1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* auditsc.c -- System-call auditing support |
3 | * Handles all system-call specific auditing features. |
4 | * |
5 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. |
6 | * Copyright 2005 Hewlett-Packard Development Company, L.P. |
7 | * Copyright (C) 2005, 2006 IBM Corporation |
8 | * All Rights Reserved. |
9 | * |
10 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> |
11 | * |
12 | * Many of the ideas implemented here are from Stephen C. Tweedie, |
13 | * especially the idea of avoiding a copy by using getname. |
14 | * |
15 | * The method for actual interception of syscall entry and exit (not in |
16 | * this file -- see entry.S) is based on a GPL'd patch written by |
17 | * okir@suse.de and Copyright 2003 SuSE Linux AG. |
18 | * |
19 | * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, |
20 | * 2006. |
21 | * |
22 | * The support of additional filter rules compares (>, <, >=, <=) was |
23 | * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. |
24 | * |
25 | * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional |
26 | * filesystem information. |
27 | * |
28 | * Subject and object context labeling support added by <danjones@us.ibm.com> |
29 | * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. |
30 | */ |
31 | |
32 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
33 | |
34 | #include <linux/init.h> |
35 | #include <asm/types.h> |
36 | #include <linux/atomic.h> |
37 | #include <linux/fs.h> |
38 | #include <linux/namei.h> |
39 | #include <linux/mm.h> |
40 | #include <linux/export.h> |
41 | #include <linux/slab.h> |
42 | #include <linux/mount.h> |
43 | #include <linux/socket.h> |
44 | #include <linux/mqueue.h> |
45 | #include <linux/audit.h> |
46 | #include <linux/personality.h> |
47 | #include <linux/time.h> |
48 | #include <linux/netlink.h> |
49 | #include <linux/compiler.h> |
50 | #include <asm/unistd.h> |
51 | #include <linux/security.h> |
52 | #include <linux/list.h> |
53 | #include <linux/binfmts.h> |
54 | #include <linux/highmem.h> |
55 | #include <linux/syscalls.h> |
56 | #include <asm/syscall.h> |
57 | #include <linux/capability.h> |
58 | #include <linux/fs_struct.h> |
59 | #include <linux/compat.h> |
60 | #include <linux/ctype.h> |
61 | #include <linux/string.h> |
62 | #include <linux/uaccess.h> |
63 | #include <linux/fsnotify_backend.h> |
64 | #include <uapi/linux/limits.h> |
65 | #include <uapi/linux/netfilter/nf_tables.h> |
66 | #include <uapi/linux/openat2.h> // struct open_how |
67 | #include <uapi/linux/fanotify.h> |
68 | |
69 | #include "audit.h" |
70 | |
71 | /* flags stating the success for a syscall */ |
72 | #define AUDITSC_INVALID 0 |
73 | #define AUDITSC_SUCCESS 1 |
74 | #define AUDITSC_FAILURE 2 |
75 | |
76 | /* no execve audit message should be longer than this (userspace limits), |
77 | * see the note near the top of audit_log_execve_info() about this value */ |
78 | #define MAX_EXECVE_AUDIT_LEN 7500 |
79 | |
80 | /* max length to print of cmdline/proctitle value during audit */ |
81 | #define MAX_PROCTITLE_AUDIT_LEN 128 |
82 | |
83 | /* number of audit rules */ |
84 | int audit_n_rules; |
85 | |
86 | /* determines whether we collect data for signals sent */ |
87 | int audit_signals; |
88 | |
89 | struct audit_aux_data { |
90 | struct audit_aux_data *next; |
91 | int type; |
92 | }; |
93 | |
94 | /* Number of target pids per aux struct. */ |
95 | #define AUDIT_AUX_PIDS 16 |
96 | |
97 | struct audit_aux_data_pids { |
98 | struct audit_aux_data d; |
99 | pid_t target_pid[AUDIT_AUX_PIDS]; |
100 | kuid_t target_auid[AUDIT_AUX_PIDS]; |
101 | kuid_t target_uid[AUDIT_AUX_PIDS]; |
102 | unsigned int target_sessionid[AUDIT_AUX_PIDS]; |
103 | u32 target_sid[AUDIT_AUX_PIDS]; |
104 | char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; |
105 | int pid_count; |
106 | }; |
107 | |
108 | struct audit_aux_data_bprm_fcaps { |
109 | struct audit_aux_data d; |
110 | struct audit_cap_data fcap; |
111 | unsigned int fcap_ver; |
112 | struct audit_cap_data old_pcap; |
113 | struct audit_cap_data new_pcap; |
114 | }; |
115 | |
116 | struct audit_tree_refs { |
117 | struct audit_tree_refs *next; |
118 | struct audit_chunk *c[31]; |
119 | }; |
120 | |
121 | struct audit_nfcfgop_tab { |
122 | enum audit_nfcfgop op; |
123 | const char *s; |
124 | }; |
125 | |
126 | static const struct audit_nfcfgop_tab audit_nfcfgs[] = { |
127 | { AUDIT_XT_OP_REGISTER, "xt_register" }, |
128 | { AUDIT_XT_OP_REPLACE, "xt_replace" }, |
129 | { AUDIT_XT_OP_UNREGISTER, "xt_unregister" }, |
130 | { AUDIT_NFT_OP_TABLE_REGISTER, "nft_register_table" }, |
131 | { AUDIT_NFT_OP_TABLE_UNREGISTER, "nft_unregister_table" }, |
132 | { AUDIT_NFT_OP_CHAIN_REGISTER, "nft_register_chain" }, |
133 | { AUDIT_NFT_OP_CHAIN_UNREGISTER, "nft_unregister_chain" }, |
134 | { AUDIT_NFT_OP_RULE_REGISTER, "nft_register_rule" }, |
135 | { AUDIT_NFT_OP_RULE_UNREGISTER, "nft_unregister_rule" }, |
136 | { AUDIT_NFT_OP_SET_REGISTER, "nft_register_set" }, |
137 | { AUDIT_NFT_OP_SET_UNREGISTER, "nft_unregister_set" }, |
138 | { AUDIT_NFT_OP_SETELEM_REGISTER, "nft_register_setelem" }, |
139 | { AUDIT_NFT_OP_SETELEM_UNREGISTER, "nft_unregister_setelem" }, |
140 | { AUDIT_NFT_OP_GEN_REGISTER, "nft_register_gen" }, |
141 | { AUDIT_NFT_OP_OBJ_REGISTER, "nft_register_obj" }, |
142 | { AUDIT_NFT_OP_OBJ_UNREGISTER, "nft_unregister_obj" }, |
143 | { AUDIT_NFT_OP_OBJ_RESET, "nft_reset_obj" }, |
144 | { AUDIT_NFT_OP_FLOWTABLE_REGISTER, "nft_register_flowtable" }, |
145 | { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, "nft_unregister_flowtable" }, |
146 | { AUDIT_NFT_OP_SETELEM_RESET, "nft_reset_setelem" }, |
147 | { AUDIT_NFT_OP_RULE_RESET, "nft_reset_rule" }, |
148 | { AUDIT_NFT_OP_INVALID, "nft_invalid" }, |
149 | }; |
150 | |
151 | static int audit_match_perm(struct audit_context *ctx, int mask) |
152 | { |
153 | unsigned n; |
154 | |
155 | if (unlikely(!ctx)) |
156 | return 0; |
157 | n = ctx->major; |
158 | |
159 | switch (audit_classify_syscall(abi: ctx->arch, syscall: n)) { |
160 | case AUDITSC_NATIVE: |
161 | if ((mask & AUDIT_PERM_WRITE) && |
162 | audit_match_class(AUDIT_CLASS_WRITE, syscall: n)) |
163 | return 1; |
164 | if ((mask & AUDIT_PERM_READ) && |
165 | audit_match_class(AUDIT_CLASS_READ, syscall: n)) |
166 | return 1; |
167 | if ((mask & AUDIT_PERM_ATTR) && |
168 | audit_match_class(AUDIT_CLASS_CHATTR, syscall: n)) |
169 | return 1; |
170 | return 0; |
171 | case AUDITSC_COMPAT: /* 32bit on biarch */ |
172 | if ((mask & AUDIT_PERM_WRITE) && |
173 | audit_match_class(AUDIT_CLASS_WRITE_32, syscall: n)) |
174 | return 1; |
175 | if ((mask & AUDIT_PERM_READ) && |
176 | audit_match_class(AUDIT_CLASS_READ_32, syscall: n)) |
177 | return 1; |
178 | if ((mask & AUDIT_PERM_ATTR) && |
179 | audit_match_class(AUDIT_CLASS_CHATTR_32, syscall: n)) |
180 | return 1; |
181 | return 0; |
182 | case AUDITSC_OPEN: |
183 | return mask & ACC_MODE(ctx->argv[1]); |
184 | case AUDITSC_OPENAT: |
185 | return mask & ACC_MODE(ctx->argv[2]); |
186 | case AUDITSC_SOCKETCALL: |
187 | return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); |
188 | case AUDITSC_EXECVE: |
189 | return mask & AUDIT_PERM_EXEC; |
190 | case AUDITSC_OPENAT2: |
191 | return mask & ACC_MODE((u32)ctx->openat2.flags); |
192 | default: |
193 | return 0; |
194 | } |
195 | } |
196 | |
197 | static int audit_match_filetype(struct audit_context *ctx, int val) |
198 | { |
199 | struct audit_names *n; |
200 | umode_t mode = (umode_t)val; |
201 | |
202 | if (unlikely(!ctx)) |
203 | return 0; |
204 | |
205 | list_for_each_entry(n, &ctx->names_list, list) { |
206 | if ((n->ino != AUDIT_INO_UNSET) && |
207 | ((n->mode & S_IFMT) == mode)) |
208 | return 1; |
209 | } |
210 | |
211 | return 0; |
212 | } |
213 | |
214 | /* |
215 | * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; |
216 | * ->first_trees points to its beginning, ->trees - to the current end of data. |
217 | * ->tree_count is the number of free entries in array pointed to by ->trees. |
218 | * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL, |
219 | * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously, |
220 | * it's going to remain 1-element for almost any setup) until we free context itself. |
221 | * References in it _are_ dropped - at the same time we free/drop aux stuff. |
222 | */ |
223 | |
224 | static void audit_set_auditable(struct audit_context *ctx) |
225 | { |
226 | if (!ctx->prio) { |
227 | ctx->prio = 1; |
228 | ctx->current_state = AUDIT_STATE_RECORD; |
229 | } |
230 | } |
231 | |
232 | static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk) |
233 | { |
234 | struct audit_tree_refs *p = ctx->trees; |
235 | int left = ctx->tree_count; |
236 | |
237 | if (likely(left)) { |
238 | p->c[--left] = chunk; |
239 | ctx->tree_count = left; |
240 | return 1; |
241 | } |
242 | if (!p) |
243 | return 0; |
244 | p = p->next; |
245 | if (p) { |
246 | p->c[30] = chunk; |
247 | ctx->trees = p; |
248 | ctx->tree_count = 30; |
249 | return 1; |
250 | } |
251 | return 0; |
252 | } |
253 | |
254 | static int grow_tree_refs(struct audit_context *ctx) |
255 | { |
256 | struct audit_tree_refs *p = ctx->trees; |
257 | |
258 | ctx->trees = kzalloc(size: sizeof(struct audit_tree_refs), GFP_KERNEL); |
259 | if (!ctx->trees) { |
260 | ctx->trees = p; |
261 | return 0; |
262 | } |
263 | if (p) |
264 | p->next = ctx->trees; |
265 | else |
266 | ctx->first_trees = ctx->trees; |
267 | ctx->tree_count = 31; |
268 | return 1; |
269 | } |
270 | |
271 | static void unroll_tree_refs(struct audit_context *ctx, |
272 | struct audit_tree_refs *p, int count) |
273 | { |
274 | struct audit_tree_refs *q; |
275 | int n; |
276 | |
277 | if (!p) { |
278 | /* we started with empty chain */ |
279 | p = ctx->first_trees; |
280 | count = 31; |
281 | /* if the very first allocation has failed, nothing to do */ |
282 | if (!p) |
283 | return; |
284 | } |
285 | n = count; |
286 | for (q = p; q != ctx->trees; q = q->next, n = 31) { |
287 | while (n--) { |
288 | audit_put_chunk(chunk: q->c[n]); |
289 | q->c[n] = NULL; |
290 | } |
291 | } |
292 | while (n-- > ctx->tree_count) { |
293 | audit_put_chunk(chunk: q->c[n]); |
294 | q->c[n] = NULL; |
295 | } |
296 | ctx->trees = p; |
297 | ctx->tree_count = count; |
298 | } |
299 | |
300 | static void free_tree_refs(struct audit_context *ctx) |
301 | { |
302 | struct audit_tree_refs *p, *q; |
303 | |
304 | for (p = ctx->first_trees; p; p = q) { |
305 | q = p->next; |
306 | kfree(objp: p); |
307 | } |
308 | } |
309 | |
310 | static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) |
311 | { |
312 | struct audit_tree_refs *p; |
313 | int n; |
314 | |
315 | if (!tree) |
316 | return 0; |
317 | /* full ones */ |
318 | for (p = ctx->first_trees; p != ctx->trees; p = p->next) { |
319 | for (n = 0; n < 31; n++) |
320 | if (audit_tree_match(chunk: p->c[n], tree)) |
321 | return 1; |
322 | } |
323 | /* partial */ |
324 | if (p) { |
325 | for (n = ctx->tree_count; n < 31; n++) |
326 | if (audit_tree_match(chunk: p->c[n], tree)) |
327 | return 1; |
328 | } |
329 | return 0; |
330 | } |
331 | |
332 | static int audit_compare_uid(kuid_t uid, |
333 | struct audit_names *name, |
334 | struct audit_field *f, |
335 | struct audit_context *ctx) |
336 | { |
337 | struct audit_names *n; |
338 | int rc; |
339 | |
340 | if (name) { |
341 | rc = audit_uid_comparator(left: uid, op: f->op, right: name->uid); |
342 | if (rc) |
343 | return rc; |
344 | } |
345 | |
346 | if (ctx) { |
347 | list_for_each_entry(n, &ctx->names_list, list) { |
348 | rc = audit_uid_comparator(left: uid, op: f->op, right: n->uid); |
349 | if (rc) |
350 | return rc; |
351 | } |
352 | } |
353 | return 0; |
354 | } |
355 | |
356 | static int audit_compare_gid(kgid_t gid, |
357 | struct audit_names *name, |
358 | struct audit_field *f, |
359 | struct audit_context *ctx) |
360 | { |
361 | struct audit_names *n; |
362 | int rc; |
363 | |
364 | if (name) { |
365 | rc = audit_gid_comparator(left: gid, op: f->op, right: name->gid); |
366 | if (rc) |
367 | return rc; |
368 | } |
369 | |
370 | if (ctx) { |
371 | list_for_each_entry(n, &ctx->names_list, list) { |
372 | rc = audit_gid_comparator(left: gid, op: f->op, right: n->gid); |
373 | if (rc) |
374 | return rc; |
375 | } |
376 | } |
377 | return 0; |
378 | } |
379 | |
380 | static int audit_field_compare(struct task_struct *tsk, |
381 | const struct cred *cred, |
382 | struct audit_field *f, |
383 | struct audit_context *ctx, |
384 | struct audit_names *name) |
385 | { |
386 | switch (f->val) { |
387 | /* process to file object comparisons */ |
388 | case AUDIT_COMPARE_UID_TO_OBJ_UID: |
389 | return audit_compare_uid(uid: cred->uid, name, f, ctx); |
390 | case AUDIT_COMPARE_GID_TO_OBJ_GID: |
391 | return audit_compare_gid(gid: cred->gid, name, f, ctx); |
392 | case AUDIT_COMPARE_EUID_TO_OBJ_UID: |
393 | return audit_compare_uid(uid: cred->euid, name, f, ctx); |
394 | case AUDIT_COMPARE_EGID_TO_OBJ_GID: |
395 | return audit_compare_gid(gid: cred->egid, name, f, ctx); |
396 | case AUDIT_COMPARE_AUID_TO_OBJ_UID: |
397 | return audit_compare_uid(uid: audit_get_loginuid(tsk), name, f, ctx); |
398 | case AUDIT_COMPARE_SUID_TO_OBJ_UID: |
399 | return audit_compare_uid(uid: cred->suid, name, f, ctx); |
400 | case AUDIT_COMPARE_SGID_TO_OBJ_GID: |
401 | return audit_compare_gid(gid: cred->sgid, name, f, ctx); |
