1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/* audit.c -- Auditing support
3
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
4
 * System-call specific features have moved to auditsc.c
5
 *
6
 * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
7
 * All Rights Reserved.
8
 *
9
 * Written by Rickard E. (Rik) Faith <[email protected]>
10
 *
11
 * Goals: 1) Integrate fully with Security Modules.
12
 *	  2) Minimal run-time overhead:
13
 *	     a) Minimal when syscall auditing is disabled (audit_enable=0).
14
 *	     b) Small when syscall auditing is enabled and no audit record
15
 *		is generated (defer as much work as possible to record
16
 *		generation time):
17
 *		i) context is allocated,
18
 *		ii) names from getname are stored without a copy, and
19
 *		iii) inode information stored from path_lookup.
20
 *	  3) Ability to disable syscall auditing at boot time (audit=0).
21
 *	  4) Usable by other parts of the kernel (if audit_log* is called,
22
 *	     then a syscall record will be generated automatically for the
23
 *	     current syscall).
24
 *	  5) Netlink interface to user-space.
25
 *	  6) Support low-overhead kernel-based filtering to minimize the
26
 *	     information that must be passed to user-space.
27
 *
28
 * Audit userspace, documentation, tests, and bug/issue trackers:
29
 * 	https://github.com/linux-audit
30
 */
31

32
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33

34
#include <linux/file.h>
35
#include <linux/init.h>
36
#include <linux/types.h>
37
#include <linux/atomic.h>
38
#include <linux/mm.h>
39
#include <linux/export.h>
40
#include <linux/slab.h>
41
#include <linux/err.h>
42
#include <linux/kthread.h>
43
#include <linux/kernel.h>
44
#include <linux/syscalls.h>
45
#include <linux/spinlock.h>
46
#include <linux/rcupdate.h>
47
#include <linux/mutex.h>
48
#include <linux/gfp.h>
49
#include <linux/pid.h>
50

51
#include <linux/audit.h>
52

53
#include <net/sock.h>
54
#include <net/netlink.h>
55
#include <linux/skbuff.h>
56
#include <linux/security.h>
57
#include <linux/freezer.h>
58
#include <linux/pid_namespace.h>
59
#include <net/netns/generic.h>
60

61
#include "audit.h"
62

63
/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
64
 * (Initialization happens after skb_init is called.) */
65
#define AUDIT_DISABLED		-1
66
#define AUDIT_UNINITIALIZED	0
67
#define AUDIT_INITIALIZED	1
68
static int	audit_initialized = AUDIT_UNINITIALIZED;
69

70
u32		audit_enabled = AUDIT_OFF;
71
bool		audit_ever_enabled = !!AUDIT_OFF;
72

73
EXPORT_SYMBOL_GPL(audit_enabled);
74

75
/* Default state when kernel boots without any parameters. */
76
static u32	audit_default = AUDIT_OFF;
77

78
/* If auditing cannot proceed, audit_failure selects what happens. */
79
static u32	audit_failure = AUDIT_FAIL_PRINTK;
80

81
/* private audit network namespace index */
82
static unsigned int audit_net_id;
83

84
/**
85
 * struct audit_net - audit private network namespace data
86
 * @sk: communication socket
87
 */
88
struct audit_net {
89
	struct sock *sk;
90
};
91

92
/**
93
 * struct auditd_connection - kernel/auditd connection state
94
 * @pid: auditd PID
95
 * @portid: netlink portid
96
 * @net: the associated network namespace
97
 * @rcu: RCU head
98
 *
99
 * Description:
100
 * This struct is RCU protected; you must either hold the RCU lock for reading
101
 * or the associated spinlock for writing.
102
 */
103
struct auditd_connection {
104
	struct pid *pid;
105
	u32 portid;
106
	struct net *net;
107
	struct rcu_head rcu;
108
};
109
static struct auditd_connection __rcu *auditd_conn;
110
static DEFINE_SPINLOCK(auditd_conn_lock);
111

112
/* If audit_rate_limit is non-zero, limit the rate of sending audit records
113
 * to that number per second.  This prevents DoS attacks, but results in
114
 * audit records being dropped. */
115
static u32	audit_rate_limit;
116

117
/* Number of outstanding audit_buffers allowed.
118
 * When set to zero, this means unlimited. */
119
static u32	audit_backlog_limit = 64;
120
#define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
121
static u32	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
122

123
/* The identity of the user shutting down the audit system. */
124
static kuid_t		audit_sig_uid = INVALID_UID;
125
static pid_t		audit_sig_pid = -1;
126
static struct lsm_prop	audit_sig_lsm;
127

128
/* Records can be lost in several ways:
129
   0) [suppressed in audit_alloc]
130
   1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
131
   2) out of memory in audit_log_move [alloc_skb]
132
   3) suppressed due to audit_rate_limit
133
   4) suppressed due to audit_backlog_limit
134
*/
135
static atomic_t	audit_lost = ATOMIC_INIT(0);
136

137
/* Monotonically increasing sum of time the kernel has spent
138
 * waiting while the backlog limit is exceeded.
139
 */
140
static atomic_t audit_backlog_wait_time_actual = ATOMIC_INIT(0);
141

142
/* Hash for inode-based rules */
143
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
144

145
static struct kmem_cache *audit_buffer_cache;
146

147
/* queue msgs to send via kauditd_task */
148
static struct sk_buff_head audit_queue;
149
/* queue msgs due to temporary unicast send problems */
150
static struct sk_buff_head audit_retry_queue;
151
/* queue msgs waiting for new auditd connection */
152
static struct sk_buff_head audit_hold_queue;
153

154
/* queue servicing thread */
155
static struct task_struct *kauditd_task;
156
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
157

158
/* waitqueue for callers who are blocked on the audit backlog */
159
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
160

161
static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
162
				   .mask = -1,
163
				   .features = 0,
164
				   .lock = 0,};
165

166
static char *audit_feature_names[2] = {
167
	"only_unset_loginuid",
168
	"loginuid_immutable",
169
};
170

171
/**
172
 * struct audit_ctl_mutex - serialize requests from userspace
173
 * @lock: the mutex used for locking
174
 * @owner: the task which owns the lock
175
 *
176
 * Description:
177
 * This is the lock struct used to ensure we only process userspace requests
178
 * in an orderly fashion.  We can't simply use a mutex/lock here because we
179
 * need to track lock ownership so we don't end up blocking the lock owner in
180
 * audit_log_start() or similar.
181
 */
182
static struct audit_ctl_mutex {
183
	struct mutex lock;
184
	void *owner;
185
} audit_cmd_mutex;
186

187
/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
188
 * audit records.  Since printk uses a 1024 byte buffer, this buffer
189
 * should be at least that large. */
190
#define AUDIT_BUFSIZ 1024
191

192
/* The audit_buffer is used when formatting an audit record.  The caller
193
 * locks briefly to get the record off the freelist or to allocate the
194
 * buffer, and locks briefly to send the buffer to the netlink layer or
195
 * to place it on a transmit queue.  Multiple audit_buffers can be in
196
 * use simultaneously. */
197
struct audit_buffer {
198
	struct sk_buff       *skb;	/* formatted skb ready to send */
199
	struct audit_context *ctx;	/* NULL or associated context */
200
	gfp_t		     gfp_mask;
201
};
202

203
struct audit_reply {
204
	__u32 portid;
205
	struct net *net;
206
	struct sk_buff *skb;
207
};
208

209
/**
210
 * auditd_test_task - Check to see if a given task is an audit daemon
211
 * @task: the task to check
212
 *
213
 * Description:
214
 * Return 1 if the task is a registered audit daemon, 0 otherwise.
215
 */
216
int auditd_test_task(struct task_struct *task)
217
{
218
	int rc;
219
	struct auditd_connection *ac;
220

221
	rcu_read_lock();
222
	ac = rcu_dereference(auditd_conn);
223
	rc = (ac && ac->pid == task_tgid(task) ? 1 : 0);
224
	rcu_read_unlock();
225

226
	return rc;
227
}
228

229
/**
230
 * audit_ctl_lock - Take the audit control lock
231
 */
232
void audit_ctl_lock(void)
233
{
234
	mutex_lock(&audit_cmd_mutex.lock);
235
	audit_cmd_mutex.owner = current;
236
}
237

238
/**
239
 * audit_ctl_unlock - Drop the audit control lock
240
 */
241
void audit_ctl_unlock(void)
242
{
243
	audit_cmd_mutex.owner = NULL;
244
	mutex_unlock(&audit_cmd_mutex.lock);
245
}
246

247
/**
248
 * audit_ctl_owner_current - Test to see if the current task owns the lock
249
 *
250
 * Description:
251
 * Return true if the current task owns the audit control lock, false if it
252
 * doesn't own the lock.
253
 */
254
static bool audit_ctl_owner_current(void)
255
{
256
	return (current == audit_cmd_mutex.owner);
257
}
258

259
/**
260
 * auditd_pid_vnr - Return the auditd PID relative to the namespace
261
 *
262
 * Description:
263
 * Returns the PID in relation to the namespace, 0 on failure.
264
 */
265
static pid_t auditd_pid_vnr(void)
266
{
267
	pid_t pid;
268
	const struct auditd_connection *ac;
269

270
	rcu_read_lock();
271
	ac = rcu_dereference(auditd_conn);
272
	if (!ac || !ac->pid)
273
		pid = 0;
274
	else
275
		pid = pid_vnr(ac->pid);
276
	rcu_read_unlock();
277

278
	return pid;
279
}
280

281
/**
282
 * audit_get_sk - Return the audit socket for the given network namespace
283
 * @net: the destination network namespace
284
 *
285
 * Description:
286
 * Returns the sock pointer if valid, NULL otherwise.  The caller must ensure
287
 * that a reference is held for the network namespace while the sock is in use.
288
 */
289
static struct sock *audit_get_sk(const struct net *net)
290
{
291
	struct audit_net *aunet;
292

293
	if (!net)
294
		return NULL;
295

296
	aunet = net_generic(net, audit_net_id);
297
	return aunet->sk;
298
}
299

300
void audit_panic(const char *message)
301
{
302
	switch (audit_failure) {
303
	case AUDIT_FAIL_SILENT:
304
		break;
305
	case AUDIT_FAIL_PRINTK:
306
		if (printk_ratelimit())
307
			pr_err("%s\n", message);
308
		break;
309
	case AUDIT_FAIL_PANIC:
310
		panic("audit: %s\n", message);
311
		break;
312
	}
313
}
314

315
static inline int audit_rate_check(void)
316
{
317
	static unsigned long	last_check = 0;
318
	static int		messages   = 0;
319
	static DEFINE_SPINLOCK(lock);
320
	unsigned long		flags;
321
	unsigned long		now;
322
	int			retval	   = 0;
323

