Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/kernel/auditsc.c
26243 views
1
// SPDX-License-Identifier: GPL-2.0-or-later

2
/* auditsc.c -- System-call auditing support

3
 * Handles all system-call specific auditing features.

4
 *

5
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.

6
 * Copyright 2005 Hewlett-Packard Development Company, L.P.

7
 * Copyright (C) 2005, 2006 IBM Corporation

8
 * All Rights Reserved.

9
 *

10
 * Written by Rickard E. (Rik) Faith <[email protected]>

11
 *

12
 * Many of the ideas implemented here are from Stephen C. Tweedie,

13
 * especially the idea of avoiding a copy by using getname.

14
 *

15
 * The method for actual interception of syscall entry and exit (not in

16
 * this file -- see entry.S) is based on a GPL'd patch written by

17
 * [email protected] and Copyright 2003 SuSE Linux AG.

18
 *

19
 * POSIX message queue support added by George Wilson <[email protected]>,

20
 * 2006.

21
 *

22
 * The support of additional filter rules compares (>, <, >=, <=) was

23
 * added by Dustin Kirkland <[email protected]>, 2005.

24
 *

25
 * Modified by Amy Griffis <[email protected]> to collect additional

26
 * filesystem information.

27
 *

28
 * Subject and object context labeling support added by <[email protected]>

29
 * and <[email protected]> for LSPP certification compliance.

30
 */

31


32
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

33


34
#include <linux/init.h>

35
#include <asm/types.h>

36
#include <linux/atomic.h>

37
#include <linux/fs.h>

38
#include <linux/namei.h>

39
#include <linux/mm.h>

40
#include <linux/export.h>

41
#include <linux/slab.h>

42
#include <linux/mount.h>

43
#include <linux/socket.h>

44
#include <linux/mqueue.h>

45
#include <linux/audit.h>

46
#include <linux/personality.h>

47
#include <linux/time.h>

48
#include <linux/netlink.h>

49
#include <linux/compiler.h>

50
#include <asm/unistd.h>

51
#include <linux/security.h>

52
#include <linux/list.h>

53
#include <linux/binfmts.h>

54
#include <linux/highmem.h>

55
#include <linux/syscalls.h>

56
#include <asm/syscall.h>

57
#include <linux/capability.h>

58
#include <linux/fs_struct.h>

59
#include <linux/compat.h>

60
#include <linux/ctype.h>

61
#include <linux/string.h>

62
#include <linux/uaccess.h>

63
#include <linux/fsnotify_backend.h>

64
#include <uapi/linux/limits.h>

65
#include <uapi/linux/netfilter/nf_tables.h>

66
#include <uapi/linux/openat2.h> // struct open_how

67
#include <uapi/linux/fanotify.h>

68


69
#include "audit.h"

70


71
/* flags stating the success for a syscall */

72
#define AUDITSC_INVALID 0

73
#define AUDITSC_SUCCESS 1

74
#define AUDITSC_FAILURE 2

75


76
/* no execve audit message should be longer than this (userspace limits),

77
 * see the note near the top of audit_log_execve_info() about this value */

78
#define MAX_EXECVE_AUDIT_LEN 7500

79


80
/* max length to print of cmdline/proctitle value during audit */

81
#define MAX_PROCTITLE_AUDIT_LEN 128

82


83
/* number of audit rules */

84
int audit_n_rules;

85


86
/* determines whether we collect data for signals sent */

87
int audit_signals;

88


89
struct audit_aux_data {

90
	struct audit_aux_data	*next;

91
	int			type;

92
};

93


94
/* Number of target pids per aux struct. */

95
#define AUDIT_AUX_PIDS	16

96


97
struct audit_aux_data_pids {

98
	struct audit_aux_data	d;

99
	pid_t			target_pid[AUDIT_AUX_PIDS];

100
	kuid_t			target_auid[AUDIT_AUX_PIDS];

101
	kuid_t			target_uid[AUDIT_AUX_PIDS];

102
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];

103
	struct lsm_prop		target_ref[AUDIT_AUX_PIDS];

104
	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];

105
	int			pid_count;

106
};

107


108
struct audit_aux_data_bprm_fcaps {

109
	struct audit_aux_data	d;

110
	struct audit_cap_data	fcap;

111
	unsigned int		fcap_ver;

112
	struct audit_cap_data	old_pcap;

113
	struct audit_cap_data	new_pcap;

114
};

115


116
struct audit_tree_refs {

117
	struct audit_tree_refs *next;

118
	struct audit_chunk *c[31];

119
};

120


121
struct audit_nfcfgop_tab {

122
	enum audit_nfcfgop	op;

123
	const char		*s;

124
};

125


126
static const struct audit_nfcfgop_tab audit_nfcfgs[] = {

127
	{ AUDIT_XT_OP_REGISTER,			"xt_register"		   },

128
	{ AUDIT_XT_OP_REPLACE,			"xt_replace"		   },

129
	{ AUDIT_XT_OP_UNREGISTER,		"xt_unregister"		   },

130
	{ AUDIT_NFT_OP_TABLE_REGISTER,		"nft_register_table"	   },

131
	{ AUDIT_NFT_OP_TABLE_UNREGISTER,	"nft_unregister_table"	   },

132
	{ AUDIT_NFT_OP_CHAIN_REGISTER,		"nft_register_chain"	   },

133
	{ AUDIT_NFT_OP_CHAIN_UNREGISTER,	"nft_unregister_chain"	   },

134
	{ AUDIT_NFT_OP_RULE_REGISTER,		"nft_register_rule"	   },

135
	{ AUDIT_NFT_OP_RULE_UNREGISTER,		"nft_unregister_rule"	   },

136
	{ AUDIT_NFT_OP_SET_REGISTER,		"nft_register_set"	   },

137
	{ AUDIT_NFT_OP_SET_UNREGISTER,		"nft_unregister_set"	   },

138
	{ AUDIT_NFT_OP_SETELEM_REGISTER,	"nft_register_setelem"	   },

139
	{ AUDIT_NFT_OP_SETELEM_UNREGISTER,	"nft_unregister_setelem"   },

140
	{ AUDIT_NFT_OP_GEN_REGISTER,		"nft_register_gen"	   },

141
	{ AUDIT_NFT_OP_OBJ_REGISTER,		"nft_register_obj"	   },

142
	{ AUDIT_NFT_OP_OBJ_UNREGISTER,		"nft_unregister_obj"	   },

143
	{ AUDIT_NFT_OP_OBJ_RESET,		"nft_reset_obj"		   },

144
	{ AUDIT_NFT_OP_FLOWTABLE_REGISTER,	"nft_register_flowtable"   },

145
	{ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,	"nft_unregister_flowtable" },

146
	{ AUDIT_NFT_OP_SETELEM_RESET,		"nft_reset_setelem"        },

147
	{ AUDIT_NFT_OP_RULE_RESET,		"nft_reset_rule"           },

148
	{ AUDIT_NFT_OP_INVALID,			"nft_invalid"		   },

149
};

150


151
static int audit_match_perm(struct audit_context *ctx, int mask)

152
{

153
	unsigned n;

154


155
	if (unlikely(!ctx))

156
		return 0;

157
	n = ctx->major;

158


159
	switch (audit_classify_syscall(ctx->arch, n)) {

160
	case AUDITSC_NATIVE:

161
		if ((mask & AUDIT_PERM_WRITE) &&

162
		     audit_match_class(AUDIT_CLASS_WRITE, n))

163
			return 1;

164
		if ((mask & AUDIT_PERM_READ) &&

165
		     audit_match_class(AUDIT_CLASS_READ, n))

166
			return 1;

167
		if ((mask & AUDIT_PERM_ATTR) &&

168
		     audit_match_class(AUDIT_CLASS_CHATTR, n))

169
			return 1;

170
		return 0;

171
	case AUDITSC_COMPAT: /* 32bit on biarch */

172
		if ((mask & AUDIT_PERM_WRITE) &&

173
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))

174
			return 1;

175
		if ((mask & AUDIT_PERM_READ) &&

176
		     audit_match_class(AUDIT_CLASS_READ_32, n))

177
			return 1;

178
		if ((mask & AUDIT_PERM_ATTR) &&

179
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))

180
			return 1;

181
		return 0;

182
	case AUDITSC_OPEN:

183
		return mask & ACC_MODE(ctx->argv[1]);

184
	case AUDITSC_OPENAT:

185
		return mask & ACC_MODE(ctx->argv[2]);

186
	case AUDITSC_SOCKETCALL:

187
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);

188
	case AUDITSC_EXECVE:

189
		return mask & AUDIT_PERM_EXEC;

190
	case AUDITSC_OPENAT2:

191
		return mask & ACC_MODE((u32)ctx->openat2.flags);

192
	default:

193
		return 0;

194
	}

195
}

196


197
static int audit_match_filetype(struct audit_context *ctx, int val)

198
{

199
	struct audit_names *n;

200
	umode_t mode = (umode_t)val;

201


202
	if (unlikely(!ctx))

203
		return 0;

204


205
	list_for_each_entry(n, &ctx->names_list, list) {

206
		if ((n->ino != AUDIT_INO_UNSET) &&

207
		    ((n->mode & S_IFMT) == mode))

208
			return 1;

209
	}

210


211
	return 0;

212
}

213


214
/*

215
 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;

216
 * ->first_trees points to its beginning, ->trees - to the current end of data.

217
 * ->tree_count is the number of free entries in array pointed to by ->trees.

218
 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,

219
 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,

220
 * it's going to remain 1-element for almost any setup) until we free context itself.

221
 * References in it _are_ dropped - at the same time we free/drop aux stuff.