402 | case AUDIT_COMPARE_FSUID_TO_OBJ_UID: |
403 | return audit_compare_uid(uid: cred->fsuid, name, f, ctx); |
404 | case AUDIT_COMPARE_FSGID_TO_OBJ_GID: |
405 | return audit_compare_gid(gid: cred->fsgid, name, f, ctx); |
406 | /* uid comparisons */ |
407 | case AUDIT_COMPARE_UID_TO_AUID: |
408 | return audit_uid_comparator(left: cred->uid, op: f->op, |
409 | right: audit_get_loginuid(tsk)); |
410 | case AUDIT_COMPARE_UID_TO_EUID: |
411 | return audit_uid_comparator(left: cred->uid, op: f->op, right: cred->euid); |
412 | case AUDIT_COMPARE_UID_TO_SUID: |
413 | return audit_uid_comparator(left: cred->uid, op: f->op, right: cred->suid); |
414 | case AUDIT_COMPARE_UID_TO_FSUID: |
415 | return audit_uid_comparator(left: cred->uid, op: f->op, right: cred->fsuid); |
416 | /* auid comparisons */ |
417 | case AUDIT_COMPARE_AUID_TO_EUID: |
418 | return audit_uid_comparator(left: audit_get_loginuid(tsk), op: f->op, |
419 | right: cred->euid); |
420 | case AUDIT_COMPARE_AUID_TO_SUID: |
421 | return audit_uid_comparator(left: audit_get_loginuid(tsk), op: f->op, |
422 | right: cred->suid); |
423 | case AUDIT_COMPARE_AUID_TO_FSUID: |
424 | return audit_uid_comparator(left: audit_get_loginuid(tsk), op: f->op, |
425 | right: cred->fsuid); |
426 | /* euid comparisons */ |
427 | case AUDIT_COMPARE_EUID_TO_SUID: |
428 | return audit_uid_comparator(left: cred->euid, op: f->op, right: cred->suid); |
429 | case AUDIT_COMPARE_EUID_TO_FSUID: |
430 | return audit_uid_comparator(left: cred->euid, op: f->op, right: cred->fsuid); |
431 | /* suid comparisons */ |
432 | case AUDIT_COMPARE_SUID_TO_FSUID: |
433 | return audit_uid_comparator(left: cred->suid, op: f->op, right: cred->fsuid); |
434 | /* gid comparisons */ |
435 | case AUDIT_COMPARE_GID_TO_EGID: |
436 | return audit_gid_comparator(left: cred->gid, op: f->op, right: cred->egid); |
437 | case AUDIT_COMPARE_GID_TO_SGID: |
438 | return audit_gid_comparator(left: cred->gid, op: f->op, right: cred->sgid); |
439 | case AUDIT_COMPARE_GID_TO_FSGID: |
440 | return audit_gid_comparator(left: cred->gid, op: f->op, right: cred->fsgid); |
441 | /* egid comparisons */ |
442 | case AUDIT_COMPARE_EGID_TO_SGID: |
443 | return audit_gid_comparator(left: cred->egid, op: f->op, right: cred->sgid); |
444 | case AUDIT_COMPARE_EGID_TO_FSGID: |
445 | return audit_gid_comparator(left: cred->egid, op: f->op, right: cred->fsgid); |
446 | /* sgid comparison */ |
447 | case AUDIT_COMPARE_SGID_TO_FSGID: |
448 | return audit_gid_comparator(left: cred->sgid, op: f->op, right: cred->fsgid); |
449 | default: |
450 | WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n" ); |
451 | return 0; |
452 | } |
453 | return 0; |
454 | } |
455 | |
456 | /* Determine if any context name data matches a rule's watch data */ |
457 | /* Compare a task_struct with an audit_rule. Return 1 on match, 0 |
458 | * otherwise. |
459 | * |
460 | * If task_creation is true, this is an explicit indication that we are |
461 | * filtering a task rule at task creation time. This and tsk == current are |
462 | * the only situations where tsk->cred may be accessed without an rcu read lock. |
463 | */ |
464 | static int audit_filter_rules(struct task_struct *tsk, |
465 | struct audit_krule *rule, |
466 | struct audit_context *ctx, |
467 | struct audit_names *name, |
468 | enum audit_state *state, |
469 | bool task_creation) |
470 | { |
471 | const struct cred *cred; |
472 | int i, need_sid = 1; |
473 | u32 sid; |
474 | unsigned int sessionid; |
475 | |
476 | if (ctx && rule->prio <= ctx->prio) |
477 | return 0; |
478 | |
479 | cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); |
480 | |
481 | for (i = 0; i < rule->field_count; i++) { |
482 | struct audit_field *f = &rule->fields[i]; |
483 | struct audit_names *n; |
484 | int result = 0; |
485 | pid_t pid; |
486 | |
487 | switch (f->type) { |
488 | case AUDIT_PID: |
489 | pid = task_tgid_nr(tsk); |
490 | result = audit_comparator(left: pid, op: f->op, right: f->val); |
491 | break; |
492 | case AUDIT_PPID: |
493 | if (ctx) { |
494 | if (!ctx->ppid) |
495 | ctx->ppid = task_ppid_nr(tsk); |
496 | result = audit_comparator(left: ctx->ppid, op: f->op, right: f->val); |
497 | } |
498 | break; |
499 | case AUDIT_EXE: |
500 | result = audit_exe_compare(tsk, mark: rule->exe); |
501 | if (f->op == Audit_not_equal) |
502 | result = !result; |
503 | break; |
504 | case AUDIT_UID: |
505 | result = audit_uid_comparator(left: cred->uid, op: f->op, right: f->uid); |
506 | break; |
507 | case AUDIT_EUID: |
508 | result = audit_uid_comparator(left: cred->euid, op: f->op, right: f->uid); |
509 | break; |
510 | case AUDIT_SUID: |
511 | result = audit_uid_comparator(left: cred->suid, op: f->op, right: f->uid); |
512 | break; |
513 | case AUDIT_FSUID: |
514 | result = audit_uid_comparator(left: cred->fsuid, op: f->op, right: f->uid); |
515 | break; |
516 | case AUDIT_GID: |
517 | result = audit_gid_comparator(left: cred->gid, op: f->op, right: f->gid); |
518 | if (f->op == Audit_equal) { |
519 | if (!result) |
520 | result = groups_search(cred->group_info, f->gid); |
521 | } else if (f->op == Audit_not_equal) { |
522 | if (result) |
523 | result = !groups_search(cred->group_info, f->gid); |
524 | } |
525 | break; |
526 | case AUDIT_EGID: |
527 | result = audit_gid_comparator(left: cred->egid, op: f->op, right: f->gid); |
528 | if (f->op == Audit_equal) { |
529 | if (!result) |
530 | result = groups_search(cred->group_info, f->gid); |
531 | } else if (f->op == Audit_not_equal) { |
532 | if (result) |
533 | result = !groups_search(cred->group_info, f->gid); |
534 | } |
535 | break; |
536 | case AUDIT_SGID: |
537 | result = audit_gid_comparator(left: cred->sgid, op: f->op, right: f->gid); |
538 | break; |
539 | case AUDIT_FSGID: |
540 | result = audit_gid_comparator(left: cred->fsgid, op: f->op, right: f->gid); |
541 | break; |
542 | case AUDIT_SESSIONID: |
543 | sessionid = audit_get_sessionid(tsk); |
544 | result = audit_comparator(left: sessionid, op: f->op, right: f->val); |
545 | break; |
546 | case AUDIT_PERS: |
547 | result = audit_comparator(left: tsk->personality, op: f->op, right: f->val); |
548 | break; |
549 | case AUDIT_ARCH: |
550 | if (ctx) |
551 | result = audit_comparator(left: ctx->arch, op: f->op, right: f->val); |
552 | break; |
553 | |
554 | case AUDIT_EXIT: |
555 | if (ctx && ctx->return_valid != AUDITSC_INVALID) |
556 | result = audit_comparator(left: ctx->return_code, op: f->op, right: f->val); |
557 | break; |
558 | case AUDIT_SUCCESS: |
559 | if (ctx && ctx->return_valid != AUDITSC_INVALID) { |
560 | if (f->val) |
561 | result = audit_comparator(left: ctx->return_valid, op: f->op, AUDITSC_SUCCESS); |
562 | else |
563 | result = audit_comparator(left: ctx->return_valid, op: f->op, AUDITSC_FAILURE); |
564 | } |
565 | break; |
566 | case AUDIT_DEVMAJOR: |
567 | if (name) { |
568 | if (audit_comparator(MAJOR(name->dev), op: f->op, right: f->val) || |
569 | audit_comparator(MAJOR(name->rdev), op: f->op, right: f->val)) |
570 | ++result; |
571 | } else if (ctx) { |
572 | list_for_each_entry(n, &ctx->names_list, list) { |
573 | if (audit_comparator(MAJOR(n->dev), op: f->op, right: f->val) || |
574 | audit_comparator(MAJOR(n->rdev), op: f->op, right: f->val)) { |
575 | ++result; |
576 | break; |
577 | } |
578 | } |
579 | } |
580 | break; |
581 | case AUDIT_DEVMINOR: |
582 | if (name) { |
583 | if (audit_comparator(MINOR(name->dev), op: f->op, right: f->val) || |
584 | audit_comparator(MINOR(name->rdev), op: f->op, right: f->val)) |
585 | ++result; |
586 | } else if (ctx) { |
587 | list_for_each_entry(n, &ctx->names_list, list) { |
588 | if (audit_comparator(MINOR(n->dev), op: f->op, right: f->val) || |
589 | audit_comparator(MINOR(n->rdev), op: f->op, right: f->val)) { |
590 | ++result; |
591 | break; |
592 | } |
593 | } |
594 | } |
595 | break; |
596 | case AUDIT_INODE: |
597 | if (name) |
598 | result = audit_comparator(left: name->ino, op: f->op, right: f->val); |
599 | else if (ctx) { |
600 | list_for_each_entry(n, &ctx->names_list, list) { |
601 | if (audit_comparator(left: n->ino, op: f->op, right: f->val)) { |
602 | ++result; |
603 | break; |
604 | } |
605 | } |
606 | } |
607 | break; |
608 | case AUDIT_OBJ_UID: |
609 | if (name) { |
610 | result = audit_uid_comparator(left: name->uid, op: f->op, right: f->uid); |
611 | } else if (ctx) { |
612 | list_for_each_entry(n, &ctx->names_list, list) { |
613 | if (audit_uid_comparator(left: n->uid, op: f->op, right: f->uid)) { |
614 | ++result; |
615 | break; |
616 | } |
617 | } |
618 | } |
619 | break; |
620 | case AUDIT_OBJ_GID: |
621 | if (name) { |
622 | result = audit_gid_comparator(left: name->gid, op: f->op, right: f->gid); |
623 | } else if (ctx) { |
624 | list_for_each_entry(n, &ctx->names_list, list) { |
625 | if (audit_gid_comparator(left: n->gid, op: f->op, right: f->gid)) { |
626 | ++result; |
627 | break; |
628 | } |
629 | } |
630 | } |
631 | break; |
632 | case AUDIT_WATCH: |
633 | if (name) { |
634 | result = audit_watch_compare(watch: rule->watch, |
635 | ino: name->ino, |
636 | dev: name->dev); |
637 | if (f->op == Audit_not_equal) |
638 | result = !result; |
639 | } |
640 | break; |
641 | case AUDIT_DIR: |
642 | if (ctx) { |
643 | result = match_tree_refs(ctx, tree: rule->tree); |
644 | if (f->op == Audit_not_equal) |
645 | result = !result; |
646 | } |
647 | break; |
648 | case AUDIT_LOGINUID: |
649 | result = audit_uid_comparator(left: audit_get_loginuid(tsk), |
650 | op: f->op, right: f->uid); |
651 | break; |
652 | case AUDIT_LOGINUID_SET: |
653 | result = audit_comparator(left: audit_loginuid_set(tsk), op: f->op, right: f->val); |
654 | break; |
655 | case AUDIT_SADDR_FAM: |
656 | if (ctx && ctx->sockaddr) |
657 | result = audit_comparator(left: ctx->sockaddr->ss_family, |
658 | op: f->op, right: f->val); |
659 | break; |
660 | case AUDIT_SUBJ_USER: |
661 | case AUDIT_SUBJ_ROLE: |
662 | case AUDIT_SUBJ_TYPE: |
663 | case AUDIT_SUBJ_SEN: |
664 | case AUDIT_SUBJ_CLR: |
665 | /* NOTE: this may return negative values indicating |
666 | a temporary error. We simply treat this as a |
667 | match for now to avoid losing information that |
668 | may be wanted. An error message will also be |
669 | logged upon error */ |
670 | if (f->lsm_rule) { |
671 | if (need_sid) { |
672 | /* @tsk should always be equal to |
673 | * @current with the exception of |
674 | * fork()/copy_process() in which case |
675 | * the new @tsk creds are still a dup |
676 | * of @current's creds so we can still |
677 | * use security_current_getsecid_subj() |
678 | * here even though it always refs |
679 | * @current's creds |
680 | */ |
681 | security_current_getsecid_subj(secid: &sid); |
682 | need_sid = 0; |
683 | } |
684 | result = security_audit_rule_match(secid: sid, field: f->type, |
685 | op: f->op, |
686 | lsmrule: f->lsm_rule); |
687 | } |
688 | break; |
689 | case AUDIT_OBJ_USER: |
690 | case AUDIT_OBJ_ROLE: |
691 | case AUDIT_OBJ_TYPE: |
692 | case AUDIT_OBJ_LEV_LOW: |
693 | case AUDIT_OBJ_LEV_HIGH: |
694 | /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR |
695 | also applies here */ |
696 | if (f->lsm_rule) { |
697 | /* Find files that match */ |
698 | if (name) { |
699 | result = security_audit_rule_match( |
700 | secid: name->osid, |
701 | field: f->type, |
702 | op: f->op, |
703 | lsmrule: f->lsm_rule); |
704 | } else if (ctx) { |
705 | list_for_each_entry(n, &ctx->names_list, list) { |
706 | if (security_audit_rule_match( |
707 | secid: n->osid, |
708 | field: f->type, |
709 | op: f->op, |
710 | lsmrule: f->lsm_rule)) { |
711 | ++result; |
712 | break; |
713 | } |
714 | } |
715 | } |
716 | /* Find ipc objects that match */ |
717 | if (!ctx || ctx->type != AUDIT_IPC) |
718 | break; |
719 | if (security_audit_rule_match(secid: ctx->ipc.osid, |
720 | field: f->type, op: f->op, |
721 | lsmrule: f->lsm_rule)) |
722 | ++result; |
723 | } |
724 | break; |
725 | case AUDIT_ARG0: |
726 | case AUDIT_ARG1: |
727 | case AUDIT_ARG2: |
728 | case AUDIT_ARG3: |
729 | if (ctx) |
730 | result = audit_comparator(left: ctx->argv[f->type-AUDIT_ARG0], op: f->op, right: f->val); |
731 | break; |
732 | case AUDIT_FILTERKEY: |
733 | /* ignore this field for filtering */ |
734 | result = 1; |
735 | break; |
736 | case AUDIT_PERM: |
737 | result = audit_match_perm(ctx, mask: f->val); |
738 | if (f->op == Audit_not_equal) |
739 | result = !result; |
740 | break; |
741 | case AUDIT_FILETYPE: |
742 | result = audit_match_filetype(ctx, val: f->val); |
743 | if (f->op == Audit_not_equal) |
744 | result = !result; |
745 | break; |
746 | case AUDIT_FIELD_COMPARE: |
747 | result = audit_field_compare(tsk, cred, f, ctx, name); |
748 | break; |
749 | } |
750 | if (!result) |
751 | return 0; |
752 | } |
753 | |
754 | if (ctx) { |
755 | if (rule->filterkey) { |
756 | kfree(objp: ctx->filterkey); |
757 | ctx->filterkey = kstrdup(s: rule->filterkey, GFP_ATOMIC); |
758 | } |
759 | ctx->prio = rule->prio; |
760 | } |
761 | switch (rule->action) { |
762 | case AUDIT_NEVER: |
763 | *state = AUDIT_STATE_DISABLED; |
764 | break; |
765 | case AUDIT_ALWAYS: |
766 | *state = AUDIT_STATE_RECORD; |
767 | break; |
768 | } |
769 | return 1; |
770 | } |
771 | |
772 | /* At process creation time, we can determine if system-call auditing is |
773 | * completely disabled for this task. Since we only have the task |
774 | * structure at this point, we can only check uid and gid. |
