NULL;
 911        context->proctitle.len = 0;
 912}
 913
 914static inline void audit_free_module(struct audit_context *context)
 915{
 916        if (context->type == AUDIT_KERN_MODULE) {
 917                kfree(context->module.name);
 918                context->module.name = NULL;
 919        }
 920}
 921static inline void audit_free_names(struct audit_context *context)
 922{
 923        struct audit_names *n, *next;
 924
 925        list_for_each_entry_safe(n, next, &context->names_list, list) {
 926                list_del(&n->list);
 927                if (n->name)
 928                        putname(n->name);
 929                if (n->should_free)
 930                        kfree(n);
 931        }
 932        context->name_count = 0;
 933        path_put(&context->pwd);
 934        context->pwd.dentry = NULL;
 935        context->pwd.mnt = NULL;
 936}
 937
 938static inline void audit_free_aux(struct audit_context *context)
 939{
 940        struct audit_aux_data *aux;
 941
 942        while ((aux = context->aux)) {
 943                context->aux = aux->next;
 944                kfree(aux);
 945        }
 946        context->aux = NULL;
 947        while ((aux = context->aux_pids)) {
 948                context->aux_pids = aux->next;
 949                kfree(aux);
 950        }
 951        context->aux_pids = NULL;
 952}
 953
 954/**
 955 * audit_reset_context - reset a audit_context structure
 956 * @ctx: the audit_context to reset
 957 *
 958 * All fields in the audit_context will be reset to an initial state, all
 959 * references held by fields will be dropped, and private memory will be
 960 * released.  When this function returns the audit_context will be suitable
 961 * for reuse, so long as the passed context is not NULL or a dummy context.
 962 */
 963static void audit_reset_context(struct audit_context *ctx)
 964{
 965        if (!ctx)
 966                return;
 967
 968        /* if ctx is non-null, reset the "ctx->state" regardless */
 969        ctx->context = AUDIT_CTX_UNUSED;
 970        if (ctx->dummy)
 971                return;
 972
 973        /*
 974         * NOTE: It shouldn't matter in what order we release the fields, so
 975         *       release them in the order in which they appear in the struct;
 976         *       this gives us some hope of quickly making sure we are
 977         *       resetting the audit_context properly.
 978         *
 979         *       Other things worth mentioning:
 980         *       - we don't reset "dummy"
 981         *       - we don't reset "state", we do reset "current_state"
 982         *       - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD
 983         *       - much of this is likely overkill, but play it safe for now
 984         *       - we really need to work on improving the audit_context struct
 985         */
 986
 987        ctx->current_state = ctx->state;
 988        ctx->serial = 0;
 989        ctx->major = 0;
 990        ctx->uring_op = 0;
 991        ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
 992        memset(ctx->argv, 0, sizeof(ctx->argv));
 993        ctx->return_code = 0;
 994        ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
 995        ctx->return_valid = AUDITSC_INVALID;
 996        audit_free_names(ctx);
 997        if (ctx->state != AUDIT_STATE_RECORD) {
 998                kfree(ctx->filterkey);
 999                ctx->filterkey = NULL;
1000        }
1001        audit_free_aux(ctx);
1002        kfree(ctx->sockaddr);
1003        ctx->sockaddr = NULL;
1004        ctx->sockaddr_len = 0;
1005        ctx->pid = ctx->ppid = 0;
1006        ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
1007        ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
1008        ctx->personality = 0;
1009        ctx->arch = 0;
1010        ctx->target_pid = 0;
1011        ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
1012        ctx->target_sessionid = 0;
1013        ctx->target_sid = 0;
1014        ctx->target_comm[0] = '\0';
1015        unroll_tree_refs(ctx, NULL, 0);
1016        WARN_ON(!list_empty(&ctx->killed_trees));
1017        audit_free_module(ctx);
1018        ctx->fds[0] = -1;
1019        ctx->type = 0; /* reset last for audit_free_*() */
1020}
1021
1022static inline struct audit_context *audit_alloc_context(enum audit_state state)
1023{
1024        struct audit_context *context;
1025
1026        context = kzalloc(sizeof(*context), GFP_KERNEL);
1027        if (!context)
1028                return NULL;
1029        context->context = AUDIT_CTX_UNUSED;
1030        context->state = state;
1031        context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;
1032        INIT_LIST_HEAD(&context->killed_trees);
1033        INIT_LIST_HEAD(&context->names_list);
1034        context->fds[0] = -1;
1035        context->return_valid = AUDITSC_INVALID;
1036        return context;
1037}
1038
1039/**
1040 * audit_alloc - allocate an audit context block for a task
1041 * @tsk: task
1042 *
1043 * Filter on the task information and allocate a per-task audit context
1044 * if necessary.  Doing so turns on system call auditing for the
1045 * specified task.  This is called from copy_process, so no lock is
1046 * needed.
1047 */
1048int audit_alloc(struct task_struct *tsk)
1049{
1050        struct audit_context *context;
1051        enum audit_state     state;
1052        char *key = NULL;
1053
1054        if (likely(!audit_ever_enabled))
1055                return 0;
1056
1057        state = audit_filter_task(tsk, &key);
1058        if (state == AUDIT_STATE_DISABLED) {
1059                clear_task_syscall_work(tsk, SYSCALL_AUDIT);
1060                return 0;
1061        }
1062
1063        if (!(context = audit_alloc_context(state))) {
1064                kfree(key);
1065                audit_log_lost("out of memory in audit_alloc");
1066                return -ENOMEM;
1067        }
1068        context->filterkey = key;
1069
1070        audit_set_context(tsk, context);
1071        set_task_syscall_work(tsk, SYSCALL_AUDIT);
1072        return 0;
1073}
1074
1075static inline void audit_free_context(struct audit_context *context)
1076{
1077        /* resetting is extra work, but it is likely just noise */
1078        audit_reset_context(context);
1079        audit_proctitle_free(context);
1080        free_tree_refs(context);
1081        kfree(context->filterkey);
1082        kfree(context);
1083}
1084
1085static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1086                                 kuid_t auid, kuid_t uid, unsigned int sessionid,
1087                                 u32 sid, char *comm)
1088{
1089        struct audit_buffer *ab;
1090        char *ctx = NULL;
1091        u32 len;
1092        int rc = 0;
1093
1094        ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1095        if (!ab)
1096                return rc;
1097
1098        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1099                         from_kuid(&init_user_ns, auid),
1100                         from_kuid(&init_user_ns, uid), sessionid);
1101        if (sid) {
1102                if (security_secid_to_secctx(sid, &ctx, &len)) {
1103                        audit_log_format(ab, " obj=(none)");
1104                        rc = 1;
1105                } else {
1106                        audit_log_format(ab, " obj=%s", ctx);
1107                        security_release_secctx(ctx, len);
1108                }
1109        }
1110        audit_log_format(ab, " ocomm=");
1111        audit_log_untrustedstring(ab, comm);
1112        audit_log_end(ab);
1113
1114        return rc;
1115}
1116
1117static void audit_log_execve_info(struct audit_context *context,
1118                                  struct audit_buffer **ab)
1119{
1120        long len_max;
1121        long len_rem;
1122        long len_full;
1123        long len_buf;
1124        long len_abuf = 0;
1125        long len_tmp;
1126        bool require_data;
1127        bool encode;
1128        unsigned int iter;
1129        unsigned int arg;
1130        char *buf_head;
1131        char *buf;
1132        const char __user *p = (const char __user *)current->mm->arg_start;
1133
1134        /* NOTE: this buffer needs to be large enough to hold all the non-arg
1135         *       data we put in the audit record for this argument (see the
1136         *       code below) ... at this point in time 96 is plenty */
1137        char abuf[96];
1138
1139        /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1140         *       current value of 7500 is not as important as the fact that it
1141         *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1142         *       room if we go over a little bit in the logging below */
1143        WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1144        len_max = MAX_EXECVE_AUDIT_LEN;
1145
1146        /* scratch buffer to hold the userspace args */
1147        buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1148        if (!buf_head) {
1149                audit_panic("out of memory for argv string");
1150                return;
1151        }
1152        buf = buf_head;
1153
1154        audit_log_format(*ab, "argc=%d", context->execve.argc);
1155
1156        len_rem = len_max;
1157        len_buf = 0;
1158        len_full = 0;
1159        require_data = true;
1160        encode = false;
1161        iter = 0;
1162        arg = 0;
1163        do {
1164                /* NOTE: we don't ever want to trust this value for anything
1165                 *       serious, but the audit record format insists we
1166                 *       provide an argument length for really long arguments,
1167                 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1168                 *       to use strncpy_from_user() to obtain this value for
1169                 *       recording in the log, although we don't use it
1170                 *       anywhere here to avoid a double-fetch problem */
1171                if (len_full == 0)
1172                        len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1173
1174                /* read more data from userspace */
1175                if (require_data) {
1176                        /* can we make more room in the buffer? */
1177                        if (buf != buf_head) {
1178                                memmove(buf_head, buf, len_buf);
1179                                buf = buf_head;
1180                        }
1181
1182                        /* fetch as much as we can of the argument */
1183                        len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1184                                                    len_max - len_buf);
1185                        if (len_tmp == -EFAULT) {
1186                                /* unable to copy from userspace */
1187                                send_sig(SIGKILL, current, 0);
1188                                goto out;
1189                        } else if (len_tmp == (len_max - len_buf)) {
1190                                /* buffer is not large enough */
1191                                require_data = true;
1192                                /* NOTE: if we are going to span multiple
1193                                 *       buffers force the encoding so we stand
1194                                 *       a chance at a sane len_full value and
1195                                 *       consistent record encoding */
1196                                encode = true;
1197                                len_full = len_full * 2;
1198                                p += len_tmp;
1199                        } else {
1200                                require_data = false;
1201                                if (!encode)
1202                                        encode = audit_string_contains_control(
1203                                                                buf, len_tmp);
1204                                /* try to use a trusted value for len_full */
1205                                if (len_full < len_max)
1206                                        len_full = (encode ?