222
 */

223


224
static void audit_set_auditable(struct audit_context *ctx)

225
{

226
	if (!ctx->prio) {

227
		ctx->prio = 1;

228
		ctx->current_state = AUDIT_STATE_RECORD;

229
	}

230
}

231


232
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)

233
{

234
	struct audit_tree_refs *p = ctx->trees;

235
	int left = ctx->tree_count;

236


237
	if (likely(left)) {

238
		p->c[--left] = chunk;

239
		ctx->tree_count = left;

240
		return 1;

241
	}

242
	if (!p)

243
		return 0;

244
	p = p->next;

245
	if (p) {

246
		p->c[30] = chunk;

247
		ctx->trees = p;

248
		ctx->tree_count = 30;

249
		return 1;

250
	}

251
	return 0;

252
}

253


254
static int grow_tree_refs(struct audit_context *ctx)

255
{

256
	struct audit_tree_refs *p = ctx->trees;

257


258
	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);

259
	if (!ctx->trees) {

260
		ctx->trees = p;

261
		return 0;

262
	}

263
	if (p)

264
		p->next = ctx->trees;

265
	else

266
		ctx->first_trees = ctx->trees;

267
	ctx->tree_count = 31;

268
	return 1;

269
}

270


271
static void unroll_tree_refs(struct audit_context *ctx,

272
		      struct audit_tree_refs *p, int count)

273
{

274
	struct audit_tree_refs *q;

275
	int n;

276


277
	if (!p) {

278
		/* we started with empty chain */

279
		p = ctx->first_trees;

280
		count = 31;

281
		/* if the very first allocation has failed, nothing to do */

282
		if (!p)

283
			return;

284
	}

285
	n = count;

286
	for (q = p; q != ctx->trees; q = q->next, n = 31) {

287
		while (n--) {

288
			audit_put_chunk(q->c[n]);

289
			q->c[n] = NULL;

290
		}

291
	}

292
	while (n-- > ctx->tree_count) {

293
		audit_put_chunk(q->c[n]);

294
		q->c[n] = NULL;

295
	}

296
	ctx->trees = p;

297
	ctx->tree_count = count;

298
}

299


300
static void free_tree_refs(struct audit_context *ctx)

301
{

302
	struct audit_tree_refs *p, *q;

303


304
	for (p = ctx->first_trees; p; p = q) {

305
		q = p->next;

306
		kfree(p);

307
	}

308
}

309


310
static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)

311
{

312
	struct audit_tree_refs *p;

313
	int n;

314


315
	if (!tree)

316
		return 0;

317
	/* full ones */

318
	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {

319
		for (n = 0; n < 31; n++)

320
			if (audit_tree_match(p->c[n], tree))

321
				return 1;

322
	}

323
	/* partial */

324
	if (p) {

325
		for (n = ctx->tree_count; n < 31; n++)

326
			if (audit_tree_match(p->c[n], tree))

327
				return 1;

328
	}

329
	return 0;

330
}

331


332
static int audit_compare_uid(kuid_t uid,

333
			     struct audit_names *name,

334
			     struct audit_field *f,

335
			     struct audit_context *ctx)

336
{

337
	struct audit_names *n;

338
	int rc;

339


340
	if (name) {

341
		rc = audit_uid_comparator(uid, f->op, name->uid);

342
		if (rc)

343
			return rc;

344
	}

345


346
	if (ctx) {

347
		list_for_each_entry(n, &ctx->names_list, list) {

348
			rc = audit_uid_comparator(uid, f->op, n->uid);

349
			if (rc)

350
				return rc;

351
		}

352
	}

353
	return 0;

354
}

355


356
static int audit_compare_gid(kgid_t gid,

357
			     struct audit_names *name,

358
			     struct audit_field *f,

359
			     struct audit_context *ctx)

360
{

361
	struct audit_names *n;

362
	int rc;

363


364
	if (name) {

365
		rc = audit_gid_comparator(gid, f->op, name->gid);

366
		if (rc)

367
			return rc;

368
	}

369


370
	if (ctx) {

371
		list_for_each_entry(n, &ctx->names_list, list) {

372
			rc = audit_gid_comparator(gid, f->op, n->gid);

373
			if (rc)

374
				return rc;

375
		}

376
	}

377
	return 0;

378
}

379


380
static int audit_field_compare(struct task_struct *tsk,

381
			       const struct cred *cred,

382
			       struct audit_field *f,

383
			       struct audit_context *ctx,

384
			       struct audit_names *name)

385
{

386
	switch (f->val) {

387
	/* process to file object comparisons */

388
	case AUDIT_COMPARE_UID_TO_OBJ_UID:

389
		return audit_compare_uid(cred->uid, name, f, ctx);

390
	case AUDIT_COMPARE_GID_TO_OBJ_GID:

391
		return audit_compare_gid(cred->gid, name, f, ctx);

392
	case AUDIT_COMPARE_EUID_TO_OBJ_UID:

393
		return audit_compare_uid(cred->euid, name, f, ctx);

394
	case AUDIT_COMPARE_EGID_TO_OBJ_GID:

395
		return audit_compare_gid(cred->egid, name, f, ctx);

396
	case AUDIT_COMPARE_AUID_TO_OBJ_UID:

397
		return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);

398
	case AUDIT_COMPARE_SUID_TO_OBJ_UID:

399
		return audit_compare_uid(cred->suid, name, f, ctx);

400
	case AUDIT_COMPARE_SGID_TO_OBJ_GID:

401
		return audit_compare_gid(cred->sgid, name, f, ctx);

402
	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:

403
		return audit_compare_uid(cred->fsuid, name, f, ctx);

404
	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:

405
		return audit_compare_gid(cred->fsgid, name, f, ctx);

406
	/* uid comparisons */

407
	case AUDIT_COMPARE_UID_TO_AUID:

408
		return audit_uid_comparator(cred->uid, f->op,

409
					    audit_get_loginuid(tsk));

410
	case AUDIT_COMPARE_UID_TO_EUID:

411
		return audit_uid_comparator(cred->uid, f->op, cred->euid);

412
	case AUDIT_COMPARE_UID_TO_SUID:

413
		return audit_uid_comparator(cred->uid, f->op, cred->suid);

414
	case AUDIT_COMPARE_UID_TO_FSUID:

415
		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);

416
	/* auid comparisons */

417
	case AUDIT_COMPARE_AUID_TO_EUID:

418
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,

419
					    cred->euid);

420
	case AUDIT_COMPARE_AUID_TO_SUID:

421
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,

422
					    cred->suid);

423
	case AUDIT_COMPARE_AUID_TO_FSUID:

424
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,

425
					    cred->fsuid);

426
	/* euid comparisons */

427
	case AUDIT_COMPARE_EUID_TO_SUID:

428
		return audit_uid_comparator(cred->euid, f->op, cred->suid);

429
	case AUDIT_COMPARE_EUID_TO_FSUID:

430
		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);

431
	/* suid comparisons */

432
	case AUDIT_COMPARE_SUID_TO_FSUID:

433
		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);

434
	/* gid comparisons */

435
	case AUDIT_COMPARE_GID_TO_EGID:

436
		return audit_gid_comparator(cred->gid, f->op, cred->egid);

437
	case AUDIT_COMPARE_GID_TO_SGID:

438
		return audit_gid_comparator(cred->gid, f->op, cred->sgid);

439
	case AUDIT_COMPARE_GID_TO_FSGID:

440
		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);

441
	/* egid comparisons */

442
	case AUDIT_COMPARE_EGID_TO_SGID:

443
		return audit_gid_comparator(cred->egid, f->op, cred->sgid);

444
	case AUDIT_COMPARE_EGID_TO_FSGID:

445
		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);

446
	/* sgid comparison */

447
	case AUDIT_COMPARE_SGID_TO_FSGID:

448
		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);

449
	default:

450
		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");

451
		return 0;

452
	}

453
	return 0;

454
}

455


456
/* Determine if any context name data matches a rule's watch data */

457
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0

458
 * otherwise.

459
 *

460
 * If task_creation is true, this is an explicit indication that we are

461
 * filtering a task rule at task creation time.  This and tsk == current are

462
 * the only situations where tsk->cred may be accessed without an rcu read lock.

463
 */

464
static int audit_filter_rules(struct task_struct *tsk,

465
			      struct audit_krule *rule,

466
			      struct audit_context *ctx,

467
			      struct audit_names *name,

468
			      enum audit_state *state,

469
			      bool task_creation)

470
{

471
	const struct cred *cred;

472
	int i, need_sid = 1;

473
	struct lsm_prop prop = { };

474
	unsigned int sessionid;

475


476
	if (ctx && rule->prio <= ctx->prio)

477
		return 0;

478


479
	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);

480


481
	for (i = 0; i < rule->field_count; i++) {

482
		struct audit_field *f = &rule->fields[i];

483
		struct audit_names *n;

484
		int result = 0;

485
		pid_t pid;

486


487
		switch (f->type) {

488
		case AUDIT_PID:

489
			pid = task_tgid_nr(tsk);

490
			result = audit_comparator(pid, f->op, f->val);

491
			break;

492
		case AUDIT_PPID:

493
			if (ctx) {

494
				if (!ctx->ppid)

495
					ctx->ppid = task_ppid_nr(tsk);

496
				result = audit_comparator(ctx->ppid, f->op, f->val);

497
			}

498
			break;

499
		case AUDIT_EXE:

500
			result = audit_exe_compare(tsk, rule->exe);

501
			if (f->op == Audit_not_equal)

502
				result = !result;

503
			break;

504
		case AUDIT_UID:

505
			result = audit_uid_comparator(cred->uid, f->op, f->uid);

506
			break;

507
		case AUDIT_EUID:

508
			result = audit_uid_comparator(cred->euid, f->op, f->uid);

509
			break;

510
		case AUDIT_SUID:

511
			result = audit_uid_comparator(cred->suid, f->op, f->uid);

512
			break;

513
		case AUDIT_FSUID:

514
			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);

515
			break;

516
		case AUDIT_GID:

517
			result = audit_gid_comparator(cred->gid, f->op, f->gid);

518
			if (f->op == Audit_equal) {

519
				if (!result)

520
					result = groups_search(cred->group_info, f->gid);

521
			} else if (f->op == Audit_not_equal) {

522
				if (result)

523
					result = !groups_search(cred->group_info, f->gid);

524
			}

525
			break;

526
		case AUDIT_EGID:

527
			result = audit_gid_comparator(cred->egid, f->op, f->gid);

528
			if (f->op == Audit_equal) {

529
				if (!result)

530
					result = groups_search(cred->group_info, f->gid);

531
			} else if (f->op == Audit_not_equal) {

532
				if (result)

533
					result = !groups_search(cred->group_info, f->gid);

534
			}

535
			break;

536
		case AUDIT_SGID:

537
			result = audit_gid_comparator(cred->sgid, f->op, f->gid);

538
			break;

539
		case AUDIT_FSGID:

540
			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);

541
			break;

542
		case AUDIT_SESSIONID:

543
			sessionid = audit_get_sessionid(tsk);

544
			result = audit_comparator(sessionid, f->op, f->val);

545
			break;

546
		case AUDIT_PERS:

547
			result = audit_comparator(tsk->personality, f->op, f->val);

548
			break;

549
		case AUDIT_ARCH:

550
			if (ctx)

551
				result = audit_comparator(ctx->arch, f->op, f->val);

552
			break;

553


554
		case AUDIT_EXIT:

555
			if (ctx && ctx->return_valid != AUDITSC_INVALID)

556
				result = audit_comparator(ctx->return_code, f->op, f->val);

557
			break;

558
		case AUDIT_SUCCESS:

559
			if (ctx && ctx->return_valid != AUDITSC_INVALID) {

560
				if (f->val)

561
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);

562
				else

563
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);

564
			}

565
			break;

566
		case AUDIT_DEVMAJOR:

567
			if (name) {

568
				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||

569
				    audit_comparator(MAJOR(name->rdev), f->op, f->val))

570
					++result;

571
			} else if (ctx) {

572
				list_for_each_entry(n, &ctx->names_list, list) {

573
					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||

574
					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {

575
						++result;

576
						break;

577
					}

578
				}

579
			}

580
			break;

581
		case AUDIT_DEVMINOR:

582
			if (name) {

583
				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||

584
				    audit_comparator(MINOR(name->rdev), f->op, f->val))