324
	if (!audit_rate_limit)
325
		return 1;
326

327
	spin_lock_irqsave(&lock, flags);
328
	if (++messages < audit_rate_limit) {
329
		retval = 1;
330
	} else {
331
		now = jiffies;
332
		if (time_after(now, last_check + HZ)) {
333
			last_check = now;
334
			messages   = 0;
335
			retval     = 1;
336
		}
337
	}
338
	spin_unlock_irqrestore(&lock, flags);
339

340
	return retval;
341
}
342

343
/**
344
 * audit_log_lost - conditionally log lost audit message event
345
 * @message: the message stating reason for lost audit message
346
 *
347
 * Emit at least 1 message per second, even if audit_rate_check is
348
 * throttling.
349
 * Always increment the lost messages counter.
350
*/
351
void audit_log_lost(const char *message)
352
{
353
	static unsigned long	last_msg = 0;
354
	static DEFINE_SPINLOCK(lock);
355
	unsigned long		flags;
356
	unsigned long		now;
357
	int			print;
358

359
	atomic_inc(&audit_lost);
360

361
	print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
362

363
	if (!print) {
364
		spin_lock_irqsave(&lock, flags);
365
		now = jiffies;
366
		if (time_after(now, last_msg + HZ)) {
367
			print = 1;
368
			last_msg = now;
369
		}
370
		spin_unlock_irqrestore(&lock, flags);
371
	}
372

373
	if (print) {
374
		if (printk_ratelimit())
375
			pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
376
				atomic_read(&audit_lost),
377
				audit_rate_limit,
378
				audit_backlog_limit);
379
		audit_panic(message);
380
	}
381
}
382

383
static int audit_log_config_change(char *function_name, u32 new, u32 old,
384
				   int allow_changes)
385
{
386
	struct audit_buffer *ab;
387
	int rc = 0;
388

389
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
390
	if (unlikely(!ab))
391
		return rc;
392
	audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old);
393
	audit_log_session_info(ab);
394
	rc = audit_log_task_context(ab);
395
	if (rc)
396
		allow_changes = 0; /* Something weird, deny request */
397
	audit_log_format(ab, " res=%d", allow_changes);
398
	audit_log_end(ab);
399
	return rc;
400
}
401

402
static int audit_do_config_change(char *function_name, u32 *to_change, u32 new)
403
{
404
	int allow_changes, rc = 0;
405
	u32 old = *to_change;
406

407
	/* check if we are locked */
408
	if (audit_enabled == AUDIT_LOCKED)
409
		allow_changes = 0;
410
	else
411
		allow_changes = 1;
412

413
	if (audit_enabled != AUDIT_OFF) {
414
		rc = audit_log_config_change(function_name, new, old, allow_changes);
415
		if (rc)
416
			allow_changes = 0;
417
	}
418

419
	/* If we are allowed, make the change */
420
	if (allow_changes == 1)
421
		*to_change = new;
422
	/* Not allowed, update reason */
423
	else if (rc == 0)
424
		rc = -EPERM;
425
	return rc;
426
}
427

428
static int audit_set_rate_limit(u32 limit)
429
{
430
	return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
431
}
432

433
static int audit_set_backlog_limit(u32 limit)
434
{
435
	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
436
}
437

438
static int audit_set_backlog_wait_time(u32 timeout)
439
{
440
	return audit_do_config_change("audit_backlog_wait_time",
441
				      &audit_backlog_wait_time, timeout);
442
}
443

444
static int audit_set_enabled(u32 state)
445
{
446
	int rc;
447
	if (state > AUDIT_LOCKED)
448
		return -EINVAL;
449

450
	rc =  audit_do_config_change("audit_enabled", &audit_enabled, state);
451
	if (!rc)
452
		audit_ever_enabled |= !!state;
453

454
	return rc;
455
}
456

457
static int audit_set_failure(u32 state)
458
{
459
	if (state != AUDIT_FAIL_SILENT
460
	    && state != AUDIT_FAIL_PRINTK
461
	    && state != AUDIT_FAIL_PANIC)
462
		return -EINVAL;
463

464
	return audit_do_config_change("audit_failure", &audit_failure, state);
465
}
466

467
/**
468
 * auditd_conn_free - RCU helper to release an auditd connection struct
469
 * @rcu: RCU head
470
 *
471
 * Description:
472
 * Drop any references inside the auditd connection tracking struct and free
473
 * the memory.
474
 */
475
static void auditd_conn_free(struct rcu_head *rcu)
476
{
477
	struct auditd_connection *ac;
478

479
	ac = container_of(rcu, struct auditd_connection, rcu);
480
	put_pid(ac->pid);
481
	put_net(ac->net);
482
	kfree(ac);
483
}
484

485
/**
486
 * auditd_set - Set/Reset the auditd connection state
487
 * @pid: auditd PID
488
 * @portid: auditd netlink portid
489
 * @net: auditd network namespace pointer
490
 * @skb: the netlink command from the audit daemon
491
 * @ack: netlink ack flag, cleared if ack'd here
492
 *
493
 * Description:
494
 * This function will obtain and drop network namespace references as
495
 * necessary.  Returns zero on success, negative values on failure.
496
 */
497
static int auditd_set(struct pid *pid, u32 portid, struct net *net,
498
		      struct sk_buff *skb, bool *ack)
499
{
500
	unsigned long flags;
501
	struct auditd_connection *ac_old, *ac_new;
502
	struct nlmsghdr *nlh;
503

504
	if (!pid || !net)
505
		return -EINVAL;
506

507
	ac_new = kzalloc(sizeof(*ac_new), GFP_KERNEL);
508
	if (!ac_new)
509
		return -ENOMEM;
510
	ac_new->pid = get_pid(pid);
511
	ac_new->portid = portid;
512
	ac_new->net = get_net(net);
513

514
	/* send the ack now to avoid a race with the queue backlog */
515
	if (*ack) {
516
		nlh = nlmsg_hdr(skb);
517
		netlink_ack(skb, nlh, 0, NULL);
518
		*ack = false;
519
	}
520

521
	spin_lock_irqsave(&auditd_conn_lock, flags);
522
	ac_old = rcu_dereference_protected(auditd_conn,
523
					   lockdep_is_held(&auditd_conn_lock));
524
	rcu_assign_pointer(auditd_conn, ac_new);
525
	spin_unlock_irqrestore(&auditd_conn_lock, flags);
526

527
	if (ac_old)
528
		call_rcu(&ac_old->rcu, auditd_conn_free);
529

530
	return 0;
531
}
532

533
/**
534
 * kauditd_printk_skb - Print the audit record to the ring buffer
535
 * @skb: audit record
536
 *
537
 * Whatever the reason, this packet may not make it to the auditd connection
538
 * so write it via printk so the information isn't completely lost.
539
 */
540
static void kauditd_printk_skb(struct sk_buff *skb)
541
{
542
	struct nlmsghdr *nlh = nlmsg_hdr(skb);
543
	char *data = nlmsg_data(nlh);
544

545
	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
546
		pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
547
}
548

549
/**
550
 * kauditd_rehold_skb - Handle a audit record send failure in the hold queue
551
 * @skb: audit record
552
 * @error: error code (unused)
553
 *
554
 * Description:
555
 * This should only be used by the kauditd_thread when it fails to flush the
556
 * hold queue.
557
 */
558
static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error)
559
{
560
	/* put the record back in the queue */
561
	skb_queue_tail(&audit_hold_queue, skb);
562
}
563

564
/**
565
 * kauditd_hold_skb - Queue an audit record, waiting for auditd
566
 * @skb: audit record
567
 * @error: error code
568
 *
569
 * Description:
570
 * Queue the audit record, waiting for an instance of auditd.  When this
571
 * function is called we haven't given up yet on sending the record, but things
572
 * are not looking good.  The first thing we want to do is try to write the
573
 * record via printk and then see if we want to try and hold on to the record
574
 * and queue it, if we have room.  If we want to hold on to the record, but we
575
 * don't have room, record a record lost message.
576
 */
577
static void kauditd_hold_skb(struct sk_buff *skb, int error)
578
{
579
	/* at this point it is uncertain if we will ever send this to auditd so
580
	 * try to send the message via printk before we go any further */
581
	kauditd_printk_skb(skb);
582

583
	/* can we just silently drop the message? */
584
	if (!audit_default)
585
		goto drop;
586

587
	/* the hold queue is only for when the daemon goes away completely,
588
	 * not -EAGAIN failures; if we are in a -EAGAIN state requeue the
589
	 * record on the retry queue unless it's full, in which case drop it
590
	 */
591
	if (error == -EAGAIN) {
592
		if (!audit_backlog_limit ||
593
		    skb_queue_len(&audit_retry_queue) < audit_backlog_limit) {
594
			skb_queue_tail(&audit_retry_queue, skb);
595
			return;
596
		}
597
		audit_log_lost("kauditd retry queue overflow");
598
		goto drop;
599
	}
600

601
	/* if we have room in the hold queue, queue the message */
602
	if (!audit_backlog_limit ||
603
	    skb_queue_len(&audit_hold_queue) < audit_backlog_limit) {
604
		skb_queue_tail(&audit_hold_queue, skb);
605
		return;
606
	}
607

608
	/* we have no other options - drop the message */
609
	audit_log_lost("kauditd hold queue overflow");
610
drop:
611
	kfree_skb(skb);
612
}
613

614
/**
615
 * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd
616
 * @skb: audit record
617
 * @error: error code (unused)
618
 *
619
 * Description:
620
 * Not as serious as kauditd_hold_skb() as we still have a connected auditd,
621
 * but for some reason we are having problems sending it audit records so
622
 * queue the given record and attempt to resend.
623
 */
624
static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error)
625
{
626
	if (!audit_backlog_limit ||
627
	    skb_queue_len(&audit_retry_queue) < audit_backlog_limit) {
628
		skb_queue_tail(&audit_retry_queue, skb);
629
		return;
630
	}
631

632
	/* we have to drop the record, send it via printk as a last effort */
633
	kauditd_printk_skb(skb);
634
	audit_log_lost("kauditd retry queue overflow");
635
	kfree_skb(skb);
636
}
637

638
/**
639
 * auditd_reset - Disconnect the auditd connection
640
 * @ac: auditd connection state
641
 *
642
 * Description:
643
 * Break the auditd/kauditd connection and move all the queued records into the
644
 * hold queue in case auditd reconnects.  It is important to note that the @ac
645
 * pointer should never be dereferenced inside this function as it may be NULL
646
 * or invalid, you can only compare the memory address!  If @ac is NULL then
647
 * the connection will always be reset.
648
 */
649
static void auditd_reset(const struct auditd_connection *ac)
650
{
651
	unsigned long flags;
652
	struct sk_buff *skb;
653
	struct auditd_connection *ac_old;
654