775 | */ |
776 | static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) |
777 | { |
778 | struct audit_entry *e; |
779 | enum audit_state state; |
780 | |
781 | rcu_read_lock(); |
782 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { |
783 | if (audit_filter_rules(tsk, rule: &e->rule, NULL, NULL, |
784 | state: &state, task_creation: true)) { |
785 | if (state == AUDIT_STATE_RECORD) |
786 | *key = kstrdup(s: e->rule.filterkey, GFP_ATOMIC); |
787 | rcu_read_unlock(); |
788 | return state; |
789 | } |
790 | } |
791 | rcu_read_unlock(); |
792 | return AUDIT_STATE_BUILD; |
793 | } |
794 | |
795 | static int audit_in_mask(const struct audit_krule *rule, unsigned long val) |
796 | { |
797 | int word, bit; |
798 | |
799 | if (val > 0xffffffff) |
800 | return false; |
801 | |
802 | word = AUDIT_WORD(val); |
803 | if (word >= AUDIT_BITMASK_SIZE) |
804 | return false; |
805 | |
806 | bit = AUDIT_BIT(val); |
807 | |
808 | return rule->mask[word] & bit; |
809 | } |
810 | |
811 | /** |
812 | * __audit_filter_op - common filter helper for operations (syscall/uring/etc) |
813 | * @tsk: associated task |
814 | * @ctx: audit context |
815 | * @list: audit filter list |
816 | * @name: audit_name (can be NULL) |
817 | * @op: current syscall/uring_op |
818 | * |
819 | * Run the udit filters specified in @list against @tsk using @ctx, |
820 | * @name, and @op, as necessary; the caller is responsible for ensuring |
821 | * that the call is made while the RCU read lock is held. The @name |
822 | * parameter can be NULL, but all others must be specified. |
823 | * Returns 1/true if the filter finds a match, 0/false if none are found. |
824 | */ |
825 | static int __audit_filter_op(struct task_struct *tsk, |
826 | struct audit_context *ctx, |
827 | struct list_head *list, |
828 | struct audit_names *name, |
829 | unsigned long op) |
830 | { |
831 | struct audit_entry *e; |
832 | enum audit_state state; |
833 | |
834 | list_for_each_entry_rcu(e, list, list) { |
835 | if (audit_in_mask(rule: &e->rule, val: op) && |
836 | audit_filter_rules(tsk, rule: &e->rule, ctx, name, |
837 | state: &state, task_creation: false)) { |
838 | ctx->current_state = state; |
839 | return 1; |
840 | } |
841 | } |
842 | return 0; |
843 | } |
844 | |
845 | /** |
846 | * audit_filter_uring - apply filters to an io_uring operation |
847 | * @tsk: associated task |
848 | * @ctx: audit context |
849 | */ |
850 | static void audit_filter_uring(struct task_struct *tsk, |
851 | struct audit_context *ctx) |
852 | { |
853 | if (auditd_test_task(task: tsk)) |
854 | return; |
855 | |
856 | rcu_read_lock(); |
857 | __audit_filter_op(tsk, ctx, list: &audit_filter_list[AUDIT_FILTER_URING_EXIT], |
858 | NULL, op: ctx->uring_op); |
859 | rcu_read_unlock(); |
860 | } |
861 | |
862 | /* At syscall exit time, this filter is called if the audit_state is |
863 | * not low enough that auditing cannot take place, but is also not |
864 | * high enough that we already know we have to write an audit record |
865 | * (i.e., the state is AUDIT_STATE_BUILD). |
866 | */ |
867 | static void audit_filter_syscall(struct task_struct *tsk, |
868 | struct audit_context *ctx) |
869 | { |
870 | if (auditd_test_task(task: tsk)) |
871 | return; |
872 | |
873 | rcu_read_lock(); |
874 | __audit_filter_op(tsk, ctx, list: &audit_filter_list[AUDIT_FILTER_EXIT], |
875 | NULL, op: ctx->major); |
876 | rcu_read_unlock(); |
877 | } |
878 | |
879 | /* |
880 | * Given an audit_name check the inode hash table to see if they match. |
881 | * Called holding the rcu read lock to protect the use of audit_inode_hash |
882 | */ |
883 | static int audit_filter_inode_name(struct task_struct *tsk, |
884 | struct audit_names *n, |
885 | struct audit_context *ctx) |
886 | { |
887 | int h = audit_hash_ino(ino: (u32)n->ino); |
888 | struct list_head *list = &audit_inode_hash[h]; |
889 | |
890 | return __audit_filter_op(tsk, ctx, list, name: n, op: ctx->major); |
891 | } |
892 | |
893 | /* At syscall exit time, this filter is called if any audit_names have been |
894 | * collected during syscall processing. We only check rules in sublists at hash |
895 | * buckets applicable to the inode numbers in audit_names. |
896 | * Regarding audit_state, same rules apply as for audit_filter_syscall(). |
897 | */ |
898 | void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) |
899 | { |
900 | struct audit_names *n; |
901 | |
902 | if (auditd_test_task(task: tsk)) |
903 | return; |
904 | |
905 | rcu_read_lock(); |
906 | |
907 | list_for_each_entry(n, &ctx->names_list, list) { |
908 | if (audit_filter_inode_name(tsk, n, ctx)) |
909 | break; |
910 | } |
911 | rcu_read_unlock(); |
912 | } |
913 | |
914 | static inline void audit_proctitle_free(struct audit_context *context) |
915 | { |
916 | kfree(objp: context->proctitle.value); |
917 | context->proctitle.value = NULL; |
918 | context->proctitle.len = 0; |
919 | } |
920 | |
921 | static inline void audit_free_module(struct audit_context *context) |
922 | { |
923 | if (context->type == AUDIT_KERN_MODULE) { |
924 | kfree(objp: context->module.name); |
925 | context->module.name = NULL; |
926 | } |
927 | } |
928 | static inline void audit_free_names(struct audit_context *context) |
929 | { |
930 | struct audit_names *n, *next; |
931 | |
932 | list_for_each_entry_safe(n, next, &context->names_list, list) { |
933 | list_del(entry: &n->list); |
934 | if (n->name) |
935 | putname(name: n->name); |
936 | if (n->should_free) |
937 | kfree(objp: n); |
938 | } |
939 | context->name_count = 0; |
940 | path_put(&context->pwd); |
941 | context->pwd.dentry = NULL; |
942 | context->pwd.mnt = NULL; |
943 | } |
944 | |
945 | static inline void audit_free_aux(struct audit_context *context) |
946 | { |
947 | struct audit_aux_data *aux; |
948 | |
949 | while ((aux = context->aux)) { |
950 | context->aux = aux->next; |
951 | kfree(objp: aux); |
952 | } |
953 | context->aux = NULL; |
954 | while ((aux = context->aux_pids)) { |
955 | context->aux_pids = aux->next; |
956 | kfree(objp: aux); |
957 | } |
958 | context->aux_pids = NULL; |
959 | } |
960 | |
961 | /** |
962 | * audit_reset_context - reset a audit_context structure |
963 | * @ctx: the audit_context to reset |
964 | * |
965 | * All fields in the audit_context will be reset to an initial state, all |
966 | * references held by fields will be dropped, and private memory will be |
967 | * released. When this function returns the audit_context will be suitable |
968 | * for reuse, so long as the passed context is not NULL or a dummy context. |
969 | */ |
970 | static void audit_reset_context(struct audit_context *ctx) |
971 | { |
972 | if (!ctx) |
973 | return; |
974 | |
975 | /* if ctx is non-null, reset the "ctx->context" regardless */ |
976 | ctx->context = AUDIT_CTX_UNUSED; |
977 | if (ctx->dummy) |
978 | return; |
979 | |
980 | /* |
981 | * NOTE: It shouldn't matter in what order we release the fields, so |
982 | * release them in the order in which they appear in the struct; |
983 | * this gives us some hope of quickly making sure we are |
984 | * resetting the audit_context properly. |
985 | * |
986 | * Other things worth mentioning: |
987 | * - we don't reset "dummy" |
988 | * - we don't reset "state", we do reset "current_state" |
989 | * - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD |
990 | * - much of this is likely overkill, but play it safe for now |
991 | * - we really need to work on improving the audit_context struct |
992 | */ |
993 | |
994 | ctx->current_state = ctx->state; |
995 | ctx->serial = 0; |
996 | ctx->major = 0; |
997 | ctx->uring_op = 0; |
998 | ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; |
999 | memset(ctx->argv, 0, sizeof(ctx->argv)); |
1000 | ctx->return_code = 0; |
1001 | ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0); |
1002 | ctx->return_valid = AUDITSC_INVALID; |
1003 | audit_free_names(context: ctx); |
1004 | if (ctx->state != AUDIT_STATE_RECORD) { |
1005 | kfree(objp: ctx->filterkey); |
1006 | ctx->filterkey = NULL; |
1007 | } |
1008 | audit_free_aux(context: ctx); |
1009 | kfree(objp: ctx->sockaddr); |
1010 | ctx->sockaddr = NULL; |
1011 | ctx->sockaddr_len = 0; |
1012 | ctx->ppid = 0; |
1013 | ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0); |
1014 | ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0); |
1015 | ctx->personality = 0; |
1016 | ctx->arch = 0; |
1017 | ctx->target_pid = 0; |
1018 | ctx->target_auid = ctx->target_uid = KUIDT_INIT(0); |
1019 | ctx->target_sessionid = 0; |
1020 | ctx->target_sid = 0; |
1021 | ctx->target_comm[0] = '\0'; |
1022 | unroll_tree_refs(ctx, NULL, 0); |
1023 | WARN_ON(!list_empty(&ctx->killed_trees)); |
1024 | audit_free_module(ctx); |
1025 | ctx->fds[0] = -1; |
1026 | ctx->type = 0; /* reset last for audit_free_*() */ |
1027 | } |
1028 | |
1029 | static inline struct audit_context *audit_alloc_context(enum audit_state state) |
1030 | { |
1031 | struct audit_context *context; |
1032 | |
1033 | context = kzalloc(size: sizeof(*context), GFP_KERNEL); |
1034 | if (!context) |
1035 | return NULL; |
1036 | context->context = AUDIT_CTX_UNUSED; |
1037 | context->state = state; |
1038 | context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0; |
1039 | INIT_LIST_HEAD(list: &context->killed_trees); |
1040 | INIT_LIST_HEAD(list: &context->names_list); |
1041 | context->fds[0] = -1; |
1042 | context->return_valid = AUDITSC_INVALID; |
1043 | return context; |
1044 | } |
1045 | |
1046 | /** |
1047 | * audit_alloc - allocate an audit context block for a task |
1048 | * @tsk: task |
1049 | * |
1050 | * Filter on the task information and allocate a per-task audit context |
1051 | * if necessary. Doing so turns on system call auditing for the |
1052 | * specified task. This is called from copy_process, so no lock is |
1053 | * needed. |
1054 | */ |
1055 | int audit_alloc(struct task_struct *tsk) |
1056 | { |
1057 | struct audit_context *context; |
1058 | enum audit_state state; |
1059 | char *key = NULL; |
1060 | |
1061 | if (likely(!audit_ever_enabled)) |
1062 | return 0; |
1063 | |
1064 | state = audit_filter_task(tsk, key: &key); |
1065 | if (state == AUDIT_STATE_DISABLED) { |
1066 | clear_task_syscall_work(tsk, SYSCALL_AUDIT); |
1067 | return 0; |
1068 | } |
1069 | |
1070 | context = audit_alloc_context(state); |
1071 | if (!context) { |
1072 | kfree(objp: key); |
1073 | audit_log_lost(message: "out of memory in audit_alloc" ); |
1074 | return -ENOMEM; |
1075 | } |
1076 | context->filterkey = key; |
1077 | |
1078 | audit_set_context(task: tsk, ctx: context); |
1079 | set_task_syscall_work(tsk, SYSCALL_AUDIT); |
1080 | return 0; |
1081 | } |
1082 | |
1083 | static inline void audit_free_context(struct audit_context *context) |
1084 | { |
1085 | /* resetting is extra work, but it is likely just noise */ |
1086 | audit_reset_context(ctx: context); |
1087 | audit_proctitle_free(context); |
1088 | free_tree_refs(ctx: context); |
1089 | kfree(objp: context->filterkey); |
1090 | kfree(objp: context); |
1091 | } |
1092 | |
1093 | static int audit_log_pid_context(struct audit_context *context, pid_t pid, |
1094 | kuid_t auid, kuid_t uid, unsigned int sessionid, |
1095 | u32 sid, char *comm) |
1096 | { |
1097 | struct audit_buffer *ab; |
1098 | char *ctx = NULL; |
1099 | u32 len; |
1100 | int rc = 0; |
1101 | |
1102 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_OBJ_PID); |
1103 | if (!ab) |
1104 | return rc; |
1105 | |
1106 | audit_log_format(ab, fmt: "opid=%d oauid=%d ouid=%d oses=%d" , pid, |
1107 | from_kuid(to: &init_user_ns, uid: auid), |
1108 | from_kuid(to: &init_user_ns, uid), sessionid); |
1109 | if (sid) { |
1110 | if (security_secid_to_secctx(secid: sid, secdata: &ctx, seclen: &len)) { |
1111 | audit_log_format(ab, fmt: " obj=(none)" ); |
1112 | rc = 1; |
1113 | } else { |
1114 | audit_log_format(ab, fmt: " obj=%s" , ctx); |
1115 | security_release_secctx(secdata: ctx, seclen: len); |
1116 | } |
1117 | } |
1118 | audit_log_format(ab, fmt: " ocomm=" ); |
1119 | audit_log_untrustedstring(ab, string: comm); |
1120 | audit_log_end(ab); |
1121 | |
1122 | return rc; |
1123 | } |
1124 | |
1125 | static void audit_log_execve_info(struct audit_context *context, |
1126 | struct audit_buffer **ab) |
1127 | { |
1128 | long len_max; |
1129 | long len_rem; |
1130 | long len_full; |
1131 | long len_buf; |
1132 | long len_abuf = 0; |
1133 | long len_tmp; |
1134 | bool require_data; |
1135 | bool encode; |
1136 | unsigned int iter; |
1137 | unsigned int arg; |
1138 | char *buf_head; |
1139 | char *buf; |
1140 | const char __user *p = (const char __user *)current->mm->arg_start; |
1141 | |
1142 | /* NOTE: this buffer needs to be large enough to hold all the non-arg |
1143 | * data we put in the audit record for this argument (see the |
1144 | * code below) ... at this point in time 96 is plenty */ |
1145 | char abuf[96]; |
1146 | |
1147 | /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the |
1148 | * current value of 7500 is not as important as the fact that it |
1149 | * is less than 8k, a setting of 7500 gives us plenty of wiggle |
1150 | * room if we go over a little bit in the logging below */ |
1151 | WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500); |
1152 | len_max = MAX_EXECVE_AUDIT_LEN; |
1153 | |
1154 | /* scratch buffer to hold the userspace args */ |
1155 | buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); |