585
					++result;

586
			} else if (ctx) {

587
				list_for_each_entry(n, &ctx->names_list, list) {

588
					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||

589
					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {

590
						++result;

591
						break;

592
					}

593
				}

594
			}

595
			break;

596
		case AUDIT_INODE:

597
			if (name)

598
				result = audit_comparator(name->ino, f->op, f->val);

599
			else if (ctx) {

600
				list_for_each_entry(n, &ctx->names_list, list) {

601
					if (audit_comparator(n->ino, f->op, f->val)) {

602
						++result;

603
						break;

604
					}

605
				}

606
			}

607
			break;

608
		case AUDIT_OBJ_UID:

609
			if (name) {

610
				result = audit_uid_comparator(name->uid, f->op, f->uid);

611
			} else if (ctx) {

612
				list_for_each_entry(n, &ctx->names_list, list) {

613
					if (audit_uid_comparator(n->uid, f->op, f->uid)) {

614
						++result;

615
						break;

616
					}

617
				}

618
			}

619
			break;

620
		case AUDIT_OBJ_GID:

621
			if (name) {

622
				result = audit_gid_comparator(name->gid, f->op, f->gid);

623
			} else if (ctx) {

624
				list_for_each_entry(n, &ctx->names_list, list) {

625
					if (audit_gid_comparator(n->gid, f->op, f->gid)) {

626
						++result;

627
						break;

628
					}

629
				}

630
			}

631
			break;

632
		case AUDIT_WATCH:

633
			if (name) {

634
				result = audit_watch_compare(rule->watch,

635
							     name->ino,

636
							     name->dev);

637
				if (f->op == Audit_not_equal)

638
					result = !result;

639
			}

640
			break;

641
		case AUDIT_DIR:

642
			if (ctx) {

643
				result = match_tree_refs(ctx, rule->tree);

644
				if (f->op == Audit_not_equal)

645
					result = !result;

646
			}

647
			break;

648
		case AUDIT_LOGINUID:

649
			result = audit_uid_comparator(audit_get_loginuid(tsk),

650
						      f->op, f->uid);

651
			break;

652
		case AUDIT_LOGINUID_SET:

653
			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);

654
			break;

655
		case AUDIT_SADDR_FAM:

656
			if (ctx && ctx->sockaddr)

657
				result = audit_comparator(ctx->sockaddr->ss_family,

658
							  f->op, f->val);

659
			break;

660
		case AUDIT_SUBJ_USER:

661
		case AUDIT_SUBJ_ROLE:

662
		case AUDIT_SUBJ_TYPE:

663
		case AUDIT_SUBJ_SEN:

664
		case AUDIT_SUBJ_CLR:

665
			/* NOTE: this may return negative values indicating

666
			   a temporary error.  We simply treat this as a

667
			   match for now to avoid losing information that

668
			   may be wanted.   An error message will also be

669
			   logged upon error */

670
			if (f->lsm_rule) {

671
				if (need_sid) {

672
					/* @tsk should always be equal to

673
					 * @current with the exception of

674
					 * fork()/copy_process() in which case

675
					 * the new @tsk creds are still a dup

676
					 * of @current's creds so we can still

677
					 * use

678
					 * security_current_getlsmprop_subj()

679
					 * here even though it always refs

680
					 * @current's creds

681
					 */

682
					security_current_getlsmprop_subj(&prop);

683
					need_sid = 0;

684
				}

685
				result = security_audit_rule_match(&prop,

686
								   f->type,

687
								   f->op,

688
								   f->lsm_rule);

689
			}

690
			break;

691
		case AUDIT_OBJ_USER:

692
		case AUDIT_OBJ_ROLE:

693
		case AUDIT_OBJ_TYPE:

694
		case AUDIT_OBJ_LEV_LOW:

695
		case AUDIT_OBJ_LEV_HIGH:

696
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR

697
			   also applies here */

698
			if (f->lsm_rule) {

699
				/* Find files that match */

700
				if (name) {

701
					result = security_audit_rule_match(

702
								&name->oprop,

703
								f->type,

704
								f->op,

705
								f->lsm_rule);

706
				} else if (ctx) {

707
					list_for_each_entry(n, &ctx->names_list, list) {

708
						if (security_audit_rule_match(

709
								&n->oprop,

710
								f->type,

711
								f->op,

712
								f->lsm_rule)) {

713
							++result;

714
							break;

715
						}

716
					}

717
				}

718
				/* Find ipc objects that match */

719
				if (!ctx || ctx->type != AUDIT_IPC)

720
					break;

721
				if (security_audit_rule_match(&ctx->ipc.oprop,

722
							      f->type, f->op,

723
							      f->lsm_rule))

724
					++result;

725
			}

726
			break;

727
		case AUDIT_ARG0:

728
		case AUDIT_ARG1:

729
		case AUDIT_ARG2:

730
		case AUDIT_ARG3:

731
			if (ctx)

732
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);

733
			break;

734
		case AUDIT_FILTERKEY:

735
			/* ignore this field for filtering */

736
			result = 1;

737
			break;

738
		case AUDIT_PERM:

739
			result = audit_match_perm(ctx, f->val);

740
			if (f->op == Audit_not_equal)

741
				result = !result;

742
			break;

743
		case AUDIT_FILETYPE:

744
			result = audit_match_filetype(ctx, f->val);

745
			if (f->op == Audit_not_equal)

746
				result = !result;

747
			break;

748
		case AUDIT_FIELD_COMPARE:

749
			result = audit_field_compare(tsk, cred, f, ctx, name);

750
			break;

751
		}

752
		if (!result)

753
			return 0;

754
	}

755


756
	if (ctx) {

757
		if (rule->filterkey) {

758
			kfree(ctx->filterkey);

759
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);

760
		}

761
		ctx->prio = rule->prio;

762
	}

763
	switch (rule->action) {

764
	case AUDIT_NEVER:

765
		*state = AUDIT_STATE_DISABLED;

766
		break;

767
	case AUDIT_ALWAYS:

768
		*state = AUDIT_STATE_RECORD;

769
		break;

770
	}

771
	return 1;

772
}

773


774
/* At process creation time, we can determine if system-call auditing is

775
 * completely disabled for this task.  Since we only have the task

776
 * structure at this point, we can only check uid and gid.

777
 */

778
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)

779
{

780
	struct audit_entry *e;

781
	enum audit_state   state;

782


783
	rcu_read_lock();

784
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {

785
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,

786
				       &state, true)) {

787
			if (state == AUDIT_STATE_RECORD)

788
				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);

789
			rcu_read_unlock();

790
			return state;

791
		}

792
	}

793
	rcu_read_unlock();

794
	return AUDIT_STATE_BUILD;

795
}

796


797
static int audit_in_mask(const struct audit_krule *rule, unsigned long val)

798
{

799
	int word, bit;

800


801
	if (val > 0xffffffff)

802
		return false;

803


804
	word = AUDIT_WORD(val);

805
	if (word >= AUDIT_BITMASK_SIZE)

806
		return false;

807


808
	bit = AUDIT_BIT(val);

809


810
	return rule->mask[word] & bit;

811
}

812


813
/**

814
 * __audit_filter_op - common filter helper for operations (syscall/uring/etc)

815
 * @tsk: associated task

816
 * @ctx: audit context

817
 * @list: audit filter list

818
 * @name: audit_name (can be NULL)

819
 * @op: current syscall/uring_op

820
 *

821
 * Run the udit filters specified in @list against @tsk using @ctx,

822
 * @name, and @op, as necessary; the caller is responsible for ensuring

823
 * that the call is made while the RCU read lock is held. The @name

824
 * parameter can be NULL, but all others must be specified.

825
 * Returns 1/true if the filter finds a match, 0/false if none are found.

826
 */

827
static int __audit_filter_op(struct task_struct *tsk,

828
			   struct audit_context *ctx,

829
			   struct list_head *list,

830
			   struct audit_names *name,

831
			   unsigned long op)

832
{

833
	struct audit_entry *e;

834
	enum audit_state state;

835


836
	list_for_each_entry_rcu(e, list, list) {

837
		if (audit_in_mask(&e->rule, op) &&

838
		    audit_filter_rules(tsk, &e->rule, ctx, name,

839
				       &state, false)) {

840
			ctx->current_state = state;

841
			return 1;

842
		}

843
	}

844
	return 0;

845
}

846


847
/**

848
 * audit_filter_uring - apply filters to an io_uring operation

849
 * @tsk: associated task

850
 * @ctx: audit context

851
 */

852
static void audit_filter_uring(struct task_struct *tsk,

853
			       struct audit_context *ctx)

854
{

855
	if (auditd_test_task(tsk))

856
		return;

857


858
	rcu_read_lock();

859
	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_URING_EXIT],

860
			NULL, ctx->uring_op);

861
	rcu_read_unlock();

862
}

863


864
/* At syscall exit time, this filter is called if the audit_state is

865
 * not low enough that auditing cannot take place, but is also not

866
 * high enough that we already know we have to write an audit record

867
 * (i.e., the state is AUDIT_STATE_BUILD).

868
 */

869
static void audit_filter_syscall(struct task_struct *tsk,

870
				 struct audit_context *ctx)

871
{

872
	if (auditd_test_task(tsk))

873
		return;

874


875
	rcu_read_lock();

876
	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_EXIT],

877
			NULL, ctx->major);

878
	rcu_read_unlock();

879
}

880


881
/*

882
 * Given an audit_name check the inode hash table to see if they match.

883
 * Called holding the rcu read lock to protect the use of audit_inode_hash

884
 */

885
static int audit_filter_inode_name(struct task_struct *tsk,

886
				   struct audit_names *n,

887
				   struct audit_context *ctx)

888
{

889
	int h = audit_hash_ino((u32)n->ino);

890
	struct list_head *list = &audit_inode_hash[h];

891


892
	return __audit_filter_op(tsk, ctx, list, n, ctx->major);

893
}

894


895
/* At syscall exit time, this filter is called if any audit_names have been

896
 * collected during syscall processing.  We only check rules in sublists at hash

897
 * buckets applicable to the inode numbers in audit_names.

898
 * Regarding audit_state, same rules apply as for audit_filter_syscall().