1207                                                    len_tmp * 2 : len_tmp);
1208                                p += len_tmp + 1;
1209                        }
1210                        len_buf += len_tmp;
1211                        buf_head[len_buf] = '\0';
1212
1213                        /* length of the buffer in the audit record? */
1214                        len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1215                }
1216
1217                /* write as much as we can to the audit log */
1218                if (len_buf >= 0) {
1219                        /* NOTE: some magic numbers here - basically if we
1220                         *       can't fit a reasonable amount of data into the
1221                         *       existing audit buffer, flush it and start with
1222                         *       a new buffer */
1223                        if ((sizeof(abuf) + 8) > len_rem) {
1224                                len_rem = len_max;
1225                                audit_log_end(*ab);
1226                                *ab = audit_log_start(context,
1227                                                      GFP_KERNEL, AUDIT_EXECVE);
1228                                if (!*ab)
1229                                        goto out;
1230                        }
1231
1232                        /* create the non-arg portion of the arg record */
1233                        len_tmp = 0;
1234                        if (require_data || (iter > 0) ||
1235                            ((len_abuf + sizeof(abuf)) > len_rem)) {
1236                                if (iter == 0) {
1237                                        len_tmp += snprintf(&abuf[len_tmp],
1238                                                        sizeof(abuf) - len_tmp,
1239                                                        " a%d_len=%lu",
1240                                                        arg, len_full);
1241                                }
1242                                len_tmp += snprintf(&abuf[len_tmp],
1243                                                    sizeof(abuf) - len_tmp,
1244                                                    " a%d[%d]=", arg, iter++);
1245                        } else
1246                                len_tmp += snprintf(&abuf[len_tmp],
1247                                                    sizeof(abuf) - len_tmp,
1248                                                    " a%d=", arg);
1249                        WARN_ON(len_tmp >= sizeof(abuf));
1250                        abuf[sizeof(abuf) - 1] = '\0';
1251
1252                        /* log the arg in the audit record */
1253                        audit_log_format(*ab, "%s", abuf);
1254                        len_rem -= len_tmp;
1255                        len_tmp = len_buf;
1256                        if (encode) {
1257                                if (len_abuf > len_rem)
1258                                        len_tmp = len_rem / 2; /* encoding */
1259                                audit_log_n_hex(*ab, buf, len_tmp);
1260                                len_rem -= len_tmp * 2;
1261                                len_abuf -= len_tmp * 2;
1262                        } else {
1263                                if (len_abuf > len_rem)
1264                                        len_tmp = len_rem - 2; /* quotes */
1265                                audit_log_n_string(*ab, buf, len_tmp);
1266                                len_rem -= len_tmp + 2;
1267                                /* don't subtract the "2" because we still need
1268                                 * to add quotes to the remaining string */
1269                                len_abuf -= len_tmp;
1270                        }
1271                        len_buf -= len_tmp;
1272                        buf += len_tmp;
1273                }
1274
1275                /* ready to move to the next argument? */
1276                if ((len_buf == 0) && !require_data) {
1277                        arg++;
1278                        iter = 0;
1279                        len_full = 0;
1280                        require_data = true;
1281                        encode = false;
1282                }
1283        } while (arg < context->execve.argc);
1284
1285        /* NOTE: the caller handles the final audit_log_end() call */
1286
1287out:
1288        kfree(buf_head);
1289}
1290
1291static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1292                          kernel_cap_t *cap)
1293{
1294        int i;
1295
1296        if (cap_isclear(*cap)) {
1297                audit_log_format(ab, " %s=0", prefix);
1298                return;
1299        }
1300        audit_log_format(ab, " %s=", prefix);
1301        CAP_FOR_EACH_U32(i)
1302                audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
1303}
1304
1305static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1306{
1307        if (name->fcap_ver == -1) {
1308                audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1309                return;
1310        }
1311        audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1312        audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1313        audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1314                         name->fcap.fE, name->fcap_ver,
1315                         from_kuid(&init_user_ns, name->fcap.rootid));
1316}
1317
1318static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
1319{
1320        const struct audit_ntp_data *ntp = &context->time.ntp_data;
1321        const struct timespec64 *tk = &context->time.tk_injoffset;
1322        static const char * const ntp_name[] = {
1323                "offset",
1324                "freq",
1325                "status",
1326                "tai",
1327                "tick",
1328                "adjust",
1329        };
1330        int type;
1331
1332        if (context->type == AUDIT_TIME_ADJNTPVAL) {
1333                for (type = 0; type < AUDIT_NTP_NVALS; type++) {
1334                        if (ntp->vals[type].newval != ntp->vals[type].oldval) {
1335                                if (!*ab) {
1336                                        *ab = audit_log_start(context,
1337                                                        GFP_KERNEL,
1338                                                        AUDIT_TIME_ADJNTPVAL);
1339                                        if (!*ab)
1340                                                return;
1341                                }
1342                                audit_log_format(*ab, "op=%s old=%lli new=%lli",
1343                                                 ntp_name[type],
1344                                                 ntp->vals[type].oldval,
1345                                                 ntp->vals[type].newval);
1346                                audit_log_end(*ab);
1347                                *ab = NULL;
1348                        }
1349                }
1350        }
1351        if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
1352                if (!*ab) {
1353                        *ab = audit_log_start(context, GFP_KERNEL,
1354                                              AUDIT_TIME_INJOFFSET);
1355                        if (!*ab)
1356                                return;
1357                }
1358                audit_log_format(*ab, "sec=%lli nsec=%li",
1359                                 (long long)tk->tv_sec, tk->tv_nsec);
1360                audit_log_end(*ab);
1361                *ab = NULL;
1362        }
1363}
1364
1365static void show_special(struct audit_context *context, int *call_panic)
1366{
1367        struct audit_buffer *ab;
1368        int i;
1369
1370        ab = audit_log_start(context, GFP_KERNEL, context->type);
1371        if (!ab)
1372                return;
1373
1374        switch (context->type) {
1375        case AUDIT_SOCKETCALL: {
1376                int nargs = context->socketcall.nargs;
1377
1378                audit_log_format(ab, "nargs=%d", nargs);
1379                for (i = 0; i < nargs; i++)
1380                        audit_log_format(ab, " a%d=%lx", i,
1381                                context->socketcall.args[i]);
1382                break; }
1383        case AUDIT_IPC: {
1384                u32 osid = context->ipc.osid;
1385
1386                audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1387                                 from_kuid(&init_user_ns, context->ipc.uid),
1388                                 from_kgid(&init_user_ns, context->ipc.gid),
1389                                 context->ipc.mode);
1390                if (osid) {
1391                        char *ctx = NULL;
1392                        u32 len;
1393
1394                        if (security_secid_to_secctx(osid, &ctx, &len)) {
1395                                audit_log_format(ab, " osid=%u", osid);
1396                                *call_panic = 1;
1397                        } else {
1398                                audit_log_format(ab, " obj=%s", ctx);
1399                                security_release_secctx(ctx, len);
1400                        }
1401                }
1402                if (context->ipc.has_perm) {
1403                        audit_log_end(ab);
1404                        ab = audit_log_start(context, GFP_KERNEL,
1405                                             AUDIT_IPC_SET_PERM);
1406                        if (unlikely(!ab))
1407                                return;
1408                        audit_log_format(ab,
1409                                "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1410                                context->ipc.qbytes,
1411                                context->ipc.perm_uid,
1412                                context->ipc.perm_gid,
1413                                context->ipc.perm_mode);
1414                }
1415                break; }
1416        case AUDIT_MQ_OPEN:
1417                audit_log_format(ab,
1418                        "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1419                        "mq_msgsize=%ld mq_curmsgs=%ld",
1420                        context->mq_open.oflag, context->mq_open.mode,
1421                        context->mq_open.attr.mq_flags,
1422                        context->mq_open.attr.mq_maxmsg,
1423                        context->mq_open.attr.mq_msgsize,
1424                        context->mq_open.attr.mq_curmsgs);
1425                break;
1426        case AUDIT_MQ_SENDRECV:
1427                audit_log_format(ab,
1428                        "mqdes=%d msg_len=%zd msg_prio=%u "
1429                        "abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1430                        context->mq_sendrecv.mqdes,
1431                        context->mq_sendrecv.msg_len,
1432                        context->mq_sendrecv.msg_prio,
1433                        (long long) context->mq_sendrecv.abs_timeout.tv_sec,
1434                        context->mq_sendrecv.abs_timeout.tv_nsec);
1435                break;
1436        case AUDIT_MQ_NOTIFY:
1437                audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1438                                context->mq_notify.mqdes,
1439                                context->mq_notify.sigev_signo);
1440                break;
1441        case AUDIT_MQ_GETSETATTR: {
1442                struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1443
1444                audit_log_format(ab,
1445                        "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1446                        "mq_curmsgs=%ld ",
1447                        context->mq_getsetattr.mqdes,
1448                        attr->mq_flags, attr->mq_maxmsg,
1449                        attr->mq_msgsize, attr->mq_curmsgs);
1450                break; }
1451        case AUDIT_CAPSET:
1452                audit_log_format(ab, "pid=%d", context->capset.pid);
1453                audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1454                audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1455                audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1456                audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1457                break;
1458        case AUDIT_MMAP:
1459                audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1460                                 context->mmap.flags);
1461                break;
1462        case AUDIT_OPENAT2:
1463                audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
1464                                 context->openat2.flags,
1465                                 context->openat2.mode,
1466                                 context->openat2.resolve);
1467                break;
1468        case AUDIT_EXECVE:
1469                audit_log_execve_info(context, &ab);
1470                break;
1471        case AUDIT_KERN_MODULE:
1472                audit_log_format(ab, "name=");
1473                if (context->module.name) {
1474                        audit_log_untrustedstring(ab, context->module.name);
1475                } else
1476                        audit_log_format(ab, "(null)");
1477
1478                break;
1479        case AUDIT_TIME_ADJNTPVAL:
1480        case AUDIT_TIME_INJOFFSET:
1481                /* this call deviates from the rest, eating the buffer */
1482                audit_log_time(context, &ab);
1483                break;
1484        }
1485        audit_log_end(ab);
1486}
1487
1488static inline int audit_proctitle_rtrim(char *proctitle, int len)
1489{
1490        char *end = proctitle + len - 1;
1491
1492        while (end > proctitle && !isprint(*end))
1493                end--;
1494
1495        /* catch the case where proctitle is only 1 non-print character */
1496        len = end - proctitle + 1;
1497        len -= isprint(proctitle[len-1]) == 0;
1498        return len;
1499}
1500
1501/*
1502 * audit_log_name - produce AUDIT_PATH record from struct audit_names
1503 * @context: audit_context for the task
1504 * @n: audit_names structure with reportable details
1505 * @path: optional path to report instead of audit_names->name
1506 * @record_num: record number to report when handling a list of names
1507 * @call_panic: optional pointer to int that will be updated if secid fails
1508 */
1509static void audit_log_name(struct audit_context *context, struct audit_names *n,
1510                    const struct path *path, int record_num, int *call_panic)
1511{
1512        struct audit_buffer *ab;
1513
1514        ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1515        if (!ab)
1516                return;
1517
1518        audit_log_format(ab, "item=%d", record_num);
1519
1520        if (path)
1521                audit_log_d_path(ab, " name=", path);
1522        else if (n->name) {
1523                switch (n->name_len) {
1524                case AUDIT_NAME_FULL:
1525                        /* log the full path */
1526                        audit_log_format(ab, " name=");
1527                        audit_log_untrustedstring(ab, n->name->name);
1528                        break;
1529                case 0:
1530                        /* name was specified as a relative path and the
1531                         * directory component is the cwd
1532                         */
1533                        if (context->pwd.dentry && context->pwd.mnt)
1534                                audit_log_d_path(ab, " name=", &context->pwd);
1535                        else
1536                                audit_log_format(ab, " name=(null)");
1537                        break;
1538                default:
1539                        /* log the name's directory component */
1540                        audit_log_format(ab, " name=");
1541                        audit_log_n_untrustedstring(ab, n->name->name,
1542                                                    n->name_len);
1543                }
1544        } else
1545                audit_log_format(ab, " name=(null)");
1546
1547        if (n->ino != AUDIT_INO_UNSET)
1548                audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1549                                 n->ino,
1550                                 MAJOR(n->dev),
1551                                 MINOR(n->dev),
1552                                 n->mode,
1553                                 from_kuid(&init_user_ns, n->uid),
1554                                 from_kgid(&init_user_ns, n->gid),
1555                                 MAJOR(n->rdev),
1556                                 MINOR(n->rdev));
1557        if (n->osid != 0) {
1558                char *ctx = NULL;
1559                u32 len;
1560
1561                if (security_secid_to_secctx(
1562                        n->osid, &ctx, &len)) {
1563                        audit_log_format(ab, " osid=%u", n->osid);
1564                        if (call_panic)
1565                                *call_panic = 2;
1566                } else {
1567                        audit_log_format(ab, " obj=%s", ctx);
1568                        security_release_secctx(ctx, len);
1569                }
1570        }
1571
1572        /* log the audit_names record type */
1573        switch (n->type) {
1574        case AUDIT_TYPE_NORMAL:
1575                audit_log_format(ab, " nametype=NORMAL");
1576                break;
1577        case AUDIT_TYPE_PARENT:
1578                audit_log_format(ab, " nametype=PARENT");
1579                break;
1580        case AUDIT_TYPE_CHILD_DELETE:
1581                audit_log_format(ab, " nametype=DELETE");
1582                break;
1583        case AUDIT_TYPE_CHILD_CREATE:
1584                audit_log_format(ab, " nametype=CREATE");
1585                break;
1586        default:
1587                audit_log_format(ab, " nametype=UNKNOWN");
1588                break;
1589        }
1590
1591        audit_log_fcaps(ab, n);
1592        audit_log_end(ab);
1593}
1594
1595static void audit_log_proctitle(void)
1596{
1597        int res;
1598        char *buf;
1599        char *msg = "(null)";
1600        int len = strlen(msg);
1601        struct audit_context *context = audit_context();
1602        struct audit_buffer *ab;
1603
1604        ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1605        if (!ab)
1606                return; /* audit_panic or being filtered */
1607
1608        audit_log_format(ab, "proctitle=");
1609
1610        /* Not  cached */
1611        if (!context->proctitle.value) {
1612                buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1613                if (!buf)
1614                        goto out;
1615                /* Historically called this from procfs naming */
1616                res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1617                if (res == 0) {
1618                        kfree(buf);
1619                        goto out;
1620                }
1621                res = audit_proctitle_rtrim(buf, res);
1622                if (res == 0) {
1623                        kfree(buf);
1624                        goto out;
1625                }
1626                context->proctitle.value = buf;
1627                context->proctitle.len = res;
1628        }
1629        msg = context->proctitle.value;
1630        len = context->proctitle.len;
1631out:
1632        audit_log_n_untrustedstring(ab, msg, len);
1633        audit_log_end(ab);
1634}
1635
1636/**
1637 * audit_log_uring - generate a AUDIT_URINGOP record
1638 * @ctx: the audit context
1639 */
1640static void audit_log_uring(struct audit_context *ctx)
1641{
1642        struct audit_buffer *ab;
1643        const struct cred *cred;
1644
1645        ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);
1646        if (!ab)
1647                return;
1648        cred = current_cred();
1649        audit_log_format(ab, "uring_op=%d", ctx->uring_op);
1650        if (ctx->return_valid != AUDITSC_INVALID)
1651                audit_log_format(ab, " success=%s exit=%ld",
1652                                 (ctx->return_valid == AUDITSC_SUCCESS ?
1653                                  "yes" : "no"),
1654                                 ctx->return_code);
1655        audit_log_format(ab,
1656                         " items=%d"
1657                         " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"
1658                         " fsuid=%u egid=%u sgid=%u fsgid=%u",
1659                         ctx->name_count,
1660                         task_ppid_nr(current), task_tgid_nr(current),
1661                         from_kuid(&init_user_ns, cred->uid),
1662                         from_kgid(&init_user_ns, cred->gid),
1663                         from_kuid(&init_user_ns, cred->euid),
1664                         from_kuid(&init_user_ns, cred->suid),
1665                         from_kuid(&init_user_ns, cred->fsuid),
1666                         from_kgid(&init_user_ns, cred->egid),
1667                         from_kgid(&init_user_ns, cred->sgid),
1668                         from_kgid(&init_user_ns, cred->fsgid));
1669        audit_log_task_context(ab);
1670        audit_log_key(ab, ctx->filterkey);
1671        audit_log_end(ab);
1672}
1673
1674static void audit_log_exit(void)
1675{
1676        int i, call_panic = 0;
1677        struct audit_context *context = audit_context();
1678        struct audit_buffer *ab;
1679        struct audit_aux_data *aux;
1680        struct audit_names *n;
1681
1682        context->personality = current->personality;
1683
1684        switch (context->context) {
1685        case AUDIT_CTX_SYSCALL:
1686                ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1687                if (!ab)
1688                        return;
1689                audit_log_format(ab, "arch=%x syscall=%d",
1690                                 context->arch, context->major);
1691                if (context->personality != PER_LINUX)
1692                        audit_log_format(ab, " per=%lx", context->personality);
1693                if (context->return_valid != AUDITSC_INVALID)
1694                        audit_log_format(ab, " success=%s exit=%ld",
1695                                         (context->return_valid == AUDITSC_SUCCESS ?
