1
/* auditsc.c -- System-call auditing support
2
 * Handles all system-call specific auditing features.
3
 *
4
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6
 * Copyright (C) 2005, 2006 IBM Corporation
7
 * All Rights Reserved.
8
 *
9
 * This program is free software; you can redistribute it and/or modify
10
 * it under the terms of the GNU General Public License as published by
11
 * the Free Software Foundation; either version 2 of the License, or
12
 * (at your option) any later version.
13
 *
14
 * This program is distributed in the hope that it will be useful,
15
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17
 * GNU General Public License for more details.
18
 *
19
 * You should have received a copy of the GNU General Public License
20
 * along with this program; if not, write to the Free Software
21
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22
 *
23
 * Written by Rickard E. (Rik) Faith <[email protected]>
24
 *
25
 * Many of the ideas implemented here are from Stephen C. Tweedie,
26
 * especially the idea of avoiding a copy by using getname.
27
 *
28
 * The method for actual interception of syscall entry and exit (not in
29
 * this file -- see entry.S) is based on a GPL'd patch written by
30
 * [email protected] and Copyright 2003 SuSE Linux AG.
31
 *
32
 * POSIX message queue support added by George Wilson <[email protected]>,
33
 * 2006.
34
 *
35
 * The support of additional filter rules compares (>, <, >=, <=) was
36
 * added by Dustin Kirkland <[email protected]>, 2005.
37
 *
38
 * Modified by Amy Griffis <[email protected]> to collect additional
39
 * filesystem information.
40
 *
41
 * Subject and object context labeling support added by <[email protected]>
42
 * and <[email protected]> for LSPP certification compliance.
43
 */
44

45
#include <linux/init.h>
46
#include <asm/types.h>
47
#include <asm/atomic.h>
48
#include <linux/fs.h>
49
#include <linux/namei.h>
50
#include <linux/mm.h>
51
#include <linux/module.h>
52
#include <linux/slab.h>
53
#include <linux/mount.h>
54
#include <linux/socket.h>
55
#include <linux/mqueue.h>
56
#include <linux/audit.h>
57
#include <linux/personality.h>
58
#include <linux/time.h>
59
#include <linux/netlink.h>
60
#include <linux/compiler.h>
61
#include <asm/unistd.h>
62
#include <linux/security.h>
63
#include <linux/list.h>
64
#include <linux/tty.h>
65
#include <linux/binfmts.h>
66
#include <linux/highmem.h>
67
#include <linux/syscalls.h>
68
#include <linux/capability.h>
69
#include <linux/fs_struct.h>
70

71
#include "audit.h"
72

73
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
74
 * for saving names from getname(). */
75
#define AUDIT_NAMES    20
76

77
/* Indicates that audit should log the full pathname. */
78
#define AUDIT_NAME_FULL -1
79

80
/* no execve audit message should be longer than this (userspace limits) */
81
#define MAX_EXECVE_AUDIT_LEN 7500
82

83
/* number of audit rules */
84
int audit_n_rules;
85

86
/* determines whether we collect data for signals sent */
87
int audit_signals;
88

89
struct audit_cap_data {
90
	kernel_cap_t		permitted;
91
	kernel_cap_t		inheritable;
92
	union {
93
		unsigned int	fE;		/* effective bit of a file capability */
94
		kernel_cap_t	effective;	/* effective set of a process */
95
	};
96
};
97

98
/* When fs/namei.c:getname() is called, we store the pointer in name and
99
 * we don't let putname() free it (instead we free all of the saved
100
 * pointers at syscall exit time).
101
 *
102
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
103
struct audit_names {
104
	const char	*name;
105
	int		name_len;	/* number of name's characters to log */
106
	unsigned	name_put;	/* call __putname() for this name */
107
	unsigned long	ino;
108
	dev_t		dev;
109
	umode_t		mode;
110
	uid_t		uid;
111
	gid_t		gid;
112
	dev_t		rdev;
113
	u32		osid;
114
	struct audit_cap_data fcap;
115
	unsigned int	fcap_ver;
116
};
117

118
struct audit_aux_data {
119
	struct audit_aux_data	*next;
120
	int			type;
121
};
122

123
#define AUDIT_AUX_IPCPERM	0
124

125
/* Number of target pids per aux struct. */
126
#define AUDIT_AUX_PIDS	16
127

128
struct audit_aux_data_execve {
129
	struct audit_aux_data	d;
130
	int argc;
131
	int envc;
132
	struct mm_struct *mm;
133
};
134

135
struct audit_aux_data_pids {
136
	struct audit_aux_data	d;
137
	pid_t			target_pid[AUDIT_AUX_PIDS];
138
	uid_t			target_auid[AUDIT_AUX_PIDS];
139
	uid_t			target_uid[AUDIT_AUX_PIDS];
140
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
141
	u32			target_sid[AUDIT_AUX_PIDS];
142
	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
143
	int			pid_count;
144
};
145

146
struct audit_aux_data_bprm_fcaps {
147
	struct audit_aux_data	d;
148
	struct audit_cap_data	fcap;
149
	unsigned int		fcap_ver;
150
	struct audit_cap_data	old_pcap;
151
	struct audit_cap_data	new_pcap;
152
};
153

154
struct audit_aux_data_capset {
155
	struct audit_aux_data	d;
156
	pid_t			pid;
157
	struct audit_cap_data	cap;
158
};
159

160
struct audit_tree_refs {
161
	struct audit_tree_refs *next;
162
	struct audit_chunk *c[31];
163
};
164

165
/* The per-task audit context. */
166
struct audit_context {
167
	int		    dummy;	/* must be the first element */
168
	int		    in_syscall;	/* 1 if task is in a syscall */
169
	enum audit_state    state, current_state;
170
	unsigned int	    serial;     /* serial number for record */
171
	int		    major;      /* syscall number */
172
	struct timespec	    ctime;      /* time of syscall entry */
173
	unsigned long	    argv[4];    /* syscall arguments */
174
	long		    return_code;/* syscall return code */
175
	u64		    prio;
176
	int		    return_valid; /* return code is valid */
177
	int		    name_count;
178
	struct audit_names  names[AUDIT_NAMES];
179
	char *		    filterkey;	/* key for rule that triggered record */
180
	struct path	    pwd;
181
	struct audit_context *previous; /* For nested syscalls */
182
	struct audit_aux_data *aux;
183
	struct audit_aux_data *aux_pids;
184
	struct sockaddr_storage *sockaddr;
185
	size_t sockaddr_len;
186
				/* Save things to print about task_struct */
187
	pid_t		    pid, ppid;
188
	uid_t		    uid, euid, suid, fsuid;
189
	gid_t		    gid, egid, sgid, fsgid;
190
	unsigned long	    personality;
191
	int		    arch;
192

193
	pid_t		    target_pid;
194
	uid_t		    target_auid;
195
	uid_t		    target_uid;
196
	unsigned int	    target_sessionid;
197
	u32		    target_sid;
198
	char		    target_comm[TASK_COMM_LEN];
199

200
	struct audit_tree_refs *trees, *first_trees;
201
	struct list_head killed_trees;
202
	int tree_count;
203

204
	int type;
205
	union {
206
		struct {
207
			int nargs;
208
			long args[6];
209
		} socketcall;
210
		struct {
211
			uid_t			uid;
212
			gid_t			gid;
213
			mode_t			mode;
214
			u32			osid;
215
			int			has_perm;
216
			uid_t			perm_uid;
217
			gid_t			perm_gid;
218
			mode_t			perm_mode;
219
			unsigned long		qbytes;
220
		} ipc;
221
		struct {
222
			mqd_t			mqdes;
223
			struct mq_attr 		mqstat;
224
		} mq_getsetattr;
225
		struct {
226
			mqd_t			mqdes;
227
			int			sigev_signo;
228
		} mq_notify;
229
		struct {
230
			mqd_t			mqdes;
231
			size_t			msg_len;
232
			unsigned int		msg_prio;
233
			struct timespec		abs_timeout;
234
		} mq_sendrecv;
235
		struct {
236
			int			oflag;
237
			mode_t			mode;
238
			struct mq_attr		attr;
239
		} mq_open;
240
		struct {
241
			pid_t			pid;
242
			struct audit_cap_data	cap;
243
		} capset;
244
		struct {
245
			int			fd;
246
			int			flags;
247
		} mmap;
248
	};
249
	int fds[2];
250

251
#if AUDIT_DEBUG
252
	int		    put_count;
253
	int		    ino_count;
254
#endif
255
};
256

257
static inline int open_arg(int flags, int mask)
258
{
259
	int n = ACC_MODE(flags);
260
	if (flags & (O_TRUNC | O_CREAT))
261
		n |= AUDIT_PERM_WRITE;
262
	return n & mask;
263
}
264

265
static int audit_match_perm(struct audit_context *ctx, int mask)
266
{
267
	unsigned n;
268
	if (unlikely(!ctx))
269
		return 0;
270
	n = ctx->major;
271

272
	switch (audit_classify_syscall(ctx->arch, n)) {
273
	case 0:	/* native */
274
		if ((mask & AUDIT_PERM_WRITE) &&
275
		     audit_match_class(AUDIT_CLASS_WRITE, n))
276
			return 1;
277
		if ((mask & AUDIT_PERM_READ) &&
278
		     audit_match_class(AUDIT_CLASS_READ, n))
279
			return 1;
280
		if ((mask & AUDIT_PERM_ATTR) &&
281
		     audit_match_class(AUDIT_CLASS_CHATTR, n))
282
			return 1;
283
		return 0;
284
	case 1: /* 32bit on biarch */
285
		if ((mask & AUDIT_PERM_WRITE) &&
286
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
287
			return 1;
288
		if ((mask & AUDIT_PERM_READ) &&
289
		     audit_match_class(AUDIT_CLASS_READ_32, n))
290
			return 1;
291
		if ((mask & AUDIT_PERM_ATTR) &&
292
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
293
			return 1;
294
		return 0;
295
	case 2: /* open */
296
		return mask & ACC_MODE(ctx->argv[1]);
297
	case 3: /* openat */
298
		return mask & ACC_MODE(ctx->argv[2]);
299
	case 4: /* socketcall */
300
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
301
	case 5: /* execve */
302
		return mask & AUDIT_PERM_EXEC;
303
	default:
304
		return 0;
305
	}
306
}
307

308
static int audit_match_filetype(struct audit_context *ctx, int which)
309
{
310
	unsigned index = which & ~S_IFMT;
311
	mode_t mode = which & S_IFMT;
312