1156 | if (!buf_head) { |
1157 | audit_panic(message: "out of memory for argv string" ); |
1158 | return; |
1159 | } |
1160 | buf = buf_head; |
1161 | |
1162 | audit_log_format(ab: *ab, fmt: "argc=%d" , context->execve.argc); |
1163 | |
1164 | len_rem = len_max; |
1165 | len_buf = 0; |
1166 | len_full = 0; |
1167 | require_data = true; |
1168 | encode = false; |
1169 | iter = 0; |
1170 | arg = 0; |
1171 | do { |
1172 | /* NOTE: we don't ever want to trust this value for anything |
1173 | * serious, but the audit record format insists we |
1174 | * provide an argument length for really long arguments, |
1175 | * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but |
1176 | * to use strncpy_from_user() to obtain this value for |
1177 | * recording in the log, although we don't use it |
1178 | * anywhere here to avoid a double-fetch problem */ |
1179 | if (len_full == 0) |
1180 | len_full = strnlen_user(str: p, MAX_ARG_STRLEN) - 1; |
1181 | |
1182 | /* read more data from userspace */ |
1183 | if (require_data) { |
1184 | /* can we make more room in the buffer? */ |
1185 | if (buf != buf_head) { |
1186 | memmove(buf_head, buf, len_buf); |
1187 | buf = buf_head; |
1188 | } |
1189 | |
1190 | /* fetch as much as we can of the argument */ |
1191 | len_tmp = strncpy_from_user(dst: &buf_head[len_buf], src: p, |
1192 | count: len_max - len_buf); |
1193 | if (len_tmp == -EFAULT) { |
1194 | /* unable to copy from userspace */ |
1195 | send_sig(SIGKILL, current, 0); |
1196 | goto out; |
1197 | } else if (len_tmp == (len_max - len_buf)) { |
1198 | /* buffer is not large enough */ |
1199 | require_data = true; |
1200 | /* NOTE: if we are going to span multiple |
1201 | * buffers force the encoding so we stand |
1202 | * a chance at a sane len_full value and |
1203 | * consistent record encoding */ |
1204 | encode = true; |
1205 | len_full = len_full * 2; |
1206 | p += len_tmp; |
1207 | } else { |
1208 | require_data = false; |
1209 | if (!encode) |
1210 | encode = audit_string_contains_control( |
1211 | string: buf, len: len_tmp); |
1212 | /* try to use a trusted value for len_full */ |
1213 | if (len_full < len_max) |
1214 | len_full = (encode ? |
1215 | len_tmp * 2 : len_tmp); |
1216 | p += len_tmp + 1; |
1217 | } |
1218 | len_buf += len_tmp; |
1219 | buf_head[len_buf] = '\0'; |
1220 | |
1221 | /* length of the buffer in the audit record? */ |
1222 | len_abuf = (encode ? len_buf * 2 : len_buf + 2); |
1223 | } |
1224 | |
1225 | /* write as much as we can to the audit log */ |
1226 | if (len_buf >= 0) { |
1227 | /* NOTE: some magic numbers here - basically if we |
1228 | * can't fit a reasonable amount of data into the |
1229 | * existing audit buffer, flush it and start with |
1230 | * a new buffer */ |
1231 | if ((sizeof(abuf) + 8) > len_rem) { |
1232 | len_rem = len_max; |
1233 | audit_log_end(ab: *ab); |
1234 | *ab = audit_log_start(ctx: context, |
1235 | GFP_KERNEL, AUDIT_EXECVE); |
1236 | if (!*ab) |
1237 | goto out; |
1238 | } |
1239 | |
1240 | /* create the non-arg portion of the arg record */ |
1241 | len_tmp = 0; |
1242 | if (require_data || (iter > 0) || |
1243 | ((len_abuf + sizeof(abuf)) > len_rem)) { |
1244 | if (iter == 0) { |
1245 | len_tmp += snprintf(buf: &abuf[len_tmp], |
1246 | size: sizeof(abuf) - len_tmp, |
1247 | fmt: " a%d_len=%lu" , |
1248 | arg, len_full); |
1249 | } |
1250 | len_tmp += snprintf(buf: &abuf[len_tmp], |
1251 | size: sizeof(abuf) - len_tmp, |
1252 | fmt: " a%d[%d]=" , arg, iter++); |
1253 | } else |
1254 | len_tmp += snprintf(buf: &abuf[len_tmp], |
1255 | size: sizeof(abuf) - len_tmp, |
1256 | fmt: " a%d=" , arg); |
1257 | WARN_ON(len_tmp >= sizeof(abuf)); |
1258 | abuf[sizeof(abuf) - 1] = '\0'; |
1259 | |
1260 | /* log the arg in the audit record */ |
1261 | audit_log_format(ab: *ab, fmt: "%s" , abuf); |
1262 | len_rem -= len_tmp; |
1263 | len_tmp = len_buf; |
1264 | if (encode) { |
1265 | if (len_abuf > len_rem) |
1266 | len_tmp = len_rem / 2; /* encoding */ |
1267 | audit_log_n_hex(ab: *ab, buf, len: len_tmp); |
1268 | len_rem -= len_tmp * 2; |
1269 | len_abuf -= len_tmp * 2; |
1270 | } else { |
1271 | if (len_abuf > len_rem) |
1272 | len_tmp = len_rem - 2; /* quotes */ |
1273 | audit_log_n_string(ab: *ab, buf, n: len_tmp); |
1274 | len_rem -= len_tmp + 2; |
1275 | /* don't subtract the "2" because we still need |
1276 | * to add quotes to the remaining string */ |
1277 | len_abuf -= len_tmp; |
1278 | } |
1279 | len_buf -= len_tmp; |
1280 | buf += len_tmp; |
1281 | } |
1282 | |
1283 | /* ready to move to the next argument? */ |
1284 | if ((len_buf == 0) && !require_data) { |
1285 | arg++; |
1286 | iter = 0; |
1287 | len_full = 0; |
1288 | require_data = true; |
1289 | encode = false; |
1290 | } |
1291 | } while (arg < context->execve.argc); |
1292 | |
1293 | /* NOTE: the caller handles the final audit_log_end() call */ |
1294 | |
1295 | out: |
1296 | kfree(objp: buf_head); |
1297 | } |
1298 | |
1299 | static void audit_log_cap(struct audit_buffer *ab, char *prefix, |
1300 | kernel_cap_t *cap) |
1301 | { |
1302 | if (cap_isclear(a: *cap)) { |
1303 | audit_log_format(ab, fmt: " %s=0" , prefix); |
1304 | return; |
1305 | } |
1306 | audit_log_format(ab, fmt: " %s=%016llx" , prefix, cap->val); |
1307 | } |
1308 | |
1309 | static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) |
1310 | { |
1311 | if (name->fcap_ver == -1) { |
1312 | audit_log_format(ab, fmt: " cap_fe=? cap_fver=? cap_fp=? cap_fi=?" ); |
1313 | return; |
1314 | } |
1315 | audit_log_cap(ab, prefix: "cap_fp" , cap: &name->fcap.permitted); |
1316 | audit_log_cap(ab, prefix: "cap_fi" , cap: &name->fcap.inheritable); |
1317 | audit_log_format(ab, fmt: " cap_fe=%d cap_fver=%x cap_frootid=%d" , |
1318 | name->fcap.fE, name->fcap_ver, |
1319 | from_kuid(to: &init_user_ns, uid: name->fcap.rootid)); |
1320 | } |
1321 | |
1322 | static void audit_log_time(struct audit_context *context, struct audit_buffer **ab) |
1323 | { |
1324 | const struct audit_ntp_data *ntp = &context->time.ntp_data; |
1325 | const struct timespec64 *tk = &context->time.tk_injoffset; |
1326 | static const char * const ntp_name[] = { |
1327 | "offset" , |
1328 | "freq" , |
1329 | "status" , |
1330 | "tai" , |
1331 | "tick" , |
1332 | "adjust" , |
1333 | }; |
1334 | int type; |
1335 | |
1336 | if (context->type == AUDIT_TIME_ADJNTPVAL) { |
1337 | for (type = 0; type < AUDIT_NTP_NVALS; type++) { |
1338 | if (ntp->vals[type].newval != ntp->vals[type].oldval) { |
1339 | if (!*ab) { |
1340 | *ab = audit_log_start(ctx: context, |
1341 | GFP_KERNEL, |
1342 | AUDIT_TIME_ADJNTPVAL); |
1343 | if (!*ab) |
1344 | return; |
1345 | } |
1346 | audit_log_format(ab: *ab, fmt: "op=%s old=%lli new=%lli" , |
1347 | ntp_name[type], |
1348 | ntp->vals[type].oldval, |
1349 | ntp->vals[type].newval); |
1350 | audit_log_end(ab: *ab); |
1351 | *ab = NULL; |
1352 | } |
1353 | } |
1354 | } |
1355 | if (tk->tv_sec != 0 || tk->tv_nsec != 0) { |
1356 | if (!*ab) { |
1357 | *ab = audit_log_start(ctx: context, GFP_KERNEL, |
1358 | AUDIT_TIME_INJOFFSET); |
1359 | if (!*ab) |
1360 | return; |
1361 | } |
1362 | audit_log_format(ab: *ab, fmt: "sec=%lli nsec=%li" , |
1363 | (long long)tk->tv_sec, tk->tv_nsec); |
1364 | audit_log_end(ab: *ab); |
1365 | *ab = NULL; |
1366 | } |
1367 | } |
1368 | |
1369 | static void show_special(struct audit_context *context, int *call_panic) |
1370 | { |
1371 | struct audit_buffer *ab; |
1372 | int i; |
1373 | |
1374 | ab = audit_log_start(ctx: context, GFP_KERNEL, type: context->type); |
1375 | if (!ab) |
1376 | return; |
1377 | |
1378 | switch (context->type) { |
1379 | case AUDIT_SOCKETCALL: { |
1380 | int nargs = context->socketcall.nargs; |
1381 | |
1382 | audit_log_format(ab, fmt: "nargs=%d" , nargs); |
1383 | for (i = 0; i < nargs; i++) |
1384 | audit_log_format(ab, fmt: " a%d=%lx" , i, |
1385 | context->socketcall.args[i]); |
1386 | break; } |
1387 | case AUDIT_IPC: { |
1388 | u32 osid = context->ipc.osid; |
1389 | |
1390 | audit_log_format(ab, fmt: "ouid=%u ogid=%u mode=%#ho" , |
1391 | from_kuid(to: &init_user_ns, uid: context->ipc.uid), |
1392 | from_kgid(to: &init_user_ns, gid: context->ipc.gid), |
1393 | context->ipc.mode); |
1394 | if (osid) { |
1395 | char *ctx = NULL; |
1396 | u32 len; |
1397 | |
1398 | if (security_secid_to_secctx(secid: osid, secdata: &ctx, seclen: &len)) { |
1399 | audit_log_format(ab, fmt: " osid=%u" , osid); |
1400 | *call_panic = 1; |
1401 | } else { |
1402 | audit_log_format(ab, fmt: " obj=%s" , ctx); |
1403 | security_release_secctx(secdata: ctx, seclen: len); |
1404 | } |
1405 | } |
1406 | if (context->ipc.has_perm) { |
1407 | audit_log_end(ab); |
1408 | ab = audit_log_start(ctx: context, GFP_KERNEL, |
1409 | AUDIT_IPC_SET_PERM); |
1410 | if (unlikely(!ab)) |
1411 | return; |
1412 | audit_log_format(ab, |
1413 | fmt: "qbytes=%lx ouid=%u ogid=%u mode=%#ho" , |
1414 | context->ipc.qbytes, |
1415 | context->ipc.perm_uid, |
1416 | context->ipc.perm_gid, |
1417 | context->ipc.perm_mode); |
1418 | } |
1419 | break; } |
1420 | case AUDIT_MQ_OPEN: |
1421 | audit_log_format(ab, |
1422 | fmt: "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " |
1423 | "mq_msgsize=%ld mq_curmsgs=%ld" , |
1424 | context->mq_open.oflag, context->mq_open.mode, |
1425 | context->mq_open.attr.mq_flags, |
1426 | context->mq_open.attr.mq_maxmsg, |
1427 | context->mq_open.attr.mq_msgsize, |
1428 | context->mq_open.attr.mq_curmsgs); |
1429 | break; |
1430 | case AUDIT_MQ_SENDRECV: |
1431 | audit_log_format(ab, |
1432 | fmt: "mqdes=%d msg_len=%zd msg_prio=%u " |
1433 | "abs_timeout_sec=%lld abs_timeout_nsec=%ld" , |
1434 | context->mq_sendrecv.mqdes, |
1435 | context->mq_sendrecv.msg_len, |
1436 | context->mq_sendrecv.msg_prio, |
1437 | (long long) context->mq_sendrecv.abs_timeout.tv_sec, |
1438 | context->mq_sendrecv.abs_timeout.tv_nsec); |
1439 | break; |
1440 | case AUDIT_MQ_NOTIFY: |
1441 | audit_log_format(ab, fmt: "mqdes=%d sigev_signo=%d" , |
1442 | context->mq_notify.mqdes, |
1443 | context->mq_notify.sigev_signo); |
1444 | break; |
1445 | case AUDIT_MQ_GETSETATTR: { |
1446 | struct mq_attr *attr = &context->mq_getsetattr.mqstat; |
1447 | |
1448 | audit_log_format(ab, |
1449 | fmt: "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " |
1450 | "mq_curmsgs=%ld " , |
1451 | context->mq_getsetattr.mqdes, |
1452 | attr->mq_flags, attr->mq_maxmsg, |
1453 | attr->mq_msgsize, attr->mq_curmsgs); |
1454 | break; } |
1455 | case AUDIT_CAPSET: |
1456 | audit_log_format(ab, fmt: "pid=%d" , context->capset.pid); |
1457 | audit_log_cap(ab, prefix: "cap_pi" , cap: &context->capset.cap.inheritable); |
1458 | audit_log_cap(ab, prefix: "cap_pp" , cap: &context->capset.cap.permitted); |
1459 | audit_log_cap(ab, prefix: "cap_pe" , cap: &context->capset.cap.effective); |
1460 | audit_log_cap(ab, prefix: "cap_pa" , cap: &context->capset.cap.ambient); |
1461 | break; |
1462 | case AUDIT_MMAP: |
1463 | audit_log_format(ab, fmt: "fd=%d flags=0x%x" , context->mmap.fd, |
1464 | context->mmap.flags); |
1465 | break; |
1466 | case AUDIT_OPENAT2: |
1467 | audit_log_format(ab, fmt: "oflag=0%llo mode=0%llo resolve=0x%llx" , |
1468 | context->openat2.flags, |
1469 | context->openat2.mode, |
1470 | context->openat2.resolve); |
1471 | break; |
1472 | case AUDIT_EXECVE: |
1473 | audit_log_execve_info(context, ab: &ab); |
1474 | break; |
1475 | case AUDIT_KERN_MODULE: |
1476 | audit_log_format(ab, fmt: "name=" ); |
1477 | if (context->module.name) { |
1478 | audit_log_untrustedstring(ab, string: context->module.name); |
1479 | } else |
1480 | audit_log_format(ab, fmt: "(null)" ); |
1481 | |
1482 | break; |
1483 | case AUDIT_TIME_ADJNTPVAL: |
1484 | case AUDIT_TIME_INJOFFSET: |
1485 | /* this call deviates from the rest, eating the buffer */ |
1486 | audit_log_time(context, ab: &ab); |
1487 | break; |
1488 | } |
1489 | audit_log_end(ab); |
1490 | } |
1491 | |
1492 | static inline int audit_proctitle_rtrim(char *proctitle, int len) |
1493 | { |
1494 | char *end = proctitle + len - 1; |
1495 | |
1496 | while (end > proctitle && !isprint(*end)) |
1497 | end--; |
1498 | |
1499 | /* catch the case where proctitle is only 1 non-print character */ |
1500 | len = end - proctitle + 1; |
1501 | len -= isprint(proctitle[len-1]) == 0; |
1502 | return len; |
1503 | } |
1504 | |
1505 | /* |
1506 | * audit_log_name - produce AUDIT_PATH record from struct audit_names |
1507 | * @context: audit_context for the task |
1508 | * @n: audit_names structure with reportable details |
1509 | * @path: optional path to report instead of audit_names->name |
1510 | * @record_num: record number to report when handling a list of names |
1511 | * @call_panic: optional pointer to int that will be updated if secid fails |
1512 | */ |
1513 | static void audit_log_name(struct audit_context *context, struct audit_names *n, |
1514 | const struct path *path, int record_num, int *call_panic) |
1515 | { |
1516 | struct audit_buffer *ab; |
1517 | |
1518 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_PATH); |
1519 | if (!ab) |
1520 | return; |
1521 | |
1522 | audit_log_format(ab, fmt: "item=%d" , record_num); |
1523 | |
1524 | if (path) |
1525 | audit_log_d_path(ab, prefix: " name=" , path); |
1526 | else if (n->name) { |
1527 | switch (n->name_len) { |
1528 | case AUDIT_NAME_FULL: |
1529 | /* log the full path */ |
1530 | audit_log_format(ab, fmt: " name=" ); |