899
 */

900
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)

901
{

902
	struct audit_names *n;

903


904
	if (auditd_test_task(tsk))

905
		return;

906


907
	rcu_read_lock();

908


909
	list_for_each_entry(n, &ctx->names_list, list) {

910
		if (audit_filter_inode_name(tsk, n, ctx))

911
			break;

912
	}

913
	rcu_read_unlock();

914
}

915


916
static inline void audit_proctitle_free(struct audit_context *context)

917
{

918
	kfree(context->proctitle.value);

919
	context->proctitle.value = NULL;

920
	context->proctitle.len = 0;

921
}

922


923
static inline void audit_free_module(struct audit_context *context)

924
{

925
	if (context->type == AUDIT_KERN_MODULE) {

926
		kfree(context->module.name);

927
		context->module.name = NULL;

928
	}

929
}

930
static inline void audit_free_names(struct audit_context *context)

931
{

932
	struct audit_names *n, *next;

933


934
	list_for_each_entry_safe(n, next, &context->names_list, list) {

935
		list_del(&n->list);

936
		if (n->name)

937
			putname(n->name);

938
		if (n->should_free)

939
			kfree(n);

940
	}

941
	context->name_count = 0;

942
	path_put(&context->pwd);

943
	context->pwd.dentry = NULL;

944
	context->pwd.mnt = NULL;

945
}

946


947
static inline void audit_free_aux(struct audit_context *context)

948
{

949
	struct audit_aux_data *aux;

950


951
	while ((aux = context->aux)) {

952
		context->aux = aux->next;

953
		kfree(aux);

954
	}

955
	context->aux = NULL;

956
	while ((aux = context->aux_pids)) {

957
		context->aux_pids = aux->next;

958
		kfree(aux);

959
	}

960
	context->aux_pids = NULL;

961
}

962


963
/**

964
 * audit_reset_context - reset a audit_context structure

965
 * @ctx: the audit_context to reset

966
 *

967
 * All fields in the audit_context will be reset to an initial state, all

968
 * references held by fields will be dropped, and private memory will be

969
 * released.  When this function returns the audit_context will be suitable

970
 * for reuse, so long as the passed context is not NULL or a dummy context.

971
 */

972
static void audit_reset_context(struct audit_context *ctx)

973
{

974
	if (!ctx)

975
		return;

976


977
	/* if ctx is non-null, reset the "ctx->context" regardless */

978
	ctx->context = AUDIT_CTX_UNUSED;

979
	if (ctx->dummy)

980
		return;

981


982
	/*

983
	 * NOTE: It shouldn't matter in what order we release the fields, so

984
	 *       release them in the order in which they appear in the struct;

985
	 *       this gives us some hope of quickly making sure we are

986
	 *       resetting the audit_context properly.

987
	 *

988
	 *       Other things worth mentioning:

989
	 *       - we don't reset "dummy"

990
	 *       - we don't reset "state", we do reset "current_state"

991
	 *       - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD

992
	 *       - much of this is likely overkill, but play it safe for now

993
	 *       - we really need to work on improving the audit_context struct

994
	 */

995


996
	ctx->current_state = ctx->state;

997
	ctx->serial = 0;

998
	ctx->major = 0;

999
	ctx->uring_op = 0;

1000
	ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };

1001
	memset(ctx->argv, 0, sizeof(ctx->argv));

1002
	ctx->return_code = 0;

1003
	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);

1004
	ctx->return_valid = AUDITSC_INVALID;

1005
	audit_free_names(ctx);

1006
	if (ctx->state != AUDIT_STATE_RECORD) {

1007
		kfree(ctx->filterkey);

1008
		ctx->filterkey = NULL;

1009
	}

1010
	audit_free_aux(ctx);

1011
	kfree(ctx->sockaddr);

1012
	ctx->sockaddr = NULL;

1013
	ctx->sockaddr_len = 0;

1014
	ctx->ppid = 0;

1015
	ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);

1016
	ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);

1017
	ctx->personality = 0;

1018
	ctx->arch = 0;

1019
	ctx->target_pid = 0;

1020
	ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);

1021
	ctx->target_sessionid = 0;

1022
	lsmprop_init(&ctx->target_ref);

1023
	ctx->target_comm[0] = '\0';

1024
	unroll_tree_refs(ctx, NULL, 0);

1025
	WARN_ON(!list_empty(&ctx->killed_trees));

1026
	audit_free_module(ctx);

1027
	ctx->fds[0] = -1;

1028
	ctx->type = 0; /* reset last for audit_free_*() */

1029
}

1030


1031
static inline struct audit_context *audit_alloc_context(enum audit_state state)

1032
{

1033
	struct audit_context *context;

1034


1035
	context = kzalloc(sizeof(*context), GFP_KERNEL);

1036
	if (!context)

1037
		return NULL;

1038
	context->context = AUDIT_CTX_UNUSED;

1039
	context->state = state;

1040
	context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;

1041
	INIT_LIST_HEAD(&context->killed_trees);

1042
	INIT_LIST_HEAD(&context->names_list);

1043
	context->fds[0] = -1;

1044
	context->return_valid = AUDITSC_INVALID;

1045
	return context;

1046
}

1047


1048
/**

1049
 * audit_alloc - allocate an audit context block for a task

1050
 * @tsk: task

1051
 *

1052
 * Filter on the task information and allocate a per-task audit context

1053
 * if necessary.  Doing so turns on system call auditing for the

1054
 * specified task.  This is called from copy_process, so no lock is

1055
 * needed.

1056
 */

1057
int audit_alloc(struct task_struct *tsk)

1058
{

1059
	struct audit_context *context;

1060
	enum audit_state     state;

1061
	char *key = NULL;

1062


1063
	if (likely(!audit_ever_enabled))

1064
		return 0;

1065


1066
	state = audit_filter_task(tsk, &key);

1067
	if (state == AUDIT_STATE_DISABLED) {

1068
		clear_task_syscall_work(tsk, SYSCALL_AUDIT);

1069
		return 0;

1070
	}

1071


1072
	context = audit_alloc_context(state);

1073
	if (!context) {

1074
		kfree(key);

1075
		audit_log_lost("out of memory in audit_alloc");

1076
		return -ENOMEM;

1077
	}

1078
	context->filterkey = key;

1079


1080
	audit_set_context(tsk, context);

1081
	set_task_syscall_work(tsk, SYSCALL_AUDIT);

1082
	return 0;

1083
}

1084


1085
static inline void audit_free_context(struct audit_context *context)

1086
{

1087
	/* resetting is extra work, but it is likely just noise */

1088
	audit_reset_context(context);

1089
	audit_proctitle_free(context);

1090
	free_tree_refs(context);

1091
	kfree(context->filterkey);

1092
	kfree(context);

1093
}

1094


1095
static int audit_log_pid_context(struct audit_context *context, pid_t pid,

1096
				 kuid_t auid, kuid_t uid,

1097
				 unsigned int sessionid, struct lsm_prop *prop,

1098
				 char *comm)

1099
{

1100
	struct audit_buffer *ab;

1101
	struct lsm_context ctx;

1102
	int rc = 0;

1103


1104
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);

1105
	if (!ab)

1106
		return rc;

1107


1108
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,

1109
			 from_kuid(&init_user_ns, auid),

1110
			 from_kuid(&init_user_ns, uid), sessionid);

1111
	if (lsmprop_is_set(prop)) {

1112
		if (security_lsmprop_to_secctx(prop, &ctx) < 0) {

1113
			audit_log_format(ab, " obj=(none)");

1114
			rc = 1;

1115
		} else {

1116
			audit_log_format(ab, " obj=%s", ctx.context);

1117
			security_release_secctx(&ctx);

1118
		}

1119
	}

1120
	audit_log_format(ab, " ocomm=");

1121
	audit_log_untrustedstring(ab, comm);

1122
	audit_log_end(ab);

1123


1124
	return rc;

1125
}

1126


1127
static void audit_log_execve_info(struct audit_context *context,

1128
				  struct audit_buffer **ab)

1129
{

1130
	long len_max;

1131
	long len_rem;

1132
	long len_full;

1133
	long len_buf;

1134
	long len_abuf = 0;

1135
	long len_tmp;

1136
	bool require_data;

1137
	bool encode;

1138
	unsigned int iter;

1139
	unsigned int arg;

1140
	char *buf_head;

1141
	char *buf;

1142
	const char __user *p = (const char __user *)current->mm->arg_start;

1143


1144
	/* NOTE: this buffer needs to be large enough to hold all the non-arg

1145
	 *       data we put in the audit record for this argument (see the

1146
	 *       code below) ... at this point in time 96 is plenty */

1147
	char abuf[96];

1148


1149
	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the

1150
	 *       current value of 7500 is not as important as the fact that it

1151
	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle

1152
	 *       room if we go over a little bit in the logging below */

1153
	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);

1154
	len_max = MAX_EXECVE_AUDIT_LEN;

1155


1156
	/* scratch buffer to hold the userspace args */

1157
	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);

1158
	if (!buf_head) {

1159
		audit_panic("out of memory for argv string");

1160
		return;

1161
	}

1162
	buf = buf_head;

1163


1164
	audit_log_format(*ab, "argc=%d", context->execve.argc);

1165


1166
	len_rem = len_max;

1167
	len_buf = 0;

1168
	len_full = 0;

1169
	require_data = true;

1170
	encode = false;

1171
	iter = 0;

1172
	arg = 0;

1173
	do {

1174
		/* NOTE: we don't ever want to trust this value for anything

1175
		 *       serious, but the audit record format insists we

1176
		 *       provide an argument length for really long arguments,

1177
		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but

1178
		 *       to use strncpy_from_user() to obtain this value for

1179
		 *       recording in the log, although we don't use it

1180
		 *       anywhere here to avoid a double-fetch problem */

1181
		if (len_full == 0)

1182
			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;

1183


1184
		/* read more data from userspace */

1185
		if (require_data) {

1186
			/* can we make more room in the buffer? */

1187
			if (buf != buf_head) {

1188
				memmove(buf_head, buf, len_buf);

1189
				buf = buf_head;

1190
			}

1191


1192
			/* fetch as much as we can of the argument */

1193
			len_tmp = strncpy_from_user(&buf_head[len_buf], p,

1194
						    len_max - len_buf);

1195
			if (len_tmp == -EFAULT) {

1196
				/* unable to copy from userspace */

1197
				send_sig(SIGKILL, current, 0);

1198
				goto out;

1199
			} else if (len_tmp == (len_max - len_buf)) {

1200
				/* buffer is not large enough */

1201
				require_data = true;

1202
				/* NOTE: if we are going to span multiple

1203
				 *       buffers force the encoding so we stand

1204
				 *       a chance at a sane len_full value and

1205
				 *       consistent record encoding */

1206
				encode = true;

1207
				len_full = len_full * 2;

1208
				p += len_tmp;

1209
			} else {

1210
				require_data = false;

1211
				if (!encode)

1212
					encode = audit_string_contains_control(

1213
								buf, len_tmp);

1214
				/* try to use a trusted value for len_full */

1215
				if (len_full < len_max)

1216
					len_full = (encode ?