313
	if (unlikely(!ctx))
314
		return 0;
315

316
	if (index >= ctx->name_count)
317
		return 0;
318
	if (ctx->names[index].ino == -1)
319
		return 0;
320
	if ((ctx->names[index].mode ^ mode) & S_IFMT)
321
		return 0;
322
	return 1;
323
}
324

325
/*
326
 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
327
 * ->first_trees points to its beginning, ->trees - to the current end of data.
328
 * ->tree_count is the number of free entries in array pointed to by ->trees.
329
 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
330
 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
331
 * it's going to remain 1-element for almost any setup) until we free context itself.
332
 * References in it _are_ dropped - at the same time we free/drop aux stuff.
333
 */
334

335
#ifdef CONFIG_AUDIT_TREE
336
static void audit_set_auditable(struct audit_context *ctx)
337
{
338
	if (!ctx->prio) {
339
		ctx->prio = 1;
340
		ctx->current_state = AUDIT_RECORD_CONTEXT;
341
	}
342
}
343

344
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
345
{
346
	struct audit_tree_refs *p = ctx->trees;
347
	int left = ctx->tree_count;
348
	if (likely(left)) {
349
		p->c[--left] = chunk;
350
		ctx->tree_count = left;
351
		return 1;
352
	}
353
	if (!p)
354
		return 0;
355
	p = p->next;
356
	if (p) {
357
		p->c[30] = chunk;
358
		ctx->trees = p;
359
		ctx->tree_count = 30;
360
		return 1;
361
	}
362
	return 0;
363
}
364

365
static int grow_tree_refs(struct audit_context *ctx)
366
{
367
	struct audit_tree_refs *p = ctx->trees;
368
	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
369
	if (!ctx->trees) {
370
		ctx->trees = p;
371
		return 0;
372
	}
373
	if (p)
374
		p->next = ctx->trees;
375
	else
376
		ctx->first_trees = ctx->trees;
377
	ctx->tree_count = 31;
378
	return 1;
379
}
380
#endif
381

382
static void unroll_tree_refs(struct audit_context *ctx,
383
		      struct audit_tree_refs *p, int count)
384
{
385
#ifdef CONFIG_AUDIT_TREE
386
	struct audit_tree_refs *q;
387
	int n;
388
	if (!p) {
389
		/* we started with empty chain */
390
		p = ctx->first_trees;
391
		count = 31;
392
		/* if the very first allocation has failed, nothing to do */
393
		if (!p)
394
			return;
395
	}
396
	n = count;
397
	for (q = p; q != ctx->trees; q = q->next, n = 31) {
398
		while (n--) {
399
			audit_put_chunk(q->c[n]);
400
			q->c[n] = NULL;
401
		}
402
	}
403
	while (n-- > ctx->tree_count) {
404
		audit_put_chunk(q->c[n]);
405
		q->c[n] = NULL;
406
	}
407
	ctx->trees = p;
408
	ctx->tree_count = count;
409
#endif
410
}
411

412
static void free_tree_refs(struct audit_context *ctx)
413
{
414
	struct audit_tree_refs *p, *q;
415
	for (p = ctx->first_trees; p; p = q) {
416
		q = p->next;
417
		kfree(p);
418
	}
419
}
420

421
static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
422
{
423
#ifdef CONFIG_AUDIT_TREE
424
	struct audit_tree_refs *p;
425
	int n;
426
	if (!tree)
427
		return 0;
428
	/* full ones */
429
	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
430
		for (n = 0; n < 31; n++)
431
			if (audit_tree_match(p->c[n], tree))
432
				return 1;
433
	}
434
	/* partial */
435
	if (p) {
436
		for (n = ctx->tree_count; n < 31; n++)
437
			if (audit_tree_match(p->c[n], tree))
438
				return 1;
439
	}
440
#endif
441
	return 0;
442
}
443

444
/* Determine if any context name data matches a rule's watch data */
445
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
446
 * otherwise.
447
 *
448
 * If task_creation is true, this is an explicit indication that we are
449
 * filtering a task rule at task creation time.  This and tsk == current are
450
 * the only situations where tsk->cred may be accessed without an rcu read lock.
451
 */
452
static int audit_filter_rules(struct task_struct *tsk,
453
			      struct audit_krule *rule,
454
			      struct audit_context *ctx,
455
			      struct audit_names *name,
456
			      enum audit_state *state,
457
			      bool task_creation)
458
{
459
	const struct cred *cred;
460
	int i, j, need_sid = 1;
461
	u32 sid;
462

463
	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
464

465
	for (i = 0; i < rule->field_count; i++) {
466
		struct audit_field *f = &rule->fields[i];
467
		int result = 0;
468

469
		switch (f->type) {
470
		case AUDIT_PID:
471
			result = audit_comparator(tsk->pid, f->op, f->val);
472
			break;
473
		case AUDIT_PPID:
474
			if (ctx) {
475
				if (!ctx->ppid)
476
					ctx->ppid = sys_getppid();
477
				result = audit_comparator(ctx->ppid, f->op, f->val);
478
			}
479
			break;
480
		case AUDIT_UID:
481
			result = audit_comparator(cred->uid, f->op, f->val);
482
			break;
483
		case AUDIT_EUID:
484
			result = audit_comparator(cred->euid, f->op, f->val);
485
			break;
486
		case AUDIT_SUID:
487
			result = audit_comparator(cred->suid, f->op, f->val);
488
			break;
489
		case AUDIT_FSUID:
490
			result = audit_comparator(cred->fsuid, f->op, f->val);
491
			break;
492
		case AUDIT_GID:
493
			result = audit_comparator(cred->gid, f->op, f->val);
494
			break;
495
		case AUDIT_EGID:
496
			result = audit_comparator(cred->egid, f->op, f->val);
497
			break;
498
		case AUDIT_SGID:
499
			result = audit_comparator(cred->sgid, f->op, f->val);
500
			break;
501
		case AUDIT_FSGID:
502
			result = audit_comparator(cred->fsgid, f->op, f->val);
503
			break;
504
		case AUDIT_PERS:
505
			result = audit_comparator(tsk->personality, f->op, f->val);
506
			break;
507
		case AUDIT_ARCH:
508
			if (ctx)
509
				result = audit_comparator(ctx->arch, f->op, f->val);
510
			break;
511

512
		case AUDIT_EXIT:
513
			if (ctx && ctx->return_valid)
514
				result = audit_comparator(ctx->return_code, f->op, f->val);
515
			break;
516
		case AUDIT_SUCCESS:
517
			if (ctx && ctx->return_valid) {
518
				if (f->val)
519
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
520
				else
521
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
522
			}
523
			break;
524
		case AUDIT_DEVMAJOR:
525
			if (name)
526
				result = audit_comparator(MAJOR(name->dev),
527
							  f->op, f->val);
528
			else if (ctx) {
529
				for (j = 0; j < ctx->name_count; j++) {
530
					if (audit_comparator(MAJOR(ctx->names[j].dev),	f->op, f->val)) {
531
						++result;
532
						break;
533
					}
534
				}
535
			}
536
			break;
537
		case AUDIT_DEVMINOR:
538
			if (name)
539
				result = audit_comparator(MINOR(name->dev),
540
							  f->op, f->val);
541
			else if (ctx) {
542
				for (j = 0; j < ctx->name_count; j++) {
543
					if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
544
						++result;
545
						break;
546
					}
547
				}
548
			}
549
			break;
550
		case AUDIT_INODE:
551
			if (name)
552
				result = (name->ino == f->val);
553
			else if (ctx) {
554
				for (j = 0; j < ctx->name_count; j++) {
555
					if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
556
						++result;
557
						break;
558
					}
559
				}
560
			}
561
			break;
562
		case AUDIT_WATCH:
563
			if (name)
564
				result = audit_watch_compare(rule->watch, name->ino, name->dev);
565
			break;
566
		case AUDIT_DIR:
567
			if (ctx)
568
				result = match_tree_refs(ctx, rule->tree);
569
			break;
570
		case AUDIT_LOGINUID:
571
			result = 0;
572
			if (ctx)
573
				result = audit_comparator(tsk->loginuid, f->op, f->val);
574
			break;
575
		case AUDIT_SUBJ_USER:
576
		case AUDIT_SUBJ_ROLE:
577
		case AUDIT_SUBJ_TYPE:
578
		case AUDIT_SUBJ_SEN:
579
		case AUDIT_SUBJ_CLR:
580
			/* NOTE: this may return negative values indicating
581
			   a temporary error.  We simply treat this as a
582
			   match for now to avoid losing information that
583
			   may be wanted.   An error message will also be
584
			   logged upon error */
585
			if (f->lsm_rule) {
586
				if (need_sid) {
587
					security_task_getsecid(tsk, &sid);
588
					need_sid = 0;
589
				}
590
				result = security_audit_rule_match(sid, f->type,
591
				                                  f->op,
592
				                                  f->lsm_rule,
593
				                                  ctx);
594
			}
595
			break;
596
		case AUDIT_OBJ_USER:
597
		case AUDIT_OBJ_ROLE:
598
		case AUDIT_OBJ_TYPE:
599
		case AUDIT_OBJ_LEV_LOW:
600
		case AUDIT_OBJ_LEV_HIGH:
601
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
602
			   also applies here */
603
			if (f->lsm_rule) {
604
				/* Find files that match */
605
				if (name) {
606
					result = security_audit_rule_match(
607
					           name->osid, f->type, f->op,
608
					           f->lsm_rule, ctx);
609
				} else if (ctx) {
610
					for (j = 0; j < ctx->name_count; j++) {
611
						if (security_audit_rule_match(
612
						      ctx->names[j].osid,
613
						      f->type, f->op,
614
						      f->lsm_rule, ctx)) {
615
							++result;
616
							break;
617
						}
618
					}
619
				}
620
				/* Find ipc objects that match */
621
				if (!ctx || ctx->type != AUDIT_IPC)
622
					break;
623
				if (security_audit_rule_match(ctx->ipc.osid,
624
							      f->type, f->op,
625
							      f->lsm_rule, ctx))
626
					++result;
627
			}
628
			break;
629
		case AUDIT_ARG0:
630
		case AUDIT_ARG1:
631
		case AUDIT_ARG2:
632
		case AUDIT_ARG3:
633
			if (ctx)
634
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
635
			break;
636
		case AUDIT_FILTERKEY:
637
			/* ignore this field for filtering */
638
			result = 1;
639
			break;
640
		case AUDIT_PERM:
641
			result = audit_match_perm(ctx, f->val);
642
			break;
643
		case AUDIT_FILETYPE:
644
			result = audit_match_filetype(ctx, f->val);
645
			break;
646
		}
647