1696                                          "yes" : "no"),
1697                                         context->return_code);
1698                audit_log_format(ab,
1699                                 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1700                                 context->argv[0],
1701                                 context->argv[1],
1702                                 context->argv[2],
1703                                 context->argv[3],
1704                                 context->name_count);
1705                audit_log_task_info(ab);
1706                audit_log_key(ab, context->filterkey);
1707                audit_log_end(ab);
1708                break;
1709        case AUDIT_CTX_URING:
1710                audit_log_uring(context);
1711                break;
1712        default:
1713                BUG();
1714                break;
1715        }
1716
1717        for (aux = context->aux; aux; aux = aux->next) {
1718
1719                ab = audit_log_start(context, GFP_KERNEL, aux->type);
1720                if (!ab)
1721                        continue; /* audit_panic has been called */
1722
1723                switch (aux->type) {
1724
1725                case AUDIT_BPRM_FCAPS: {
1726                        struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1727
1728                        audit_log_format(ab, "fver=%x", axs->fcap_ver);
1729                        audit_log_cap(ab, "fp", &axs->fcap.permitted);
1730                        audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1731                        audit_log_format(ab, " fe=%d", axs->fcap.fE);
1732                        audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1733                        audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1734                        audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1735                        audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1736                        audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1737                        audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1738                        audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1739                        audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1740                        audit_log_format(ab, " frootid=%d",
1741                                         from_kuid(&init_user_ns,
1742                                                   axs->fcap.rootid));
1743                        break; }
1744
1745                }
1746                audit_log_end(ab);
1747        }
1748
1749        if (context->type)
1750                show_special(context, &call_panic);
1751
1752        if (context->fds[0] >= 0) {
1753                ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1754                if (ab) {
1755                        audit_log_format(ab, "fd0=%d fd1=%d",
1756                                        context->fds[0], context->fds[1]);
1757                        audit_log_end(ab);
1758                }
1759        }
1760
1761        if (context->sockaddr_len) {
1762                ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1763                if (ab) {
1764                        audit_log_format(ab, "saddr=");
1765                        audit_log_n_hex(ab, (void *)context->sockaddr,
1766                                        context->sockaddr_len);
1767                        audit_log_end(ab);
1768                }
1769        }
1770
1771        for (aux = context->aux_pids; aux; aux = aux->next) {
1772                struct audit_aux_data_pids *axs = (void *)aux;
1773
1774                for (i = 0; i < axs->pid_count; i++)
1775                        if (audit_log_pid_context(context, axs->target_pid[i],
1776                                                  axs->target_auid[i],
1777                                                  axs->target_uid[i],
1778                                                  axs->target_sessionid[i],
1779                                                  axs->target_sid[i],
1780                                                  axs->target_comm[i]))
1781                                call_panic = 1;
1782        }
1783
1784        if (context->target_pid &&
1785            audit_log_pid_context(context, context->target_pid,
1786                                  context->target_auid, context->target_uid,
1787                                  context->target_sessionid,
1788                                  context->target_sid, context->target_comm))
1789                        call_panic = 1;
1790
1791        if (context->pwd.dentry && context->pwd.mnt) {
1792                ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1793                if (ab) {
1794                        audit_log_d_path(ab, "cwd=", &context->pwd);
1795                        audit_log_end(ab);
1796                }
1797        }
1798
1799        i = 0;
1800        list_for_each_entry(n, &context->names_list, list) {
1801                if (n->hidden)
1802                        continue;
1803                audit_log_name(context, n, NULL, i++, &call_panic);
1804        }
1805
1806        if (context->context == AUDIT_CTX_SYSCALL)
1807                audit_log_proctitle();
1808
1809        /* Send end of event record to help user space know we are finished */
1810        ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1811        if (ab)
1812                audit_log_end(ab);
1813        if (call_panic)
1814                audit_panic("error in audit_log_exit()");
1815}
1816
1817/**
1818 * __audit_free - free a per-task audit context
1819 * @tsk: task whose audit context block to free
1820 *
1821 * Called from copy_process, do_exit, and the io_uring code
1822 */
1823void __audit_free(struct task_struct *tsk)
1824{
1825        struct audit_context *context = tsk->audit_context;
1826
1827        if (!context)
1828                return;
1829
1830        /* this may generate CONFIG_CHANGE records */
1831        if (!list_empty(&context->killed_trees))
1832                audit_kill_trees(context);
1833
1834        /* We are called either by do_exit() or the fork() error handling code;
1835         * in the former case tsk == current and in the latter tsk is a
1836         * random task_struct that doesn't doesn't have any meaningful data we
1837         * need to log via audit_log_exit().
1838         */
1839        if (tsk == current && !context->dummy) {
1840                context->return_valid = AUDITSC_INVALID;
1841                context->return_code = 0;
1842                if (context->context == AUDIT_CTX_SYSCALL) {
1843                        audit_filter_syscall(tsk, context);
1844                        audit_filter_inodes(tsk, context);
1845                        if (context->current_state == AUDIT_STATE_RECORD)
1846                                audit_log_exit();
1847                } else if (context->context == AUDIT_CTX_URING) {
1848                        /* TODO: verify this case is real and valid */
1849                        audit_filter_uring(tsk, context);
1850                        audit_filter_inodes(tsk, context);
1851                        if (context->current_state == AUDIT_STATE_RECORD)
1852                                audit_log_uring(context);
1853                }
1854        }
1855
1856        audit_set_context(tsk, NULL);
1857        audit_free_context(context);
1858}
1859
1860/**
1861 * audit_return_fixup - fixup the return codes in the audit_context
1862 * @ctx: the audit_context
1863 * @success: true/false value to indicate if the operation succeeded or not
1864 * @code: operation return code
1865 *
1866 * We need to fixup the return code in the audit logs if the actual return
1867 * codes are later going to be fixed by the arch specific signal handlers.
1868 */
1869static void audit_return_fixup(struct audit_context *ctx,
1870                               int success, long code)
1871{
1872        /*
1873         * This is actually a test for:
1874         * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
1875         * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
1876         *
1877         * but is faster than a bunch of ||
1878         */
1879        if (unlikely(code <= -ERESTARTSYS) &&
1880            (code >= -ERESTART_RESTARTBLOCK) &&
1881            (code != -ENOIOCTLCMD))
1882                ctx->return_code = -EINTR;
1883        else
1884                ctx->return_code  = code;
1885        ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);
1886}
1887
1888/**
1889 * __audit_uring_entry - prepare the kernel task's audit context for io_uring
1890 * @op: the io_uring opcode
1891 *
1892 * This is similar to audit_syscall_entry() but is intended for use by io_uring
1893 * operations.  This function should only ever be called from
1894 * audit_uring_entry() as we rely on the audit context checking present in that
1895 * function.
1896 */
1897void __audit_uring_entry(u8 op)
1898{
1899        struct audit_context *ctx = audit_context();
1900
1901        if (ctx->state == AUDIT_STATE_DISABLED)
1902                return;
1903
1904        /*
1905         * NOTE: It's possible that we can be called from the process' context
1906         *       before it returns to userspace, and before audit_syscall_exit()
1907         *       is called.  In this case there is not much to do, just record
1908         *       the io_uring details and return.
1909         */
1910        ctx->uring_op = op;
1911        if (ctx->context == AUDIT_CTX_SYSCALL)
1912                return;
1913
1914        ctx->dummy = !audit_n_rules;
1915        if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)
1916                ctx->prio = 0;
1917
1918        ctx->context = AUDIT_CTX_URING;
1919        ctx->current_state = ctx->state;
1920        ktime_get_coarse_real_ts64(&ctx->ctime);
1921}
1922
1923/**
1924 * __audit_uring_exit - wrap up the kernel task's audit context after io_uring
1925 * @success: true/false value to indicate if the operation succeeded or not
1926 * @code: operation return code
1927 *
1928 * This is similar to audit_syscall_exit() but is intended for use by io_uring
1929 * operations.  This function should only ever be called from
1930 * audit_uring_exit() as we rely on the audit context checking present in that
1931 * function.