1217
						    len_tmp * 2 : len_tmp);

1218
				p += len_tmp + 1;

1219
			}

1220
			len_buf += len_tmp;

1221
			buf_head[len_buf] = '\0';

1222


1223
			/* length of the buffer in the audit record? */

1224
			len_abuf = (encode ? len_buf * 2 : len_buf + 2);

1225
		}

1226


1227
		/* write as much as we can to the audit log */

1228
		if (len_buf >= 0) {

1229
			/* NOTE: some magic numbers here - basically if we

1230
			 *       can't fit a reasonable amount of data into the

1231
			 *       existing audit buffer, flush it and start with

1232
			 *       a new buffer */

1233
			if ((sizeof(abuf) + 8) > len_rem) {

1234
				len_rem = len_max;

1235
				audit_log_end(*ab);

1236
				*ab = audit_log_start(context,

1237
						      GFP_KERNEL, AUDIT_EXECVE);

1238
				if (!*ab)

1239
					goto out;

1240
			}

1241


1242
			/* create the non-arg portion of the arg record */

1243
			len_tmp = 0;

1244
			if (require_data || (iter > 0) ||

1245
			    ((len_abuf + sizeof(abuf)) > len_rem)) {

1246
				if (iter == 0) {

1247
					len_tmp += snprintf(&abuf[len_tmp],

1248
							sizeof(abuf) - len_tmp,

1249
							" a%d_len=%lu",

1250
							arg, len_full);

1251
				}

1252
				len_tmp += snprintf(&abuf[len_tmp],

1253
						    sizeof(abuf) - len_tmp,

1254
						    " a%d[%d]=", arg, iter++);

1255
			} else

1256
				len_tmp += snprintf(&abuf[len_tmp],

1257
						    sizeof(abuf) - len_tmp,

1258
						    " a%d=", arg);

1259
			WARN_ON(len_tmp >= sizeof(abuf));

1260
			abuf[sizeof(abuf) - 1] = '\0';

1261


1262
			/* log the arg in the audit record */

1263
			audit_log_format(*ab, "%s", abuf);

1264
			len_rem -= len_tmp;

1265
			len_tmp = len_buf;

1266
			if (encode) {

1267
				if (len_abuf > len_rem)

1268
					len_tmp = len_rem / 2; /* encoding */

1269
				audit_log_n_hex(*ab, buf, len_tmp);

1270
				len_rem -= len_tmp * 2;

1271
				len_abuf -= len_tmp * 2;

1272
			} else {

1273
				if (len_abuf > len_rem)

1274
					len_tmp = len_rem - 2; /* quotes */

1275
				audit_log_n_string(*ab, buf, len_tmp);

1276
				len_rem -= len_tmp + 2;

1277
				/* don't subtract the "2" because we still need

1278
				 * to add quotes to the remaining string */

1279
				len_abuf -= len_tmp;

1280
			}

1281
			len_buf -= len_tmp;

1282
			buf += len_tmp;

1283
		}

1284


1285
		/* ready to move to the next argument? */

1286
		if ((len_buf == 0) && !require_data) {

1287
			arg++;

1288
			iter = 0;

1289
			len_full = 0;

1290
			require_data = true;

1291
			encode = false;

1292
		}

1293
	} while (arg < context->execve.argc);

1294


1295
	/* NOTE: the caller handles the final audit_log_end() call */

1296


1297
out:

1298
	kfree(buf_head);

1299
}

1300


1301
static void audit_log_cap(struct audit_buffer *ab, char *prefix,

1302
			  kernel_cap_t *cap)

1303
{

1304
	if (cap_isclear(*cap)) {

1305
		audit_log_format(ab, " %s=0", prefix);

1306
		return;

1307
	}

1308
	audit_log_format(ab, " %s=%016llx", prefix, cap->val);

1309
}

1310


1311
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)

1312
{

1313
	if (name->fcap_ver == -1) {

1314
		audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");

1315
		return;

1316
	}

1317
	audit_log_cap(ab, "cap_fp", &name->fcap.permitted);

1318
	audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);

1319
	audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",

1320
			 name->fcap.fE, name->fcap_ver,

1321
			 from_kuid(&init_user_ns, name->fcap.rootid));

1322
}

1323


1324
static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)

1325
{

1326
	const struct audit_ntp_data *ntp = &context->time.ntp_data;

1327
	const struct timespec64 *tk = &context->time.tk_injoffset;

1328
	static const char * const ntp_name[] = {

1329
		"offset",

1330
		"freq",

1331
		"status",

1332
		"tai",

1333
		"tick",

1334
		"adjust",

1335
	};

1336
	int type;

1337


1338
	if (context->type == AUDIT_TIME_ADJNTPVAL) {

1339
		for (type = 0; type < AUDIT_NTP_NVALS; type++) {

1340
			if (ntp->vals[type].newval != ntp->vals[type].oldval) {

1341
				if (!*ab) {

1342
					*ab = audit_log_start(context,

1343
							GFP_KERNEL,

1344
							AUDIT_TIME_ADJNTPVAL);

1345
					if (!*ab)

1346
						return;

1347
				}

1348
				audit_log_format(*ab, "op=%s old=%lli new=%lli",

1349
						 ntp_name[type],

1350
						 ntp->vals[type].oldval,

1351
						 ntp->vals[type].newval);

1352
				audit_log_end(*ab);

1353
				*ab = NULL;

1354
			}

1355
		}

1356
	}

1357
	if (tk->tv_sec != 0 || tk->tv_nsec != 0) {

1358
		if (!*ab) {

1359
			*ab = audit_log_start(context, GFP_KERNEL,

1360
					      AUDIT_TIME_INJOFFSET);

1361
			if (!*ab)

1362
				return;

1363
		}

1364
		audit_log_format(*ab, "sec=%lli nsec=%li",

1365
				 (long long)tk->tv_sec, tk->tv_nsec);

1366
		audit_log_end(*ab);

1367
		*ab = NULL;

1368
	}

1369
}

1370


1371
static void show_special(struct audit_context *context, int *call_panic)

1372
{

1373
	struct audit_buffer *ab;

1374
	int i;

1375


1376
	ab = audit_log_start(context, GFP_KERNEL, context->type);

1377
	if (!ab)

1378
		return;

1379


1380
	switch (context->type) {

1381
	case AUDIT_SOCKETCALL: {

1382
		int nargs = context->socketcall.nargs;

1383


1384
		audit_log_format(ab, "nargs=%d", nargs);

1385
		for (i = 0; i < nargs; i++)

1386
			audit_log_format(ab, " a%d=%lx", i,

1387
				context->socketcall.args[i]);

1388
		break; }

1389
	case AUDIT_IPC:

1390
		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",

1391
				 from_kuid(&init_user_ns, context->ipc.uid),

1392
				 from_kgid(&init_user_ns, context->ipc.gid),

1393
				 context->ipc.mode);

1394
		if (lsmprop_is_set(&context->ipc.oprop)) {

1395
			struct lsm_context lsmctx;

1396


1397
			if (security_lsmprop_to_secctx(&context->ipc.oprop,

1398
						       &lsmctx) < 0) {

1399
				*call_panic = 1;

1400
			} else {

1401
				audit_log_format(ab, " obj=%s", lsmctx.context);

1402
				security_release_secctx(&lsmctx);

1403
			}

1404
		}

1405
		if (context->ipc.has_perm) {

1406
			audit_log_end(ab);

1407
			ab = audit_log_start(context, GFP_KERNEL,

1408
					     AUDIT_IPC_SET_PERM);

1409
			if (unlikely(!ab))

1410
				return;

1411
			audit_log_format(ab,

1412
				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",

1413
				context->ipc.qbytes,

1414
				context->ipc.perm_uid,

1415
				context->ipc.perm_gid,

1416
				context->ipc.perm_mode);

1417
		}

1418
		break;

1419
	case AUDIT_MQ_OPEN:

1420
		audit_log_format(ab,

1421
			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "

1422
			"mq_msgsize=%ld mq_curmsgs=%ld",

1423
			context->mq_open.oflag, context->mq_open.mode,

1424
			context->mq_open.attr.mq_flags,

1425
			context->mq_open.attr.mq_maxmsg,

1426
			context->mq_open.attr.mq_msgsize,

1427
			context->mq_open.attr.mq_curmsgs);

1428
		break;

1429
	case AUDIT_MQ_SENDRECV:

1430
		audit_log_format(ab,

1431
			"mqdes=%d msg_len=%zd msg_prio=%u "

1432
			"abs_timeout_sec=%lld abs_timeout_nsec=%ld",

1433
			context->mq_sendrecv.mqdes,

1434
			context->mq_sendrecv.msg_len,

1435
			context->mq_sendrecv.msg_prio,

1436
			(long long) context->mq_sendrecv.abs_timeout.tv_sec,

1437
			context->mq_sendrecv.abs_timeout.tv_nsec);

1438
		break;

1439
	case AUDIT_MQ_NOTIFY:

1440
		audit_log_format(ab, "mqdes=%d sigev_signo=%d",

1441
				context->mq_notify.mqdes,

1442
				context->mq_notify.sigev_signo);

1443
		break;

1444
	case AUDIT_MQ_GETSETATTR: {

1445
		struct mq_attr *attr = &context->mq_getsetattr.mqstat;

1446


1447
		audit_log_format(ab,

1448
			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "

1449
			"mq_curmsgs=%ld ",

1450
			context->mq_getsetattr.mqdes,

1451
			attr->mq_flags, attr->mq_maxmsg,

1452
			attr->mq_msgsize, attr->mq_curmsgs);

1453
		break; }

1454
	case AUDIT_CAPSET:

1455
		audit_log_format(ab, "pid=%d", context->capset.pid);

1456
		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);

1457
		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);

1458
		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);

1459
		audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);

1460
		break;

1461
	case AUDIT_MMAP:

1462
		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,

1463
				 context->mmap.flags);

1464
		break;

1465
	case AUDIT_OPENAT2:

1466
		audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",

1467
				 context->openat2.flags,

1468
				 context->openat2.mode,

1469
				 context->openat2.resolve);

1470
		break;

1471
	case AUDIT_EXECVE:

1472
		audit_log_execve_info(context, &ab);

1473
		break;

1474
	case AUDIT_KERN_MODULE:

1475
		audit_log_format(ab, "name=");

1476
		if (context->module.name) {

1477
			audit_log_untrustedstring(ab, context->module.name);

1478
		} else

1479
			audit_log_format(ab, "(null)");

1480


1481
		break;

1482
	case AUDIT_TIME_ADJNTPVAL:

1483
	case AUDIT_TIME_INJOFFSET:

1484
		/* this call deviates from the rest, eating the buffer */

1485
		audit_log_time(context, &ab);

1486
		break;

1487
	}

1488
	audit_log_end(ab);

1489
}

1490


1491
static inline int audit_proctitle_rtrim(char *proctitle, int len)

1492
{

1493
	char *end = proctitle + len - 1;

1494


1495
	while (end > proctitle && !isprint(*end))

1496
		end--;

1497


1498
	/* catch the case where proctitle is only 1 non-print character */

1499
	len = end - proctitle + 1;

1500
	len -= isprint(proctitle[len-1]) == 0;

1501
	return len;

1502
}

1503


1504
/*

1505
 * audit_log_name - produce AUDIT_PATH record from struct audit_names

1506
 * @context: audit_context for the task

1507
 * @n: audit_names structure with reportable details

1508
 * @path: optional path to report instead of audit_names->name

1509
 * @record_num: record number to report when handling a list of names

1510
 * @call_panic: optional pointer to int that will be updated if secid fails

1511
 */

1512
static void audit_log_name(struct audit_context *context, struct audit_names *n,