648
		if (!result)
649
			return 0;
650
	}
651

652
	if (ctx) {
653
		if (rule->prio <= ctx->prio)
654
			return 0;
655
		if (rule->filterkey) {
656
			kfree(ctx->filterkey);
657
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
658
		}
659
		ctx->prio = rule->prio;
660
	}
661
	switch (rule->action) {
662
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
663
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
664
	}
665
	return 1;
666
}
667

668
/* At process creation time, we can determine if system-call auditing is
669
 * completely disabled for this task.  Since we only have the task
670
 * structure at this point, we can only check uid and gid.
671
 */
672
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
673
{
674
	struct audit_entry *e;
675
	enum audit_state   state;
676

677
	rcu_read_lock();
678
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
679
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
680
				       &state, true)) {
681
			if (state == AUDIT_RECORD_CONTEXT)
682
				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
683
			rcu_read_unlock();
684
			return state;
685
		}
686
	}
687
	rcu_read_unlock();
688
	return AUDIT_BUILD_CONTEXT;
689
}
690

691
/* At syscall entry and exit time, this filter is called if the
692
 * audit_state is not low enough that auditing cannot take place, but is
693
 * also not high enough that we already know we have to write an audit
694
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
695
 */
696
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
697
					     struct audit_context *ctx,
698
					     struct list_head *list)
699
{
700
	struct audit_entry *e;
701
	enum audit_state state;
702

703
	if (audit_pid && tsk->tgid == audit_pid)
704
		return AUDIT_DISABLED;
705

706
	rcu_read_lock();
707
	if (!list_empty(list)) {
708
		int word = AUDIT_WORD(ctx->major);
709
		int bit  = AUDIT_BIT(ctx->major);
710

711
		list_for_each_entry_rcu(e, list, list) {
712
			if ((e->rule.mask[word] & bit) == bit &&
713
			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
714
					       &state, false)) {
715
				rcu_read_unlock();
716
				ctx->current_state = state;
717
				return state;
718
			}
719
		}
720
	}
721
	rcu_read_unlock();
722
	return AUDIT_BUILD_CONTEXT;
723
}
724

725
/* At syscall exit time, this filter is called if any audit_names[] have been
726
 * collected during syscall processing.  We only check rules in sublists at hash
727
 * buckets applicable to the inode numbers in audit_names[].
728
 * Regarding audit_state, same rules apply as for audit_filter_syscall().
729
 */
730
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
731
{
732
	int i;
733
	struct audit_entry *e;
734
	enum audit_state state;
735

736
	if (audit_pid && tsk->tgid == audit_pid)
737
		return;
738

739
	rcu_read_lock();
740
	for (i = 0; i < ctx->name_count; i++) {
741
		int word = AUDIT_WORD(ctx->major);
742
		int bit  = AUDIT_BIT(ctx->major);
743
		struct audit_names *n = &ctx->names[i];
744
		int h = audit_hash_ino((u32)n->ino);
745
		struct list_head *list = &audit_inode_hash[h];
746

747
		if (list_empty(list))
748
			continue;
749

750
		list_for_each_entry_rcu(e, list, list) {
751
			if ((e->rule.mask[word] & bit) == bit &&
752
			    audit_filter_rules(tsk, &e->rule, ctx, n,
753
				    	       &state, false)) {
754
				rcu_read_unlock();
755
				ctx->current_state = state;
756
				return;
757
			}
758
		}
759
	}
760
	rcu_read_unlock();
761
}
762

763
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
764
						      int return_valid,
765
						      long return_code)
766
{
767
	struct audit_context *context = tsk->audit_context;
768

769
	if (likely(!context))
770
		return NULL;
771
	context->return_valid = return_valid;
772

773
	/*
774
	 * we need to fix up the return code in the audit logs if the actual
775
	 * return codes are later going to be fixed up by the arch specific
776
	 * signal handlers
777
	 *
778
	 * This is actually a test for:
779
	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
780
	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
781
	 *
782
	 * but is faster than a bunch of ||
783
	 */
784
	if (unlikely(return_code <= -ERESTARTSYS) &&
785
	    (return_code >= -ERESTART_RESTARTBLOCK) &&
786
	    (return_code != -ENOIOCTLCMD))
787
		context->return_code = -EINTR;
788
	else
789
		context->return_code  = return_code;
790

791
	if (context->in_syscall && !context->dummy) {
792
		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
793
		audit_filter_inodes(tsk, context);
794
	}
795

796
	tsk->audit_context = NULL;
797
	return context;
798
}
799

800
static inline void audit_free_names(struct audit_context *context)
801
{
802
	int i;
803

804
#if AUDIT_DEBUG == 2
805
	if (context->put_count + context->ino_count != context->name_count) {
806
		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
807
		       " name_count=%d put_count=%d"
808
		       " ino_count=%d [NOT freeing]\n",
809
		       __FILE__, __LINE__,
810
		       context->serial, context->major, context->in_syscall,
811
		       context->name_count, context->put_count,
812
		       context->ino_count);
813
		for (i = 0; i < context->name_count; i++) {
814
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
815
			       context->names[i].name,
816
			       context->names[i].name ?: "(null)");
817
		}
818
		dump_stack();
819
		return;
820
	}
821
#endif
822
#if AUDIT_DEBUG
823
	context->put_count  = 0;
824
	context->ino_count  = 0;
825
#endif
826

827
	for (i = 0; i < context->name_count; i++) {
828
		if (context->names[i].name && context->names[i].name_put)
829
			__putname(context->names[i].name);
830
	}
831
	context->name_count = 0;
832
	path_put(&context->pwd);
833
	context->pwd.dentry = NULL;
834
	context->pwd.mnt = NULL;
835
}
836

837
static inline void audit_free_aux(struct audit_context *context)
838
{
839
	struct audit_aux_data *aux;
840

841
	while ((aux = context->aux)) {
842
		context->aux = aux->next;
843
		kfree(aux);
844
	}
845
	while ((aux = context->aux_pids)) {
846
		context->aux_pids = aux->next;
847
		kfree(aux);
848
	}
849
}
850

851
static inline void audit_zero_context(struct audit_context *context,
852
				      enum audit_state state)
853
{
854
	memset(context, 0, sizeof(*context));
855
	context->state      = state;
856
	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
857
}
858

859
static inline struct audit_context *audit_alloc_context(enum audit_state state)
860
{
861
	struct audit_context *context;
862

863
	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
864
		return NULL;
865
	audit_zero_context(context, state);
866
	INIT_LIST_HEAD(&context->killed_trees);
867
	return context;
868
}
869

870
/**
871
 * audit_alloc - allocate an audit context block for a task
872
 * @tsk: task
873
 *
874
 * Filter on the task information and allocate a per-task audit context
875
 * if necessary.  Doing so turns on system call auditing for the
876
 * specified task.  This is called from copy_process, so no lock is
877
 * needed.
878
 */
879
int audit_alloc(struct task_struct *tsk)
880
{
881
	struct audit_context *context;
882
	enum audit_state     state;
883
	char *key = NULL;
884

885
	if (likely(!audit_ever_enabled))
886
		return 0; /* Return if not auditing. */
887

888
	state = audit_filter_task(tsk, &key);
889
	if (likely(state == AUDIT_DISABLED))
890
		return 0;
891

892
	if (!(context = audit_alloc_context(state))) {
893
		kfree(key);
894
		audit_log_lost("out of memory in audit_alloc");
895
		return -ENOMEM;
896
	}
897
	context->filterkey = key;
898

899
	tsk->audit_context  = context;
900
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
901
	return 0;
902
}
903

904
static inline void audit_free_context(struct audit_context *context)
905
{
906
	struct audit_context *previous;
907
	int		     count = 0;
908

909
	do {
910
		previous = context->previous;
911
		if (previous || (count &&  count < 10)) {
912
			++count;
913
			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
914
			       " freeing multiple contexts (%d)\n",
915
			       context->serial, context->major,
916
			       context->name_count, count);
917
		}
918
		audit_free_names(context);
919
		unroll_tree_refs(context, NULL, 0);
920
		free_tree_refs(context);
921
		audit_free_aux(context);
922
		kfree(context->filterkey);
923
		kfree(context->sockaddr);
924
		kfree(context);
925
		context  = previous;
926
	} while (context);
927
	if (count >= 10)
928
		printk(KERN_ERR "audit: freed %d contexts\n", count);
929
}
930

931
void audit_log_task_context(struct audit_buffer *ab)
932
{
933
	char *ctx = NULL;
934
	unsigned len;
935
	int error;
936
	u32 sid;
937

938
	security_task_getsecid(current, &sid);
939
	if (!sid)
940
		return;
941

942
	error = security_secid_to_secctx(sid, &ctx, &len);
943
	if (error) {
944
		if (error != -EINVAL)
945
			goto error_path;
946
		return;
947
	}
948

949
	audit_log_format(ab, " subj=%s", ctx);
950
	security_release_secctx(ctx, len);
951
	return;
952

953
error_path:
954
	audit_panic("error in audit_log_task_context");
955
	return;
956
}
957

958
EXPORT_SYMBOL(audit_log_task_context);
959

960
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
961
{
962
	char name[sizeof(tsk->comm)];
963
	struct mm_struct *mm = tsk->mm;
964
	struct vm_area_struct *vma;
965

966
	/* tsk == current */
967

968
	get_task_comm(name, tsk);
969
	audit_log_format(ab, " comm=");
970
	audit_log_untrustedstring(ab, name);
971

972
	if (mm) {
973
		down_read(&mm->mmap_sem);
974
		vma = mm->mmap;
975
		while (vma) {
976
			if ((vma->vm_flags & VM_EXECUTABLE) &&
977
			    vma->vm_file) {
978
				audit_log_d_path(ab, "exe=",
979
						 &vma->vm_file->f_path);
980
				break;
981
			}
982
			vma = vma->vm_next;
983
		}
984
		up_read(&mm->mmap_sem);
985
	}
986
	audit_log_task_context(ab);
987
}
988

989
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
990
				 uid_t auid, uid_t uid, unsigned int sessionid,
991
				 u32 sid, char *comm)
992
{
993
	struct audit_buffer *ab;
994
	char *ctx = NULL;
995
	u32 len;
996
	int rc = 0;
997

998
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
999
	if (!ab)
1000
		return rc;
1001

1002
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
1003
			 uid, sessionid);
1004
	if (security_secid_to_secctx(sid, &ctx, &len)) {
1005
		audit_log_format(ab, " obj=(none)");
1006
		rc = 1;
1007
	} else {
1008
		audit_log_format(ab, " obj=%s", ctx);
1009
		security_release_secctx(ctx, len);
1010
	}
1011
	audit_log_format(ab, " ocomm=");
1012
	audit_log_untrustedstring(ab, comm);
1013
	audit_log_end(ab);
1014