655
	/* if it isn't already broken, break the connection */
656
	spin_lock_irqsave(&auditd_conn_lock, flags);
657
	ac_old = rcu_dereference_protected(auditd_conn,
658
					   lockdep_is_held(&auditd_conn_lock));
659
	if (ac && ac != ac_old) {
660
		/* someone already registered a new auditd connection */
661
		spin_unlock_irqrestore(&auditd_conn_lock, flags);
662
		return;
663
	}
664
	rcu_assign_pointer(auditd_conn, NULL);
665
	spin_unlock_irqrestore(&auditd_conn_lock, flags);
666

667
	if (ac_old)
668
		call_rcu(&ac_old->rcu, auditd_conn_free);
669

670
	/* flush the retry queue to the hold queue, but don't touch the main
671
	 * queue since we need to process that normally for multicast */
672
	while ((skb = skb_dequeue(&audit_retry_queue)))
673
		kauditd_hold_skb(skb, -ECONNREFUSED);
674
}
675

676
/**
677
 * auditd_send_unicast_skb - Send a record via unicast to auditd
678
 * @skb: audit record
679
 *
680
 * Description:
681
 * Send a skb to the audit daemon, returns positive/zero values on success and
682
 * negative values on failure; in all cases the skb will be consumed by this
683
 * function.  If the send results in -ECONNREFUSED the connection with auditd
684
 * will be reset.  This function may sleep so callers should not hold any locks
685
 * where this would cause a problem.
686
 */
687
static int auditd_send_unicast_skb(struct sk_buff *skb)
688
{
689
	int rc;
690
	u32 portid;
691
	struct net *net;
692
	struct sock *sk;
693
	struct auditd_connection *ac;
694

695
	/* NOTE: we can't call netlink_unicast while in the RCU section so
696
	 *       take a reference to the network namespace and grab local
697
	 *       copies of the namespace, the sock, and the portid; the
698
	 *       namespace and sock aren't going to go away while we hold a
699
	 *       reference and if the portid does become invalid after the RCU
700
	 *       section netlink_unicast() should safely return an error */
701

702
	rcu_read_lock();
703
	ac = rcu_dereference(auditd_conn);
704
	if (!ac) {
705
		rcu_read_unlock();
706
		kfree_skb(skb);
707
		rc = -ECONNREFUSED;
708
		goto err;
709
	}
710
	net = get_net(ac->net);
711
	sk = audit_get_sk(net);
712
	portid = ac->portid;
713
	rcu_read_unlock();
714

715
	rc = netlink_unicast(sk, skb, portid, 0);
716
	put_net(net);
717
	if (rc < 0)
718
		goto err;
719

720
	return rc;
721

722
err:
723
	if (ac && rc == -ECONNREFUSED)
724
		auditd_reset(ac);
725
	return rc;
726
}
727

728
/**
729
 * kauditd_send_queue - Helper for kauditd_thread to flush skb queues
730
 * @sk: the sending sock
731
 * @portid: the netlink destination
732
 * @queue: the skb queue to process
733
 * @retry_limit: limit on number of netlink unicast failures
734
 * @skb_hook: per-skb hook for additional processing
735
 * @err_hook: hook called if the skb fails the netlink unicast send
736
 *
737
 * Description:
738
 * Run through the given queue and attempt to send the audit records to auditd,
739
 * returns zero on success, negative values on failure.  It is up to the caller
740
 * to ensure that the @sk is valid for the duration of this function.
741
 *
742
 */
743
static int kauditd_send_queue(struct sock *sk, u32 portid,
744
			      struct sk_buff_head *queue,
745
			      unsigned int retry_limit,
746
			      void (*skb_hook)(struct sk_buff *skb),
747
			      void (*err_hook)(struct sk_buff *skb, int error))
748
{
749
	int rc = 0;
750
	struct sk_buff *skb = NULL;
751
	struct sk_buff *skb_tail;
752
	unsigned int failed = 0;
753

754
	/* NOTE: kauditd_thread takes care of all our locking, we just use
755
	 *       the netlink info passed to us (e.g. sk and portid) */
756

757
	skb_tail = skb_peek_tail(queue);
758
	while ((skb != skb_tail) && (skb = skb_dequeue(queue))) {
759
		/* call the skb_hook for each skb we touch */
760
		if (skb_hook)
761
			(*skb_hook)(skb);
762

763
		/* can we send to anyone via unicast? */
764
		if (!sk) {
765
			if (err_hook)
766
				(*err_hook)(skb, -ECONNREFUSED);
767
			continue;
768
		}
769

770
retry:
771
		/* grab an extra skb reference in case of error */
772
		skb_get(skb);
773
		rc = netlink_unicast(sk, skb, portid, 0);
774
		if (rc < 0) {
775
			/* send failed - try a few times unless fatal error */
776
			if (++failed >= retry_limit ||
777
			    rc == -ECONNREFUSED || rc == -EPERM) {
778
				sk = NULL;
779
				if (err_hook)
780
					(*err_hook)(skb, rc);
781
				if (rc == -EAGAIN)
782
					rc = 0;
783
				/* continue to drain the queue */
784
				continue;
785
			} else
786
				goto retry;
787
		} else {
788
			/* skb sent - drop the extra reference and continue */
789
			consume_skb(skb);
790
			failed = 0;
791
		}
792
	}
793

794
	return (rc >= 0 ? 0 : rc);
795
}
796

797
/*
798
 * kauditd_send_multicast_skb - Send a record to any multicast listeners
799
 * @skb: audit record
800
 *
801
 * Description:
802
 * Write a multicast message to anyone listening in the initial network
803
 * namespace.  This function doesn't consume an skb as might be expected since
804
 * it has to copy it anyways.
805
 */
806
static void kauditd_send_multicast_skb(struct sk_buff *skb)
807
{
808
	struct sk_buff *copy;
809
	struct sock *sock = audit_get_sk(&init_net);
810
	struct nlmsghdr *nlh;
811

812
	/* NOTE: we are not taking an additional reference for init_net since
813
	 *       we don't have to worry about it going away */
814

815
	if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
816
		return;
817

818
	/*
819
	 * The seemingly wasteful skb_copy() rather than bumping the refcount
820
	 * using skb_get() is necessary because non-standard mods are made to
821
	 * the skb by the original kaudit unicast socket send routine.  The
822
	 * existing auditd daemon assumes this breakage.  Fixing this would
823
	 * require co-ordinating a change in the established protocol between
824
	 * the kaudit kernel subsystem and the auditd userspace code.  There is
825
	 * no reason for new multicast clients to continue with this
826
	 * non-compliance.
827
	 */
828
	copy = skb_copy(skb, GFP_KERNEL);
829
	if (!copy)
830
		return;
831
	nlh = nlmsg_hdr(copy);
832
	nlh->nlmsg_len = skb->len;
833

834
	nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
835
}
836

837
/**
838
 * kauditd_thread - Worker thread to send audit records to userspace
839
 * @dummy: unused
840
 */
841
static int kauditd_thread(void *dummy)
842
{
843
	int rc;
844
	u32 portid = 0;
845
	struct net *net = NULL;
846
	struct sock *sk = NULL;
847
	struct auditd_connection *ac;
848

849
#define UNICAST_RETRIES 5
850

851
	set_freezable();
852
	while (!kthread_should_stop()) {
853
		/* NOTE: see the lock comments in auditd_send_unicast_skb() */
854
		rcu_read_lock();
855
		ac = rcu_dereference(auditd_conn);
856
		if (!ac) {
857
			rcu_read_unlock();
858
			goto main_queue;
859
		}
860
		net = get_net(ac->net);
861
		sk = audit_get_sk(net);
862
		portid = ac->portid;
863
		rcu_read_unlock();
864

865
		/* attempt to flush the hold queue */
866
		rc = kauditd_send_queue(sk, portid,
867
					&audit_hold_queue, UNICAST_RETRIES,
868
					NULL, kauditd_rehold_skb);
869
		if (rc < 0) {
870
			sk = NULL;
871
			auditd_reset(ac);
872
			goto main_queue;
873
		}
874

875
		/* attempt to flush the retry queue */
876
		rc = kauditd_send_queue(sk, portid,
877
					&audit_retry_queue, UNICAST_RETRIES,
878
					NULL, kauditd_hold_skb);
879
		if (rc < 0) {
880
			sk = NULL;
881
			auditd_reset(ac);
882
			goto main_queue;
883
		}
884

885
main_queue:
886
		/* process the main queue - do the multicast send and attempt
887
		 * unicast, dump failed record sends to the retry queue; if
888
		 * sk == NULL due to previous failures we will just do the
889
		 * multicast send and move the record to the hold queue */
890
		rc = kauditd_send_queue(sk, portid, &audit_queue, 1,
891
					kauditd_send_multicast_skb,
892
					(sk ?
893
					 kauditd_retry_skb : kauditd_hold_skb));
894
		if (ac && rc < 0)
895
			auditd_reset(ac);
896
		sk = NULL;
897

898
		/* drop our netns reference, no auditd sends past this line */
899
		if (net) {
900
			put_net(net);
901
			net = NULL;
902
		}
903

904
		/* we have processed all the queues so wake everyone */
905
		wake_up(&audit_backlog_wait);
906

907
		/* NOTE: we want to wake up if there is anything on the queue,
908
		 *       regardless of if an auditd is connected, as we need to
909
		 *       do the multicast send and rotate records from the
910
		 *       main queue to the retry/hold queues */
911
		wait_event_freezable(kauditd_wait,
912
				     (skb_queue_len(&audit_queue) ? 1 : 0));
913
	}
914

915
	return 0;
916
}
917

918
int audit_send_list_thread(void *_dest)
919
{
920
	struct audit_netlink_list *dest = _dest;
921
	struct sk_buff *skb;
922
	struct sock *sk = audit_get_sk(dest->net);
923

924
	/* wait for parent to finish and send an ACK */
925
	audit_ctl_lock();
926
	audit_ctl_unlock();
927

928
	while ((skb = __skb_dequeue(&dest->q)) != NULL)
929
		netlink_unicast(sk, skb, dest->portid, 0);
930

931
	put_net(dest->net);
932
	kfree(dest);
933

934
	return 0;
935
}
936

937
struct sk_buff *audit_make_reply(int seq, int type, int done,
938
				 int multi, const void *payload, int size)
939
{
940
	struct sk_buff	*skb;
941
	struct nlmsghdr	*nlh;
942
	void		*data;
943
	int		flags = multi ? NLM_F_MULTI : 0;
944
	int		t     = done  ? NLMSG_DONE  : type;
945

946
	skb = nlmsg_new(size, GFP_KERNEL);
947
	if (!skb)
948
		return NULL;
949

950
	nlh	= nlmsg_put(skb, 0, seq, t, size, flags);
951
	if (!nlh)
952
		goto out_kfree_skb;
953
	data = nlmsg_data(nlh);
954
	memcpy(data, payload, size);
955
	return skb;
956