1531 | audit_log_untrustedstring(ab, string: n->name->name); |
1532 | break; |
1533 | case 0: |
1534 | /* name was specified as a relative path and the |
1535 | * directory component is the cwd |
1536 | */ |
1537 | if (context->pwd.dentry && context->pwd.mnt) |
1538 | audit_log_d_path(ab, prefix: " name=" , path: &context->pwd); |
1539 | else |
1540 | audit_log_format(ab, fmt: " name=(null)" ); |
1541 | break; |
1542 | default: |
1543 | /* log the name's directory component */ |
1544 | audit_log_format(ab, fmt: " name=" ); |
1545 | audit_log_n_untrustedstring(ab, string: n->name->name, |
1546 | n: n->name_len); |
1547 | } |
1548 | } else |
1549 | audit_log_format(ab, fmt: " name=(null)" ); |
1550 | |
1551 | if (n->ino != AUDIT_INO_UNSET) |
1552 | audit_log_format(ab, fmt: " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x" , |
1553 | n->ino, |
1554 | MAJOR(n->dev), |
1555 | MINOR(n->dev), |
1556 | n->mode, |
1557 | from_kuid(to: &init_user_ns, uid: n->uid), |
1558 | from_kgid(to: &init_user_ns, gid: n->gid), |
1559 | MAJOR(n->rdev), |
1560 | MINOR(n->rdev)); |
1561 | if (n->osid != 0) { |
1562 | char *ctx = NULL; |
1563 | u32 len; |
1564 | |
1565 | if (security_secid_to_secctx( |
1566 | secid: n->osid, secdata: &ctx, seclen: &len)) { |
1567 | audit_log_format(ab, fmt: " osid=%u" , n->osid); |
1568 | if (call_panic) |
1569 | *call_panic = 2; |
1570 | } else { |
1571 | audit_log_format(ab, fmt: " obj=%s" , ctx); |
1572 | security_release_secctx(secdata: ctx, seclen: len); |
1573 | } |
1574 | } |
1575 | |
1576 | /* log the audit_names record type */ |
1577 | switch (n->type) { |
1578 | case AUDIT_TYPE_NORMAL: |
1579 | audit_log_format(ab, fmt: " nametype=NORMAL" ); |
1580 | break; |
1581 | case AUDIT_TYPE_PARENT: |
1582 | audit_log_format(ab, fmt: " nametype=PARENT" ); |
1583 | break; |
1584 | case AUDIT_TYPE_CHILD_DELETE: |
1585 | audit_log_format(ab, fmt: " nametype=DELETE" ); |
1586 | break; |
1587 | case AUDIT_TYPE_CHILD_CREATE: |
1588 | audit_log_format(ab, fmt: " nametype=CREATE" ); |
1589 | break; |
1590 | default: |
1591 | audit_log_format(ab, fmt: " nametype=UNKNOWN" ); |
1592 | break; |
1593 | } |
1594 | |
1595 | audit_log_fcaps(ab, name: n); |
1596 | audit_log_end(ab); |
1597 | } |
1598 | |
1599 | static void audit_log_proctitle(void) |
1600 | { |
1601 | int res; |
1602 | char *buf; |
1603 | char *msg = "(null)" ; |
1604 | int len = strlen(msg); |
1605 | struct audit_context *context = audit_context(); |
1606 | struct audit_buffer *ab; |
1607 | |
1608 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_PROCTITLE); |
1609 | if (!ab) |
1610 | return; /* audit_panic or being filtered */ |
1611 | |
1612 | audit_log_format(ab, fmt: "proctitle=" ); |
1613 | |
1614 | /* Not cached */ |
1615 | if (!context->proctitle.value) { |
1616 | buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL); |
1617 | if (!buf) |
1618 | goto out; |
1619 | /* Historically called this from procfs naming */ |
1620 | res = get_cmdline(current, buffer: buf, MAX_PROCTITLE_AUDIT_LEN); |
1621 | if (res == 0) { |
1622 | kfree(objp: buf); |
1623 | goto out; |
1624 | } |
1625 | res = audit_proctitle_rtrim(proctitle: buf, len: res); |
1626 | if (res == 0) { |
1627 | kfree(objp: buf); |
1628 | goto out; |
1629 | } |
1630 | context->proctitle.value = buf; |
1631 | context->proctitle.len = res; |
1632 | } |
1633 | msg = context->proctitle.value; |
1634 | len = context->proctitle.len; |
1635 | out: |
1636 | audit_log_n_untrustedstring(ab, string: msg, n: len); |
1637 | audit_log_end(ab); |
1638 | } |
1639 | |
1640 | /** |
1641 | * audit_log_uring - generate a AUDIT_URINGOP record |
1642 | * @ctx: the audit context |
1643 | */ |
1644 | static void audit_log_uring(struct audit_context *ctx) |
1645 | { |
1646 | struct audit_buffer *ab; |
1647 | const struct cred *cred; |
1648 | |
1649 | ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP); |
1650 | if (!ab) |
1651 | return; |
1652 | cred = current_cred(); |
1653 | audit_log_format(ab, fmt: "uring_op=%d" , ctx->uring_op); |
1654 | if (ctx->return_valid != AUDITSC_INVALID) |
1655 | audit_log_format(ab, fmt: " success=%s exit=%ld" , |
1656 | (ctx->return_valid == AUDITSC_SUCCESS ? |
1657 | "yes" : "no" ), |
1658 | ctx->return_code); |
1659 | audit_log_format(ab, |
1660 | fmt: " items=%d" |
1661 | " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u" |
1662 | " fsuid=%u egid=%u sgid=%u fsgid=%u" , |
1663 | ctx->name_count, |
1664 | task_ppid_nr(current), task_tgid_nr(current), |
1665 | from_kuid(to: &init_user_ns, uid: cred->uid), |
1666 | from_kgid(to: &init_user_ns, gid: cred->gid), |
1667 | from_kuid(to: &init_user_ns, uid: cred->euid), |
1668 | from_kuid(to: &init_user_ns, uid: cred->suid), |
1669 | from_kuid(to: &init_user_ns, uid: cred->fsuid), |
1670 | from_kgid(to: &init_user_ns, gid: cred->egid), |
1671 | from_kgid(to: &init_user_ns, gid: cred->sgid), |
1672 | from_kgid(to: &init_user_ns, gid: cred->fsgid)); |
1673 | audit_log_task_context(ab); |
1674 | audit_log_key(ab, key: ctx->filterkey); |
1675 | audit_log_end(ab); |
1676 | } |
1677 | |
1678 | static void audit_log_exit(void) |
1679 | { |
1680 | int i, call_panic = 0; |
1681 | struct audit_context *context = audit_context(); |
1682 | struct audit_buffer *ab; |
1683 | struct audit_aux_data *aux; |
1684 | struct audit_names *n; |
1685 | |
1686 | context->personality = current->personality; |
1687 | |
1688 | switch (context->context) { |
1689 | case AUDIT_CTX_SYSCALL: |
1690 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_SYSCALL); |
1691 | if (!ab) |
1692 | return; |
1693 | audit_log_format(ab, fmt: "arch=%x syscall=%d" , |
1694 | context->arch, context->major); |
1695 | if (context->personality != PER_LINUX) |
1696 | audit_log_format(ab, fmt: " per=%lx" , context->personality); |
1697 | if (context->return_valid != AUDITSC_INVALID) |
1698 | audit_log_format(ab, fmt: " success=%s exit=%ld" , |
1699 | (context->return_valid == AUDITSC_SUCCESS ? |
1700 | "yes" : "no" ), |
1701 | context->return_code); |
1702 | audit_log_format(ab, |
1703 | fmt: " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" , |
1704 | context->argv[0], |
1705 | context->argv[1], |
1706 | context->argv[2], |
1707 | context->argv[3], |
1708 | context->name_count); |
1709 | audit_log_task_info(ab); |
1710 | audit_log_key(ab, key: context->filterkey); |
1711 | audit_log_end(ab); |
1712 | break; |
1713 | case AUDIT_CTX_URING: |
1714 | audit_log_uring(ctx: context); |
1715 | break; |
1716 | default: |
1717 | BUG(); |
1718 | break; |
1719 | } |
1720 | |
1721 | for (aux = context->aux; aux; aux = aux->next) { |
1722 | |
1723 | ab = audit_log_start(ctx: context, GFP_KERNEL, type: aux->type); |
1724 | if (!ab) |
1725 | continue; /* audit_panic has been called */ |
1726 | |
1727 | switch (aux->type) { |
1728 | |
1729 | case AUDIT_BPRM_FCAPS: { |
1730 | struct audit_aux_data_bprm_fcaps *axs = (void *)aux; |
1731 | |
1732 | audit_log_format(ab, fmt: "fver=%x" , axs->fcap_ver); |
1733 | audit_log_cap(ab, prefix: "fp" , cap: &axs->fcap.permitted); |
1734 | audit_log_cap(ab, prefix: "fi" , cap: &axs->fcap.inheritable); |
1735 | audit_log_format(ab, fmt: " fe=%d" , axs->fcap.fE); |
1736 | audit_log_cap(ab, prefix: "old_pp" , cap: &axs->old_pcap.permitted); |
1737 | audit_log_cap(ab, prefix: "old_pi" , cap: &axs->old_pcap.inheritable); |
1738 | audit_log_cap(ab, prefix: "old_pe" , cap: &axs->old_pcap.effective); |
1739 | audit_log_cap(ab, prefix: "old_pa" , cap: &axs->old_pcap.ambient); |
1740 | audit_log_cap(ab, prefix: "pp" , cap: &axs->new_pcap.permitted); |
1741 | audit_log_cap(ab, prefix: "pi" , cap: &axs->new_pcap.inheritable); |
1742 | audit_log_cap(ab, prefix: "pe" , cap: &axs->new_pcap.effective); |
1743 | audit_log_cap(ab, prefix: "pa" , cap: &axs->new_pcap.ambient); |
1744 | audit_log_format(ab, fmt: " frootid=%d" , |
1745 | from_kuid(to: &init_user_ns, |
1746 | uid: axs->fcap.rootid)); |
1747 | break; } |
1748 | |
1749 | } |
1750 | audit_log_end(ab); |
1751 | } |
1752 | |
1753 | if (context->type) |
1754 | show_special(context, call_panic: &call_panic); |
1755 | |
1756 | if (context->fds[0] >= 0) { |
1757 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_FD_PAIR); |
1758 | if (ab) { |
1759 | audit_log_format(ab, fmt: "fd0=%d fd1=%d" , |
1760 | context->fds[0], context->fds[1]); |
1761 | audit_log_end(ab); |
1762 | } |
1763 | } |
1764 | |
1765 | if (context->sockaddr_len) { |
1766 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_SOCKADDR); |
1767 | if (ab) { |
1768 | audit_log_format(ab, fmt: "saddr=" ); |
1769 | audit_log_n_hex(ab, buf: (void *)context->sockaddr, |
1770 | len: context->sockaddr_len); |
1771 | audit_log_end(ab); |
1772 | } |
1773 | } |
1774 | |
1775 | for (aux = context->aux_pids; aux; aux = aux->next) { |
1776 | struct audit_aux_data_pids *axs = (void *)aux; |
1777 | |
1778 | for (i = 0; i < axs->pid_count; i++) |
1779 | if (audit_log_pid_context(context, pid: axs->target_pid[i], |
1780 | auid: axs->target_auid[i], |
1781 | uid: axs->target_uid[i], |
1782 | sessionid: axs->target_sessionid[i], |
1783 | sid: axs->target_sid[i], |
1784 | comm: axs->target_comm[i])) |
1785 | call_panic = 1; |
1786 | } |
1787 | |
1788 | if (context->target_pid && |
1789 | audit_log_pid_context(context, pid: context->target_pid, |
1790 | auid: context->target_auid, uid: context->target_uid, |
1791 | sessionid: context->target_sessionid, |
1792 | sid: context->target_sid, comm: context->target_comm)) |
1793 | call_panic = 1; |
1794 | |
1795 | if (context->pwd.dentry && context->pwd.mnt) { |
1796 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_CWD); |
1797 | if (ab) { |
1798 | audit_log_d_path(ab, prefix: "cwd=" , path: &context->pwd); |
1799 | audit_log_end(ab); |
1800 | } |
1801 | } |
1802 | |
1803 | i = 0; |
1804 | list_for_each_entry(n, &context->names_list, list) { |
1805 | if (n->hidden) |
1806 | continue; |
1807 | audit_log_name(context, n, NULL, record_num: i++, call_panic: &call_panic); |
1808 | } |
1809 | |
1810 | if (context->context == AUDIT_CTX_SYSCALL) |
1811 | audit_log_proctitle(); |
1812 | |
1813 | /* Send end of event record to help user space know we are finished */ |
1814 | ab = audit_log_start(ctx: context, GFP_KERNEL, AUDIT_EOE); |
1815 | if (ab) |
1816 | audit_log_end(ab); |
1817 | if (call_panic) |
1818 | audit_panic(message: "error in audit_log_exit()" ); |
1819 | } |
1820 | |
1821 | /** |
1822 | * __audit_free - free a per-task audit context |
1823 | * @tsk: task whose audit context block to free |
1824 | * |
1825 | * Called from copy_process, do_exit, and the io_uring code |
1826 | */ |
1827 | void __audit_free(struct task_struct *tsk) |
1828 | { |
1829 | struct audit_context *context = tsk->audit_context; |
1830 | |
1831 | if (!context) |
1832 | return; |
1833 | |
1834 | /* this may generate CONFIG_CHANGE records */ |
1835 | if (!list_empty(head: &context->killed_trees)) |
1836 | audit_kill_trees(context); |
1837 | |
1838 | /* We are called either by do_exit() or the fork() error handling code; |
1839 | * in the former case tsk == current and in the latter tsk is a |
1840 | * random task_struct that doesn't have any meaningful data we |
1841 | * need to log via audit_log_exit(). |
1842 | */ |
1843 | if (tsk == current && !context->dummy) { |
1844 | context->return_valid = AUDITSC_INVALID; |
1845 | context->return_code = 0; |
1846 | if (context->context == AUDIT_CTX_SYSCALL) { |
1847 | audit_filter_syscall(tsk, ctx: context); |
1848 | audit_filter_inodes(tsk, ctx: context); |
1849 | if (context->current_state == AUDIT_STATE_RECORD) |
1850 | audit_log_exit(); |
1851 | } else if (context->context == AUDIT_CTX_URING) { |
1852 | /* TODO: verify this case is real and valid */ |
1853 | audit_filter_uring(tsk, ctx: context); |
1854 | audit_filter_inodes(tsk, ctx: context); |
1855 | if (context->current_state == AUDIT_STATE_RECORD) |
1856 | audit_log_uring(ctx: context); |
1857 | } |
1858 | } |
1859 | |
1860 | audit_set_context(task: tsk, NULL); |
1861 | audit_free_context(context); |
1862 | } |
1863 | |
1864 | /** |
1865 | * audit_return_fixup - fixup the return codes in the audit_context |
1866 | * @ctx: the audit_context |
1867 | * @success: true/false value to indicate if the operation succeeded or not |
1868 | * @code: operation return code |
1869 | * |
1870 | * We need to fixup the return code in the audit logs if the actual return |
1871 | * codes are later going to be fixed by the arch specific signal handlers. |
1872 | */ |
1873 | static void audit_return_fixup(struct audit_context *ctx, |
1874 | int success, long code) |
1875 | { |
1876 | /* |
1877 | * This is actually a test for: |
1878 | * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) || |
1879 | * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK) |
1880 | * |
1881 | * but is faster than a bunch of || |
1882 | */ |
1883 | if (unlikely(code <= -ERESTARTSYS) && |
1884 | (code >= -ERESTART_RESTARTBLOCK) && |
1885 | (code != -ENOIOCTLCMD)) |
1886 | ctx->return_code = -EINTR; |
1887 | else |
1888 | ctx->return_code = code; |
1889 | ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE); |
1890 | } |
1891 | |
1892 | /** |
1893 | * __audit_uring_entry - prepare the kernel task's audit context for io_uring |
1894 | * @op: the io_uring opcode |
1895 | * |
1896 | * This is similar to audit_syscall_entry() but is intended for use by io_uring |