1015
	return rc;
1016
}
1017

1018
/*
1019
 * to_send and len_sent accounting are very loose estimates.  We aren't
1020
 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1021
 * within about 500 bytes (next page boundary)
1022
 *
1023
 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
1024
 * logging that a[%d]= was going to be 16 characters long we would be wasting
1025
 * space in every audit message.  In one 7500 byte message we can log up to
1026
 * about 1000 min size arguments.  That comes down to about 50% waste of space
1027
 * if we didn't do the snprintf to find out how long arg_num_len was.
1028
 */
1029
static int audit_log_single_execve_arg(struct audit_context *context,
1030
					struct audit_buffer **ab,
1031
					int arg_num,
1032
					size_t *len_sent,
1033
					const char __user *p,
1034
					char *buf)
1035
{
1036
	char arg_num_len_buf[12];
1037
	const char __user *tmp_p = p;
1038
	/* how many digits are in arg_num? 5 is the length of ' a=""' */
1039
	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1040
	size_t len, len_left, to_send;
1041
	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1042
	unsigned int i, has_cntl = 0, too_long = 0;
1043
	int ret;
1044

1045
	/* strnlen_user includes the null we don't want to send */
1046
	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1047

1048
	/*
1049
	 * We just created this mm, if we can't find the strings
1050
	 * we just copied into it something is _very_ wrong. Similar
1051
	 * for strings that are too long, we should not have created
1052
	 * any.
1053
	 */
1054
	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1055
		WARN_ON(1);
1056
		send_sig(SIGKILL, current, 0);
1057
		return -1;
1058
	}
1059

1060
	/* walk the whole argument looking for non-ascii chars */
1061
	do {
1062
		if (len_left > MAX_EXECVE_AUDIT_LEN)
1063
			to_send = MAX_EXECVE_AUDIT_LEN;
1064
		else
1065
			to_send = len_left;
1066
		ret = copy_from_user(buf, tmp_p, to_send);
1067
		/*
1068
		 * There is no reason for this copy to be short. We just
1069
		 * copied them here, and the mm hasn't been exposed to user-
1070
		 * space yet.
1071
		 */
1072
		if (ret) {
1073
			WARN_ON(1);
1074
			send_sig(SIGKILL, current, 0);
1075
			return -1;
1076
		}
1077
		buf[to_send] = '\0';
1078
		has_cntl = audit_string_contains_control(buf, to_send);
1079
		if (has_cntl) {
1080
			/*
1081
			 * hex messages get logged as 2 bytes, so we can only
1082
			 * send half as much in each message
1083
			 */
1084
			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1085
			break;
1086
		}
1087
		len_left -= to_send;
1088
		tmp_p += to_send;
1089
	} while (len_left > 0);
1090

1091
	len_left = len;
1092

1093
	if (len > max_execve_audit_len)
1094
		too_long = 1;
1095

1096
	/* rewalk the argument actually logging the message */
1097
	for (i = 0; len_left > 0; i++) {
1098
		int room_left;
1099

1100
		if (len_left > max_execve_audit_len)
1101
			to_send = max_execve_audit_len;
1102
		else
1103
			to_send = len_left;
1104

1105
		/* do we have space left to send this argument in this ab? */
1106
		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1107
		if (has_cntl)
1108
			room_left -= (to_send * 2);
1109
		else
1110
			room_left -= to_send;
1111
		if (room_left < 0) {
1112
			*len_sent = 0;
1113
			audit_log_end(*ab);
1114
			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1115
			if (!*ab)
1116
				return 0;
1117
		}
1118

1119
		/*
1120
		 * first record needs to say how long the original string was
1121
		 * so we can be sure nothing was lost.
1122
		 */
1123
		if ((i == 0) && (too_long))
1124
			audit_log_format(*ab, " a%d_len=%zu", arg_num,
1125
					 has_cntl ? 2*len : len);
1126

1127
		/*
1128
		 * normally arguments are small enough to fit and we already
1129
		 * filled buf above when we checked for control characters
1130
		 * so don't bother with another copy_from_user
1131
		 */
1132
		if (len >= max_execve_audit_len)
1133
			ret = copy_from_user(buf, p, to_send);
1134
		else
1135
			ret = 0;
1136
		if (ret) {
1137
			WARN_ON(1);
1138
			send_sig(SIGKILL, current, 0);
1139
			return -1;
1140
		}
1141
		buf[to_send] = '\0';
1142

1143
		/* actually log it */
1144
		audit_log_format(*ab, " a%d", arg_num);
1145
		if (too_long)
1146
			audit_log_format(*ab, "[%d]", i);
1147
		audit_log_format(*ab, "=");
1148
		if (has_cntl)
1149
			audit_log_n_hex(*ab, buf, to_send);
1150
		else
1151
			audit_log_string(*ab, buf);
1152

1153
		p += to_send;
1154
		len_left -= to_send;
1155
		*len_sent += arg_num_len;
1156
		if (has_cntl)
1157
			*len_sent += to_send * 2;
1158
		else
1159
			*len_sent += to_send;
1160
	}
1161
	/* include the null we didn't log */
1162
	return len + 1;
1163
}
1164

1165
static void audit_log_execve_info(struct audit_context *context,
1166
				  struct audit_buffer **ab,
1167
				  struct audit_aux_data_execve *axi)
1168
{
1169
	int i;
1170
	size_t len, len_sent = 0;
1171
	const char __user *p;
1172
	char *buf;
1173

1174
	if (axi->mm != current->mm)
1175
		return; /* execve failed, no additional info */
1176

1177
	p = (const char __user *)axi->mm->arg_start;
1178

1179
	audit_log_format(*ab, "argc=%d", axi->argc);
1180

1181
	/*
1182
	 * we need some kernel buffer to hold the userspace args.  Just
1183
	 * allocate one big one rather than allocating one of the right size
1184
	 * for every single argument inside audit_log_single_execve_arg()
1185
	 * should be <8k allocation so should be pretty safe.
1186
	 */
1187
	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1188
	if (!buf) {
1189
		audit_panic("out of memory for argv string\n");
1190
		return;
1191
	}
1192

1193
	for (i = 0; i < axi->argc; i++) {
1194
		len = audit_log_single_execve_arg(context, ab, i,
1195
						  &len_sent, p, buf);
1196
		if (len <= 0)
1197
			break;
1198
		p += len;
1199
	}
1200
	kfree(buf);
1201
}
1202

1203
static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1204
{
1205
	int i;
1206

1207
	audit_log_format(ab, " %s=", prefix);
1208
	CAP_FOR_EACH_U32(i) {
1209
		audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1210
	}
1211
}
1212

1213
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1214
{
1215
	kernel_cap_t *perm = &name->fcap.permitted;
1216
	kernel_cap_t *inh = &name->fcap.inheritable;
1217
	int log = 0;
1218

1219
	if (!cap_isclear(*perm)) {
1220
		audit_log_cap(ab, "cap_fp", perm);
1221
		log = 1;
1222
	}
1223
	if (!cap_isclear(*inh)) {
1224
		audit_log_cap(ab, "cap_fi", inh);
1225
		log = 1;
1226
	}
1227

1228
	if (log)
1229
		audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1230
}
1231

1232
static void show_special(struct audit_context *context, int *call_panic)
1233
{
1234
	struct audit_buffer *ab;
1235
	int i;
1236

1237
	ab = audit_log_start(context, GFP_KERNEL, context->type);
1238
	if (!ab)
1239
		return;
1240

1241
	switch (context->type) {
1242
	case AUDIT_SOCKETCALL: {
1243
		int nargs = context->socketcall.nargs;
1244
		audit_log_format(ab, "nargs=%d", nargs);
1245
		for (i = 0; i < nargs; i++)
1246
			audit_log_format(ab, " a%d=%lx", i,
1247
				context->socketcall.args[i]);
1248
		break; }
1249
	case AUDIT_IPC: {
1250
		u32 osid = context->ipc.osid;
1251

1252
		audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
1253
			 context->ipc.uid, context->ipc.gid, context->ipc.mode);
1254
		if (osid) {
1255
			char *ctx = NULL;
1256
			u32 len;
1257
			if (security_secid_to_secctx(osid, &ctx, &len)) {
1258
				audit_log_format(ab, " osid=%u", osid);
1259
				*call_panic = 1;
1260
			} else {
1261
				audit_log_format(ab, " obj=%s", ctx);
1262
				security_release_secctx(ctx, len);
1263
			}
1264
		}
1265
		if (context->ipc.has_perm) {
1266
			audit_log_end(ab);
1267
			ab = audit_log_start(context, GFP_KERNEL,
1268
					     AUDIT_IPC_SET_PERM);
1269
			audit_log_format(ab,
1270
				"qbytes=%lx ouid=%u ogid=%u mode=%#o",
1271
				context->ipc.qbytes,
1272
				context->ipc.perm_uid,
1273
				context->ipc.perm_gid,
1274
				context->ipc.perm_mode);
1275
			if (!ab)
1276
				return;
1277
		}
1278
		break; }
1279
	case AUDIT_MQ_OPEN: {
1280
		audit_log_format(ab,
1281
			"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
1282
			"mq_msgsize=%ld mq_curmsgs=%ld",
1283
			context->mq_open.oflag, context->mq_open.mode,
1284
			context->mq_open.attr.mq_flags,
1285
			context->mq_open.attr.mq_maxmsg,
1286
			context->mq_open.attr.mq_msgsize,
1287
			context->mq_open.attr.mq_curmsgs);
1288
		break; }
1289
	case AUDIT_MQ_SENDRECV: {
1290
		audit_log_format(ab,
1291
			"mqdes=%d msg_len=%zd msg_prio=%u "
1292
			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1293
			context->mq_sendrecv.mqdes,
1294
			context->mq_sendrecv.msg_len,
1295
			context->mq_sendrecv.msg_prio,
1296
			context->mq_sendrecv.abs_timeout.tv_sec,
1297
			context->mq_sendrecv.abs_timeout.tv_nsec);
1298
		break; }
1299
	case AUDIT_MQ_NOTIFY: {
1300
		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1301
				context->mq_notify.mqdes,
1302
				context->mq_notify.sigev_signo);
1303
		break; }
1304
	case AUDIT_MQ_GETSETATTR: {
1305
		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1306
		audit_log_format(ab,
1307
			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1308
			"mq_curmsgs=%ld ",
1309
			context->mq_getsetattr.mqdes,
1310
			attr->mq_flags, attr->mq_maxmsg,
1311
			attr->mq_msgsize, attr->mq_curmsgs);
1312
		break; }
1313
	case AUDIT_CAPSET: {
1314
		audit_log_format(ab, "pid=%d", context->capset.pid);
1315
		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1316
		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1317
		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1318
		break; }
1319
	case AUDIT_MMAP: {
1320
		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1321
				 context->mmap.flags);
1322
		break; }
1323
	}
1324
	audit_log_end(ab);
1325
}
1326