957
out_kfree_skb:
958
	kfree_skb(skb);
959
	return NULL;
960
}
961

962
static void audit_free_reply(struct audit_reply *reply)
963
{
964
	if (!reply)
965
		return;
966

967
	kfree_skb(reply->skb);
968
	if (reply->net)
969
		put_net(reply->net);
970
	kfree(reply);
971
}
972

973
static int audit_send_reply_thread(void *arg)
974
{
975
	struct audit_reply *reply = (struct audit_reply *)arg;
976

977
	audit_ctl_lock();
978
	audit_ctl_unlock();
979

980
	/* Ignore failure. It'll only happen if the sender goes away,
981
	   because our timeout is set to infinite. */
982
	netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0);
983
	reply->skb = NULL;
984
	audit_free_reply(reply);
985
	return 0;
986
}
987

988
/**
989
 * audit_send_reply - send an audit reply message via netlink
990
 * @request_skb: skb of request we are replying to (used to target the reply)
991
 * @seq: sequence number
992
 * @type: audit message type
993
 * @done: done (last) flag
994
 * @multi: multi-part message flag
995
 * @payload: payload data
996
 * @size: payload size
997
 *
998
 * Allocates a skb, builds the netlink message, and sends it to the port id.
999
 */
1000
static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
1001
			     int multi, const void *payload, int size)
1002
{
1003
	struct task_struct *tsk;
1004
	struct audit_reply *reply;
1005

1006
	reply = kzalloc(sizeof(*reply), GFP_KERNEL);
1007
	if (!reply)
1008
		return;
1009

1010
	reply->skb = audit_make_reply(seq, type, done, multi, payload, size);
1011
	if (!reply->skb)
1012
		goto err;
1013
	reply->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
1014
	reply->portid = NETLINK_CB(request_skb).portid;
1015

1016
	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
1017
	if (IS_ERR(tsk))
1018
		goto err;
1019

1020
	return;
1021

1022
err:
1023
	audit_free_reply(reply);
1024
}
1025

1026
/*
1027
 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
1028
 * control messages.
1029
 */
1030
static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
1031
{
1032
	int err = 0;
1033

1034
	/* Only support initial user namespace for now. */
1035
	/*
1036
	 * We return ECONNREFUSED because it tricks userspace into thinking
1037
	 * that audit was not configured into the kernel.  Lots of users
1038
	 * configure their PAM stack (because that's what the distro does)
1039
	 * to reject login if unable to send messages to audit.  If we return
1040
	 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
1041
	 * configured in and will let login proceed.  If we return EPERM
1042
	 * userspace will reject all logins.  This should be removed when we
1043
	 * support non init namespaces!!
1044
	 */
1045
	if (current_user_ns() != &init_user_ns)
1046
		return -ECONNREFUSED;
1047

1048
	switch (msg_type) {
1049
	case AUDIT_LIST:
1050
	case AUDIT_ADD:
1051
	case AUDIT_DEL:
1052
		return -EOPNOTSUPP;
1053
	case AUDIT_GET:
1054
	case AUDIT_SET:
1055
	case AUDIT_GET_FEATURE:
1056
	case AUDIT_SET_FEATURE:
1057
	case AUDIT_LIST_RULES:
1058
	case AUDIT_ADD_RULE:
1059
	case AUDIT_DEL_RULE:
1060
	case AUDIT_SIGNAL_INFO:
1061
	case AUDIT_TTY_GET:
1062
	case AUDIT_TTY_SET:
1063
	case AUDIT_TRIM:
1064
	case AUDIT_MAKE_EQUIV:
1065
		/* Only support auditd and auditctl in initial pid namespace
1066
		 * for now. */
1067
		if (task_active_pid_ns(current) != &init_pid_ns)
1068
			return -EPERM;
1069

1070
		if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
1071
			err = -EPERM;
1072
		break;
1073
	case AUDIT_USER:
1074
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
1075
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
1076
		if (!netlink_capable(skb, CAP_AUDIT_WRITE))
1077
			err = -EPERM;
1078
		break;
1079
	default:  /* bad msg */
1080
		err = -EINVAL;
1081
	}
1082

1083
	return err;
1084
}
1085

1086
static void audit_log_common_recv_msg(struct audit_context *context,
1087
					struct audit_buffer **ab, u16 msg_type)
1088
{
1089
	uid_t uid = from_kuid(&init_user_ns, current_uid());
1090
	pid_t pid = task_tgid_nr(current);
1091

1092
	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
1093
		*ab = NULL;
1094
		return;
1095
	}
1096

1097
	*ab = audit_log_start(context, GFP_KERNEL, msg_type);
1098
	if (unlikely(!*ab))
1099
		return;
1100
	audit_log_format(*ab, "pid=%d uid=%u ", pid, uid);
1101
	audit_log_session_info(*ab);
1102
	audit_log_task_context(*ab);
1103
}
1104

1105
static inline void audit_log_user_recv_msg(struct audit_buffer **ab,
1106
					   u16 msg_type)
1107
{
1108
	audit_log_common_recv_msg(NULL, ab, msg_type);
1109
}
1110

1111
static int is_audit_feature_set(int i)
1112
{
1113
	return af.features & AUDIT_FEATURE_TO_MASK(i);
1114
}
1115

1116

1117
static int audit_get_feature(struct sk_buff *skb)
1118
{
1119
	u32 seq;
1120

1121
	seq = nlmsg_hdr(skb)->nlmsg_seq;
1122

1123
	audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
1124

1125
	return 0;
1126
}
1127

1128
static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
1129
				     u32 old_lock, u32 new_lock, int res)
1130
{
1131
	struct audit_buffer *ab;
1132

1133
	if (audit_enabled == AUDIT_OFF)
1134
		return;
1135

1136
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE);
1137
	if (!ab)
1138
		return;
1139
	audit_log_task_info(ab);
1140
	audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
1141
			 audit_feature_names[which], !!old_feature, !!new_feature,
1142
			 !!old_lock, !!new_lock, res);
1143
	audit_log_end(ab);
1144
}
1145

1146
static int audit_set_feature(struct audit_features *uaf)
1147
{
1148
	int i;
1149

1150
	BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
1151

1152
	/* if there is ever a version 2 we should handle that here */
1153

1154
	for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
1155
		u32 feature = AUDIT_FEATURE_TO_MASK(i);
1156
		u32 old_feature, new_feature, old_lock, new_lock;
1157

1158
		/* if we are not changing this feature, move along */
1159
		if (!(feature & uaf->mask))
1160
			continue;
1161

1162
		old_feature = af.features & feature;
1163
		new_feature = uaf->features & feature;
1164
		new_lock = (uaf->lock | af.lock) & feature;
1165
		old_lock = af.lock & feature;
1166

1167
		/* are we changing a locked feature? */
1168
		if (old_lock && (new_feature != old_feature)) {
1169
			audit_log_feature_change(i, old_feature, new_feature,
1170
						 old_lock, new_lock, 0);
1171
			return -EPERM;
1172
		}
1173
	}
1174
	/* nothing invalid, do the changes */
1175
	for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
1176
		u32 feature = AUDIT_FEATURE_TO_MASK(i);
1177
		u32 old_feature, new_feature, old_lock, new_lock;
1178

1179
		/* if we are not changing this feature, move along */
1180
		if (!(feature & uaf->mask))
1181
			continue;
1182

1183
		old_feature = af.features & feature;
1184
		new_feature = uaf->features & feature;
1185
		old_lock = af.lock & feature;
1186
		new_lock = (uaf->lock | af.lock) & feature;
1187

1188
		if (new_feature != old_feature)
1189
			audit_log_feature_change(i, old_feature, new_feature,
1190
						 old_lock, new_lock, 1);
1191

1192
		if (new_feature)
1193
			af.features |= feature;
1194
		else
1195
			af.features &= ~feature;
1196
		af.lock |= new_lock;
1197
	}
1198

1199
	return 0;
1200
}
1201

1202
static int audit_replace(struct pid *pid)
1203
{
1204
	pid_t pvnr;
1205
	struct sk_buff *skb;
1206

1207
	pvnr = pid_vnr(pid);
1208
	skb = audit_make_reply(0, AUDIT_REPLACE, 0, 0, &pvnr, sizeof(pvnr));
1209
	if (!skb)
1210
		return -ENOMEM;
1211
	return auditd_send_unicast_skb(skb);
1212
}
1213

1214
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
1215
			     bool *ack)
1216
{
1217
	u32			seq;
1218
	void			*data;
1219
	int			data_len;
1220
	int			err;
1221
	struct audit_buffer	*ab;
1222
	u16			msg_type = nlh->nlmsg_type;
1223
	struct audit_sig_info   *sig_data;
1224
	struct lsm_context	lsmctx = { NULL, 0, 0 };
1225

1226
	err = audit_netlink_ok(skb, msg_type);
1227
	if (err)
1228
		return err;
1229

1230
	seq  = nlh->nlmsg_seq;
1231
	data = nlmsg_data(nlh);
1232
	data_len = nlmsg_len(nlh);
1233

1234
	switch (msg_type) {
1235
	case AUDIT_GET: {
1236
		struct audit_status	s;
1237
		memset(&s, 0, sizeof(s));
1238
		s.enabled		   = audit_enabled;
1239
		s.failure		   = audit_failure;
1240
		/* NOTE: use pid_vnr() so the PID is relative to the current
1241
		 *       namespace */
1242
		s.pid			   = auditd_pid_vnr();
1243
		s.rate_limit		   = audit_rate_limit;
1244
		s.backlog_limit		   = audit_backlog_limit;
1245
		s.lost			   = atomic_read(&audit_lost);
1246
		s.backlog		   = skb_queue_len(&audit_queue);
1247
		s.feature_bitmap	   = AUDIT_FEATURE_BITMAP_ALL;
1248
		s.backlog_wait_time	   = audit_backlog_wait_time;
1249
		s.backlog_wait_time_actual = atomic_read(&audit_backlog_wait_time_actual);
1250
		audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
1251
		break;
1252
	}
1253
	case AUDIT_SET: {
1254
		struct audit_status	s;
1255
		memset(&s, 0, sizeof(s));
1256
		/* guard against past and future API changes */
1257
		memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
1258
		if (s.mask & AUDIT_STATUS_ENABLED) {
1259
			err = audit_set_enabled(s.enabled);
1260
			if (err < 0)
1261
				return err;
1262
		}
1263
		if (s.mask & AUDIT_STATUS_FAILURE) {
1264
			err = audit_set_failure(s.failure);
1265
			if (err < 0)
1266
				return err;
1267
		}
1268
		if (s.mask & AUDIT_STATUS_PID) {
1269
			/* NOTE: we are using the vnr PID functions below
1270
			 *       because the s.pid value is relative to the
1271
			 *       namespace of the caller; at present this
1272
			 *       doesn't matter much since you can really only
1273
			 *       run auditd from the initial pid namespace, but
1274
			 *       something to keep in mind if this changes */
1275
			pid_t new_pid = s.pid;
1276
			pid_t auditd_pid;
1277
			struct pid *req_pid = task_tgid(current);
1278