1932 */
1933void __audit_uring_exit(int success, long code)
1934{
1935        struct audit_context *ctx = audit_context();
1936
1937        if (ctx->dummy) {
1938                if (ctx->context != AUDIT_CTX_URING)
1939                        return;
1940                goto out;
1941        }
1942
1943        audit_return_fixup(ctx, success, code);
1944        if (ctx->context == AUDIT_CTX_SYSCALL) {
1945                /*
1946                 * NOTE: See the note in __audit_uring_entry() about the case
1947                 *       where we may be called from process context before we
1948                 *       return to userspace via audit_syscall_exit().  In this
1949                 *       case we simply emit a URINGOP record and bail, the
1950                 *       normal syscall exit handling will take care of
1951                 *       everything else.
1952                 *       It is also worth mentioning that when we are called,
1953                 *       the current process creds may differ from the creds
1954                 *       used during the normal syscall processing; keep that
1955                 *       in mind if/when we move the record generation code.
1956                 */
1957
1958                /*
1959                 * We need to filter on the syscall info here to decide if we
1960                 * should emit a URINGOP record.  I know it seems odd but this
1961                 * solves the problem where users have a filter to block *all*
1962                 * syscall records in the "exit" filter; we want to preserve
1963                 * the behavior here.
1964                 */
1965                audit_filter_syscall(current, ctx);
1966                if (ctx->current_state != AUDIT_STATE_RECORD)
1967                        audit_filter_uring(current, ctx);
1968                audit_filter_inodes(current, ctx);
1969                if (ctx->current_state != AUDIT_STATE_RECORD)
1970                        return;
1971
1972                audit_log_uring(ctx);
1973                return;
1974        }
1975
1976        /* this may generate CONFIG_CHANGE records */
1977        if (!list_empty(&ctx->killed_trees))
1978                audit_kill_trees(ctx);
1979
1980        /* run through both filters to ensure we set the filterkey properly */
1981        audit_filter_uring(current, ctx);
1982        audit_filter_inodes(current, ctx);
1983        if (ctx->current_state != AUDIT_STATE_RECORD)
1984                goto out;
1985        audit_log_exit();
1986
1987out:
1988        audit_reset_context(ctx);
1989}
1990
1991/**
1992 * __audit_syscall_entry - fill in an audit record at syscall entry
1993 * @major: major syscall type (function)
1994 * @a1: additional syscall register 1
1995 * @a2: additional syscall register 2
1996 * @a3: additional syscall register 3
1997 * @a4: additional syscall register 4
1998 *
1999 * Fill in audit context at syscall entry.  This only happens if the
2000 * audit context was created when the task was created and the state or
2001 * filters demand the audit context be built.  If the state from the
2002 * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,
2003 * then the record will be written at syscall exit time (otherwise, it
2004 * will only be written if another part of the kernel requests that it
2005 * be written).
2006 */
2007void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
2008                           unsigned long a3, unsigned long a4)
2009{
2010        struct audit_context *context = audit_context();
2011        enum audit_state     state;
2012
2013        if (!audit_enabled || !context)
2014                return;
2015
2016        WARN_ON(context->context != AUDIT_CTX_UNUSED);
2017        WARN_ON(context->name_count);
2018        if (context->context != AUDIT_CTX_UNUSED || context->name_count) {
2019                audit_panic("unrecoverable error in audit_syscall_entry()");
2020                return;
2021        }
2022
2023        state = context->state;
2024        if (state == AUDIT_STATE_DISABLED)
2025                return;
2026
2027        context->dummy = !audit_n_rules;
2028        if (!context->dummy && state == AUDIT_STATE_BUILD) {
2029                context->prio = 0;
2030                if (auditd_test_task(current))
2031                        return;
2032        }
2033
2034        context->arch       = syscall_get_arch(current);
2035        context->major      = major;
2036        context->argv[0]    = a1;
2037        context->argv[1]    = a2;
2038        context->argv[2]    = a3;
2039        context->argv[3]    = a4;
2040        context->context = AUDIT_CTX_SYSCALL;
2041        context->current_state  = state;
2042        ktime_get_coarse_real_ts64(&context->ctime);
2043}
2044
2045/**
2046 * __audit_syscall_exit - deallocate audit context after a system call
2047 * @success: success value of the syscall
2048 * @return_code: return value of the syscall
2049 *
2050 * Tear down after system call.  If the audit context has been marked as
2051 * auditable (either because of the AUDIT_STATE_RECORD state from
2052 * filtering, or because some other part of the kernel wrote an audit
2053 * message), then write out the syscall information.  In call cases,
2054 * free the names stored from getname().
2055 */
2056void __audit_syscall_exit(int success, long return_code)
2057{
2058        struct audit_context *context = audit_context();
2059
2060        if (!context || context->dummy ||
2061            context->context != AUDIT_CTX_SYSCALL)
2062                goto out;
2063
2064        /* this may generate CONFIG_CHANGE records */
2065        if (!list_empty(&context->killed_trees))
2066                audit_kill_trees(context);
2067
2068        audit_return_fixup(context, success, return_code);
2069        /* run through both filters to ensure we set the filterkey properly */
2070        audit_filter_syscall(current, context);
2071        audit_filter_inodes(current, context);
2072        if (context->current_state != AUDIT_STATE_RECORD)
2073                goto out;
2074
2075        audit_log_exit();
2076
2077out:
2078        audit_reset_context(context);
2079}
2080
2081static inline void handle_one(const struct inode *inode)
2082{
2083        struct audit_context *context;
2084        struct audit_tree_refs *p;
2085        struct audit_chunk *chunk;
2086        int count;
2087
2088        if (likely(!inode->i_fsnotify_marks))
2089                return;
2090        context = audit_context();
2091        p = context->trees;
2092        count = context->tree_count;
2093        rcu_read_lock();
2094        chunk = audit_tree_lookup(inode);
2095        rcu_read_unlock();
2096        if (!chunk)
2097                return;
2098        if (likely(put_tree_ref(context, chunk)))
2099                return;
2100        if (unlikely(!grow_tree_refs(context))) {
2101                pr_warn("out of memory, audit has lost a tree reference\n");
2102                audit_set_auditable(context);
2103                audit_put_chunk(chunk);
2104                unroll_tree_refs(context, p, count);
2105                return;
2106        }
2107        put_tree_ref(context, chunk);
2108}
2109
2110static void handle_path(const struct dentry *dentry)
2111{
2112        struct audit_context *context;
2113        struct audit_tree_refs *p;
2114        const struct dentry *d, *parent;
2115        struct audit_chunk *drop;
2116        unsigned long seq;
2117        int count;
2118
2119        context = audit_context();
2120        p = context->trees;
2121        count = context->tree_count;
2122retry:
2123        drop = NULL;
2124        d = dentry;
2125        rcu_read_lock();
2126        seq = read_seqbegin(&rename_lock);
2127        for(;;) {
2128                struct inode *inode = d_backing_inode(d);
2129
2130                if (inode && unlikely(inode->i_fsnotify_marks)) {
2131                        struct audit_chunk *chunk;
2132
2133                        chunk = audit_tree_lookup(inode);
2134                        if (chunk) {
2135                                if (unlikely(!put_tree_ref(context, chunk))) {
2136                                        drop = chunk;
2137                                        break;
2138                                }
2139                        }
2140                }
2141                parent = d->d_parent;
2142                if (parent == d)
2143                        break;
2144                d = parent;
2145        }
2146        if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
2147                rcu_read_unlock();
2148                if (!drop) {
2149                        /* just a race with rename */
2150                        unroll_tree_refs(context, p, count);
2151                        goto retry;
2152                }
2153                audit_put_chunk(drop);
2154                if (grow_tree_refs(context)) {
2155                        /* OK, got more space */
2156                        unroll_tree_refs(context, p, count);
2157                        goto retry;
2158                }
2159                /* too bad */
2160                pr_warn("out of memory, audit has lost a tree reference\n");
2161                unroll_tree_refs(context, p, count);
2162                audit_set_auditable(context);
2163                return;
2164        }
2165        rcu_read_unlock();
2166}
2167
2168static struct audit_names *audit_alloc_name(struct audit_context *context,
2169                                                unsigned char type)
2170{
2171        struct audit_names *aname;
2172
2173        if (context->name_count < AUDIT_NAMES) {
2174                aname = &context->preallocated_names[context->name_count];
2175                memset(aname, 0, sizeof(*aname));
2176        } else {
2177                aname = kzalloc(sizeof(*aname), GFP_NOFS);
2178                if (!aname)
2179                        return NULL;
2180                aname->should_free = true;
2181        }
2182
2183        aname->ino = AUDIT_INO_UNSET;
2184        aname->type = type;
2185        list_add_tail(&aname->list, &context->names_list);
2186
2187        context->name_count++;
2188        if (!context->pwd.dentry)
2189                get_fs_pwd(current->fs, &context->pwd);
2190        return aname;
2191}
2192
2193/**
2194 * __audit_reusename - fill out filename with info from existing entry
2195 * @uptr: userland ptr to pathname
2196 *
2197 * Search the audit_names list for the current audit context. If there is an
2198 * existing entry with a matching "uptr" then return the filename
2199 * associated with that audit_name. If not, return NULL.