1327
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1328
{
1329
	const struct cred *cred;
1330
	int i, call_panic = 0;
1331
	struct audit_buffer *ab;
1332
	struct audit_aux_data *aux;
1333
	const char *tty;
1334

1335
	/* tsk == current */
1336
	context->pid = tsk->pid;
1337
	if (!context->ppid)
1338
		context->ppid = sys_getppid();
1339
	cred = current_cred();
1340
	context->uid   = cred->uid;
1341
	context->gid   = cred->gid;
1342
	context->euid  = cred->euid;
1343
	context->suid  = cred->suid;
1344
	context->fsuid = cred->fsuid;
1345
	context->egid  = cred->egid;
1346
	context->sgid  = cred->sgid;
1347
	context->fsgid = cred->fsgid;
1348
	context->personality = tsk->personality;
1349

1350
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1351
	if (!ab)
1352
		return;		/* audit_panic has been called */
1353
	audit_log_format(ab, "arch=%x syscall=%d",
1354
			 context->arch, context->major);
1355
	if (context->personality != PER_LINUX)
1356
		audit_log_format(ab, " per=%lx", context->personality);
1357
	if (context->return_valid)
1358
		audit_log_format(ab, " success=%s exit=%ld",
1359
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1360
				 context->return_code);
1361

1362
	spin_lock_irq(&tsk->sighand->siglock);
1363
	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1364
		tty = tsk->signal->tty->name;
1365
	else
1366
		tty = "(none)";
1367
	spin_unlock_irq(&tsk->sighand->siglock);
1368

1369
	audit_log_format(ab,
1370
		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1371
		  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1372
		  " euid=%u suid=%u fsuid=%u"
1373
		  " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1374
		  context->argv[0],
1375
		  context->argv[1],
1376
		  context->argv[2],
1377
		  context->argv[3],
1378
		  context->name_count,
1379
		  context->ppid,
1380
		  context->pid,
1381
		  tsk->loginuid,
1382
		  context->uid,
1383
		  context->gid,
1384
		  context->euid, context->suid, context->fsuid,
1385
		  context->egid, context->sgid, context->fsgid, tty,
1386
		  tsk->sessionid);
1387

1388

1389
	audit_log_task_info(ab, tsk);
1390
	audit_log_key(ab, context->filterkey);
1391
	audit_log_end(ab);
1392

1393
	for (aux = context->aux; aux; aux = aux->next) {
1394

1395
		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1396
		if (!ab)
1397
			continue; /* audit_panic has been called */
1398

1399
		switch (aux->type) {
1400

1401
		case AUDIT_EXECVE: {
1402
			struct audit_aux_data_execve *axi = (void *)aux;
1403
			audit_log_execve_info(context, &ab, axi);
1404
			break; }
1405

1406
		case AUDIT_BPRM_FCAPS: {
1407
			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1408
			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1409
			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1410
			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1411
			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1412
			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1413
			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1414
			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1415
			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1416
			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1417
			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1418
			break; }
1419

1420
		}
1421
		audit_log_end(ab);
1422
	}
1423

1424
	if (context->type)
1425
		show_special(context, &call_panic);
1426

1427
	if (context->fds[0] >= 0) {
1428
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1429
		if (ab) {
1430
			audit_log_format(ab, "fd0=%d fd1=%d",
1431
					context->fds[0], context->fds[1]);
1432
			audit_log_end(ab);
1433
		}
1434
	}
1435

1436
	if (context->sockaddr_len) {
1437
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1438
		if (ab) {
1439
			audit_log_format(ab, "saddr=");
1440
			audit_log_n_hex(ab, (void *)context->sockaddr,
1441
					context->sockaddr_len);
1442
			audit_log_end(ab);
1443
		}
1444
	}
1445

1446
	for (aux = context->aux_pids; aux; aux = aux->next) {
1447
		struct audit_aux_data_pids *axs = (void *)aux;
1448

1449
		for (i = 0; i < axs->pid_count; i++)
1450
			if (audit_log_pid_context(context, axs->target_pid[i],
1451
						  axs->target_auid[i],
1452
						  axs->target_uid[i],
1453
						  axs->target_sessionid[i],
1454
						  axs->target_sid[i],
1455
						  axs->target_comm[i]))
1456
				call_panic = 1;
1457
	}
1458

1459
	if (context->target_pid &&
1460
	    audit_log_pid_context(context, context->target_pid,
1461
				  context->target_auid, context->target_uid,
1462
				  context->target_sessionid,
1463
				  context->target_sid, context->target_comm))
1464
			call_panic = 1;
1465

1466
	if (context->pwd.dentry && context->pwd.mnt) {
1467
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1468
		if (ab) {
1469
			audit_log_d_path(ab, "cwd=", &context->pwd);
1470
			audit_log_end(ab);
1471
		}
1472
	}
1473
	for (i = 0; i < context->name_count; i++) {
1474
		struct audit_names *n = &context->names[i];
1475

1476
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1477
		if (!ab)
1478
			continue; /* audit_panic has been called */
1479

1480
		audit_log_format(ab, "item=%d", i);
1481

1482
		if (n->name) {
1483
			switch(n->name_len) {
1484
			case AUDIT_NAME_FULL:
1485
				/* log the full path */
1486
				audit_log_format(ab, " name=");
1487
				audit_log_untrustedstring(ab, n->name);
1488
				break;
1489
			case 0:
1490
				/* name was specified as a relative path and the
1491
				 * directory component is the cwd */
1492
				audit_log_d_path(ab, "name=", &context->pwd);
1493
				break;
1494
			default:
1495
				/* log the name's directory component */
1496
				audit_log_format(ab, " name=");
1497
				audit_log_n_untrustedstring(ab, n->name,
1498
							    n->name_len);
1499
			}
1500
		} else
1501
			audit_log_format(ab, " name=(null)");
1502

1503
		if (n->ino != (unsigned long)-1) {
1504
			audit_log_format(ab, " inode=%lu"
1505
					 " dev=%02x:%02x mode=%#o"
1506
					 " ouid=%u ogid=%u rdev=%02x:%02x",
1507
					 n->ino,
1508
					 MAJOR(n->dev),
1509
					 MINOR(n->dev),
1510
					 n->mode,
1511
					 n->uid,
1512
					 n->gid,
1513
					 MAJOR(n->rdev),
1514
					 MINOR(n->rdev));
1515
		}
1516
		if (n->osid != 0) {
1517
			char *ctx = NULL;
1518
			u32 len;
1519
			if (security_secid_to_secctx(
1520
				n->osid, &ctx, &len)) {
1521
				audit_log_format(ab, " osid=%u", n->osid);
1522
				call_panic = 2;
1523
			} else {
1524
				audit_log_format(ab, " obj=%s", ctx);
1525
				security_release_secctx(ctx, len);
1526
			}
1527
		}
1528

1529
		audit_log_fcaps(ab, n);
1530

1531
		audit_log_end(ab);
1532
	}
1533

1534
	/* Send end of event record to help user space know we are finished */
1535
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1536
	if (ab)
1537
		audit_log_end(ab);
1538
	if (call_panic)
1539
		audit_panic("error converting sid to string");
1540
}
1541

1542
/**
1543
 * audit_free - free a per-task audit context
1544
 * @tsk: task whose audit context block to free
1545
 *
1546
 * Called from copy_process and do_exit
1547
 */
1548
void audit_free(struct task_struct *tsk)
1549
{
1550
	struct audit_context *context;
1551

1552
	context = audit_get_context(tsk, 0, 0);
1553
	if (likely(!context))
1554
		return;
1555

1556
	/* Check for system calls that do not go through the exit
1557
	 * function (e.g., exit_group), then free context block.
1558
	 * We use GFP_ATOMIC here because we might be doing this
1559
	 * in the context of the idle thread */
1560
	/* that can happen only if we are called from do_exit() */
1561
	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1562
		audit_log_exit(context, tsk);
1563
	if (!list_empty(&context->killed_trees))
1564
		audit_kill_trees(&context->killed_trees);
1565

1566
	audit_free_context(context);
1567
}
1568

1569
/**
1570
 * audit_syscall_entry - fill in an audit record at syscall entry
1571
 * @arch: architecture type
1572
 * @major: major syscall type (function)
1573
 * @a1: additional syscall register 1
1574
 * @a2: additional syscall register 2
1575
 * @a3: additional syscall register 3
1576
 * @a4: additional syscall register 4
1577
 *
1578
 * Fill in audit context at syscall entry.  This only happens if the
1579
 * audit context was created when the task was created and the state or
1580
 * filters demand the audit context be built.  If the state from the
1581
 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1582
 * then the record will be written at syscall exit time (otherwise, it
1583
 * will only be written if another part of the kernel requests that it
1584
 * be written).
1585
 */
1586
void audit_syscall_entry(int arch, int major,
1587
			 unsigned long a1, unsigned long a2,
1588
			 unsigned long a3, unsigned long a4)
1589
{
1590
	struct task_struct *tsk = current;
1591
	struct audit_context *context = tsk->audit_context;
1592
	enum audit_state     state;
1593

1594
	if (unlikely(!context))
1595
		return;
1596

1597
	/*
1598
	 * This happens only on certain architectures that make system
1599
	 * calls in kernel_thread via the entry.S interface, instead of
1600
	 * with direct calls.  (If you are porting to a new
1601
	 * architecture, hitting this condition can indicate that you
1602
	 * got the _exit/_leave calls backward in entry.S.)
1603
	 *
1604
	 * i386     no
1605
	 * x86_64   no
1606
	 * ppc64    yes (see arch/powerpc/platforms/iseries/misc.S)
1607
	 *
1608
	 * This also happens with vm86 emulation in a non-nested manner
1609
	 * (entries without exits), so this case must be caught.
1610
	 */
1611
	if (context->in_syscall) {
1612
		struct audit_context *newctx;
1613