1279
			/* Sanity check - PID values must match. Setting
1280
			 * pid to 0 is how auditd ends auditing. */
1281
			if (new_pid && (new_pid != pid_vnr(req_pid)))
1282
				return -EINVAL;
1283

1284
			/* test the auditd connection */
1285
			audit_replace(req_pid);
1286

1287
			auditd_pid = auditd_pid_vnr();
1288
			if (auditd_pid) {
1289
				/* replacing a healthy auditd is not allowed */
1290
				if (new_pid) {
1291
					audit_log_config_change("audit_pid",
1292
							new_pid, auditd_pid, 0);
1293
					return -EEXIST;
1294
				}
1295
				/* only current auditd can unregister itself */
1296
				if (pid_vnr(req_pid) != auditd_pid) {
1297
					audit_log_config_change("audit_pid",
1298
							new_pid, auditd_pid, 0);
1299
					return -EACCES;
1300
				}
1301
			}
1302

1303
			if (new_pid) {
1304
				/* register a new auditd connection */
1305
				err = auditd_set(req_pid,
1306
						 NETLINK_CB(skb).portid,
1307
						 sock_net(NETLINK_CB(skb).sk),
1308
						 skb, ack);
1309
				if (audit_enabled != AUDIT_OFF)
1310
					audit_log_config_change("audit_pid",
1311
								new_pid,
1312
								auditd_pid,
1313
								err ? 0 : 1);
1314
				if (err)
1315
					return err;
1316

1317
				/* try to process any backlog */
1318
				wake_up_interruptible(&kauditd_wait);
1319
			} else {
1320
				if (audit_enabled != AUDIT_OFF)
1321
					audit_log_config_change("audit_pid",
1322
								new_pid,
1323
								auditd_pid, 1);
1324

1325
				/* unregister the auditd connection */
1326
				auditd_reset(NULL);
1327
			}
1328
		}
1329
		if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
1330
			err = audit_set_rate_limit(s.rate_limit);
1331
			if (err < 0)
1332
				return err;
1333
		}
1334
		if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
1335
			err = audit_set_backlog_limit(s.backlog_limit);
1336
			if (err < 0)
1337
				return err;
1338
		}
1339
		if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
1340
			if (sizeof(s) > (size_t)nlh->nlmsg_len)
1341
				return -EINVAL;
1342
			if (s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
1343
				return -EINVAL;
1344
			err = audit_set_backlog_wait_time(s.backlog_wait_time);
1345
			if (err < 0)
1346
				return err;
1347
		}
1348
		if (s.mask == AUDIT_STATUS_LOST) {
1349
			u32 lost = atomic_xchg(&audit_lost, 0);
1350

1351
			audit_log_config_change("lost", 0, lost, 1);
1352
			return lost;
1353
		}
1354
		if (s.mask == AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL) {
1355
			u32 actual = atomic_xchg(&audit_backlog_wait_time_actual, 0);
1356

1357
			audit_log_config_change("backlog_wait_time_actual", 0, actual, 1);
1358
			return actual;
1359
		}
1360
		break;
1361
	}
1362
	case AUDIT_GET_FEATURE:
1363
		err = audit_get_feature(skb);
1364
		if (err)
1365
			return err;
1366
		break;
1367
	case AUDIT_SET_FEATURE:
1368
		if (data_len < sizeof(struct audit_features))
1369
			return -EINVAL;
1370
		err = audit_set_feature(data);
1371
		if (err)
1372
			return err;
1373
		break;
1374
	case AUDIT_USER:
1375
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
1376
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
1377
		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
1378
			return 0;
1379
		/* exit early if there isn't at least one character to print */
1380
		if (data_len < 2)
1381
			return -EINVAL;
1382

1383
		err = audit_filter(msg_type, AUDIT_FILTER_USER);
1384
		if (err == 1) { /* match or error */
1385
			char *str = data;
1386

1387
			err = 0;
1388
			if (msg_type == AUDIT_USER_TTY) {
1389
				err = tty_audit_push();
1390
				if (err)
1391
					break;
1392
			}
1393
			audit_log_user_recv_msg(&ab, msg_type);
1394
			if (msg_type != AUDIT_USER_TTY) {
1395
				/* ensure NULL termination */
1396
				str[data_len - 1] = '\0';
1397
				audit_log_format(ab, " msg='%.*s'",
1398
						 AUDIT_MESSAGE_TEXT_MAX,
1399
						 str);
1400
			} else {
1401
				audit_log_format(ab, " data=");
1402
				if (str[data_len - 1] == '\0')
1403
					data_len--;
1404
				audit_log_n_untrustedstring(ab, str, data_len);
1405
			}
1406
			audit_log_end(ab);
1407
		}
1408
		break;
1409
	case AUDIT_ADD_RULE:
1410
	case AUDIT_DEL_RULE:
1411
		if (data_len < sizeof(struct audit_rule_data))
1412
			return -EINVAL;
1413
		if (audit_enabled == AUDIT_LOCKED) {
1414
			audit_log_common_recv_msg(audit_context(), &ab,
1415
						  AUDIT_CONFIG_CHANGE);
1416
			audit_log_format(ab, " op=%s audit_enabled=%d res=0",
1417
					 msg_type == AUDIT_ADD_RULE ?
1418
						"add_rule" : "remove_rule",
1419
					 audit_enabled);
1420
			audit_log_end(ab);
1421
			return -EPERM;
1422
		}
1423
		err = audit_rule_change(msg_type, seq, data, data_len);
1424
		break;
1425
	case AUDIT_LIST_RULES:
1426
		err = audit_list_rules_send(skb, seq);
1427
		break;
1428
	case AUDIT_TRIM:
1429
		audit_trim_trees();
1430
		audit_log_common_recv_msg(audit_context(), &ab,
1431
					  AUDIT_CONFIG_CHANGE);
1432
		audit_log_format(ab, " op=trim res=1");
1433
		audit_log_end(ab);
1434
		break;
1435
	case AUDIT_MAKE_EQUIV: {
1436
		void *bufp = data;
1437
		u32 sizes[2];
1438
		size_t msglen = data_len;
1439
		char *old, *new;
1440

1441
		err = -EINVAL;
1442
		if (msglen < 2 * sizeof(u32))
1443
			break;
1444
		memcpy(sizes, bufp, 2 * sizeof(u32));
1445
		bufp += 2 * sizeof(u32);
1446
		msglen -= 2 * sizeof(u32);
1447
		old = audit_unpack_string(&bufp, &msglen, sizes[0]);
1448
		if (IS_ERR(old)) {
1449
			err = PTR_ERR(old);
1450
			break;
1451
		}
1452
		new = audit_unpack_string(&bufp, &msglen, sizes[1]);
1453
		if (IS_ERR(new)) {
1454
			err = PTR_ERR(new);
1455
			kfree(old);
1456
			break;
1457
		}
1458
		/* OK, here comes... */
1459
		err = audit_tag_tree(old, new);
1460

1461
		audit_log_common_recv_msg(audit_context(), &ab,
1462
					  AUDIT_CONFIG_CHANGE);
1463
		audit_log_format(ab, " op=make_equiv old=");
1464
		audit_log_untrustedstring(ab, old);
1465
		audit_log_format(ab, " new=");
1466
		audit_log_untrustedstring(ab, new);
1467
		audit_log_format(ab, " res=%d", !err);
1468
		audit_log_end(ab);
1469
		kfree(old);
1470
		kfree(new);
1471
		break;
1472
	}
1473
	case AUDIT_SIGNAL_INFO:
1474
		if (lsmprop_is_set(&audit_sig_lsm)) {
1475
			err = security_lsmprop_to_secctx(&audit_sig_lsm,
1476
							 &lsmctx);
1477
			if (err < 0)
1478
				return err;
1479
		}
1480
		sig_data = kmalloc(struct_size(sig_data, ctx, lsmctx.len),
1481
				   GFP_KERNEL);
1482
		if (!sig_data) {
1483
			if (lsmprop_is_set(&audit_sig_lsm))
1484
				security_release_secctx(&lsmctx);
1485
			return -ENOMEM;
1486
		}
1487
		sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
1488
		sig_data->pid = audit_sig_pid;
1489
		if (lsmprop_is_set(&audit_sig_lsm)) {
1490
			memcpy(sig_data->ctx, lsmctx.context, lsmctx.len);
1491
			security_release_secctx(&lsmctx);
1492
		}
1493
		audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
1494
				 sig_data, struct_size(sig_data, ctx,
1495
						       lsmctx.len));
1496
		kfree(sig_data);
1497
		break;
1498
	case AUDIT_TTY_GET: {
1499
		struct audit_tty_status s;
1500
		unsigned int t;
1501

1502
		t = READ_ONCE(current->signal->audit_tty);
1503
		s.enabled = t & AUDIT_TTY_ENABLE;
1504
		s.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
1505

1506
		audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
1507
		break;
1508
	}
1509
	case AUDIT_TTY_SET: {
1510
		struct audit_tty_status s, old;
1511
		struct audit_buffer	*ab;
1512
		unsigned int t;
1513

1514
		memset(&s, 0, sizeof(s));
1515
		/* guard against past and future API changes */
1516
		memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
1517
		/* check if new data is valid */
1518
		if ((s.enabled != 0 && s.enabled != 1) ||
1519
		    (s.log_passwd != 0 && s.log_passwd != 1))
1520
			err = -EINVAL;
1521

1522
		if (err)
1523
			t = READ_ONCE(current->signal->audit_tty);
1524
		else {
1525
			t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD);
1526
			t = xchg(&current->signal->audit_tty, t);
1527
		}
1528
		old.enabled = t & AUDIT_TTY_ENABLE;
1529
		old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
1530

1531
		audit_log_common_recv_msg(audit_context(), &ab,
1532
					  AUDIT_CONFIG_CHANGE);
1533
		audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
1534
				 " old-log_passwd=%d new-log_passwd=%d res=%d",
1535
				 old.enabled, s.enabled, old.log_passwd,
1536
				 s.log_passwd, !err);
1537
		audit_log_end(ab);
1538
		break;
1539
	}
1540
	default:
1541
		err = -EINVAL;
1542
		break;
1543
	}
1544