1897 | * operations. This function should only ever be called from |
1898 | * audit_uring_entry() as we rely on the audit context checking present in that |
1899 | * function. |
1900 | */ |
1901 | void __audit_uring_entry(u8 op) |
1902 | { |
1903 | struct audit_context *ctx = audit_context(); |
1904 | |
1905 | if (ctx->state == AUDIT_STATE_DISABLED) |
1906 | return; |
1907 | |
1908 | /* |
1909 | * NOTE: It's possible that we can be called from the process' context |
1910 | * before it returns to userspace, and before audit_syscall_exit() |
1911 | * is called. In this case there is not much to do, just record |
1912 | * the io_uring details and return. |
1913 | */ |
1914 | ctx->uring_op = op; |
1915 | if (ctx->context == AUDIT_CTX_SYSCALL) |
1916 | return; |
1917 | |
1918 | ctx->dummy = !audit_n_rules; |
1919 | if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD) |
1920 | ctx->prio = 0; |
1921 | |
1922 | ctx->context = AUDIT_CTX_URING; |
1923 | ctx->current_state = ctx->state; |
1924 | ktime_get_coarse_real_ts64(ts: &ctx->ctime); |
1925 | } |
1926 | |
1927 | /** |
1928 | * __audit_uring_exit - wrap up the kernel task's audit context after io_uring |
1929 | * @success: true/false value to indicate if the operation succeeded or not |
1930 | * @code: operation return code |
1931 | * |
1932 | * This is similar to audit_syscall_exit() but is intended for use by io_uring |
1933 | * operations. This function should only ever be called from |
1934 | * audit_uring_exit() as we rely on the audit context checking present in that |
1935 | * function. |
1936 | */ |
1937 | void __audit_uring_exit(int success, long code) |
1938 | { |
1939 | struct audit_context *ctx = audit_context(); |
1940 | |
1941 | if (ctx->dummy) { |
1942 | if (ctx->context != AUDIT_CTX_URING) |
1943 | return; |
1944 | goto out; |
1945 | } |
1946 | |
1947 | audit_return_fixup(ctx, success, code); |
1948 | if (ctx->context == AUDIT_CTX_SYSCALL) { |
1949 | /* |
1950 | * NOTE: See the note in __audit_uring_entry() about the case |
1951 | * where we may be called from process context before we |
1952 | * return to userspace via audit_syscall_exit(). In this |
1953 | * case we simply emit a URINGOP record and bail, the |
1954 | * normal syscall exit handling will take care of |
1955 | * everything else. |
1956 | * It is also worth mentioning that when we are called, |
1957 | * the current process creds may differ from the creds |
1958 | * used during the normal syscall processing; keep that |
1959 | * in mind if/when we move the record generation code. |
1960 | */ |
1961 | |
1962 | /* |
1963 | * We need to filter on the syscall info here to decide if we |
1964 | * should emit a URINGOP record. I know it seems odd but this |
1965 | * solves the problem where users have a filter to block *all* |
1966 | * syscall records in the "exit" filter; we want to preserve |
1967 | * the behavior here. |
1968 | */ |
1969 | audit_filter_syscall(current, ctx); |
1970 | if (ctx->current_state != AUDIT_STATE_RECORD) |
1971 | audit_filter_uring(current, ctx); |
1972 | audit_filter_inodes(current, ctx); |
1973 | if (ctx->current_state != AUDIT_STATE_RECORD) |
1974 | return; |
1975 | |
1976 | audit_log_uring(ctx); |
1977 | return; |
1978 | } |
1979 | |
1980 | /* this may generate CONFIG_CHANGE records */ |
1981 | if (!list_empty(head: &ctx->killed_trees)) |
1982 | audit_kill_trees(context: ctx); |
1983 | |
1984 | /* run through both filters to ensure we set the filterkey properly */ |
1985 | audit_filter_uring(current, ctx); |
1986 | audit_filter_inodes(current, ctx); |
1987 | if (ctx->current_state != AUDIT_STATE_RECORD) |
1988 | goto out; |
1989 | audit_log_exit(); |
1990 | |
1991 | out: |
1992 | audit_reset_context(ctx); |
1993 | } |
1994 | |
1995 | /** |
1996 | * __audit_syscall_entry - fill in an audit record at syscall entry |
1997 | * @major: major syscall type (function) |
1998 | * @a1: additional syscall register 1 |
1999 | * @a2: additional syscall register 2 |
2000 | * @a3: additional syscall register 3 |
2001 | * @a4: additional syscall register 4 |
2002 | * |
2003 | * Fill in audit context at syscall entry. This only happens if the |
2004 | * audit context was created when the task was created and the state or |
2005 | * filters demand the audit context be built. If the state from the |
2006 | * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD, |
2007 | * then the record will be written at syscall exit time (otherwise, it |
2008 | * will only be written if another part of the kernel requests that it |
2009 | * be written). |
2010 | */ |
2011 | void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, |
2012 | unsigned long a3, unsigned long a4) |
2013 | { |
2014 | struct audit_context *context = audit_context(); |
2015 | enum audit_state state; |
2016 | |
2017 | if (!audit_enabled || !context) |
2018 | return; |
2019 | |
2020 | WARN_ON(context->context != AUDIT_CTX_UNUSED); |
2021 | WARN_ON(context->name_count); |
2022 | if (context->context != AUDIT_CTX_UNUSED || context->name_count) { |
2023 | audit_panic(message: "unrecoverable error in audit_syscall_entry()" ); |
2024 | return; |
2025 | } |
2026 | |
2027 | state = context->state; |
2028 | if (state == AUDIT_STATE_DISABLED) |
2029 | return; |
2030 | |
2031 | context->dummy = !audit_n_rules; |
2032 | if (!context->dummy && state == AUDIT_STATE_BUILD) { |
2033 | context->prio = 0; |
2034 | if (auditd_test_task(current)) |
2035 | return; |
2036 | } |
2037 | |
2038 | context->arch = syscall_get_arch(current); |
2039 | context->major = major; |
2040 | context->argv[0] = a1; |
2041 | context->argv[1] = a2; |
2042 | context->argv[2] = a3; |
2043 | context->argv[3] = a4; |
2044 | context->context = AUDIT_CTX_SYSCALL; |
2045 | context->current_state = state; |
2046 | ktime_get_coarse_real_ts64(ts: &context->ctime); |
2047 | } |
2048 | |
2049 | /** |
2050 | * __audit_syscall_exit - deallocate audit context after a system call |
2051 | * @success: success value of the syscall |
2052 | * @return_code: return value of the syscall |
2053 | * |
2054 | * Tear down after system call. If the audit context has been marked as |
2055 | * auditable (either because of the AUDIT_STATE_RECORD state from |
2056 | * filtering, or because some other part of the kernel wrote an audit |
2057 | * message), then write out the syscall information. In call cases, |
2058 | * free the names stored from getname(). |
2059 | */ |
2060 | void __audit_syscall_exit(int success, long return_code) |
2061 | { |
2062 | struct audit_context *context = audit_context(); |
2063 | |
2064 | if (!context || context->dummy || |
2065 | context->context != AUDIT_CTX_SYSCALL) |
2066 | goto out; |
2067 | |
2068 | /* this may generate CONFIG_CHANGE records */ |
2069 | if (!list_empty(head: &context->killed_trees)) |
2070 | audit_kill_trees(context); |
2071 | |
2072 | audit_return_fixup(ctx: context, success, code: return_code); |
2073 | /* run through both filters to ensure we set the filterkey properly */ |
2074 | audit_filter_syscall(current, ctx: context); |
2075 | audit_filter_inodes(current, ctx: context); |
2076 | if (context->current_state != AUDIT_STATE_RECORD) |
2077 | goto out; |
2078 | |
2079 | audit_log_exit(); |
2080 | |
2081 | out: |
2082 | audit_reset_context(ctx: context); |
2083 | } |
2084 | |
2085 | static inline void handle_one(const struct inode *inode) |
2086 | { |
2087 | struct audit_context *context; |
2088 | struct audit_tree_refs *p; |
2089 | struct audit_chunk *chunk; |
2090 | int count; |
2091 | |
2092 | if (likely(!inode->i_fsnotify_marks)) |
2093 | return; |
2094 | context = audit_context(); |
2095 | p = context->trees; |
2096 | count = context->tree_count; |
2097 | rcu_read_lock(); |
2098 | chunk = audit_tree_lookup(inode); |
2099 | rcu_read_unlock(); |
2100 | if (!chunk) |
2101 | return; |
2102 | if (likely(put_tree_ref(context, chunk))) |
2103 | return; |
2104 | if (unlikely(!grow_tree_refs(context))) { |
2105 | pr_warn("out of memory, audit has lost a tree reference\n" ); |
2106 | audit_set_auditable(ctx: context); |
2107 | audit_put_chunk(chunk); |
2108 | unroll_tree_refs(ctx: context, p, count); |
2109 | return; |
2110 | } |
2111 | put_tree_ref(ctx: context, chunk); |
2112 | } |
2113 | |
2114 | static void handle_path(const struct dentry *dentry) |
2115 | { |
2116 | struct audit_context *context; |
2117 | struct audit_tree_refs *p; |
2118 | const struct dentry *d, *parent; |
2119 | struct audit_chunk *drop; |
2120 | unsigned long seq; |
2121 | int count; |
2122 | |
2123 | context = audit_context(); |
2124 | p = context->trees; |
2125 | count = context->tree_count; |
2126 | retry: |
2127 | drop = NULL; |
2128 | d = dentry; |
2129 | rcu_read_lock(); |
2130 | seq = read_seqbegin(sl: &rename_lock); |
2131 | for (;;) { |
2132 | struct inode *inode = d_backing_inode(upper: d); |
2133 | |
2134 | if (inode && unlikely(inode->i_fsnotify_marks)) { |
2135 | struct audit_chunk *chunk; |
2136 | |
2137 | chunk = audit_tree_lookup(inode); |
2138 | if (chunk) { |
2139 | if (unlikely(!put_tree_ref(context, chunk))) { |
2140 | drop = chunk; |
2141 | break; |
2142 | } |
2143 | } |
2144 | } |
2145 | parent = d->d_parent; |
2146 | if (parent == d) |
2147 | break; |
2148 | d = parent; |
2149 | } |
2150 | if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */ |
2151 | rcu_read_unlock(); |
2152 | if (!drop) { |
2153 | /* just a race with rename */ |
2154 | unroll_tree_refs(ctx: context, p, count); |
2155 | goto retry; |
2156 | } |
2157 | audit_put_chunk(chunk: drop); |
2158 | if (grow_tree_refs(ctx: context)) { |
2159 | /* OK, got more space */ |
2160 | unroll_tree_refs(ctx: context, p, count); |
2161 | goto retry; |
2162 | } |
2163 | /* too bad */ |
2164 | pr_warn("out of memory, audit has lost a tree reference\n" ); |
2165 | unroll_tree_refs(ctx: context, p, count); |
2166 | audit_set_auditable(ctx: context); |
2167 | return; |
2168 | } |
2169 | rcu_read_unlock(); |
2170 | } |
2171 | |
2172 | static struct audit_names *audit_alloc_name(struct audit_context *context, |
2173 | unsigned char type) |
2174 | { |
2175 | struct audit_names *aname; |
2176 | |
2177 | if (context->name_count < AUDIT_NAMES) { |
2178 | aname = &context->preallocated_names[context->name_count]; |
2179 | memset(aname, 0, sizeof(*aname)); |
2180 | } else { |
2181 | aname = kzalloc(size: sizeof(*aname), GFP_NOFS); |
2182 | if (!aname) |
2183 | return NULL; |
2184 | aname->should_free = true; |
2185 | } |
2186 | |
2187 | aname->ino = AUDIT_INO_UNSET; |
2188 | aname->type = type; |
2189 | list_add_tail(new: &aname->list, head: &context->names_list); |
2190 | |
2191 | context->name_count++; |
2192 | if (!context->pwd.dentry) |
2193 | get_fs_pwd(current->fs, pwd: &context->pwd); |
2194 | return aname; |
2195 | } |
2196 | |
2197 | /** |
2198 | * __audit_reusename - fill out filename with info from existing entry |
2199 | * @uptr: userland ptr to pathname |
2200 | * |
2201 | * Search the audit_names list for the current audit context. If there is an |
2202 | * existing entry with a matching "uptr" then return the filename |
2203 | * associated with that audit_name. If not, return NULL. |
2204 | */ |
2205 | struct filename * |
2206 | __audit_reusename(const __user char *uptr) |
2207 | { |
2208 | struct audit_context *context = audit_context(); |
2209 | struct audit_names *n; |
2210 | |
2211 | list_for_each_entry(n, &context->names_list, list) { |
2212 | if (!n->name) |
2213 | continue; |
2214 | if (n->name->uptr == uptr) { |
2215 | atomic_inc(v: &n->name->refcnt); |
2216 | return n->name; |
2217 | } |
2218 | } |
2219 | return NULL; |
2220 | } |
2221 | |
2222 | /** |
2223 | * __audit_getname - add a name to the list |
2224 | * @name: name to add |
2225 | * |
2226 | * Add a name to the list of audit names for this context. |
2227 | * Called from fs/namei.c:getname(). |
2228 | */ |
2229 | void __audit_getname(struct filename *name) |
2230 | { |
2231 | struct audit_context *context = audit_context(); |
2232 | struct audit_names *n; |
2233 | |
2234 | if (context->context == AUDIT_CTX_UNUSED) |
2235 | return; |
2236 | |
2237 | n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN); |
2238 | if (!n) |
2239 | return; |
2240 | |
2241 | n->name = name; |
2242 | n->name_len = AUDIT_NAME_FULL; |
2243 | name->aname = n; |
2244 | atomic_inc(v: &name->refcnt); |
2245 | } |
2246 | |
2247 | static inline int audit_copy_fcaps(struct audit_names *name, |
2248 | const struct dentry *dentry) |
2249 | { |
2250 | struct cpu_vfs_cap_data caps; |
2251 | int rc; |
2252 | |
2253 | if (!dentry) |
2254 | return 0; |
2255 | |
2256 | rc = get_vfs_caps_from_disk(idmap: &nop_mnt_idmap, dentry, cpu_caps: &caps); |
2257 | if (rc) |
2258 | return rc; |
2259 | |
2260 | name->fcap.permitted = caps.permitted; |
2261 | name->fcap.inheritable = caps.inheritable; |
2262 | name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); |
2263 | name->fcap.rootid = caps.rootid; |
2264 | name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> |
2265 | VFS_CAP_REVISION_SHIFT; |
2266 | |
2267 | return 0; |
2268 | } |
2269 | |
2270 | /* Copy inode data into an audit_names. */ |
2271 | static void audit_copy_inode(struct audit_names *name, |
2272 | const struct dentry *dentry, |
2273 | struct inode *inode, unsigned int flags) |
2274 | { |
2275 | name->ino = inode->i_ino; |
2276 | name->dev = inode->i_sb->s_dev; |