1614
#if AUDIT_DEBUG
1615
		printk(KERN_ERR
1616
		       "audit(:%d) pid=%d in syscall=%d;"
1617
		       " entering syscall=%d\n",
1618
		       context->serial, tsk->pid, context->major, major);
1619
#endif
1620
		newctx = audit_alloc_context(context->state);
1621
		if (newctx) {
1622
			newctx->previous   = context;
1623
			context		   = newctx;
1624
			tsk->audit_context = newctx;
1625
		} else	{
1626
			/* If we can't alloc a new context, the best we
1627
			 * can do is to leak memory (any pending putname
1628
			 * will be lost).  The only other alternative is
1629
			 * to abandon auditing. */
1630
			audit_zero_context(context, context->state);
1631
		}
1632
	}
1633
	BUG_ON(context->in_syscall || context->name_count);
1634

1635
	if (!audit_enabled)
1636
		return;
1637

1638
	context->arch	    = arch;
1639
	context->major      = major;
1640
	context->argv[0]    = a1;
1641
	context->argv[1]    = a2;
1642
	context->argv[2]    = a3;
1643
	context->argv[3]    = a4;
1644

1645
	state = context->state;
1646
	context->dummy = !audit_n_rules;
1647
	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1648
		context->prio = 0;
1649
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1650
	}
1651
	if (likely(state == AUDIT_DISABLED))
1652
		return;
1653

1654
	context->serial     = 0;
1655
	context->ctime      = CURRENT_TIME;
1656
	context->in_syscall = 1;
1657
	context->current_state  = state;
1658
	context->ppid       = 0;
1659
}
1660

1661
void audit_finish_fork(struct task_struct *child)
1662
{
1663
	struct audit_context *ctx = current->audit_context;
1664
	struct audit_context *p = child->audit_context;
1665
	if (!p || !ctx)
1666
		return;
1667
	if (!ctx->in_syscall || ctx->current_state != AUDIT_RECORD_CONTEXT)
1668
		return;
1669
	p->arch = ctx->arch;
1670
	p->major = ctx->major;
1671
	memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
1672
	p->ctime = ctx->ctime;
1673
	p->dummy = ctx->dummy;
1674
	p->in_syscall = ctx->in_syscall;
1675
	p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
1676
	p->ppid = current->pid;
1677
	p->prio = ctx->prio;
1678
	p->current_state = ctx->current_state;
1679
}
1680

1681
/**
1682
 * audit_syscall_exit - deallocate audit context after a system call
1683
 * @valid: success/failure flag
1684
 * @return_code: syscall return value
1685
 *
1686
 * Tear down after system call.  If the audit context has been marked as
1687
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1688
 * filtering, or because some other part of the kernel write an audit
1689
 * message), then write out the syscall information.  In call cases,
1690
 * free the names stored from getname().
1691
 */
1692
void audit_syscall_exit(int valid, long return_code)
1693
{
1694
	struct task_struct *tsk = current;
1695
	struct audit_context *context;
1696

1697
	context = audit_get_context(tsk, valid, return_code);
1698

1699
	if (likely(!context))
1700
		return;
1701

1702
	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1703
		audit_log_exit(context, tsk);
1704

1705
	context->in_syscall = 0;
1706
	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1707

1708
	if (!list_empty(&context->killed_trees))
1709
		audit_kill_trees(&context->killed_trees);
1710

1711
	if (context->previous) {
1712
		struct audit_context *new_context = context->previous;
1713
		context->previous  = NULL;
1714
		audit_free_context(context);
1715
		tsk->audit_context = new_context;
1716
	} else {
1717
		audit_free_names(context);
1718
		unroll_tree_refs(context, NULL, 0);
1719
		audit_free_aux(context);
1720
		context->aux = NULL;
1721
		context->aux_pids = NULL;
1722
		context->target_pid = 0;
1723
		context->target_sid = 0;
1724
		context->sockaddr_len = 0;
1725
		context->type = 0;
1726
		context->fds[0] = -1;
1727
		if (context->state != AUDIT_RECORD_CONTEXT) {
1728
			kfree(context->filterkey);
1729
			context->filterkey = NULL;
1730
		}
1731
		tsk->audit_context = context;
1732
	}
1733
}
1734

1735
static inline void handle_one(const struct inode *inode)
1736
{
1737
#ifdef CONFIG_AUDIT_TREE
1738
	struct audit_context *context;
1739
	struct audit_tree_refs *p;
1740
	struct audit_chunk *chunk;
1741
	int count;
1742
	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1743
		return;
1744
	context = current->audit_context;
1745
	p = context->trees;
1746
	count = context->tree_count;
1747
	rcu_read_lock();
1748
	chunk = audit_tree_lookup(inode);
1749
	rcu_read_unlock();
1750
	if (!chunk)
1751
		return;
1752
	if (likely(put_tree_ref(context, chunk)))
1753
		return;
1754
	if (unlikely(!grow_tree_refs(context))) {
1755
		printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1756
		audit_set_auditable(context);
1757
		audit_put_chunk(chunk);
1758
		unroll_tree_refs(context, p, count);
1759
		return;
1760
	}
1761
	put_tree_ref(context, chunk);
1762
#endif
1763
}
1764

1765
static void handle_path(const struct dentry *dentry)
1766
{
1767
#ifdef CONFIG_AUDIT_TREE
1768
	struct audit_context *context;
1769
	struct audit_tree_refs *p;
1770
	const struct dentry *d, *parent;
1771
	struct audit_chunk *drop;
1772
	unsigned long seq;
1773
	int count;
1774

1775
	context = current->audit_context;
1776
	p = context->trees;
1777
	count = context->tree_count;
1778
retry:
1779
	drop = NULL;
1780
	d = dentry;
1781
	rcu_read_lock();
1782
	seq = read_seqbegin(&rename_lock);
1783
	for(;;) {
1784
		struct inode *inode = d->d_inode;
1785
		if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1786
			struct audit_chunk *chunk;
1787
			chunk = audit_tree_lookup(inode);
1788
			if (chunk) {
1789
				if (unlikely(!put_tree_ref(context, chunk))) {
1790
					drop = chunk;
1791
					break;
1792
				}
1793
			}
1794
		}
1795
		parent = d->d_parent;
1796
		if (parent == d)
1797
			break;
1798
		d = parent;
1799
	}
1800
	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1801
		rcu_read_unlock();
1802
		if (!drop) {
1803
			/* just a race with rename */
1804
			unroll_tree_refs(context, p, count);
1805
			goto retry;
1806
		}
1807
		audit_put_chunk(drop);
1808
		if (grow_tree_refs(context)) {
1809
			/* OK, got more space */
1810
			unroll_tree_refs(context, p, count);
1811
			goto retry;
1812
		}
1813
		/* too bad */
1814
		printk(KERN_WARNING
1815
			"out of memory, audit has lost a tree reference\n");
1816
		unroll_tree_refs(context, p, count);
1817
		audit_set_auditable(context);
1818
		return;
1819
	}
1820
	rcu_read_unlock();
1821
#endif
1822
}
1823

1824
/**
1825
 * audit_getname - add a name to the list
1826
 * @name: name to add
1827
 *
1828
 * Add a name to the list of audit names for this context.
1829
 * Called from fs/namei.c:getname().
1830
 */
1831
void __audit_getname(const char *name)
1832
{
1833
	struct audit_context *context = current->audit_context;
1834

1835
	if (IS_ERR(name) || !name)
1836
		return;
1837

1838
	if (!context->in_syscall) {
1839
#if AUDIT_DEBUG == 2
1840
		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1841
		       __FILE__, __LINE__, context->serial, name);
1842
		dump_stack();
1843
#endif
1844
		return;
1845
	}
1846
	BUG_ON(context->name_count >= AUDIT_NAMES);
1847
	context->names[context->name_count].name = name;
1848
	context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1849
	context->names[context->name_count].name_put = 1;
1850
	context->names[context->name_count].ino  = (unsigned long)-1;
1851
	context->names[context->name_count].osid = 0;
1852
	++context->name_count;
1853
	if (!context->pwd.dentry)
1854
		get_fs_pwd(current->fs, &context->pwd);
1855
}
1856

1857
/* audit_putname - intercept a putname request
1858
 * @name: name to intercept and delay for putname
1859
 *
1860
 * If we have stored the name from getname in the audit context,
1861
 * then we delay the putname until syscall exit.
1862
 * Called from include/linux/fs.h:putname().
1863
 */
1864
void audit_putname(const char *name)
1865
{
1866
	struct audit_context *context = current->audit_context;
1867

1868
	BUG_ON(!context);
1869
	if (!context->in_syscall) {
1870
#if AUDIT_DEBUG == 2
1871
		printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1872
		       __FILE__, __LINE__, context->serial, name);
1873
		if (context->name_count) {
1874
			int i;
1875
			for (i = 0; i < context->name_count; i++)
1876
				printk(KERN_ERR "name[%d] = %p = %s\n", i,
1877
				       context->names[i].name,
1878
				       context->names[i].name ?: "(null)");
1879
		}
1880
#endif
1881
		__putname(name);
1882
	}
1883
#if AUDIT_DEBUG
1884
	else {
1885
		++context->put_count;
1886
		if (context->put_count > context->name_count) {
1887
			printk(KERN_ERR "%s:%d(:%d): major=%d"
1888
			       " in_syscall=%d putname(%p) name_count=%d"
1889
			       " put_count=%d\n",
1890
			       __FILE__, __LINE__,
1891
			       context->serial, context->major,
1892
			       context->in_syscall, name, context->name_count,
1893
			       context->put_count);
1894
			dump_stack();
1895
		}
1896
	}
1897
#endif
1898
}
1899

1900
static int audit_inc_name_count(struct audit_context *context,
1901
				const struct inode *inode)
1902
{
1903
	if (context->name_count >= AUDIT_NAMES) {
1904
		if (inode)
1905
			printk(KERN_DEBUG "audit: name_count maxed, losing inode data: "
1906
			       "dev=%02x:%02x, inode=%lu\n",
1907
			       MAJOR(inode->i_sb->s_dev),
1908
			       MINOR(inode->i_sb->s_dev),
1909
			       inode->i_ino);
1910

1911
		else
1912
			printk(KERN_DEBUG "name_count maxed, losing inode data\n");
1913
		return 1;
1914
	}
1915
	context->name_count++;
1916
#if AUDIT_DEBUG
1917
	context->ino_count++;
1918
#endif
1919
	return 0;
1920
}
1921

1922

1923
static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
1924
{
1925
	struct cpu_vfs_cap_data caps;
1926
	int rc;
1927

1928
	memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
1929
	memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
1930
	name->fcap.fE = 0;
1931
	name->fcap_ver = 0;
1932