1545
	return err < 0 ? err : 0;
1546
}
1547

1548
/**
1549
 * audit_receive - receive messages from a netlink control socket
1550
 * @skb: the message buffer
1551
 *
1552
 * Parse the provided skb and deal with any messages that may be present,
1553
 * malformed skbs are discarded.
1554
 */
1555
static void audit_receive(struct sk_buff *skb)
1556
{
1557
	struct nlmsghdr *nlh;
1558
	bool ack;
1559
	/*
1560
	 * len MUST be signed for nlmsg_next to be able to dec it below 0
1561
	 * if the nlmsg_len was not aligned
1562
	 */
1563
	int len;
1564
	int err;
1565

1566
	nlh = nlmsg_hdr(skb);
1567
	len = skb->len;
1568

1569
	audit_ctl_lock();
1570
	while (nlmsg_ok(nlh, len)) {
1571
		ack = nlh->nlmsg_flags & NLM_F_ACK;
1572
		err = audit_receive_msg(skb, nlh, &ack);
1573

1574
		/* send an ack if the user asked for one and audit_receive_msg
1575
		 * didn't already do it, or if there was an error. */
1576
		if (ack || err)
1577
			netlink_ack(skb, nlh, err, NULL);
1578

1579
		nlh = nlmsg_next(nlh, &len);
1580
	}
1581
	audit_ctl_unlock();
1582

1583
	/* can't block with the ctrl lock, so penalize the sender now */
1584
	if (audit_backlog_limit &&
1585
	    (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
1586
		DECLARE_WAITQUEUE(wait, current);
1587

1588
		/* wake kauditd to try and flush the queue */
1589
		wake_up_interruptible(&kauditd_wait);
1590

1591
		add_wait_queue_exclusive(&audit_backlog_wait, &wait);
1592
		set_current_state(TASK_UNINTERRUPTIBLE);
1593
		schedule_timeout(audit_backlog_wait_time);
1594
		remove_wait_queue(&audit_backlog_wait, &wait);
1595
	}
1596
}
1597

1598
/* Log information about who is connecting to the audit multicast socket */
1599
static void audit_log_multicast(int group, const char *op, int err)
1600
{
1601
	const struct cred *cred;
1602
	struct tty_struct *tty;
1603
	char comm[sizeof(current->comm)];
1604
	struct audit_buffer *ab;
1605

1606
	if (!audit_enabled)
1607
		return;
1608

1609
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
1610
	if (!ab)
1611
		return;
1612

1613
	cred = current_cred();
1614
	tty = audit_get_tty();
1615
	audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
1616
			 task_tgid_nr(current),
1617
			 from_kuid(&init_user_ns, cred->uid),
1618
			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
1619
			 tty ? tty_name(tty) : "(none)",
1620
			 audit_get_sessionid(current));
1621
	audit_put_tty(tty);
1622
	audit_log_task_context(ab); /* subj= */
1623
	audit_log_format(ab, " comm=");
1624
	audit_log_untrustedstring(ab, get_task_comm(comm, current));
1625
	audit_log_d_path_exe(ab, current->mm); /* exe= */
1626
	audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
1627
	audit_log_end(ab);
1628
}
1629

1630
/* Run custom bind function on netlink socket group connect or bind requests. */
1631
static int audit_multicast_bind(struct net *net, int group)
1632
{
1633
	int err = 0;
1634

1635
	if (!capable(CAP_AUDIT_READ))
1636
		err = -EPERM;
1637
	audit_log_multicast(group, "connect", err);
1638
	return err;
1639
}
1640

1641
static void audit_multicast_unbind(struct net *net, int group)
1642
{
1643
	audit_log_multicast(group, "disconnect", 0);
1644
}
1645

1646
static int __net_init audit_net_init(struct net *net)
1647
{
1648
	struct netlink_kernel_cfg cfg = {
1649
		.input	= audit_receive,
1650
		.bind	= audit_multicast_bind,
1651
		.unbind	= audit_multicast_unbind,
1652
		.flags	= NL_CFG_F_NONROOT_RECV,
1653
		.groups	= AUDIT_NLGRP_MAX,
1654
	};
1655

1656
	struct audit_net *aunet = net_generic(net, audit_net_id);
1657

1658
	aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
1659
	if (aunet->sk == NULL) {
1660
		audit_panic("cannot initialize netlink socket in namespace");
1661
		return -ENOMEM;
1662
	}
1663
	/* limit the timeout in case auditd is blocked/stopped */
1664
	aunet->sk->sk_sndtimeo = HZ / 10;
1665

1666
	return 0;
1667
}
1668

1669
static void __net_exit audit_net_exit(struct net *net)
1670
{
1671
	struct audit_net *aunet = net_generic(net, audit_net_id);
1672

1673
	/* NOTE: you would think that we would want to check the auditd
1674
	 * connection and potentially reset it here if it lives in this
1675
	 * namespace, but since the auditd connection tracking struct holds a
1676
	 * reference to this namespace (see auditd_set()) we are only ever
1677
	 * going to get here after that connection has been released */
1678

1679
	netlink_kernel_release(aunet->sk);
1680
}
1681

1682
static struct pernet_operations audit_net_ops __net_initdata = {
1683
	.init = audit_net_init,
1684
	.exit = audit_net_exit,
1685
	.id = &audit_net_id,
1686
	.size = sizeof(struct audit_net),
1687
};
1688

1689
/* Initialize audit support at boot time. */
1690
static int __init audit_init(void)
1691
{
1692
	int i;
1693

1694
	if (audit_initialized == AUDIT_DISABLED)
1695
		return 0;
1696

1697
	audit_buffer_cache = KMEM_CACHE(audit_buffer, SLAB_PANIC);
1698

1699
	skb_queue_head_init(&audit_queue);
1700
	skb_queue_head_init(&audit_retry_queue);
1701
	skb_queue_head_init(&audit_hold_queue);
1702

1703
	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
1704
		INIT_LIST_HEAD(&audit_inode_hash[i]);
1705

1706
	mutex_init(&audit_cmd_mutex.lock);
1707
	audit_cmd_mutex.owner = NULL;
1708

1709
	pr_info("initializing netlink subsys (%s)\n",
1710
		str_enabled_disabled(audit_default));
1711
	register_pernet_subsys(&audit_net_ops);
1712

1713
	audit_initialized = AUDIT_INITIALIZED;
1714

1715
	kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
1716
	if (IS_ERR(kauditd_task)) {
1717
		int err = PTR_ERR(kauditd_task);
1718
		panic("audit: failed to start the kauditd thread (%d)\n", err);
1719
	}
1720

1721
	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
1722
		"state=initialized audit_enabled=%u res=1",
1723
		 audit_enabled);
1724

1725
	return 0;
1726
}
1727
postcore_initcall(audit_init);
1728

1729
/*
1730
 * Process kernel command-line parameter at boot time.
1731
 * audit={0|off} or audit={1|on}.
1732
 */
1733
static int __init audit_enable(char *str)
1734
{
1735
	if (!strcasecmp(str, "off") || !strcmp(str, "0"))
1736
		audit_default = AUDIT_OFF;
1737
	else if (!strcasecmp(str, "on") || !strcmp(str, "1"))
1738
		audit_default = AUDIT_ON;
1739
	else {
1740
		pr_err("audit: invalid 'audit' parameter value (%s)\n", str);
1741
		audit_default = AUDIT_ON;
1742
	}
1743

1744
	if (audit_default == AUDIT_OFF)
1745
		audit_initialized = AUDIT_DISABLED;
1746
	if (audit_set_enabled(audit_default))
1747
		pr_err("audit: error setting audit state (%d)\n",
1748
		       audit_default);
1749

1750
	pr_info("%s\n", audit_default ?
1751
		"enabled (after initialization)" : "disabled (until reboot)");
1752

1753
	return 1;
1754
}
1755
__setup("audit=", audit_enable);
1756

1757
/* Process kernel command-line parameter at boot time.
1758
 * audit_backlog_limit=<n> */
1759
static int __init audit_backlog_limit_set(char *str)
1760
{
1761
	u32 audit_backlog_limit_arg;
1762

1763
	pr_info("audit_backlog_limit: ");
1764
	if (kstrtouint(str, 0, &audit_backlog_limit_arg)) {
1765
		pr_cont("using default of %u, unable to parse %s\n",
1766
			audit_backlog_limit, str);
1767
		return 1;
1768
	}
1769

1770
	audit_backlog_limit = audit_backlog_limit_arg;
1771
	pr_cont("%d\n", audit_backlog_limit);
1772

1773
	return 1;
1774
}
1775
__setup("audit_backlog_limit=", audit_backlog_limit_set);
1776

1777
static void audit_buffer_free(struct audit_buffer *ab)
1778
{
1779
	if (!ab)
1780
		return;
1781

1782
	kfree_skb(ab->skb);
1783
	kmem_cache_free(audit_buffer_cache, ab);
1784
}
1785

1786
static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
1787
					       gfp_t gfp_mask, int type)
1788
{
1789
	struct audit_buffer *ab;
1790

1791
	ab = kmem_cache_alloc(audit_buffer_cache, gfp_mask);
1792
	if (!ab)
1793
		return NULL;
1794

1795
	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
1796
	if (!ab->skb)
1797
		goto err;
1798
	if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
1799
		goto err;
1800

1801
	ab->ctx = ctx;
1802
	ab->gfp_mask = gfp_mask;
1803

1804
	return ab;
1805

1806
err:
1807
	audit_buffer_free(ab);
1808
	return NULL;
1809
}
1810

1811
/**
1812
 * audit_serial - compute a serial number for the audit record
1813
 *
1814
 * Compute a serial number for the audit record.  Audit records are
1815
 * written to user-space as soon as they are generated, so a complete
1816
 * audit record may be written in several pieces.  The timestamp of the
1817
 * record and this serial number are used by the user-space tools to
1818
 * determine which pieces belong to the same audit record.  The
1819
 * (timestamp,serial) tuple is unique for each syscall and is live from
1820
 * syscall entry to syscall exit.
1821
 *
1822
 * NOTE: Another possibility is to store the formatted records off the
1823
 * audit context (for those records that have a context), and emit them
1824
 * all at syscall exit.  However, this could delay the reporting of
1825
 * significant errors until syscall exit (or never, if the system
1826
 * halts).
1827
 */
1828
unsigned int audit_serial(void)
1829
{
1830
	static atomic_t serial = ATOMIC_INIT(0);
1831

1832
	return atomic_inc_return(&serial);
1833
}
1834

1835
static inline void audit_get_stamp(struct audit_context *ctx,
1836
				   struct timespec64 *t, unsigned int *serial)
1837
{
1838
	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
1839
		ktime_get_coarse_real_ts64(t);
1840
		*serial = audit_serial();
1841
	}
1842
}
1843