1513
		    const struct path *path, int record_num, int *call_panic)

1514
{

1515
	struct audit_buffer *ab;

1516


1517
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);

1518
	if (!ab)

1519
		return;

1520


1521
	audit_log_format(ab, "item=%d", record_num);

1522


1523
	if (path)

1524
		audit_log_d_path(ab, " name=", path);

1525
	else if (n->name) {

1526
		switch (n->name_len) {

1527
		case AUDIT_NAME_FULL:

1528
			/* log the full path */

1529
			audit_log_format(ab, " name=");

1530
			audit_log_untrustedstring(ab, n->name->name);

1531
			break;

1532
		case 0:

1533
			/* name was specified as a relative path and the

1534
			 * directory component is the cwd

1535
			 */

1536
			if (context->pwd.dentry && context->pwd.mnt)

1537
				audit_log_d_path(ab, " name=", &context->pwd);

1538
			else

1539
				audit_log_format(ab, " name=(null)");

1540
			break;

1541
		default:

1542
			/* log the name's directory component */

1543
			audit_log_format(ab, " name=");

1544
			audit_log_n_untrustedstring(ab, n->name->name,

1545
						    n->name_len);

1546
		}

1547
	} else

1548
		audit_log_format(ab, " name=(null)");

1549


1550
	if (n->ino != AUDIT_INO_UNSET)

1551
		audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",

1552
				 n->ino,

1553
				 MAJOR(n->dev),

1554
				 MINOR(n->dev),

1555
				 n->mode,

1556
				 from_kuid(&init_user_ns, n->uid),

1557
				 from_kgid(&init_user_ns, n->gid),

1558
				 MAJOR(n->rdev),

1559
				 MINOR(n->rdev));

1560
	if (lsmprop_is_set(&n->oprop)) {

1561
		struct lsm_context ctx;

1562


1563
		if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) {

1564
			if (call_panic)

1565
				*call_panic = 2;

1566
		} else {

1567
			audit_log_format(ab, " obj=%s", ctx.context);

1568
			security_release_secctx(&ctx);

1569
		}

1570
	}

1571


1572
	/* log the audit_names record type */

1573
	switch (n->type) {

1574
	case AUDIT_TYPE_NORMAL:

1575
		audit_log_format(ab, " nametype=NORMAL");

1576
		break;

1577
	case AUDIT_TYPE_PARENT:

1578
		audit_log_format(ab, " nametype=PARENT");

1579
		break;

1580
	case AUDIT_TYPE_CHILD_DELETE:

1581
		audit_log_format(ab, " nametype=DELETE");

1582
		break;

1583
	case AUDIT_TYPE_CHILD_CREATE:

1584
		audit_log_format(ab, " nametype=CREATE");

1585
		break;

1586
	default:

1587
		audit_log_format(ab, " nametype=UNKNOWN");

1588
		break;

1589
	}

1590


1591
	audit_log_fcaps(ab, n);

1592
	audit_log_end(ab);

1593
}

1594


1595
static void audit_log_proctitle(void)

1596
{

1597
	int res;

1598
	char *buf;

1599
	char *msg = "(null)";

1600
	int len = strlen(msg);

1601
	struct audit_context *context = audit_context();

1602
	struct audit_buffer *ab;

1603


1604
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);

1605
	if (!ab)

1606
		return;	/* audit_panic or being filtered */

1607


1608
	audit_log_format(ab, "proctitle=");

1609


1610
	/* Not  cached */

1611
	if (!context->proctitle.value) {

1612
		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);

1613
		if (!buf)

1614
			goto out;

1615
		/* Historically called this from procfs naming */

1616
		res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);

1617
		if (res == 0) {

1618
			kfree(buf);

1619
			goto out;

1620
		}

1621
		res = audit_proctitle_rtrim(buf, res);

1622
		if (res == 0) {

1623
			kfree(buf);

1624
			goto out;

1625
		}

1626
		context->proctitle.value = buf;

1627
		context->proctitle.len = res;

1628
	}

1629
	msg = context->proctitle.value;

1630
	len = context->proctitle.len;

1631
out:

1632
	audit_log_n_untrustedstring(ab, msg, len);

1633
	audit_log_end(ab);

1634
}

1635


1636
/**

1637
 * audit_log_uring - generate a AUDIT_URINGOP record

1638
 * @ctx: the audit context

1639
 */

1640
static void audit_log_uring(struct audit_context *ctx)

1641
{

1642
	struct audit_buffer *ab;

1643
	const struct cred *cred;

1644


1645
	ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);

1646
	if (!ab)

1647
		return;

1648
	cred = current_cred();

1649
	audit_log_format(ab, "uring_op=%d", ctx->uring_op);

1650
	if (ctx->return_valid != AUDITSC_INVALID)

1651
		audit_log_format(ab, " success=%s exit=%ld",

1652
				 str_yes_no(ctx->return_valid ==

1653
					    AUDITSC_SUCCESS),

1654
				 ctx->return_code);

1655
	audit_log_format(ab,

1656
			 " items=%d"

1657
			 " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"

1658
			 " fsuid=%u egid=%u sgid=%u fsgid=%u",

1659
			 ctx->name_count,

1660
			 task_ppid_nr(current), task_tgid_nr(current),

1661
			 from_kuid(&init_user_ns, cred->uid),

1662
			 from_kgid(&init_user_ns, cred->gid),

1663
			 from_kuid(&init_user_ns, cred->euid),

1664
			 from_kuid(&init_user_ns, cred->suid),

1665
			 from_kuid(&init_user_ns, cred->fsuid),

1666
			 from_kgid(&init_user_ns, cred->egid),

1667
			 from_kgid(&init_user_ns, cred->sgid),

1668
			 from_kgid(&init_user_ns, cred->fsgid));

1669
	audit_log_task_context(ab);

1670
	audit_log_key(ab, ctx->filterkey);

1671
	audit_log_end(ab);

1672
}

1673


1674
static void audit_log_exit(void)

1675
{

1676
	int i, call_panic = 0;

1677
	struct audit_context *context = audit_context();

1678
	struct audit_buffer *ab;

1679
	struct audit_aux_data *aux;

1680
	struct audit_names *n;

1681


1682
	context->personality = current->personality;

1683


1684
	switch (context->context) {

1685
	case AUDIT_CTX_SYSCALL:

1686
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);

1687
		if (!ab)

1688
			return;

1689
		audit_log_format(ab, "arch=%x syscall=%d",

1690
				 context->arch, context->major);

1691
		if (context->personality != PER_LINUX)

1692
			audit_log_format(ab, " per=%lx", context->personality);

1693
		if (context->return_valid != AUDITSC_INVALID)

1694
			audit_log_format(ab, " success=%s exit=%ld",

1695
					 str_yes_no(context->return_valid ==

1696
						    AUDITSC_SUCCESS),

1697
					 context->return_code);

1698
		audit_log_format(ab,

1699
				 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",

1700
				 context->argv[0],

1701
				 context->argv[1],

1702
				 context->argv[2],

1703
				 context->argv[3],

1704
				 context->name_count);

1705
		audit_log_task_info(ab);

1706
		audit_log_key(ab, context->filterkey);

1707
		audit_log_end(ab);

1708
		break;

1709
	case AUDIT_CTX_URING:

1710
		audit_log_uring(context);

1711
		break;

1712
	default:

1713
		BUG();

1714
		break;

1715
	}

1716


1717
	for (aux = context->aux; aux; aux = aux->next) {

1718


1719
		ab = audit_log_start(context, GFP_KERNEL, aux->type);

1720
		if (!ab)

1721
			continue; /* audit_panic has been called */

1722


1723
		switch (aux->type) {

1724


1725
		case AUDIT_BPRM_FCAPS: {

1726
			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;

1727


1728
			audit_log_format(ab, "fver=%x", axs->fcap_ver);

1729
			audit_log_cap(ab, "fp", &axs->fcap.permitted);

1730
			audit_log_cap(ab, "fi", &axs->fcap.inheritable);

1731
			audit_log_format(ab, " fe=%d", axs->fcap.fE);

1732
			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);

1733
			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);

1734
			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);

1735
			audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);

1736
			audit_log_cap(ab, "pp", &axs->new_pcap.permitted);

1737
			audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);

1738
			audit_log_cap(ab, "pe", &axs->new_pcap.effective);

1739
			audit_log_cap(ab, "pa", &axs->new_pcap.ambient);

1740
			audit_log_format(ab, " frootid=%d",

1741
					 from_kuid(&init_user_ns,

1742
						   axs->fcap.rootid));

1743
			break; }

1744


1745
		}

1746
		audit_log_end(ab);

1747
	}

1748


1749
	if (context->type)

1750
		show_special(context, &call_panic);

1751


1752
	if (context->fds[0] >= 0) {

1753
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);

1754
		if (ab) {

1755
			audit_log_format(ab, "fd0=%d fd1=%d",

1756
					context->fds[0], context->fds[1]);

1757
			audit_log_end(ab);

1758
		}

1759
	}

1760


1761
	if (context->sockaddr_len) {

1762
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);

1763
		if (ab) {

1764
			audit_log_format(ab, "saddr=");

1765
			audit_log_n_hex(ab, (void *)context->sockaddr,

1766
					context->sockaddr_len);

1767
			audit_log_end(ab);

1768
		}

1769
	}

1770


1771
	for (aux = context->aux_pids; aux; aux = aux->next) {

1772
		struct audit_aux_data_pids *axs = (void *)aux;

1773


1774
		for (i = 0; i < axs->pid_count; i++)

1775
			if (audit_log_pid_context(context, axs->target_pid[i],

1776
						  axs->target_auid[i],

1777
						  axs->target_uid[i],

1778
						  axs->target_sessionid[i],

1779
						  &axs->target_ref[i],

1780
						  axs->target_comm[i]))

1781
				call_panic = 1;

1782
	}

1783


1784
	if (context->target_pid &&

1785
	    audit_log_pid_context(context, context->target_pid,

1786
				  context->target_auid, context->target_uid,

1787
				  context->target_sessionid,

1788
				  &context->target_ref, context->target_comm))

1789
			call_panic = 1;

1790


1791
	if (context->pwd.dentry && context->pwd.mnt) {

1792
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);

1793
		if (ab) {

1794
			audit_log_d_path(ab, "cwd=", &context->pwd);

1795
			audit_log_end(ab);

1796
		}

1797
	}

1798


1799
	i = 0;

1800
	list_for_each_entry(n, &context->names_list, list) {

1801
		if (n->hidden)

1802
			continue;

1803
		audit_log_name(context, n, NULL, i++, &call_panic);

1804
	}

1805


1806
	if (context->context == AUDIT_CTX_SYSCALL)

1807
		audit_log_proctitle();

1808


1809
	/* Send end of event record to help user space know we are finished */

1810
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);

1811
	if (ab)

1812
		audit_log_end(ab);

1813
	if (call_panic)

1814
		audit_panic("error in audit_log_exit()");

1815
}

1816


1817
/**

1818
 * __audit_free - free a per-task audit context

1819
 * @tsk: task whose audit context block to free

1820
 *

1821
 * Called from copy_process, do_exit, and the io_uring code

1822
 */

1823
void __audit_free(struct task_struct *tsk)

1824
{

1825
	struct audit_context *context = tsk->audit_context;

1826


1827
	if (!context)

1828
		return;

1829


1830
	/* this may generate CONFIG_CHANGE records */

1831
	if (!list_empty(&context->killed_trees))

1832
		audit_kill_trees(context);

1833


1834
	/* We are called either by do_exit() or the fork() error handling code;

1835
	 * in the former case tsk == current and in the latter tsk is a

1836
	 * random task_struct that doesn't have any meaningful data we

1837
	 * need to log via audit_log_exit().