2200 */
2201struct filename *
2202__audit_reusename(const __user char *uptr)
2203{
2204        struct audit_context *context = audit_context();
2205        struct audit_names *n;
2206
2207        list_for_each_entry(n, &context->names_list, list) {
2208                if (!n->name)
2209                        continue;
2210                if (n->name->uptr == uptr) {
2211                        n->name->refcnt++;
2212                        return n->name;
2213                }
2214        }
2215        return NULL;
2216}
2217
2218/**
2219 * __audit_getname - add a name to the list
2220 * @name: name to add
2221 *
2222 * Add a name to the list of audit names for this context.
2223 * Called from fs/namei.c:getname().
2224 */
2225void __audit_getname(struct filename *name)
2226{
2227        struct audit_context *context = audit_context();
2228        struct audit_names *n;
2229
2230        if (context->context == AUDIT_CTX_UNUSED)
2231                return;
2232
2233        n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2234        if (!n)
2235                return;
2236
2237        n->name = name;
2238        n->name_len = AUDIT_NAME_FULL;
2239        name->aname = n;
2240        name->refcnt++;
2241}
2242
2243static inline int audit_copy_fcaps(struct audit_names *name,
2244                                   const struct dentry *dentry)
2245{
2246        struct cpu_vfs_cap_data caps;
2247        int rc;
2248
2249        if (!dentry)
2250                return 0;
2251
2252        rc = get_vfs_caps_from_disk(&init_user_ns, dentry, &caps);
2253        if (rc)
2254                return rc;
2255
2256        name->fcap.permitted = caps.permitted;
2257        name->fcap.inheritable = caps.inheritable;
2258        name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2259        name->fcap.rootid = caps.rootid;
2260        name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
2261                                VFS_CAP_REVISION_SHIFT;
2262
2263        return 0;
2264}
2265
2266/* Copy inode data into an audit_names. */
2267static void audit_copy_inode(struct audit_names *name,
2268                             const struct dentry *dentry,
2269                             struct inode *inode, unsigned int flags)
2270{
2271        name->ino   = inode->i_ino;
2272        name->dev   = inode->i_sb->s_dev;
2273        name->mode  = inode->i_mode;
2274        name->uid   = inode->i_uid;
2275        name->gid   = inode->i_gid;
2276        name->rdev  = inode->i_rdev;
2277        security_inode_getsecid(inode, &name->osid);
2278        if (flags & AUDIT_INODE_NOEVAL) {
2279                name->fcap_ver = -1;
2280                return;
2281        }
2282        audit_copy_fcaps(name, dentry);
2283}
2284
2285/**
2286 * __audit_inode - store the inode and device from a lookup
2287 * @name: name being audited
2288 * @dentry: dentry being audited
2289 * @flags: attributes for this particular entry
2290 */
2291void __audit_inode(struct filename *name, const struct dentry *dentry,
2292                   unsigned int flags)
2293{
2294        struct audit_context *context = audit_context();
2295        struct inode *inode = d_backing_inode(dentry);
2296        struct audit_names *n;
2297        bool parent = flags & AUDIT_INODE_PARENT;
2298        struct audit_entry *e;
2299        struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2300        int i;
2301
2302        if (context->context == AUDIT_CTX_UNUSED)
2303                return;
2304
2305        rcu_read_lock();
2306        list_for_each_entry_rcu(e, list, list) {
2307                for (i = 0; i < e->rule.field_count; i++) {
2308                        struct audit_field *f = &e->rule.fields[i];
2309
2310                        if (f->type == AUDIT_FSTYPE
2311                            && audit_comparator(inode->i_sb->s_magic,
2312                                                f->op, f->val)
2313                            && e->rule.action == AUDIT_NEVER) {
2314                                rcu_read_unlock();
2315                                return;
2316                        }
2317                }
2318        }
2319        rcu_read_unlock();
2320
2321        if (!name)
2322                goto out_alloc;
2323
2324        /*
2325         * If we have a pointer to an audit_names entry already, then we can
2326         * just use it directly if the type is correct.
2327         */
2328        n = name->aname;
2329        if (n) {
2330                if (parent) {
2331                        if (n->type == AUDIT_TYPE_PARENT ||
2332                            n->type == AUDIT_TYPE_UNKNOWN)
2333                                goto out;
2334                } else {
2335                        if (n->type != AUDIT_TYPE_PARENT)
2336                                goto out;
2337                }
2338        }
2339
2340        list_for_each_entry_reverse(n, &context->names_list, list) {
2341                if (n->ino) {
2342                        /* valid inode number, use that for the comparison */
2343                        if (n->ino != inode->i_ino ||
2344                            n->dev != inode->i_sb->s_dev)
2345                                continue;
2346                } else if (n->name) {
2347                        /* inode number has not been set, check the name */
2348                        if (strcmp(n->name->name, name->name))
2349                                continue;
2350                } else
2351                        /* no inode and no name (?!) ... this is odd ... */
2352                        continue;
2353
2354                /* match the correct record type */
2355                if (parent) {
2356                        if (n->type == AUDIT_TYPE_PARENT ||
2357                            n->type == AUDIT_TYPE_UNKNOWN)
2358                                goto out;
2359                } else {
2360                        if (n->type != AUDIT_TYPE_PARENT)
2361                                goto out;
2362                }
2363        }
2364
2365out_alloc:
2366        /* unable to find an entry with both a matching name and type */
2367        n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2368        if (!n)
2369                return;
2370        if (name) {
2371                n->name = name;
2372                name->refcnt++;
2373        }
2374
2375out:
2376        if (parent) {
2377                n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2378                n->type = AUDIT_TYPE_PARENT;
2379                if (flags & AUDIT_INODE_HIDDEN)
2380                        n->hidden = true;
2381        } else {
2382                n->name_len = AUDIT_NAME_FULL;
2383                n->type = AUDIT_TYPE_NORMAL;
2384        }
2385        handle_path(dentry);
2386        audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2387}
2388
2389void __audit_file(const struct file *file)
2390{
2391        __audit_inode(NULL, file->f_path.dentry, 0);
2392}
2393
2394/**
2395 * __audit_inode_child - collect inode info for created/removed objects
2396 * @parent: inode of dentry parent
2397 * @dentry: dentry being audited
2398 * @type:   AUDIT_TYPE_* value that we're looking for
2399 *
2400 * For syscalls that create or remove filesystem objects, audit_inode
2401 * can only collect information for the filesystem object's parent.
2402 * This call updates the audit context with the child's information.
2403 * Syscalls that create a new filesystem object must be hooked after
2404 * the object is created.  Syscalls that remove a filesystem object
2405 * must be hooked prior, in order to capture the target inode during
2406 * unsuccessful attempts.
2407 */
2408void __audit_inode_child(struct inode *parent,
2409                         const struct dentry *dentry,
2410                         const unsigned char type)
2411{
2412        struct audit_context *context = audit_context();
2413        struct inode *inode = d_backing_inode(dentry);
2414        const struct qstr *dname = &dentry->d_name;
2415        struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2416        struct audit_entry *e;
2417        struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2418        int i;
2419
2420        if (context->context == AUDIT_CTX_UNUSED)
2421                return;
2422
2423        rcu_read_lock();
2424        list_for_each_entry_rcu(e, list, list) {
2425                for (i = 0; i < e->rule.field_count; i++) {
2426                        struct audit_field *f = &e->rule.fields[i];
2427
2428                        if (f->type == AUDIT_FSTYPE
2429                            && audit_comparator(parent->i_sb->s_magic,
2430                                                f->op, f->val)
2431                            && e->rule.action == AUDIT_NEVER) {
2432                                rcu_read_unlock();
2433                                return;
2434                        }
2435                }
2436        }
2437        rcu_read_unlock();
2438
2439        if (inode)
2440                handle_one(inode);
2441
2442        /* look for a parent entry first */
2443        list_for_each_entry(n, &context->names_list, list) {
2444                if (!n->name ||
2445                    (n->type != AUDIT_TYPE_PARENT &&
2446                     n->type != AUDIT_TYPE_UNKNOWN))
2447                        continue;
2448
2449                if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2450                    !audit_compare_dname_path(dname,
2451                                              n->name->name, n->name_len)) {
2452                        if (n->type == AUDIT_TYPE_UNKNOWN)
2453                                n->type = AUDIT_TYPE_PARENT;
2454                        found_parent = n;
2455                        break;
2456                }
2457        }
2458
2459        /* is there a matching child entry? */
2460        list_for_each_entry(n, &context->names_list, list) {
2461                /* can only match entries that have a name */
2462                if (!n->name ||
2463                    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2464                        continue;
2465
2466                if (!strcmp(dname->name, n->name->name) ||
2467                    !audit_compare_dname_path(dname, n->name->name,
2468                                                found_parent ?