1933
	if (!dentry)
1934
		return 0;
1935

1936
	rc = get_vfs_caps_from_disk(dentry, &caps);
1937
	if (rc)
1938
		return rc;
1939

1940
	name->fcap.permitted = caps.permitted;
1941
	name->fcap.inheritable = caps.inheritable;
1942
	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
1943
	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
1944

1945
	return 0;
1946
}
1947

1948

1949
/* Copy inode data into an audit_names. */
1950
static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
1951
			     const struct inode *inode)
1952
{
1953
	name->ino   = inode->i_ino;
1954
	name->dev   = inode->i_sb->s_dev;
1955
	name->mode  = inode->i_mode;
1956
	name->uid   = inode->i_uid;
1957
	name->gid   = inode->i_gid;
1958
	name->rdev  = inode->i_rdev;
1959
	security_inode_getsecid(inode, &name->osid);
1960
	audit_copy_fcaps(name, dentry);
1961
}
1962

1963
/**
1964
 * audit_inode - store the inode and device from a lookup
1965
 * @name: name being audited
1966
 * @dentry: dentry being audited
1967
 *
1968
 * Called from fs/namei.c:path_lookup().
1969
 */
1970
void __audit_inode(const char *name, const struct dentry *dentry)
1971
{
1972
	int idx;
1973
	struct audit_context *context = current->audit_context;
1974
	const struct inode *inode = dentry->d_inode;
1975

1976
	if (!context->in_syscall)
1977
		return;
1978
	if (context->name_count
1979
	    && context->names[context->name_count-1].name
1980
	    && context->names[context->name_count-1].name == name)
1981
		idx = context->name_count - 1;
1982
	else if (context->name_count > 1
1983
		 && context->names[context->name_count-2].name
1984
		 && context->names[context->name_count-2].name == name)
1985
		idx = context->name_count - 2;
1986
	else {
1987
		/* FIXME: how much do we care about inodes that have no
1988
		 * associated name? */
1989
		if (audit_inc_name_count(context, inode))
1990
			return;
1991
		idx = context->name_count - 1;
1992
		context->names[idx].name = NULL;
1993
	}
1994
	handle_path(dentry);
1995
	audit_copy_inode(&context->names[idx], dentry, inode);
1996
}
1997

1998
/**
1999
 * audit_inode_child - collect inode info for created/removed objects
2000
 * @dentry: dentry being audited
2001
 * @parent: inode of dentry parent
2002
 *
2003
 * For syscalls that create or remove filesystem objects, audit_inode
2004
 * can only collect information for the filesystem object's parent.
2005
 * This call updates the audit context with the child's information.
2006
 * Syscalls that create a new filesystem object must be hooked after
2007
 * the object is created.  Syscalls that remove a filesystem object
2008
 * must be hooked prior, in order to capture the target inode during
2009
 * unsuccessful attempts.
2010
 */
2011
void __audit_inode_child(const struct dentry *dentry,
2012
			 const struct inode *parent)
2013
{
2014
	int idx;
2015
	struct audit_context *context = current->audit_context;
2016
	const char *found_parent = NULL, *found_child = NULL;
2017
	const struct inode *inode = dentry->d_inode;
2018
	const char *dname = dentry->d_name.name;
2019
	int dirlen = 0;
2020

2021
	if (!context->in_syscall)
2022
		return;
2023

2024
	if (inode)
2025
		handle_one(inode);
2026

2027
	/* parent is more likely, look for it first */
2028
	for (idx = 0; idx < context->name_count; idx++) {
2029
		struct audit_names *n = &context->names[idx];
2030

2031
		if (!n->name)
2032
			continue;
2033

2034
		if (n->ino == parent->i_ino &&
2035
		    !audit_compare_dname_path(dname, n->name, &dirlen)) {
2036
			n->name_len = dirlen; /* update parent data in place */
2037
			found_parent = n->name;
2038
			goto add_names;
2039
		}
2040
	}
2041

2042
	/* no matching parent, look for matching child */
2043
	for (idx = 0; idx < context->name_count; idx++) {
2044
		struct audit_names *n = &context->names[idx];
2045

2046
		if (!n->name)
2047
			continue;
2048

2049
		/* strcmp() is the more likely scenario */
2050
		if (!strcmp(dname, n->name) ||
2051
		     !audit_compare_dname_path(dname, n->name, &dirlen)) {
2052
			if (inode)
2053
				audit_copy_inode(n, NULL, inode);
2054
			else
2055
				n->ino = (unsigned long)-1;
2056
			found_child = n->name;
2057
			goto add_names;
2058
		}
2059
	}
2060

2061
add_names:
2062
	if (!found_parent) {
2063
		if (audit_inc_name_count(context, parent))
2064
			return;
2065
		idx = context->name_count - 1;
2066
		context->names[idx].name = NULL;
2067
		audit_copy_inode(&context->names[idx], NULL, parent);
2068
	}
2069

2070
	if (!found_child) {
2071
		if (audit_inc_name_count(context, inode))
2072
			return;
2073
		idx = context->name_count - 1;
2074

2075
		/* Re-use the name belonging to the slot for a matching parent
2076
		 * directory. All names for this context are relinquished in
2077
		 * audit_free_names() */
2078
		if (found_parent) {
2079
			context->names[idx].name = found_parent;
2080
			context->names[idx].name_len = AUDIT_NAME_FULL;
2081
			/* don't call __putname() */
2082
			context->names[idx].name_put = 0;
2083
		} else {
2084
			context->names[idx].name = NULL;
2085
		}
2086

2087
		if (inode)
2088
			audit_copy_inode(&context->names[idx], NULL, inode);
2089
		else
2090
			context->names[idx].ino = (unsigned long)-1;
2091
	}
2092
}
2093
EXPORT_SYMBOL_GPL(__audit_inode_child);
2094

2095
/**
2096
 * auditsc_get_stamp - get local copies of audit_context values
2097
 * @ctx: audit_context for the task
2098
 * @t: timespec to store time recorded in the audit_context
2099
 * @serial: serial value that is recorded in the audit_context
2100
 *
2101
 * Also sets the context as auditable.
2102
 */
2103
int auditsc_get_stamp(struct audit_context *ctx,
2104
		       struct timespec *t, unsigned int *serial)
2105
{
2106
	if (!ctx->in_syscall)
2107
		return 0;
2108
	if (!ctx->serial)
2109
		ctx->serial = audit_serial();
2110
	t->tv_sec  = ctx->ctime.tv_sec;
2111
	t->tv_nsec = ctx->ctime.tv_nsec;
2112
	*serial    = ctx->serial;
2113
	if (!ctx->prio) {
2114
		ctx->prio = 1;
2115
		ctx->current_state = AUDIT_RECORD_CONTEXT;
2116
	}
2117
	return 1;
2118
}
2119

2120
/* global counter which is incremented every time something logs in */
2121
static atomic_t session_id = ATOMIC_INIT(0);
2122

2123
/**
2124
 * audit_set_loginuid - set a task's audit_context loginuid
2125
 * @task: task whose audit context is being modified
2126
 * @loginuid: loginuid value
2127
 *
2128
 * Returns 0.
2129
 *
2130
 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2131
 */
2132
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
2133
{
2134
	unsigned int sessionid = atomic_inc_return(&session_id);
2135
	struct audit_context *context = task->audit_context;
2136

2137
	if (context && context->in_syscall) {
2138
		struct audit_buffer *ab;
2139

2140
		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2141
		if (ab) {
2142
			audit_log_format(ab, "login pid=%d uid=%u "
2143
				"old auid=%u new auid=%u"
2144
				" old ses=%u new ses=%u",
2145
				task->pid, task_uid(task),
2146
				task->loginuid, loginuid,
2147
				task->sessionid, sessionid);
2148
			audit_log_end(ab);
2149
		}
2150
	}
2151
	task->sessionid = sessionid;
2152
	task->loginuid = loginuid;
2153
	return 0;
2154
}
2155

2156
/**
2157
 * __audit_mq_open - record audit data for a POSIX MQ open
2158
 * @oflag: open flag
2159
 * @mode: mode bits
2160
 * @attr: queue attributes
2161
 *
2162
 */
2163
void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
2164
{
2165
	struct audit_context *context = current->audit_context;
2166

2167
	if (attr)
2168
		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2169
	else
2170
		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2171

2172
	context->mq_open.oflag = oflag;
2173
	context->mq_open.mode = mode;
2174

2175
	context->type = AUDIT_MQ_OPEN;
2176
}
2177

2178
/**
2179
 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2180
 * @mqdes: MQ descriptor
2181
 * @msg_len: Message length
2182
 * @msg_prio: Message priority
2183
 * @abs_timeout: Message timeout in absolute time
2184
 *
2185
 */
2186
void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2187
			const struct timespec *abs_timeout)
2188
{
2189
	struct audit_context *context = current->audit_context;
2190
	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2191

2192
	if (abs_timeout)
2193
		memcpy(p, abs_timeout, sizeof(struct timespec));
2194
	else
2195
		memset(p, 0, sizeof(struct timespec));
2196

2197
	context->mq_sendrecv.mqdes = mqdes;
2198
	context->mq_sendrecv.msg_len = msg_len;
2199
	context->mq_sendrecv.msg_prio = msg_prio;
2200

2201
	context->type = AUDIT_MQ_SENDRECV;
2202
}
2203

2204
/**
2205
 * __audit_mq_notify - record audit data for a POSIX MQ notify
2206
 * @mqdes: MQ descriptor
2207
 * @notification: Notification event
2208
 *
2209
 */
2210

2211
void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2212
{
2213
	struct audit_context *context = current->audit_context;
2214

2215
	if (notification)
2216
		context->mq_notify.sigev_signo = notification->sigev_signo;
2217
	else
2218
		context->mq_notify.sigev_signo = 0;
2219

2220
	context->mq_notify.mqdes = mqdes;
2221
	context->type = AUDIT_MQ_NOTIFY;
2222
}
2223

2224
/**
2225
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2226
 * @mqdes: MQ descriptor
2227
 * @mqstat: MQ flags
2228
 *
2229
 */
2230
void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2231
{
2232
	struct audit_context *context = current->audit_context;
2233
	context->mq_getsetattr.mqdes = mqdes;
2234
	context->mq_getsetattr.mqstat = *mqstat;
2235
	context->type = AUDIT_MQ_GETSETATTR;
2236
}
2237