2277 | name->mode = inode->i_mode; |
2278 | name->uid = inode->i_uid; |
2279 | name->gid = inode->i_gid; |
2280 | name->rdev = inode->i_rdev; |
2281 | security_inode_getsecid(inode, secid: &name->osid); |
2282 | if (flags & AUDIT_INODE_NOEVAL) { |
2283 | name->fcap_ver = -1; |
2284 | return; |
2285 | } |
2286 | audit_copy_fcaps(name, dentry); |
2287 | } |
2288 | |
2289 | /** |
2290 | * __audit_inode - store the inode and device from a lookup |
2291 | * @name: name being audited |
2292 | * @dentry: dentry being audited |
2293 | * @flags: attributes for this particular entry |
2294 | */ |
2295 | void __audit_inode(struct filename *name, const struct dentry *dentry, |
2296 | unsigned int flags) |
2297 | { |
2298 | struct audit_context *context = audit_context(); |
2299 | struct inode *inode = d_backing_inode(upper: dentry); |
2300 | struct audit_names *n; |
2301 | bool parent = flags & AUDIT_INODE_PARENT; |
2302 | struct audit_entry *e; |
2303 | struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS]; |
2304 | int i; |
2305 | |
2306 | if (context->context == AUDIT_CTX_UNUSED) |
2307 | return; |
2308 | |
2309 | rcu_read_lock(); |
2310 | list_for_each_entry_rcu(e, list, list) { |
2311 | for (i = 0; i < e->rule.field_count; i++) { |
2312 | struct audit_field *f = &e->rule.fields[i]; |
2313 | |
2314 | if (f->type == AUDIT_FSTYPE |
2315 | && audit_comparator(left: inode->i_sb->s_magic, |
2316 | op: f->op, right: f->val) |
2317 | && e->rule.action == AUDIT_NEVER) { |
2318 | rcu_read_unlock(); |
2319 | return; |
2320 | } |
2321 | } |
2322 | } |
2323 | rcu_read_unlock(); |
2324 | |
2325 | if (!name) |
2326 | goto out_alloc; |
2327 | |
2328 | /* |
2329 | * If we have a pointer to an audit_names entry already, then we can |
2330 | * just use it directly if the type is correct. |
2331 | */ |
2332 | n = name->aname; |
2333 | if (n) { |
2334 | if (parent) { |
2335 | if (n->type == AUDIT_TYPE_PARENT || |
2336 | n->type == AUDIT_TYPE_UNKNOWN) |
2337 | goto out; |
2338 | } else { |
2339 | if (n->type != AUDIT_TYPE_PARENT) |
2340 | goto out; |
2341 | } |
2342 | } |
2343 | |
2344 | list_for_each_entry_reverse(n, &context->names_list, list) { |
2345 | if (n->ino) { |
2346 | /* valid inode number, use that for the comparison */ |
2347 | if (n->ino != inode->i_ino || |
2348 | n->dev != inode->i_sb->s_dev) |
2349 | continue; |
2350 | } else if (n->name) { |
2351 | /* inode number has not been set, check the name */ |
2352 | if (strcmp(n->name->name, name->name)) |
2353 | continue; |
2354 | } else |
2355 | /* no inode and no name (?!) ... this is odd ... */ |
2356 | continue; |
2357 | |
2358 | /* match the correct record type */ |
2359 | if (parent) { |
2360 | if (n->type == AUDIT_TYPE_PARENT || |
2361 | n->type == AUDIT_TYPE_UNKNOWN) |
2362 | goto out; |
2363 | } else { |
2364 | if (n->type != AUDIT_TYPE_PARENT) |
2365 | goto out; |
2366 | } |
2367 | } |
2368 | |
2369 | out_alloc: |
2370 | /* unable to find an entry with both a matching name and type */ |
2371 | n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN); |
2372 | if (!n) |
2373 | return; |
2374 | if (name) { |
2375 | n->name = name; |
2376 | atomic_inc(v: &name->refcnt); |
2377 | } |
2378 | |
2379 | out: |
2380 | if (parent) { |
2381 | n->name_len = n->name ? parent_len(path: n->name->name) : AUDIT_NAME_FULL; |
2382 | n->type = AUDIT_TYPE_PARENT; |
2383 | if (flags & AUDIT_INODE_HIDDEN) |
2384 | n->hidden = true; |
2385 | } else { |
2386 | n->name_len = AUDIT_NAME_FULL; |
2387 | n->type = AUDIT_TYPE_NORMAL; |
2388 | } |
2389 | handle_path(dentry); |
2390 | audit_copy_inode(name: n, dentry, inode, flags: flags & AUDIT_INODE_NOEVAL); |
2391 | } |
2392 | |
2393 | void __audit_file(const struct file *file) |
2394 | { |
2395 | __audit_inode(NULL, dentry: file->f_path.dentry, flags: 0); |
2396 | } |
2397 | |
2398 | /** |
2399 | * __audit_inode_child - collect inode info for created/removed objects |
2400 | * @parent: inode of dentry parent |
2401 | * @dentry: dentry being audited |
2402 | * @type: AUDIT_TYPE_* value that we're looking for |
2403 | * |
2404 | * For syscalls that create or remove filesystem objects, audit_inode |
2405 | * can only collect information for the filesystem object's parent. |
2406 | * This call updates the audit context with the child's information. |
2407 | * Syscalls that create a new filesystem object must be hooked after |
2408 | * the object is created. Syscalls that remove a filesystem object |
2409 | * must be hooked prior, in order to capture the target inode during |
2410 | * unsuccessful attempts. |
2411 | */ |
2412 | void __audit_inode_child(struct inode *parent, |
2413 | const struct dentry *dentry, |
2414 | const unsigned char type) |
2415 | { |
2416 | struct audit_context *context = audit_context(); |
2417 | struct inode *inode = d_backing_inode(upper: dentry); |
2418 | const struct qstr *dname = &dentry->d_name; |
2419 | struct audit_names *n, *found_parent = NULL, *found_child = NULL; |
2420 | struct audit_entry *e; |
2421 | struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS]; |
2422 | int i; |
2423 | |
2424 | if (context->context == AUDIT_CTX_UNUSED) |
2425 | return; |
2426 | |
2427 | rcu_read_lock(); |
2428 | list_for_each_entry_rcu(e, list, list) { |
2429 | for (i = 0; i < e->rule.field_count; i++) { |
2430 | struct audit_field *f = &e->rule.fields[i]; |
2431 | |
2432 | if (f->type == AUDIT_FSTYPE |
2433 | && audit_comparator(left: parent->i_sb->s_magic, |
2434 | op: f->op, right: f->val) |
2435 | && e->rule.action == AUDIT_NEVER) { |
2436 | rcu_read_unlock(); |
2437 | return; |
2438 | } |
2439 | } |
2440 | } |
2441 | rcu_read_unlock(); |
2442 | |
2443 | if (inode) |
2444 | handle_one(inode); |
2445 | |
2446 | /* look for a parent entry first */ |
2447 | list_for_each_entry(n, &context->names_list, list) { |
2448 | if (!n->name || |
2449 | (n->type != AUDIT_TYPE_PARENT && |
2450 | n->type != AUDIT_TYPE_UNKNOWN)) |
2451 | continue; |
2452 | |
2453 | if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev && |
2454 | !audit_compare_dname_path(dname, |
2455 | path: n->name->name, plen: n->name_len)) { |
2456 | if (n->type == AUDIT_TYPE_UNKNOWN) |
2457 | n->type = AUDIT_TYPE_PARENT; |
2458 | found_parent = n; |
2459 | break; |
2460 | } |
2461 | } |
2462 | |
2463 | cond_resched(); |
2464 | |
2465 | /* is there a matching child entry? */ |
2466 | list_for_each_entry(n, &context->names_list, list) { |
2467 | /* can only match entries that have a name */ |
2468 | if (!n->name || |
2469 | (n->type != type && n->type != AUDIT_TYPE_UNKNOWN)) |
2470 | continue; |
2471 | |
2472 | if (!strcmp(dname->name, n->name->name) || |
2473 | !audit_compare_dname_path(dname, path: n->name->name, |
2474 | plen: found_parent ? |
2475 | found_parent->name_len : |
2476 | AUDIT_NAME_FULL)) { |
2477 | if (n->type == AUDIT_TYPE_UNKNOWN) |
2478 | n->type = type; |
2479 | found_child = n; |
2480 | break; |
2481 | } |
2482 | } |
2483 | |
2484 | if (!found_parent) { |
2485 | /* create a new, "anonymous" parent record */ |
2486 | n = audit_alloc_name(context, AUDIT_TYPE_PARENT); |
2487 | if (!n) |
2488 | return; |
2489 | audit_copy_inode(name: n, NULL, inode: parent, flags: 0); |
2490 | } |
2491 | |
2492 | if (!found_child) { |
2493 | found_child = audit_alloc_name(context, type); |
2494 | if (!found_child) |
2495 | return; |
2496 | |
2497 | /* Re-use the name belonging to the slot for a matching parent |
2498 | * directory. All names for this context are relinquished in |
2499 | * audit_free_names() */ |
2500 | if (found_parent) { |
2501 | found_child->name = found_parent->name; |
2502 | found_child->name_len = AUDIT_NAME_FULL; |
2503 | atomic_inc(v: &found_child->name->refcnt); |
2504 | } |
2505 | } |
2506 | |
2507 | if (inode) |
2508 | audit_copy_inode(name: found_child, dentry, inode, flags: 0); |
2509 | else |
2510 | found_child->ino = AUDIT_INO_UNSET; |
2511 | } |
2512 | EXPORT_SYMBOL_GPL(__audit_inode_child); |
2513 | |
2514 | /** |
2515 | * auditsc_get_stamp - get local copies of audit_context values |
2516 | * @ctx: audit_context for the task |
2517 | * @t: timespec64 to store time recorded in the audit_context |
2518 | * @serial: serial value that is recorded in the audit_context |
2519 | * |
2520 | * Also sets the context as auditable. |
2521 | */ |
2522 | int auditsc_get_stamp(struct audit_context *ctx, |
2523 | struct timespec64 *t, unsigned int *serial) |
2524 | { |
2525 | if (ctx->context == AUDIT_CTX_UNUSED) |
2526 | return 0; |
2527 | if (!ctx->serial) |
2528 | ctx->serial = audit_serial(); |
2529 | t->tv_sec = ctx->ctime.tv_sec; |
2530 | t->tv_nsec = ctx->ctime.tv_nsec; |
2531 | *serial = ctx->serial; |
2532 | if (!ctx->prio) { |
2533 | ctx->prio = 1; |
2534 | ctx->current_state = AUDIT_STATE_RECORD; |
2535 | } |
2536 | return 1; |
2537 | } |
2538 | |
2539 | /** |
2540 | * __audit_mq_open - record audit data for a POSIX MQ open |
2541 | * @oflag: open flag |
2542 | * @mode: mode bits |
2543 | * @attr: queue attributes |
2544 | * |
2545 | */ |
2546 | void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) |
2547 | { |
2548 | struct audit_context *context = audit_context(); |
2549 | |
2550 | if (attr) |
2551 | memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr)); |
2552 | else |
2553 | memset(&context->mq_open.attr, 0, sizeof(struct mq_attr)); |
2554 | |
2555 | context->mq_open.oflag = oflag; |
2556 | context->mq_open.mode = mode; |
2557 | |
2558 | context->type = AUDIT_MQ_OPEN; |
2559 | } |
2560 | |
2561 | /** |
2562 | * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive |
2563 | * @mqdes: MQ descriptor |
2564 | * @msg_len: Message length |
2565 | * @msg_prio: Message priority |
2566 | * @abs_timeout: Message timeout in absolute time |
2567 | * |
2568 | */ |
2569 | void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, |
2570 | const struct timespec64 *abs_timeout) |
2571 | { |
2572 | struct audit_context *context = audit_context(); |
2573 | struct timespec64 *p = &context->mq_sendrecv.abs_timeout; |
2574 | |
2575 | if (abs_timeout) |
2576 | memcpy(p, abs_timeout, sizeof(*p)); |
2577 | else |
2578 | memset(p, 0, sizeof(*p)); |
2579 | |
2580 | context->mq_sendrecv.mqdes = mqdes; |
2581 | context->mq_sendrecv.msg_len = msg_len; |
2582 | context->mq_sendrecv.msg_prio = msg_prio; |
2583 | |
2584 | context->type = AUDIT_MQ_SENDRECV; |
2585 | } |
2586 | |
2587 | /** |
2588 | * __audit_mq_notify - record audit data for a POSIX MQ notify |
2589 | * @mqdes: MQ descriptor |
2590 | * @notification: Notification event |
2591 | * |
2592 | */ |
2593 | |
2594 | void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) |
2595 | { |
2596 | struct audit_context *context = audit_context(); |
2597 | |
2598 | if (notification) |
2599 | context->mq_notify.sigev_signo = notification->sigev_signo; |
2600 | else |
2601 | context->mq_notify.sigev_signo = 0; |
2602 | |
2603 | context->mq_notify.mqdes = mqdes; |
2604 | context->type = AUDIT_MQ_NOTIFY; |
2605 | } |
2606 | |
2607 | /** |
2608 | * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute |
2609 | * @mqdes: MQ descriptor |
2610 | * @mqstat: MQ flags |
2611 | * |
2612 | */ |
2613 | void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) |
2614 | { |
2615 | struct audit_context *context = audit_context(); |
2616 | |
2617 | context->mq_getsetattr.mqdes = mqdes; |
2618 | context->mq_getsetattr.mqstat = *mqstat; |
2619 | context->type = AUDIT_MQ_GETSETATTR; |
2620 | } |
2621 | |
2622 | /** |
2623 | * __audit_ipc_obj - record audit data for ipc object |
2624 | * @ipcp: ipc permissions |
2625 | * |
2626 | */ |
2627 | void __audit_ipc_obj(struct kern_ipc_perm *ipcp) |
2628 | { |
2629 | struct audit_context *context = audit_context(); |
2630 | |
2631 | context->ipc.uid = ipcp->uid; |
2632 | context->ipc.gid = ipcp->gid; |
2633 | context->ipc.mode = ipcp->mode; |
2634 | context->ipc.has_perm = 0; |
2635 | security_ipc_getsecid(ipcp, secid: &context->ipc.osid); |
2636 | context->type = AUDIT_IPC; |
2637 | } |
2638 | |
2639 | /** |
2640 | * __audit_ipc_set_perm - record audit data for new ipc permissions |
2641 | * @qbytes: msgq bytes |
2642 | * @uid: msgq user id |
2643 | * @gid: msgq group id |
2644 | * @mode: msgq mode (permissions) |
2645 | * |
2646 | * Called only after audit_ipc_obj(). |
2647 | */ |
2648 | void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) |
2649 | { |
2650 | struct audit_context *context = audit_context(); |
2651 | |
2652 | context->ipc.qbytes = qbytes; |
2653 | context->ipc.perm_uid = uid; |
2654 | context->ipc.perm_gid = gid; |
2655 | context->ipc.perm_mode = mode; |
2656 | context->ipc.has_perm = 1; |
2657 | } |
2658 | |
2659 | void __audit_bprm(struct linux_binprm *bprm) |
2660 | { |
2661 | struct audit_context *context = audit_context(); |
2662 | |
2663 | context->type = AUDIT_EXECVE; |
2664 | context->execve.argc = bprm->argc; |
2665 | } |
2666 | |
2667 | |
2668 | /** |
2669 | * __audit_socketcall - record audit data for sys_socketcall |
2670 | * @nargs: number of args, which should not be more than AUDITSC_ARGS. |
2671 | * @args: args array |
2672 | * |
2673 | */ |
2674 | int __audit_socketcall(int nargs, unsigned long *args) |
2675 | { |
2676 | struct audit_context *context = audit_context(); |
2677 | |
2678 | if (nargs <= 0 || nargs > AUDITSC_ARGS || !args) |
2679 | return -EINVAL; |
2680 | context->type = AUDIT_SOCKETCALL; |