2469                                                found_parent->name_len :
2470                                                AUDIT_NAME_FULL)) {
2471                        if (n->type == AUDIT_TYPE_UNKNOWN)
2472                                n->type = type;
2473                        found_child = n;
2474                        break;
2475                }
2476        }
2477
2478        if (!found_parent) {
2479                /* create a new, "anonymous" parent record */
2480                n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2481                if (!n)
2482                        return;
2483                audit_copy_inode(n, NULL, parent, 0);
2484        }
2485
2486        if (!found_child) {
2487                found_child = audit_alloc_name(context, type);
2488                if (!found_child)
2489                        return;
2490
2491                /* Re-use the name belonging to the slot for a matching parent
2492                 * directory. All names for this context are relinquished in
2493                 * audit_free_names() */
2494                if (found_parent) {
2495                        found_child->name = found_parent->name;
2496                        found_child->name_len = AUDIT_NAME_FULL;
2497                        found_child->name->refcnt++;
2498                }
2499        }
2500
2501        if (inode)
2502                audit_copy_inode(found_child, dentry, inode, 0);
2503        else
2504                found_child->ino = AUDIT_INO_UNSET;
2505}
2506EXPORT_SYMBOL_GPL(__audit_inode_child);
2507
2508/**
2509 * auditsc_get_stamp - get local copies of audit_context values
2510 * @ctx: audit_context for the task
2511 * @t: timespec64 to store time recorded in the audit_context
2512 * @serial: serial value that is recorded in the audit_context
2513 *
2514 * Also sets the context as auditable.
2515 */
2516int auditsc_get_stamp(struct audit_context *ctx,
2517                       struct timespec64 *t, unsigned int *serial)
2518{
2519        if (ctx->context == AUDIT_CTX_UNUSED)
2520                return 0;
2521        if (!ctx->serial)
2522                ctx->serial = audit_serial();
2523        t->tv_sec  = ctx->ctime.tv_sec;
2524        t->tv_nsec = ctx->ctime.tv_nsec;
2525        *serial    = ctx->serial;
2526        if (!ctx->prio) {
2527                ctx->prio = 1;
2528                ctx->current_state = AUDIT_STATE_RECORD;
2529        }
2530        return 1;
2531}
2532
2533/**
2534 * __audit_mq_open - record audit data for a POSIX MQ open
2535 * @oflag: open flag
2536 * @mode: mode bits
2537 * @attr: queue attributes
2538 *
2539 */
2540void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2541{
2542        struct audit_context *context = audit_context();
2543
2544        if (attr)
2545                memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2546        else
2547                memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2548
2549        context->mq_open.oflag = oflag;
2550        context->mq_open.mode = mode;
2551
2552        context->type = AUDIT_MQ_OPEN;
2553}
2554
2555/**
2556 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2557 * @mqdes: MQ descriptor
2558 * @msg_len: Message length
2559 * @msg_prio: Message priority
2560 * @abs_timeout: Message timeout in absolute time
2561 *
2562 */
2563void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2564                        const struct timespec64 *abs_timeout)
2565{
2566        struct audit_context *context = audit_context();
2567        struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2568
2569        if (abs_timeout)
2570                memcpy(p, abs_timeout, sizeof(*p));
2571        else
2572                memset(p, 0, sizeof(*p));
2573
2574        context->mq_sendrecv.mqdes = mqdes;
2575        context->mq_sendrecv.msg_len = msg_len;
2576        context->mq_sendrecv.msg_prio = msg_prio;
2577
2578        context->type = AUDIT_MQ_SENDRECV;
2579}
2580
2581/**
2582 * __audit_mq_notify - record audit data for a POSIX MQ notify
2583 * @mqdes: MQ descriptor
2584 * @notification: Notification event
2585 *
2586 */
2587
2588void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2589{
2590        struct audit_context *context = audit_context();
2591
2592        if (notification)
2593                context->mq_notify.sigev_signo = notification->sigev_signo;
2594        else
2595                context->mq_notify.sigev_signo = 0;
2596
2597        context->mq_notify.mqdes = mqdes;
2598        context->type = AUDIT_MQ_NOTIFY;
2599}
2600
2601/**
2602 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2603 * @mqdes: MQ descriptor
2604 * @mqstat: MQ flags
2605 *
2606 */
2607void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2608{
2609        struct audit_context *context = audit_context();
2610
2611        context->mq_getsetattr.mqdes = mqdes;
2612        context->mq_getsetattr.mqstat = *mqstat;
2613        context->type = AUDIT_MQ_GETSETATTR;
2614}
2615
2616/**
2617 * __audit_ipc_obj - record audit data for ipc object
2618 * @ipcp: ipc permissions
2619 *
2620 */
2621void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2622{
2623        struct audit_context *context = audit_context();
2624
2625        context->ipc.uid = ipcp->uid;
2626        context->ipc.gid = ipcp->gid;
2627        context->ipc.mode = ipcp->mode;
2628        context->ipc.has_perm = 0;
2629        security_ipc_getsecid(ipcp, &context->ipc.osid);
2630        context->type = AUDIT_IPC;
2631}
2632
2633/**
2634 * __audit_ipc_set_perm - record audit data for new ipc permissions
2635 * @qbytes: msgq bytes
2636 * @uid: msgq user id
2637 * @gid: msgq group id
2638 * @mode: msgq mode (permissions)
2639 *
2640 * Called only after audit_ipc_obj().
2641 */
2642void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2643{
2644        struct audit_context *context = audit_context();
2645
2646        context->ipc.qbytes = qbytes;
2647        context->ipc.perm_uid = uid;
2648        context->ipc.perm_gid = gid;
2649        context->ipc.perm_mode = mode;
2650        context->ipc.has_perm = 1;
2651}
2652
2653void __audit_bprm(struct linux_binprm *bprm)
2654{
2655        struct audit_context *context = audit_context();
2656
2657        context->type = AUDIT_EXECVE;
2658        context->execve.argc = bprm->argc;
2659}
2660
2661
2662/**
2663 * __audit_socketcall - record audit data for sys_socketcall
2664 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2665 * @args: args array
2666 *
2667 */
2668int __audit_socketcall(int nargs, unsigned long *args)
2669{
2670        struct audit_context *context = audit_context();
2671
2672        if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2673                return -EINVAL;
2674        context->type = AUDIT_SOCKETCALL;
2675        context->socketcall.nargs = nargs;
2676        memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2677        return 0;
2678}
2679
2680/**
2681 * __audit_fd_pair - record audit data for pipe and socketpair
2682 * @fd1: the first file descriptor
2683 * @fd2: the second file descriptor
2684 *
2685 */
2686void __audit_fd_pair(int fd1, int fd2)
2687{
2688        struct audit_context *context = audit_context();
2689
2690        context->fds[0] = fd1;
2691        context->fds[1] = fd2;
2692}
2693
2694/**
2695 * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2696 * @len: data length in user space
2697 * @a: data address in kernel space
2698 *
2699 * Returns 0 for success or NULL context or < 0 on error.
2700 */
2701int __audit_sockaddr(int len, void *a)
2702{
2703        struct audit_context *context = audit_context();
2704
2705        if (!context->sockaddr) {
2706                void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2707
2708                if (!p)
2709                        return -ENOMEM;
2710                context->sockaddr = p;
2711        }
2712
2713        context->sockaddr_len = len;
2714        memcpy(context->sockaddr, a, len);
2715        return 0;
2716}
2717
2718void __audit_ptrace(struct task_struct *t)
2719{
2720        struct audit_context *context = audit_context();
2721
2722        context->target_pid = task_tgid_nr(t);
2723        context->target_auid = audit_get_loginuid(t);
2724        context->target_uid = task_uid(t);
2725        context->target_sessionid = audit_get_sessionid(t);
2726        security_task_getsecid_obj(t, &context->target_sid);
2727        memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2728}
2729
2730/**
2731 * audit_signal_info_syscall - record signal info for syscalls
2732 * @t: task being signaled
2733 *
2734 * If the audit subsystem is being terminated, record the task (pid)
2735 * and uid that is doing that.