1844
/**
1845
 * audit_log_start - obtain an audit buffer
1846
 * @ctx: audit_context (may be NULL)
1847
 * @gfp_mask: type of allocation
1848
 * @type: audit message type
1849
 *
1850
 * Returns audit_buffer pointer on success or NULL on error.
1851
 *
1852
 * Obtain an audit buffer.  This routine does locking to obtain the
1853
 * audit buffer, but then no locking is required for calls to
1854
 * audit_log_*format.  If the task (ctx) is a task that is currently in a
1855
 * syscall, then the syscall is marked as auditable and an audit record
1856
 * will be written at syscall exit.  If there is no associated task, then
1857
 * task context (ctx) should be NULL.
1858
 */
1859
struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1860
				     int type)
1861
{
1862
	struct audit_buffer *ab;
1863
	struct timespec64 t;
1864
	unsigned int serial;
1865

1866
	if (audit_initialized != AUDIT_INITIALIZED)
1867
		return NULL;
1868

1869
	if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCLUDE)))
1870
		return NULL;
1871

1872
	/* NOTE: don't ever fail/sleep on these two conditions:
1873
	 * 1. auditd generated record - since we need auditd to drain the
1874
	 *    queue; also, when we are checking for auditd, compare PIDs using
1875
	 *    task_tgid_vnr() since auditd_pid is set in audit_receive_msg()
1876
	 *    using a PID anchored in the caller's namespace
1877
	 * 2. generator holding the audit_cmd_mutex - we don't want to block
1878
	 *    while holding the mutex, although we do penalize the sender
1879
	 *    later in audit_receive() when it is safe to block
1880
	 */
1881
	if (!(auditd_test_task(current) || audit_ctl_owner_current())) {
1882
		long stime = audit_backlog_wait_time;
1883

1884
		while (audit_backlog_limit &&
1885
		       (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
1886
			/* wake kauditd to try and flush the queue */
1887
			wake_up_interruptible(&kauditd_wait);
1888

1889
			/* sleep if we are allowed and we haven't exhausted our
1890
			 * backlog wait limit */
1891
			if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) {
1892
				long rtime = stime;
1893

1894
				DECLARE_WAITQUEUE(wait, current);
1895

1896
				add_wait_queue_exclusive(&audit_backlog_wait,
1897
							 &wait);
1898
				set_current_state(TASK_UNINTERRUPTIBLE);
1899
				stime = schedule_timeout(rtime);
1900
				atomic_add(rtime - stime, &audit_backlog_wait_time_actual);
1901
				remove_wait_queue(&audit_backlog_wait, &wait);
1902
			} else {
1903
				if (audit_rate_check() && printk_ratelimit())
1904
					pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
1905
						skb_queue_len(&audit_queue),
1906
						audit_backlog_limit);
1907
				audit_log_lost("backlog limit exceeded");
1908
				return NULL;
1909
			}
1910
		}
1911
	}
1912

1913
	ab = audit_buffer_alloc(ctx, gfp_mask, type);
1914
	if (!ab) {
1915
		audit_log_lost("out of memory in audit_log_start");
1916
		return NULL;
1917
	}
1918

1919
	audit_get_stamp(ab->ctx, &t, &serial);
1920
	/* cancel dummy context to enable supporting records */
1921
	if (ctx)
1922
		ctx->dummy = 0;
1923
	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
1924
			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
1925

1926
	return ab;
1927
}
1928

1929
/**
1930
 * audit_expand - expand skb in the audit buffer
1931
 * @ab: audit_buffer
1932
 * @extra: space to add at tail of the skb
1933
 *
1934
 * Returns 0 (no space) on failed expansion, or available space if
1935
 * successful.
1936
 */
1937
static inline int audit_expand(struct audit_buffer *ab, int extra)
1938
{
1939
	struct sk_buff *skb = ab->skb;
1940
	int oldtail = skb_tailroom(skb);
1941
	int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
1942
	int newtail = skb_tailroom(skb);
1943

1944
	if (ret < 0) {
1945
		audit_log_lost("out of memory in audit_expand");
1946
		return 0;
1947
	}
1948

1949
	skb->truesize += newtail - oldtail;
1950
	return newtail;
1951
}
1952

1953
/*
1954
 * Format an audit message into the audit buffer.  If there isn't enough
1955
 * room in the audit buffer, more room will be allocated and vsnprint
1956
 * will be called a second time.  Currently, we assume that a printk
1957
 * can't format message larger than 1024 bytes, so we don't either.
1958
 */
1959
static __printf(2, 0)
1960
void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args)
1961
{
1962
	int len, avail;
1963
	struct sk_buff *skb;
1964
	va_list args2;
1965

1966
	if (!ab)
1967
		return;
1968

1969
	BUG_ON(!ab->skb);
1970
	skb = ab->skb;
1971
	avail = skb_tailroom(skb);
1972
	if (avail == 0) {
1973
		avail = audit_expand(ab, AUDIT_BUFSIZ);
1974
		if (!avail)
1975
			goto out;
1976
	}
1977
	va_copy(args2, args);
1978
	len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
1979
	if (len >= avail) {
1980
		/* The printk buffer is 1024 bytes long, so if we get
1981
		 * here and AUDIT_BUFSIZ is at least 1024, then we can
1982
		 * log everything that printk could have logged. */
1983
		avail = audit_expand(ab,
1984
			max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
1985
		if (!avail)
1986
			goto out_va_end;
1987
		len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
1988
	}
1989
	if (len > 0)
1990
		skb_put(skb, len);
1991
out_va_end:
1992
	va_end(args2);
1993
out:
1994
	return;
1995
}
1996

1997
/**
1998
 * audit_log_format - format a message into the audit buffer.
1999
 * @ab: audit_buffer
2000
 * @fmt: format string
2001
 * @...: optional parameters matching @fmt string
2002
 *
2003
 * All the work is done in audit_log_vformat.
2004
 */
2005
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
2006
{
2007
	va_list args;
2008

2009
	if (!ab)
2010
		return;
2011
	va_start(args, fmt);
2012
	audit_log_vformat(ab, fmt, args);
2013
	va_end(args);
2014
}
2015

2016
/**
2017
 * audit_log_n_hex - convert a buffer to hex and append it to the audit skb
2018
 * @ab: the audit_buffer
2019
 * @buf: buffer to convert to hex
2020
 * @len: length of @buf to be converted
2021
 *
2022
 * No return value; failure to expand is silently ignored.
2023
 *
2024
 * This function will take the passed buf and convert it into a string of
2025
 * ascii hex digits. The new string is placed onto the skb.
2026
 */
2027
void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
2028
		size_t len)
2029
{
2030
	int i, avail, new_len;
2031
	unsigned char *ptr;
2032
	struct sk_buff *skb;
2033

2034
	if (!ab)
2035
		return;
2036

2037
	BUG_ON(!ab->skb);
2038
	skb = ab->skb;
2039
	avail = skb_tailroom(skb);
2040
	new_len = len<<1;
2041
	if (new_len >= avail) {
2042
		/* Round the buffer request up to the next multiple */
2043
		new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
2044
		avail = audit_expand(ab, new_len);
2045
		if (!avail)
2046
			return;
2047
	}
2048

2049
	ptr = skb_tail_pointer(skb);
2050
	for (i = 0; i < len; i++)
2051
		ptr = hex_byte_pack_upper(ptr, buf[i]);
2052
	*ptr = 0;
2053
	skb_put(skb, len << 1); /* new string is twice the old string */
2054
}
2055

2056
/*
2057
 * Format a string of no more than slen characters into the audit buffer,
2058
 * enclosed in quote marks.
2059
 */
2060
void audit_log_n_string(struct audit_buffer *ab, const char *string,
2061
			size_t slen)
2062
{
2063
	int avail, new_len;
2064
	unsigned char *ptr;
2065
	struct sk_buff *skb;
2066

2067
	if (!ab)
2068
		return;
2069

2070
	BUG_ON(!ab->skb);
2071
	skb = ab->skb;
2072
	avail = skb_tailroom(skb);
2073
	new_len = slen + 3;	/* enclosing quotes + null terminator */
2074
	if (new_len > avail) {
2075
		avail = audit_expand(ab, new_len);
2076
		if (!avail)
2077
			return;
2078
	}
2079
	ptr = skb_tail_pointer(skb);
2080
	*ptr++ = '"';
2081
	memcpy(ptr, string, slen);
2082
	ptr += slen;
2083
	*ptr++ = '"';
2084
	*ptr = 0;
2085
	skb_put(skb, slen + 2);	/* don't include null terminator */
2086
}
2087

2088
/**
2089
 * audit_string_contains_control - does a string need to be logged in hex
2090
 * @string: string to be checked
2091
 * @len: max length of the string to check
2092
 */
2093
bool audit_string_contains_control(const char *string, size_t len)
2094
{
2095
	const unsigned char *p;
2096
	for (p = string; p < (const unsigned char *)string + len; p++) {
2097
		if (*p == '"' || *p < 0x21 || *p > 0x7e)
2098
			return true;
2099
	}
2100
	return false;
2101
}
2102

2103
/**
2104
 * audit_log_n_untrustedstring - log a string that may contain random characters
2105
 * @ab: audit_buffer
2106
 * @string: string to be logged
2107
 * @len: length of string (not including trailing null)
2108
 *
2109
 * This code will escape a string that is passed to it if the string
2110
 * contains a control character, unprintable character, double quote mark,
2111
 * or a space. Unescaped strings will start and end with a double quote mark.
2112
 * Strings that are escaped are printed in hex (2 digits per char).
2113
 *
2114
 * The caller specifies the number of characters in the string to log, which may
2115
 * or may not be the entire string.
2116
 */
2117
void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
2118
				 size_t len)
2119
{
2120
	if (audit_string_contains_control(string, len))
2121
		audit_log_n_hex(ab, string, len);
2122
	else
2123
		audit_log_n_string(ab, string, len);
2124
}
2125

2126
/**
2127
 * audit_log_untrustedstring - log a string that may contain random characters
2128
 * @ab: audit_buffer
2129
 * @string: string to be logged
2130
 *
2131
 * Same as audit_log_n_untrustedstring(), except that strlen is used to
2132
 * determine string length.
2133
 */
2134
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
2135
{
2136
	audit_log_n_untrustedstring(ab, string, strlen(string));
2137
}
2138

2139
/* This is a helper-function to print the escaped d_path */
2140
void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
2141
		      const struct path *path)
2142
{
2143
	char *p, *pathname;
2144

2145
	if (prefix)
2146
		audit_log_format(ab, "%s", prefix);
2147

2148
	/* We will allow 11 spaces for ' (deleted)' to be appended */
2149
	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
2150
	if (!pathname) {
2151
		audit_log_format(ab, "\"<no_memory>\"");
2152
		return;
2153
	}
2154
	p = d_path(path, pathname, PATH_MAX+11);
2155
	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
2156
		/* FIXME: can we save some information here? */
2157
		audit_log_format(ab, "\"<too_long>\"");
2158
	} else
2159
		audit_log_untrustedstring(ab, p);
2160
	kfree(pathname);
2161
}
2162