2238
/**
2239
 * audit_ipc_obj - record audit data for ipc object
2240
 * @ipcp: ipc permissions
2241
 *
2242
 */
2243
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2244
{
2245
	struct audit_context *context = current->audit_context;
2246
	context->ipc.uid = ipcp->uid;
2247
	context->ipc.gid = ipcp->gid;
2248
	context->ipc.mode = ipcp->mode;
2249
	context->ipc.has_perm = 0;
2250
	security_ipc_getsecid(ipcp, &context->ipc.osid);
2251
	context->type = AUDIT_IPC;
2252
}
2253

2254
/**
2255
 * audit_ipc_set_perm - record audit data for new ipc permissions
2256
 * @qbytes: msgq bytes
2257
 * @uid: msgq user id
2258
 * @gid: msgq group id
2259
 * @mode: msgq mode (permissions)
2260
 *
2261
 * Called only after audit_ipc_obj().
2262
 */
2263
void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
2264
{
2265
	struct audit_context *context = current->audit_context;
2266

2267
	context->ipc.qbytes = qbytes;
2268
	context->ipc.perm_uid = uid;
2269
	context->ipc.perm_gid = gid;
2270
	context->ipc.perm_mode = mode;
2271
	context->ipc.has_perm = 1;
2272
}
2273

2274
int audit_bprm(struct linux_binprm *bprm)
2275
{
2276
	struct audit_aux_data_execve *ax;
2277
	struct audit_context *context = current->audit_context;
2278

2279
	if (likely(!audit_enabled || !context || context->dummy))
2280
		return 0;
2281

2282
	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2283
	if (!ax)
2284
		return -ENOMEM;
2285

2286
	ax->argc = bprm->argc;
2287
	ax->envc = bprm->envc;
2288
	ax->mm = bprm->mm;
2289
	ax->d.type = AUDIT_EXECVE;
2290
	ax->d.next = context->aux;
2291
	context->aux = (void *)ax;
2292
	return 0;
2293
}
2294

2295

2296
/**
2297
 * audit_socketcall - record audit data for sys_socketcall
2298
 * @nargs: number of args
2299
 * @args: args array
2300
 *
2301
 */
2302
void audit_socketcall(int nargs, unsigned long *args)
2303
{
2304
	struct audit_context *context = current->audit_context;
2305

2306
	if (likely(!context || context->dummy))
2307
		return;
2308

2309
	context->type = AUDIT_SOCKETCALL;
2310
	context->socketcall.nargs = nargs;
2311
	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2312
}
2313

2314
/**
2315
 * __audit_fd_pair - record audit data for pipe and socketpair
2316
 * @fd1: the first file descriptor
2317
 * @fd2: the second file descriptor
2318
 *
2319
 */
2320
void __audit_fd_pair(int fd1, int fd2)
2321
{
2322
	struct audit_context *context = current->audit_context;
2323
	context->fds[0] = fd1;
2324
	context->fds[1] = fd2;
2325
}
2326

2327
/**
2328
 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2329
 * @len: data length in user space
2330
 * @a: data address in kernel space
2331
 *
2332
 * Returns 0 for success or NULL context or < 0 on error.
2333
 */
2334
int audit_sockaddr(int len, void *a)
2335
{
2336
	struct audit_context *context = current->audit_context;
2337

2338
	if (likely(!context || context->dummy))
2339
		return 0;
2340

2341
	if (!context->sockaddr) {
2342
		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2343
		if (!p)
2344
			return -ENOMEM;
2345
		context->sockaddr = p;
2346
	}
2347

2348
	context->sockaddr_len = len;
2349
	memcpy(context->sockaddr, a, len);
2350
	return 0;
2351
}
2352

2353
void __audit_ptrace(struct task_struct *t)
2354
{
2355
	struct audit_context *context = current->audit_context;
2356

2357
	context->target_pid = t->pid;
2358
	context->target_auid = audit_get_loginuid(t);
2359
	context->target_uid = task_uid(t);
2360
	context->target_sessionid = audit_get_sessionid(t);
2361
	security_task_getsecid(t, &context->target_sid);
2362
	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2363
}
2364

2365
/**
2366
 * audit_signal_info - record signal info for shutting down audit subsystem
2367
 * @sig: signal value
2368
 * @t: task being signaled
2369
 *
2370
 * If the audit subsystem is being terminated, record the task (pid)
2371
 * and uid that is doing that.
2372
 */
2373
int __audit_signal_info(int sig, struct task_struct *t)
2374
{
2375
	struct audit_aux_data_pids *axp;
2376
	struct task_struct *tsk = current;
2377
	struct audit_context *ctx = tsk->audit_context;
2378
	uid_t uid = current_uid(), t_uid = task_uid(t);
2379

2380
	if (audit_pid && t->tgid == audit_pid) {
2381
		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2382
			audit_sig_pid = tsk->pid;
2383
			if (tsk->loginuid != -1)
2384
				audit_sig_uid = tsk->loginuid;
2385
			else
2386
				audit_sig_uid = uid;
2387
			security_task_getsecid(tsk, &audit_sig_sid);
2388
		}
2389
		if (!audit_signals || audit_dummy_context())
2390
			return 0;
2391
	}
2392

2393
	/* optimize the common case by putting first signal recipient directly
2394
	 * in audit_context */
2395
	if (!ctx->target_pid) {
2396
		ctx->target_pid = t->tgid;
2397
		ctx->target_auid = audit_get_loginuid(t);
2398
		ctx->target_uid = t_uid;
2399
		ctx->target_sessionid = audit_get_sessionid(t);
2400
		security_task_getsecid(t, &ctx->target_sid);
2401
		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2402
		return 0;
2403
	}
2404

2405
	axp = (void *)ctx->aux_pids;
2406
	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2407
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2408
		if (!axp)
2409
			return -ENOMEM;
2410

2411
		axp->d.type = AUDIT_OBJ_PID;
2412
		axp->d.next = ctx->aux_pids;
2413
		ctx->aux_pids = (void *)axp;
2414
	}
2415
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2416

2417
	axp->target_pid[axp->pid_count] = t->tgid;
2418
	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2419
	axp->target_uid[axp->pid_count] = t_uid;
2420
	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2421
	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2422
	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2423
	axp->pid_count++;
2424

2425
	return 0;
2426
}
2427

2428
/**
2429
 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2430
 * @bprm: pointer to the bprm being processed
2431
 * @new: the proposed new credentials
2432
 * @old: the old credentials
2433
 *
2434
 * Simply check if the proc already has the caps given by the file and if not
2435
 * store the priv escalation info for later auditing at the end of the syscall
2436
 *
2437
 * -Eric
2438
 */
2439
int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2440
			   const struct cred *new, const struct cred *old)
2441
{
2442
	struct audit_aux_data_bprm_fcaps *ax;
2443
	struct audit_context *context = current->audit_context;
2444
	struct cpu_vfs_cap_data vcaps;
2445
	struct dentry *dentry;
2446

2447
	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2448
	if (!ax)
2449
		return -ENOMEM;
2450

2451
	ax->d.type = AUDIT_BPRM_FCAPS;
2452
	ax->d.next = context->aux;
2453
	context->aux = (void *)ax;
2454

2455
	dentry = dget(bprm->file->f_dentry);
2456
	get_vfs_caps_from_disk(dentry, &vcaps);
2457
	dput(dentry);
2458

2459
	ax->fcap.permitted = vcaps.permitted;
2460
	ax->fcap.inheritable = vcaps.inheritable;
2461
	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2462
	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2463

2464
	ax->old_pcap.permitted   = old->cap_permitted;
2465
	ax->old_pcap.inheritable = old->cap_inheritable;
2466
	ax->old_pcap.effective   = old->cap_effective;
2467

2468
	ax->new_pcap.permitted   = new->cap_permitted;
2469
	ax->new_pcap.inheritable = new->cap_inheritable;
2470
	ax->new_pcap.effective   = new->cap_effective;
2471
	return 0;
2472
}
2473

2474
/**
2475
 * __audit_log_capset - store information about the arguments to the capset syscall
2476
 * @pid: target pid of the capset call
2477
 * @new: the new credentials
2478
 * @old: the old (current) credentials
2479
 *
2480
 * Record the aguments userspace sent to sys_capset for later printing by the
2481
 * audit system if applicable
2482
 */
2483
void __audit_log_capset(pid_t pid,
2484
		       const struct cred *new, const struct cred *old)
2485
{
2486
	struct audit_context *context = current->audit_context;
2487
	context->capset.pid = pid;
2488
	context->capset.cap.effective   = new->cap_effective;
2489
	context->capset.cap.inheritable = new->cap_effective;
2490
	context->capset.cap.permitted   = new->cap_permitted;
2491
	context->type = AUDIT_CAPSET;
2492
}
2493

2494
void __audit_mmap_fd(int fd, int flags)
2495
{
2496
	struct audit_context *context = current->audit_context;
2497
	context->mmap.fd = fd;
2498
	context->mmap.flags = flags;
2499
	context->type = AUDIT_MMAP;
2500
}
2501

2502
/**
2503
 * audit_core_dumps - record information about processes that end abnormally
2504
 * @signr: signal value
2505
 *
2506
 * If a process ends with a core dump, something fishy is going on and we
2507
 * should record the event for investigation.
2508
 */
2509
void audit_core_dumps(long signr)
2510
{
2511
	struct audit_buffer *ab;
2512
	u32 sid;
2513
	uid_t auid = audit_get_loginuid(current), uid;
2514
	gid_t gid;
2515
	unsigned int sessionid = audit_get_sessionid(current);
2516

2517
	if (!audit_enabled)
2518
		return;
2519

2520
	if (signr == SIGQUIT)	/* don't care for those */
2521
		return;
2522

2523
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2524
	current_uid_gid(&uid, &gid);
2525
	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2526
			 auid, uid, gid, sessionid);
2527
	security_task_getsecid(current, &sid);
2528
	if (sid) {
2529
		char *ctx = NULL;
2530
		u32 len;
2531

2532
		if (security_secid_to_secctx(sid, &ctx, &len))
2533
			audit_log_format(ab, " ssid=%u", sid);
2534
		else {
2535
			audit_log_format(ab, " subj=%s", ctx);
2536
			security_release_secctx(ctx, len);
2537
		}
2538
	}
2539
	audit_log_format(ab, " pid=%d comm=", current->pid);
2540
	audit_log_untrustedstring(ab, current->comm);
2541
	audit_log_format(ab, " sig=%ld", signr);
2542
	audit_log_end(ab);
2543
}
2544

2545
struct list_head *audit_killed_trees(void)
2546
{
2547
	struct audit_context *ctx = current->audit_context;
2548
	if (likely(!ctx || !ctx->in_syscall))
2549
		return NULL;
2550
	return &ctx->killed_trees;
2551
}
2552

2553