2736 */
2737int audit_signal_info_syscall(struct task_struct *t)
2738{
2739        struct audit_aux_data_pids *axp;
2740        struct audit_context *ctx = audit_context();
2741        kuid_t t_uid = task_uid(t);
2742
2743        if (!audit_signals || audit_dummy_context())
2744                return 0;
2745
2746        /* optimize the common case by putting first signal recipient directly
2747         * in audit_context */
2748        if (!ctx->target_pid) {
2749                ctx->target_pid = task_tgid_nr(t);
2750                ctx->target_auid = audit_get_loginuid(t);
2751                ctx->target_uid = t_uid;
2752                ctx->target_sessionid = audit_get_sessionid(t);
2753                security_task_getsecid_obj(t, &ctx->target_sid);
2754                memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2755                return 0;
2756        }
2757
2758        axp = (void *)ctx->aux_pids;
2759        if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2760                axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2761                if (!axp)
2762                        return -ENOMEM;
2763
2764                axp->d.type = AUDIT_OBJ_PID;
2765                axp->d.next = ctx->aux_pids;
2766                ctx->aux_pids = (void *)axp;
2767        }
2768        BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2769
2770        axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2771        axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2772        axp->target_uid[axp->pid_count] = t_uid;
2773        axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2774        security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]);
2775        memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2776        axp->pid_count++;
2777
2778        return 0;
2779}
2780
2781/**
2782 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2783 * @bprm: pointer to the bprm being processed
2784 * @new: the proposed new credentials
2785 * @old: the old credentials
2786 *
2787 * Simply check if the proc already has the caps given by the file and if not
2788 * store the priv escalation info for later auditing at the end of the syscall
2789 *
2790 * -Eric
2791 */
2792int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2793                           const struct cred *new, const struct cred *old)
2794{
2795        struct audit_aux_data_bprm_fcaps *ax;
2796        struct audit_context *context = audit_context();
2797        struct cpu_vfs_cap_data vcaps;
2798
2799        ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2800        if (!ax)
2801                return -ENOMEM;
2802
2803        ax->d.type = AUDIT_BPRM_FCAPS;
2804        ax->d.next = context->aux;
2805        context->aux = (void *)ax;
2806
2807        get_vfs_caps_from_disk(&init_user_ns,
2808                               bprm->file->f_path.dentry, &vcaps);
2809
2810        ax->fcap.permitted = vcaps.permitted;
2811        ax->fcap.inheritable = vcaps.inheritable;
2812        ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2813        ax->fcap.rootid = vcaps.rootid;
2814        ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2815
2816        ax->old_pcap.permitted   = old->cap_permitted;
2817        ax->old_pcap.inheritable = old->cap_inheritable;
2818        ax->old_pcap.effective   = old->cap_effective;
2819        ax->old_pcap.ambient     = old->cap_ambient;
2820
2821        ax->new_pcap.permitted   = new->cap_permitted;
2822        ax->new_pcap.inheritable = new->cap_inheritable;
2823        ax->new_pcap.effective   = new->cap_effective;
2824        ax->new_pcap.ambient     = new->cap_ambient;
2825        return 0;
2826}
2827
2828/**
2829 * __audit_log_capset - store information about the arguments to the capset syscall
2830 * @new: the new credentials
2831 * @old: the old (current) credentials
2832 *
2833 * Record the arguments userspace sent to sys_capset for later printing by the
2834 * audit system if applicable
2835 */
2836void __audit_log_capset(const struct cred *new, const struct cred *old)
2837{
2838        struct audit_context *context = audit_context();
2839
2840        context->capset.pid = task_tgid_nr(current);
2841        context->capset.cap.effective   = new->cap_effective;
2842        context->capset.cap.inheritable = new->cap_effective;
2843        context->capset.cap.permitted   = new->cap_permitted;
2844        context->capset.cap.ambient     = new->cap_ambient;
2845        context->type = AUDIT_CAPSET;
2846}
2847
2848void __audit_mmap_fd(int fd, int flags)
2849{
2850        struct audit_context *context = audit_context();
2851
2852        context->mmap.fd = fd;
2853        context->mmap.flags = flags;
2854        context->type = AUDIT_MMAP;
2855}
2856
2857void __audit_openat2_how(struct open_how *how)
2858{
2859        struct audit_context *context = audit_context();
2860
2861        context->openat2.flags = how->flags;
2862        context->openat2.mode = how->mode;
2863        context->openat2.resolve = how->resolve;
2864        context->type = AUDIT_OPENAT2;
2865}
2866
2867void __audit_log_kern_module(char *name)
2868{
2869        struct audit_context *context = audit_context();
2870
2871        context->module.name = kstrdup(name, GFP_KERNEL);
2872        if (!context->module.name)
2873                audit_log_lost("out of memory in __audit_log_kern_module");
2874        context->type = AUDIT_KERN_MODULE;
2875}
2876
2877void __audit_fanotify(unsigned int response)
2878{
2879        audit_log(audit_context(), GFP_KERNEL,
2880                AUDIT_FANOTIFY, "resp=%u", response);
2881}
2882
2883void __audit_tk_injoffset(struct timespec64 offset)
2884{
2885        struct audit_context *context = audit_context();
2886
2887        /* only set type if not already set by NTP */
2888        if (!context->type)
2889                context->type = AUDIT_TIME_INJOFFSET;
2890        memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
2891}
2892
2893void __audit_ntp_log(const struct audit_ntp_data *ad)
2894{
2895        struct audit_context *context = audit_context();
2896        int type;
2897
2898        for (type = 0; type < AUDIT_NTP_NVALS; type++)
2899                if (ad->vals[type].newval != ad->vals[type].oldval) {
2900                        /* unconditionally set type, overwriting TK */
2901                        context->type = AUDIT_TIME_ADJNTPVAL;
2902                        memcpy(&context->time.ntp_data, ad, sizeof(*ad));
2903                        break;
2904                }
2905}
2906
2907void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
2908                       enum audit_nfcfgop op, gfp_t gfp)
2909{
2910        struct audit_buffer *ab;
2911        char comm[sizeof(current->comm)];
2912
2913        ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);
2914        if (!ab)
2915                return;
2916        audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
2917                         name, af, nentries, audit_nfcfgs[op].s);
2918
2919        audit_log_format(ab, " pid=%u", task_pid_nr(current));
2920        audit_log_task_context(ab); /* subj= */
2921        audit_log_format(ab, " comm=");
2922        audit_log_untrustedstring(ab, get_task_comm(comm, current));
2923        audit_log_end(ab);
2924}
2925EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
2926
2927static void audit_log_task(struct audit_buffer *ab)
2928{
2929        kuid_t auid, uid;
2930        kgid_t gid;
2931        unsigned int sessionid;
2932        char comm[sizeof(current->comm)];
2933
2934        auid = audit_get_loginuid(current);
2935        sessionid = audit_get_sessionid(current);
2936        current_uid_gid(&uid, &gid);
2937
2938        audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2939                         from_kuid(&init_user_ns, auid),
2940                         from_kuid(&init_user_ns, uid),
2941                         from_kgid(&init_user_ns, gid),
2942                         sessionid);
2943        audit_log_task_context(ab);
2944        audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2945        audit_log_untrustedstring(ab, get_task_comm(comm, current));
2946        audit_log_d_path_exe(ab, current->mm);
2947}
2948
2949/**
2950 * audit_core_dumps - record information about processes that end abnormally
2951 * @signr: signal value
2952 *
2953 * If a process ends with a core dump, something fishy is going on and we
2954 * should record the event for investigation.
2955 */
2956void audit_core_dumps(long signr)
2957{
2958        struct audit_buffer *ab;
2959
2960        if (!audit_enabled)
2961                return;
2962
2963        if (signr == SIGQUIT)   /* don't care for those */
2964                return;
2965
2966        ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2967        if (unlikely(!ab))
2968                return;
2969        audit_log_task(ab);
2970        audit_log_format(ab, " sig=%ld res=1", signr);
2971        audit_log_end(ab);
2972}
2973
2974/**
2975 * audit_seccomp - record information about a seccomp action
2976 * @syscall: syscall number
2977 * @signr: signal value
2978 * @code: the seccomp action
2979 *
2980 * Record the information associated with a seccomp action. Event filtering for
2981 * seccomp actions that are not to be logged is done in seccomp_log().
2982 * Therefore, this function forces auditing independent of the audit_enabled
2983 * and dummy context state because seccomp actions should be logged even when
2984 * audit is not in use.
2985 */
2986void audit_seccomp(unsigned long syscall, long signr, int code)
2987{
2988        struct audit_buffer *ab;
2989
2990        ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
2991        if (unlikely(!ab))
2992                return;
2993        audit_log_task(ab);
2994        audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2995                         signr, syscall_get_arch(current), syscall,
2996                         in_compat_syscall(), KSTK_EIP(current), code);
2997        audit_log_end(ab);
2998}
2999
3000void audit_seccomp_actions_logged(const char *names, const char *old_names,
3001                                  int res)
3002{
3003        struct audit_buffer *ab;
3004
3005        if (!audit_enabled)
3006                return;
3007
3008        ab = audit_log_start(audit_context(), GFP_KERNEL,
3009                             AUDIT_CONFIG_CHANGE);
3010        if (unlikely(!ab))
3011                return;
3012
3013        audit_log_format(ab,
3014                         "op=seccomp-logging actions=%s old-actions=%s res=%d",
3015                         names, old_names, res);
3016        audit_log_end(ab);
3017}
3018
3019struct list_head *audit_killed_trees(void)
3020{
3021        struct audit_context *ctx = audit_context();
3022        if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))
3023                return NULL;
3024        return &ctx->killed_trees;
3025}
3026