2681 | context->socketcall.nargs = nargs; |
2682 | memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); |
2683 | return 0; |
2684 | } |
2685 | |
2686 | /** |
2687 | * __audit_fd_pair - record audit data for pipe and socketpair |
2688 | * @fd1: the first file descriptor |
2689 | * @fd2: the second file descriptor |
2690 | * |
2691 | */ |
2692 | void __audit_fd_pair(int fd1, int fd2) |
2693 | { |
2694 | struct audit_context *context = audit_context(); |
2695 | |
2696 | context->fds[0] = fd1; |
2697 | context->fds[1] = fd2; |
2698 | } |
2699 | |
2700 | /** |
2701 | * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto |
2702 | * @len: data length in user space |
2703 | * @a: data address in kernel space |
2704 | * |
2705 | * Returns 0 for success or NULL context or < 0 on error. |
2706 | */ |
2707 | int __audit_sockaddr(int len, void *a) |
2708 | { |
2709 | struct audit_context *context = audit_context(); |
2710 | |
2711 | if (!context->sockaddr) { |
2712 | void *p = kmalloc(size: sizeof(struct sockaddr_storage), GFP_KERNEL); |
2713 | |
2714 | if (!p) |
2715 | return -ENOMEM; |
2716 | context->sockaddr = p; |
2717 | } |
2718 | |
2719 | context->sockaddr_len = len; |
2720 | memcpy(context->sockaddr, a, len); |
2721 | return 0; |
2722 | } |
2723 | |
2724 | void __audit_ptrace(struct task_struct *t) |
2725 | { |
2726 | struct audit_context *context = audit_context(); |
2727 | |
2728 | context->target_pid = task_tgid_nr(tsk: t); |
2729 | context->target_auid = audit_get_loginuid(tsk: t); |
2730 | context->target_uid = task_uid(t); |
2731 | context->target_sessionid = audit_get_sessionid(tsk: t); |
2732 | security_task_getsecid_obj(p: t, secid: &context->target_sid); |
2733 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); |
2734 | } |
2735 | |
2736 | /** |
2737 | * audit_signal_info_syscall - record signal info for syscalls |
2738 | * @t: task being signaled |
2739 | * |
2740 | * If the audit subsystem is being terminated, record the task (pid) |
2741 | * and uid that is doing that. |
2742 | */ |
2743 | int audit_signal_info_syscall(struct task_struct *t) |
2744 | { |
2745 | struct audit_aux_data_pids *axp; |
2746 | struct audit_context *ctx = audit_context(); |
2747 | kuid_t t_uid = task_uid(t); |
2748 | |
2749 | if (!audit_signals || audit_dummy_context()) |
2750 | return 0; |
2751 | |
2752 | /* optimize the common case by putting first signal recipient directly |
2753 | * in audit_context */ |
2754 | if (!ctx->target_pid) { |
2755 | ctx->target_pid = task_tgid_nr(tsk: t); |
2756 | ctx->target_auid = audit_get_loginuid(tsk: t); |
2757 | ctx->target_uid = t_uid; |
2758 | ctx->target_sessionid = audit_get_sessionid(tsk: t); |
2759 | security_task_getsecid_obj(p: t, secid: &ctx->target_sid); |
2760 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); |
2761 | return 0; |
2762 | } |
2763 | |
2764 | axp = (void *)ctx->aux_pids; |
2765 | if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { |
2766 | axp = kzalloc(size: sizeof(*axp), GFP_ATOMIC); |
2767 | if (!axp) |
2768 | return -ENOMEM; |
2769 | |
2770 | axp->d.type = AUDIT_OBJ_PID; |
2771 | axp->d.next = ctx->aux_pids; |
2772 | ctx->aux_pids = (void *)axp; |
2773 | } |
2774 | BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); |
2775 | |
2776 | axp->target_pid[axp->pid_count] = task_tgid_nr(tsk: t); |
2777 | axp->target_auid[axp->pid_count] = audit_get_loginuid(tsk: t); |
2778 | axp->target_uid[axp->pid_count] = t_uid; |
2779 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(tsk: t); |
2780 | security_task_getsecid_obj(p: t, secid: &axp->target_sid[axp->pid_count]); |
2781 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); |
2782 | axp->pid_count++; |
2783 | |
2784 | return 0; |
2785 | } |
2786 | |
2787 | /** |
2788 | * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps |
2789 | * @bprm: pointer to the bprm being processed |
2790 | * @new: the proposed new credentials |
2791 | * @old: the old credentials |
2792 | * |
2793 | * Simply check if the proc already has the caps given by the file and if not |
2794 | * store the priv escalation info for later auditing at the end of the syscall |
2795 | * |
2796 | * -Eric |
2797 | */ |
2798 | int __audit_log_bprm_fcaps(struct linux_binprm *bprm, |
2799 | const struct cred *new, const struct cred *old) |
2800 | { |
2801 | struct audit_aux_data_bprm_fcaps *ax; |
2802 | struct audit_context *context = audit_context(); |
2803 | struct cpu_vfs_cap_data vcaps; |
2804 | |
2805 | ax = kmalloc(size: sizeof(*ax), GFP_KERNEL); |
2806 | if (!ax) |
2807 | return -ENOMEM; |
2808 | |
2809 | ax->d.type = AUDIT_BPRM_FCAPS; |
2810 | ax->d.next = context->aux; |
2811 | context->aux = (void *)ax; |
2812 | |
2813 | get_vfs_caps_from_disk(idmap: &nop_mnt_idmap, |
2814 | dentry: bprm->file->f_path.dentry, cpu_caps: &vcaps); |
2815 | |
2816 | ax->fcap.permitted = vcaps.permitted; |
2817 | ax->fcap.inheritable = vcaps.inheritable; |
2818 | ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); |
2819 | ax->fcap.rootid = vcaps.rootid; |
2820 | ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; |
2821 | |
2822 | ax->old_pcap.permitted = old->cap_permitted; |
2823 | ax->old_pcap.inheritable = old->cap_inheritable; |
2824 | ax->old_pcap.effective = old->cap_effective; |
2825 | ax->old_pcap.ambient = old->cap_ambient; |
2826 | |
2827 | ax->new_pcap.permitted = new->cap_permitted; |
2828 | ax->new_pcap.inheritable = new->cap_inheritable; |
2829 | ax->new_pcap.effective = new->cap_effective; |
2830 | ax->new_pcap.ambient = new->cap_ambient; |
2831 | return 0; |
2832 | } |
2833 | |
2834 | /** |
2835 | * __audit_log_capset - store information about the arguments to the capset syscall |
2836 | * @new: the new credentials |
2837 | * @old: the old (current) credentials |
2838 | * |
2839 | * Record the arguments userspace sent to sys_capset for later printing by the |
2840 | * audit system if applicable |
2841 | */ |
2842 | void __audit_log_capset(const struct cred *new, const struct cred *old) |
2843 | { |
2844 | struct audit_context *context = audit_context(); |
2845 | |
2846 | context->capset.pid = task_tgid_nr(current); |
2847 | context->capset.cap.effective = new->cap_effective; |
2848 | context->capset.cap.inheritable = new->cap_effective; |
2849 | context->capset.cap.permitted = new->cap_permitted; |
2850 | context->capset.cap.ambient = new->cap_ambient; |
2851 | context->type = AUDIT_CAPSET; |
2852 | } |
2853 | |
2854 | void __audit_mmap_fd(int fd, int flags) |
2855 | { |
2856 | struct audit_context *context = audit_context(); |
2857 | |
2858 | context->mmap.fd = fd; |
2859 | context->mmap.flags = flags; |
2860 | context->type = AUDIT_MMAP; |
2861 | } |
2862 | |
2863 | void __audit_openat2_how(struct open_how *how) |
2864 | { |
2865 | struct audit_context *context = audit_context(); |
2866 | |
2867 | context->openat2.flags = how->flags; |
2868 | context->openat2.mode = how->mode; |
2869 | context->openat2.resolve = how->resolve; |
2870 | context->type = AUDIT_OPENAT2; |
2871 | } |
2872 | |
2873 | void __audit_log_kern_module(char *name) |
2874 | { |
2875 | struct audit_context *context = audit_context(); |
2876 | |
2877 | context->module.name = kstrdup(s: name, GFP_KERNEL); |
2878 | if (!context->module.name) |
2879 | audit_log_lost(message: "out of memory in __audit_log_kern_module" ); |
2880 | context->type = AUDIT_KERN_MODULE; |
2881 | } |
2882 | |
2883 | void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar) |
2884 | { |
2885 | /* {subj,obj}_trust values are {0,1,2}: no,yes,unknown */ |
2886 | switch (friar->hdr.type) { |
2887 | case FAN_RESPONSE_INFO_NONE: |
2888 | audit_log(ctx: audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, |
2889 | fmt: "resp=%u fan_type=%u fan_info=0 subj_trust=2 obj_trust=2" , |
2890 | response, FAN_RESPONSE_INFO_NONE); |
2891 | break; |
2892 | case FAN_RESPONSE_INFO_AUDIT_RULE: |
2893 | audit_log(ctx: audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, |
2894 | fmt: "resp=%u fan_type=%u fan_info=%X subj_trust=%u obj_trust=%u" , |
2895 | response, friar->hdr.type, friar->rule_number, |
2896 | friar->subj_trust, friar->obj_trust); |
2897 | } |
2898 | } |
2899 | |
2900 | void __audit_tk_injoffset(struct timespec64 offset) |
2901 | { |
2902 | struct audit_context *context = audit_context(); |
2903 | |
2904 | /* only set type if not already set by NTP */ |
2905 | if (!context->type) |
2906 | context->type = AUDIT_TIME_INJOFFSET; |
2907 | memcpy(&context->time.tk_injoffset, &offset, sizeof(offset)); |
2908 | } |
2909 | |
2910 | void __audit_ntp_log(const struct audit_ntp_data *ad) |
2911 | { |
2912 | struct audit_context *context = audit_context(); |
2913 | int type; |
2914 | |
2915 | for (type = 0; type < AUDIT_NTP_NVALS; type++) |
2916 | if (ad->vals[type].newval != ad->vals[type].oldval) { |
2917 | /* unconditionally set type, overwriting TK */ |
2918 | context->type = AUDIT_TIME_ADJNTPVAL; |
2919 | memcpy(&context->time.ntp_data, ad, sizeof(*ad)); |
2920 | break; |
2921 | } |
2922 | } |
2923 | |
2924 | void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, |
2925 | enum audit_nfcfgop op, gfp_t gfp) |
2926 | { |
2927 | struct audit_buffer *ab; |
2928 | char comm[sizeof(current->comm)]; |
2929 | |
2930 | ab = audit_log_start(ctx: audit_context(), gfp_mask: gfp, AUDIT_NETFILTER_CFG); |
2931 | if (!ab) |
2932 | return; |
2933 | audit_log_format(ab, fmt: "table=%s family=%u entries=%u op=%s" , |
2934 | name, af, nentries, audit_nfcfgs[op].s); |
2935 | |
2936 | audit_log_format(ab, fmt: " pid=%u" , task_pid_nr(current)); |
2937 | audit_log_task_context(ab); /* subj= */ |
2938 | audit_log_format(ab, fmt: " comm=" ); |
2939 | audit_log_untrustedstring(ab, get_task_comm(comm, current)); |
2940 | audit_log_end(ab); |
2941 | } |
2942 | EXPORT_SYMBOL_GPL(__audit_log_nfcfg); |
2943 | |
2944 | static void audit_log_task(struct audit_buffer *ab) |
2945 | { |
2946 | kuid_t auid, uid; |
2947 | kgid_t gid; |
2948 | unsigned int sessionid; |
2949 | char comm[sizeof(current->comm)]; |
2950 | |
2951 | auid = audit_get_loginuid(current); |
2952 | sessionid = audit_get_sessionid(current); |
2953 | current_uid_gid(&uid, &gid); |
2954 | |
2955 | audit_log_format(ab, fmt: "auid=%u uid=%u gid=%u ses=%u" , |
2956 | from_kuid(to: &init_user_ns, uid: auid), |
2957 | from_kuid(to: &init_user_ns, uid), |
2958 | from_kgid(to: &init_user_ns, gid), |
2959 | sessionid); |
2960 | audit_log_task_context(ab); |
2961 | audit_log_format(ab, fmt: " pid=%d comm=" , task_tgid_nr(current)); |
2962 | audit_log_untrustedstring(ab, get_task_comm(comm, current)); |
2963 | audit_log_d_path_exe(ab, current->mm); |
2964 | } |
2965 | |
2966 | /** |
2967 | * audit_core_dumps - record information about processes that end abnormally |
2968 | * @signr: signal value |
2969 | * |
2970 | * If a process ends with a core dump, something fishy is going on and we |
2971 | * should record the event for investigation. |
2972 | */ |
2973 | void audit_core_dumps(long signr) |
2974 | { |
2975 | struct audit_buffer *ab; |
2976 | |
2977 | if (!audit_enabled) |
2978 | return; |
2979 | |
2980 | if (signr == SIGQUIT) /* don't care for those */ |
2981 | return; |
2982 | |
2983 | ab = audit_log_start(ctx: audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND); |
2984 | if (unlikely(!ab)) |
2985 | return; |
2986 | audit_log_task(ab); |
2987 | audit_log_format(ab, fmt: " sig=%ld res=1" , signr); |
2988 | audit_log_end(ab); |
2989 | } |
2990 | |
2991 | /** |
2992 | * audit_seccomp - record information about a seccomp action |
2993 | * @syscall: syscall number |
2994 | * @signr: signal value |
2995 | * @code: the seccomp action |
2996 | * |
2997 | * Record the information associated with a seccomp action. Event filtering for |
2998 | * seccomp actions that are not to be logged is done in seccomp_log(). |
2999 | * Therefore, this function forces auditing independent of the audit_enabled |
3000 | * and dummy context state because seccomp actions should be logged even when |
3001 | * audit is not in use. |
3002 | */ |
3003 | void audit_seccomp(unsigned long syscall, long signr, int code) |
3004 | { |
3005 | struct audit_buffer *ab; |
3006 | |
3007 | ab = audit_log_start(ctx: audit_context(), GFP_KERNEL, AUDIT_SECCOMP); |
3008 | if (unlikely(!ab)) |
3009 | return; |
3010 | audit_log_task(ab); |
3011 | audit_log_format(ab, fmt: " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x" , |
3012 | signr, syscall_get_arch(current), syscall, |
3013 | in_compat_syscall(), KSTK_EIP(current), code); |
3014 | audit_log_end(ab); |
3015 | } |
3016 | |
3017 | void audit_seccomp_actions_logged(const char *names, const char *old_names, |
3018 | int res) |
3019 | { |
3020 | struct audit_buffer *ab; |
3021 | |
3022 | if (!audit_enabled) |
3023 | return; |
3024 | |
3025 | ab = audit_log_start(ctx: audit_context(), GFP_KERNEL, |
3026 | AUDIT_CONFIG_CHANGE); |
3027 | if (unlikely(!ab)) |
3028 | return; |
3029 | |
3030 | audit_log_format(ab, |
3031 | fmt: "op=seccomp-logging actions=%s old-actions=%s res=%d" , |
3032 | names, old_names, res); |
3033 | audit_log_end(ab); |
3034 | } |
3035 | |
3036 | struct list_head *audit_killed_trees(void) |
3037 | { |
3038 | struct audit_context *ctx = audit_context(); |
3039 | if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED)) |
3040 | return NULL; |
3041 | return &ctx->killed_trees; |
3042 | } |
3043 | |