1838
	 */

1839
	if (tsk == current && !context->dummy) {

1840
		context->return_valid = AUDITSC_INVALID;

1841
		context->return_code = 0;

1842
		if (context->context == AUDIT_CTX_SYSCALL) {

1843
			audit_filter_syscall(tsk, context);

1844
			audit_filter_inodes(tsk, context);

1845
			if (context->current_state == AUDIT_STATE_RECORD)

1846
				audit_log_exit();

1847
		} else if (context->context == AUDIT_CTX_URING) {

1848
			/* TODO: verify this case is real and valid */

1849
			audit_filter_uring(tsk, context);

1850
			audit_filter_inodes(tsk, context);

1851
			if (context->current_state == AUDIT_STATE_RECORD)

1852
				audit_log_uring(context);

1853
		}

1854
	}

1855


1856
	audit_set_context(tsk, NULL);

1857
	audit_free_context(context);

1858
}

1859


1860
/**

1861
 * audit_return_fixup - fixup the return codes in the audit_context

1862
 * @ctx: the audit_context

1863
 * @success: true/false value to indicate if the operation succeeded or not

1864
 * @code: operation return code

1865
 *

1866
 * We need to fixup the return code in the audit logs if the actual return

1867
 * codes are later going to be fixed by the arch specific signal handlers.

1868
 */

1869
static void audit_return_fixup(struct audit_context *ctx,

1870
			       int success, long code)

1871
{

1872
	/*

1873
	 * This is actually a test for:

1874
	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||

1875
	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)

1876
	 *

1877
	 * but is faster than a bunch of ||

1878
	 */

1879
	if (unlikely(code <= -ERESTARTSYS) &&

1880
	    (code >= -ERESTART_RESTARTBLOCK) &&

1881
	    (code != -ENOIOCTLCMD))

1882
		ctx->return_code = -EINTR;

1883
	else

1884
		ctx->return_code  = code;

1885
	ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);

1886
}

1887


1888
/**

1889
 * __audit_uring_entry - prepare the kernel task's audit context for io_uring

1890
 * @op: the io_uring opcode

1891
 *

1892
 * This is similar to audit_syscall_entry() but is intended for use by io_uring

1893
 * operations.  This function should only ever be called from

1894
 * audit_uring_entry() as we rely on the audit context checking present in that

1895
 * function.

1896
 */

1897
void __audit_uring_entry(u8 op)

1898
{

1899
	struct audit_context *ctx = audit_context();

1900


1901
	if (ctx->state == AUDIT_STATE_DISABLED)

1902
		return;

1903


1904
	/*

1905
	 * NOTE: It's possible that we can be called from the process' context

1906
	 *       before it returns to userspace, and before audit_syscall_exit()

1907
	 *       is called.  In this case there is not much to do, just record

1908
	 *       the io_uring details and return.

1909
	 */

1910
	ctx->uring_op = op;

1911
	if (ctx->context == AUDIT_CTX_SYSCALL)

1912
		return;

1913


1914
	ctx->dummy = !audit_n_rules;

1915
	if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)

1916
		ctx->prio = 0;

1917


1918
	ctx->context = AUDIT_CTX_URING;

1919
	ctx->current_state = ctx->state;

1920
	ktime_get_coarse_real_ts64(&ctx->ctime);

1921
}

1922


1923
/**

1924
 * __audit_uring_exit - wrap up the kernel task's audit context after io_uring

1925
 * @success: true/false value to indicate if the operation succeeded or not

1926
 * @code: operation return code

1927
 *

1928
 * This is similar to audit_syscall_exit() but is intended for use by io_uring

1929
 * operations.  This function should only ever be called from

1930
 * audit_uring_exit() as we rely on the audit context checking present in that

1931
 * function.

1932
 */

1933
void __audit_uring_exit(int success, long code)

1934
{

1935
	struct audit_context *ctx = audit_context();

1936


1937
	if (ctx->dummy) {

1938
		if (ctx->context != AUDIT_CTX_URING)

1939
			return;

1940
		goto out;

1941
	}

1942


1943
	audit_return_fixup(ctx, success, code);

1944
	if (ctx->context == AUDIT_CTX_SYSCALL) {

1945
		/*

1946
		 * NOTE: See the note in __audit_uring_entry() about the case

1947
		 *       where we may be called from process context before we

1948
		 *       return to userspace via audit_syscall_exit().  In this

1949
		 *       case we simply emit a URINGOP record and bail, the

1950
		 *       normal syscall exit handling will take care of

1951
		 *       everything else.

1952
		 *       It is also worth mentioning that when we are called,

1953
		 *       the current process creds may differ from the creds

1954
		 *       used during the normal syscall processing; keep that

1955
		 *       in mind if/when we move the record generation code.

1956
		 */

1957


1958
		/*

1959
		 * We need to filter on the syscall info here to decide if we

1960
		 * should emit a URINGOP record.  I know it seems odd but this

1961
		 * solves the problem where users have a filter to block *all*

1962
		 * syscall records in the "exit" filter; we want to preserve

1963
		 * the behavior here.

1964
		 */

1965
		audit_filter_syscall(current, ctx);

1966
		if (ctx->current_state != AUDIT_STATE_RECORD)

1967
			audit_filter_uring(current, ctx);

1968
		audit_filter_inodes(current, ctx);

1969
		if (ctx->current_state != AUDIT_STATE_RECORD)

1970
			return;

1971


1972
		audit_log_uring(ctx);

1973
		return;

1974
	}

1975


1976
	/* this may generate CONFIG_CHANGE records */

1977
	if (!list_empty(&ctx->killed_trees))

1978
		audit_kill_trees(ctx);

1979


1980
	/* run through both filters to ensure we set the filterkey properly */

1981
	audit_filter_uring(current, ctx);

1982
	audit_filter_inodes(current, ctx);

1983
	if (ctx->current_state != AUDIT_STATE_RECORD)

1984
		goto out;

1985
	audit_log_exit();

1986


1987
out:

1988
	audit_reset_context(ctx);

1989
}

1990


1991
/**

1992
 * __audit_syscall_entry - fill in an audit record at syscall entry

1993
 * @major: major syscall type (function)

1994
 * @a1: additional syscall register 1

1995
 * @a2: additional syscall register 2

1996
 * @a3: additional syscall register 3

1997
 * @a4: additional syscall register 4

1998
 *

1999
 * Fill in audit context at syscall entry.  This only happens if the

2000
 * audit context was created when the task was created and the state or

2001
 * filters demand the audit context be built.  If the state from the

2002
 * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,

2003
 * then the record will be written at syscall exit time (otherwise, it

2004
 * will only be written if another part of the kernel requests that it

2005
 * be written).

2006
 */

2007
void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,

2008
			   unsigned long a3, unsigned long a4)

2009
{

2010
	struct audit_context *context = audit_context();

2011
	enum audit_state     state;

2012


2013
	if (!audit_enabled || !context)

2014
		return;

2015


2016
	WARN_ON(context->context != AUDIT_CTX_UNUSED);

2017
	WARN_ON(context->name_count);

2018
	if (context->context != AUDIT_CTX_UNUSED || context->name_count) {

2019
		audit_panic("unrecoverable error in audit_syscall_entry()");

2020
		return;

2021
	}

2022


2023
	state = context->state;

2024
	if (state == AUDIT_STATE_DISABLED)

2025
		return;

2026


2027
	context->dummy = !audit_n_rules;

2028
	if (!context->dummy && state == AUDIT_STATE_BUILD) {

2029
		context->prio = 0;

2030
		if (auditd_test_task(current))

2031
			return;

2032
	}

2033


2034
	context->arch	    = syscall_get_arch(current);

2035
	context->major      = major;

2036
	context->argv[0]    = a1;

2037
	context->argv[1]    = a2;

2038
	context->argv[2]    = a3;

2039
	context->argv[3]    = a4;

2040
	context->context = AUDIT_CTX_SYSCALL;

2041
	context->current_state  = state;

2042
	ktime_get_coarse_real_ts64(&context->ctime);

2043
}

2044


2045
/**

2046
 * __audit_syscall_exit - deallocate audit context after a system call

2047
 * @success: success value of the syscall

2048
 * @return_code: return value of the syscall

2049
 *

2050
 * Tear down after system call.  If the audit context has been marked as

2051
 * auditable (either because of the AUDIT_STATE_RECORD state from

2052
 * filtering, or because some other part of the kernel wrote an audit

2053
 * message), then write out the syscall information.  In call cases,

2054
 * free the names stored from getname().