2163
void audit_log_session_info(struct audit_buffer *ab)
2164
{
2165
	unsigned int sessionid = audit_get_sessionid(current);
2166
	uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
2167

2168
	audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
2169
}
2170

2171
void audit_log_key(struct audit_buffer *ab, char *key)
2172
{
2173
	audit_log_format(ab, " key=");
2174
	if (key)
2175
		audit_log_untrustedstring(ab, key);
2176
	else
2177
		audit_log_format(ab, "(null)");
2178
}
2179

2180
int audit_log_task_context(struct audit_buffer *ab)
2181
{
2182
	struct lsm_prop prop;
2183
	struct lsm_context ctx;
2184
	int error;
2185

2186
	security_current_getlsmprop_subj(&prop);
2187
	if (!lsmprop_is_set(&prop))
2188
		return 0;
2189

2190
	error = security_lsmprop_to_secctx(&prop, &ctx);
2191
	if (error < 0) {
2192
		if (error != -EINVAL)
2193
			goto error_path;
2194
		return 0;
2195
	}
2196

2197
	audit_log_format(ab, " subj=%s", ctx.context);
2198
	security_release_secctx(&ctx);
2199
	return 0;
2200

2201
error_path:
2202
	audit_panic("error in audit_log_task_context");
2203
	return error;
2204
}
2205
EXPORT_SYMBOL(audit_log_task_context);
2206

2207
void audit_log_d_path_exe(struct audit_buffer *ab,
2208
			  struct mm_struct *mm)
2209
{
2210
	struct file *exe_file;
2211

2212
	if (!mm)
2213
		goto out_null;
2214

2215
	exe_file = get_mm_exe_file(mm);
2216
	if (!exe_file)
2217
		goto out_null;
2218

2219
	audit_log_d_path(ab, " exe=", &exe_file->f_path);
2220
	fput(exe_file);
2221
	return;
2222
out_null:
2223
	audit_log_format(ab, " exe=(null)");
2224
}
2225

2226
struct tty_struct *audit_get_tty(void)
2227
{
2228
	struct tty_struct *tty = NULL;
2229
	unsigned long flags;
2230

2231
	spin_lock_irqsave(&current->sighand->siglock, flags);
2232
	if (current->signal)
2233
		tty = tty_kref_get(current->signal->tty);
2234
	spin_unlock_irqrestore(&current->sighand->siglock, flags);
2235
	return tty;
2236
}
2237

2238
void audit_put_tty(struct tty_struct *tty)
2239
{
2240
	tty_kref_put(tty);
2241
}
2242

2243
void audit_log_task_info(struct audit_buffer *ab)
2244
{
2245
	const struct cred *cred;
2246
	char comm[sizeof(current->comm)];
2247
	struct tty_struct *tty;
2248

2249
	if (!ab)
2250
		return;
2251

2252
	cred = current_cred();
2253
	tty = audit_get_tty();
2254
	audit_log_format(ab,
2255
			 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
2256
			 " euid=%u suid=%u fsuid=%u"
2257
			 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
2258
			 task_ppid_nr(current),
2259
			 task_tgid_nr(current),
2260
			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
2261
			 from_kuid(&init_user_ns, cred->uid),
2262
			 from_kgid(&init_user_ns, cred->gid),
2263
			 from_kuid(&init_user_ns, cred->euid),
2264
			 from_kuid(&init_user_ns, cred->suid),
2265
			 from_kuid(&init_user_ns, cred->fsuid),
2266
			 from_kgid(&init_user_ns, cred->egid),
2267
			 from_kgid(&init_user_ns, cred->sgid),
2268
			 from_kgid(&init_user_ns, cred->fsgid),
2269
			 tty ? tty_name(tty) : "(none)",
2270
			 audit_get_sessionid(current));
2271
	audit_put_tty(tty);
2272
	audit_log_format(ab, " comm=");
2273
	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2274
	audit_log_d_path_exe(ab, current->mm);
2275
	audit_log_task_context(ab);
2276
}
2277
EXPORT_SYMBOL(audit_log_task_info);
2278

2279
/**
2280
 * audit_log_path_denied - report a path restriction denial
2281
 * @type: audit message type (AUDIT_ANOM_LINK, AUDIT_ANOM_CREAT, etc)
2282
 * @operation: specific operation name
2283
 */
2284
void audit_log_path_denied(int type, const char *operation)
2285
{
2286
	struct audit_buffer *ab;
2287

2288
	if (!audit_enabled)
2289
		return;
2290

2291
	/* Generate log with subject, operation, outcome. */
2292
	ab = audit_log_start(audit_context(), GFP_KERNEL, type);
2293
	if (!ab)
2294
		return;
2295
	audit_log_format(ab, "op=%s", operation);
2296
	audit_log_task_info(ab);
2297
	audit_log_format(ab, " res=0");
2298
	audit_log_end(ab);
2299
}
2300

2301
/* global counter which is incremented every time something logs in */
2302
static atomic_t session_id = ATOMIC_INIT(0);
2303

2304
static int audit_set_loginuid_perm(kuid_t loginuid)
2305
{
2306
	/* if we are unset, we don't need privs */
2307
	if (!audit_loginuid_set(current))
2308
		return 0;
2309
	/* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
2310
	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
2311
		return -EPERM;
2312
	/* it is set, you need permission */
2313
	if (!capable(CAP_AUDIT_CONTROL))
2314
		return -EPERM;
2315
	/* reject if this is not an unset and we don't allow that */
2316
	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID)
2317
				 && uid_valid(loginuid))
2318
		return -EPERM;
2319
	return 0;
2320
}
2321

2322
static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2323
				   unsigned int oldsessionid,
2324
				   unsigned int sessionid, int rc)
2325
{
2326
	struct audit_buffer *ab;
2327
	uid_t uid, oldloginuid, loginuid;
2328
	struct tty_struct *tty;
2329

2330
	if (!audit_enabled)
2331
		return;
2332

2333
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN);
2334
	if (!ab)
2335
		return;
2336

2337
	uid = from_kuid(&init_user_ns, task_uid(current));
2338
	oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2339
	loginuid = from_kuid(&init_user_ns, kloginuid);
2340
	tty = audit_get_tty();
2341

2342
	audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
2343
	audit_log_task_context(ab);
2344
	audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
2345
			 oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
2346
			 oldsessionid, sessionid, !rc);
2347
	audit_put_tty(tty);
2348
	audit_log_end(ab);
2349
}
2350

2351
/**
2352
 * audit_set_loginuid - set current task's loginuid
2353
 * @loginuid: loginuid value
2354
 *
2355
 * Returns 0.
2356
 *
2357
 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2358
 */
2359
int audit_set_loginuid(kuid_t loginuid)
2360
{
2361
	unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
2362
	kuid_t oldloginuid;
2363
	int rc;
2364

2365
	oldloginuid = audit_get_loginuid(current);
2366
	oldsessionid = audit_get_sessionid(current);
2367

2368
	rc = audit_set_loginuid_perm(loginuid);
2369
	if (rc)
2370
		goto out;
2371

2372
	/* are we setting or clearing? */
2373
	if (uid_valid(loginuid)) {
2374
		sessionid = (unsigned int)atomic_inc_return(&session_id);
2375
		if (unlikely(sessionid == AUDIT_SID_UNSET))
2376
			sessionid = (unsigned int)atomic_inc_return(&session_id);
2377
	}
2378

2379
	current->sessionid = sessionid;
2380
	current->loginuid = loginuid;
2381
out:
2382
	audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2383
	return rc;
2384
}
2385

2386
/**
2387
 * audit_signal_info - record signal info for shutting down audit subsystem
2388
 * @sig: signal value
2389
 * @t: task being signaled
2390
 *
2391
 * If the audit subsystem is being terminated, record the task (pid)
2392
 * and uid that is doing that.
2393
 */
2394
int audit_signal_info(int sig, struct task_struct *t)
2395
{
2396
	kuid_t uid = current_uid(), auid;
2397

2398
	if (auditd_test_task(t) &&
2399
	    (sig == SIGTERM || sig == SIGHUP ||
2400
	     sig == SIGUSR1 || sig == SIGUSR2)) {
2401
		audit_sig_pid = task_tgid_nr(current);
2402
		auid = audit_get_loginuid(current);
2403
		if (uid_valid(auid))
2404
			audit_sig_uid = auid;
2405
		else
2406
			audit_sig_uid = uid;
2407
		security_current_getlsmprop_subj(&audit_sig_lsm);
2408
	}
2409

2410
	return audit_signal_info_syscall(t);
2411
}
2412

2413
/**
2414
 * audit_log_end - end one audit record
2415
 * @ab: the audit_buffer
2416
 *
2417
 * We can not do a netlink send inside an irq context because it blocks (last
2418
 * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
2419
 * queue and a kthread is scheduled to remove them from the queue outside the
2420
 * irq context.  May be called in any context.
2421
 */
2422
void audit_log_end(struct audit_buffer *ab)
2423
{
2424
	struct sk_buff *skb;
2425
	struct nlmsghdr *nlh;
2426

2427
	if (!ab)
2428
		return;
2429

2430
	if (audit_rate_check()) {
2431
		skb = ab->skb;
2432
		ab->skb = NULL;
2433

2434
		/* setup the netlink header, see the comments in
2435
		 * kauditd_send_multicast_skb() for length quirks */
2436
		nlh = nlmsg_hdr(skb);
2437
		nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
2438

2439
		/* queue the netlink packet and poke the kauditd thread */
2440
		skb_queue_tail(&audit_queue, skb);
2441
		wake_up_interruptible(&kauditd_wait);
2442
	} else
2443
		audit_log_lost("rate limit exceeded");
2444

2445
	audit_buffer_free(ab);
2446
}
2447

2448
/**
2449
 * audit_log - Log an audit record
2450
 * @ctx: audit context
2451
 * @gfp_mask: type of allocation
2452
 * @type: audit message type
2453
 * @fmt: format string to use
2454
 * @...: variable parameters matching the format string
2455
 *
2456
 * This is a convenience function that calls audit_log_start,
2457
 * audit_log_vformat, and audit_log_end.  It may be called
2458
 * in any context.
2459
 */
2460
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
2461
	       const char *fmt, ...)
2462
{
2463
	struct audit_buffer *ab;
2464
	va_list args;
2465

2466
	ab = audit_log_start(ctx, gfp_mask, type);
2467
	if (ab) {
2468
		va_start(args, fmt);
2469
		audit_log_vformat(ab, fmt, args);
2470
		va_end(args);
2471
		audit_log_end(ab);
2472
	}
2473
}
2474

2475
EXPORT_SYMBOL(audit_log_start);
2476
EXPORT_SYMBOL(audit_log_end);
2477
EXPORT_SYMBOL(audit_log_format);
2478
EXPORT_SYMBOL(audit_log);
2479

2480