2055
 */

2056
void __audit_syscall_exit(int success, long return_code)

2057
{

2058
	struct audit_context *context = audit_context();

2059


2060
	if (!context || context->dummy ||

2061
	    context->context != AUDIT_CTX_SYSCALL)

2062
		goto out;

2063


2064
	/* this may generate CONFIG_CHANGE records */

2065
	if (!list_empty(&context->killed_trees))

2066
		audit_kill_trees(context);

2067


2068
	audit_return_fixup(context, success, return_code);

2069
	/* run through both filters to ensure we set the filterkey properly */

2070
	audit_filter_syscall(current, context);

2071
	audit_filter_inodes(current, context);

2072
	if (context->current_state != AUDIT_STATE_RECORD)

2073
		goto out;

2074


2075
	audit_log_exit();

2076


2077
out:

2078
	audit_reset_context(context);

2079
}

2080


2081
static inline void handle_one(const struct inode *inode)

2082
{

2083
	struct audit_context *context;

2084
	struct audit_tree_refs *p;

2085
	struct audit_chunk *chunk;

2086
	int count;

2087


2088
	if (likely(!inode->i_fsnotify_marks))

2089
		return;

2090
	context = audit_context();

2091
	p = context->trees;

2092
	count = context->tree_count;

2093
	rcu_read_lock();

2094
	chunk = audit_tree_lookup(inode);

2095
	rcu_read_unlock();

2096
	if (!chunk)

2097
		return;

2098
	if (likely(put_tree_ref(context, chunk)))

2099
		return;

2100
	if (unlikely(!grow_tree_refs(context))) {

2101
		pr_warn("out of memory, audit has lost a tree reference\n");

2102
		audit_set_auditable(context);

2103
		audit_put_chunk(chunk);

2104
		unroll_tree_refs(context, p, count);

2105
		return;

2106
	}

2107
	put_tree_ref(context, chunk);

2108
}

2109


2110
static void handle_path(const struct dentry *dentry)

2111
{

2112
	struct audit_context *context;

2113
	struct audit_tree_refs *p;

2114
	const struct dentry *d, *parent;

2115
	struct audit_chunk *drop;

2116
	unsigned long seq;

2117
	int count;

2118


2119
	context = audit_context();

2120
	p = context->trees;

2121
	count = context->tree_count;

2122
retry:

2123
	drop = NULL;

2124
	d = dentry;

2125
	rcu_read_lock();

2126
	seq = read_seqbegin(&rename_lock);

2127
	for (;;) {

2128
		struct inode *inode = d_backing_inode(d);

2129


2130
		if (inode && unlikely(inode->i_fsnotify_marks)) {

2131
			struct audit_chunk *chunk;

2132


2133
			chunk = audit_tree_lookup(inode);

2134
			if (chunk) {

2135
				if (unlikely(!put_tree_ref(context, chunk))) {

2136
					drop = chunk;

2137
					break;

2138
				}

2139
			}

2140
		}

2141
		parent = d->d_parent;

2142
		if (parent == d)

2143
			break;

2144
		d = parent;

2145
	}

2146
	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */

2147
		rcu_read_unlock();

2148
		if (!drop) {

2149
			/* just a race with rename */

2150
			unroll_tree_refs(context, p, count);

2151
			goto retry;

2152
		}

2153
		audit_put_chunk(drop);

2154
		if (grow_tree_refs(context)) {

2155
			/* OK, got more space */

2156
			unroll_tree_refs(context, p, count);

2157
			goto retry;

2158
		}

2159
		/* too bad */

2160
		pr_warn("out of memory, audit has lost a tree reference\n");

2161
		unroll_tree_refs(context, p, count);

2162
		audit_set_auditable(context);

2163
		return;

2164
	}

2165
	rcu_read_unlock();

2166
}

2167


2168
static struct audit_names *audit_alloc_name(struct audit_context *context,

2169
						unsigned char type)

2170
{

2171
	struct audit_names *aname;

2172


2173
	if (context->name_count < AUDIT_NAMES) {

2174
		aname = &context->preallocated_names[context->name_count];

2175
		memset(aname, 0, sizeof(*aname));

2176
	} else {

2177
		aname = kzalloc(sizeof(*aname), GFP_NOFS);

2178
		if (!aname)

2179
			return NULL;

2180
		aname->should_free = true;

2181
	}

2182


2183
	aname->ino = AUDIT_INO_UNSET;

2184
	aname->type = type;

2185
	list_add_tail(&aname->list, &context->names_list);

2186


2187
	context->name_count++;

2188
	if (!context->pwd.dentry)

2189
		get_fs_pwd(current->fs, &context->pwd);

2190
	return aname;

2191
}

2192


2193
/**

2194
 * __audit_reusename - fill out filename with info from existing entry

2195
 * @uptr: userland ptr to pathname

2196
 *

2197
 * Search the audit_names list for the current audit context. If there is an

2198
 * existing entry with a matching "uptr" then return the filename

2199
 * associated with that audit_name. If not, return NULL.

2200
 */

2201
struct filename *

2202
__audit_reusename(const __user char *uptr)

2203
{

2204
	struct audit_context *context = audit_context();

2205
	struct audit_names *n;

2206


2207
	list_for_each_entry(n, &context->names_list, list) {

2208
		if (!n->name)

2209
			continue;

2210
		if (n->name->uptr == uptr)

2211
			return refname(n->name);

2212
	}

2213
	return NULL;

2214
}

2215


2216
/**

2217
 * __audit_getname - add a name to the list

2218
 * @name: name to add

2219
 *

2220
 * Add a name to the list of audit names for this context.

2221
 * Called from fs/namei.c:getname().

2222
 */

2223
void __audit_getname(struct filename *name)

2224
{

2225
	struct audit_context *context = audit_context();

2226
	struct audit_names *n;

2227


2228
	if (context->context == AUDIT_CTX_UNUSED)

2229
		return;

2230


2231
	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);

2232
	if (!n)

2233
		return;

2234


2235
	n->name = name;

2236
	n->name_len = AUDIT_NAME_FULL;

2237
	name->aname = n;

2238
	refname(name);

2239
}

2240


2241
static inline int audit_copy_fcaps(struct audit_names *name,

2242
				   const struct dentry *dentry)

2243
{

2244
	struct cpu_vfs_cap_data caps;

2245
	int rc;

2246


2247
	if (!dentry)

2248
		return 0;

2249


2250
	rc = get_vfs_caps_from_disk(&nop_mnt_idmap, dentry, &caps);

2251
	if (rc)

2252
		return rc;

2253


2254
	name->fcap.permitted = caps.permitted;

2255
	name->fcap.inheritable = caps.inheritable;

2256
	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);

2257
	name->fcap.rootid = caps.rootid;

2258
	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>

2259
				VFS_CAP_REVISION_SHIFT;

2260


2261
	return 0;

2262
}

2263


2264
/* Copy inode data into an audit_names. */

2265
static void audit_copy_inode(struct audit_names *name,

2266
			     const struct dentry *dentry,

2267
			     struct inode *inode, unsigned int flags)

2268
{

2269
	name->ino   = inode->i_ino;

2270
	name->dev   = inode->i_sb->s_dev;

2271
	name->mode  = inode->i_mode;

2272
	name->uid   = inode->i_uid;

2273
	name->gid   = inode->i_gid;

2274
	name->rdev  = inode->i_rdev;

2275
	security_inode_getlsmprop(inode, &name->oprop);

2276
	if (flags & AUDIT_INODE_NOEVAL) {

2277
		name->fcap_ver = -1;

2278
		return;

2279
	}

2280
	audit_copy_fcaps(name, dentry);

2281
}

2282


2283
/**

2284
 * __audit_inode - store the inode and device from a lookup

2285
 * @name: name being audited

2286
 * @dentry: dentry being audited

2287
 * @flags: attributes for this particular entry

2288
 */

2289
void __audit_inode(struct filename *name, const struct dentry *dentry,

2290
		   unsigned int flags)

2291
{

2292
	struct audit_context *context = audit_context();

2293
	struct inode *inode = d_backing_inode(dentry);

2294
	struct audit_names *n;

2295
	bool parent = flags & AUDIT_INODE_PARENT;

2296
	struct audit_entry *e;

2297
	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];

2298
	int i;

2299


2300
	if (context->context == AUDIT_CTX_UNUSED)

2301
		return;

2302


2303
	rcu_read_lock();

2304
	list_for_each_entry_rcu(e, list, list) {

2305
		for (i = 0; i < e->rule.field_count; i++) {

2306
			struct audit_field *f = &e->rule.fields[i];

2307


2308
			if (f->type == AUDIT_FSTYPE

2309
			    && audit_comparator(inode->i_sb->s_magic,

2310
						f->op, f->val)

2311
			    && e->rule.action == AUDIT_NEVER) {

2312
				rcu_read_unlock();

2313
				return;

2314
			}

2315
		}

2316
	}

2317
	rcu_read_unlock();

2318


2319
	if (!name)

2320
		goto out_alloc;

2321


2322
	/*

2323
	 * If we have a pointer to an audit_names entry already, then we can

2324
	 * just use it directly if the type is correct.

2325
	 */

2326
	n = name->aname;

2327
	if (n) {

2328
		if (parent) {

2329
			if (n->type == AUDIT_TYPE_PARENT ||

2330
			    n->type == AUDIT_TYPE_UNKNOWN)

2331
				goto out;

2332
		} else {

2333
			if (n->type != AUDIT_TYPE_PARENT)

2334
				goto out;

2335
		}

2336
	}

2337


2338
	list_for_each_entry_reverse(n, &context->names_list, list) {

2339
		if (n->ino) {

2340
			/* valid inode number, use that for the comparison */

2341
			if (n->ino != inode->i_ino ||

2342
			    n->dev != inode->i_sb->s_dev)

2343
				continue;

2344
		} else if (n->name) {

2345
			/* inode number has not been set, check the name */

2346
			if (strcmp(n->name->name, name->name))

2347
				continue;

2348
		} else

2349
			/* no inode and no name (?!) ... this is odd ... */

2350
			continue;

2351


2352
		/* match the correct record type */

2353
		if (parent) {

2354
			if (n->type == AUDIT_TYPE_PARENT ||

2355
			    n->type == AUDIT_TYPE_UNKNOWN)

2356
				goto out;

2357
		} else {

2358
			if (n->type != AUDIT_TYPE_PARENT)

2359
				goto out;

2360
		}

2361
	}

2362


2363
out_alloc:

2364
	/* unable to find an entry with both a matching name and type */

2365
	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);

2366
	if (!n)

2367
		return;

2368
	if (name) {

2369
		n->name = name;

2370
		refname(name);

2371
	}

2372


2373
out:

2374
	if (parent) {

2375
		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;

2376
		n->type = AUDIT_TYPE_PARENT;

2377
		if (flags & AUDIT_INODE_HIDDEN)

2378
			n->hidden = true;

2379
	} else {

2380
		n->name_len = AUDIT_NAME_FULL;

2381
		n->type = AUDIT_TYPE_NORMAL;

2382
	}

2383
	handle_path(dentry);

2384
	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);

2385
}

2386


2387
void __audit_file(const struct file *file)

2388
{

2389
	__audit_inode(NULL, file->f_path.dentry, 0);

2390
}

2391


2392
/**

2393
 * __audit_inode_child - collect inode info for created/removed objects

2394
 * @parent: inode of dentry parent

2395
 * @dentry: dentry being audited

2396
 * @type:   AUDIT_TYPE_* value that we're looking for

2397
 *

2398
 * For syscalls that create or remove filesystem objects, audit_inode

2399
 * can only collect information for the filesystem object's parent.

2400
 * This call updates the audit context with the child's information.

2401
 * Syscalls that create a new filesystem object must be hooked after

2402
 * the object is created.  Syscalls that remove a filesystem object

2403
 * must be hooked prior, in order to capture the target inode during

2404
 * unsuccessful attempts.

2405
 */

2406
void __audit_inode_child(struct inode *parent,

2407
			 const struct dentry *dentry,

2408
			 const unsigned char type)

2409
{

2410
	struct audit_context *context = audit_context();

2411
	struct inode *inode = d_backing_inode(dentry);

2412
	const struct qstr *dname = &dentry->d_name;

2413
	struct audit_names *n, *found_parent = NULL, *found_child = NULL;

2414
	struct audit_entry *e;

2415
	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];

2416
	int i;

2417


2418
	if (context->context == AUDIT_CTX_UNUSED)

2419
		return;

2420


2421
	rcu_read_lock();

2422
	list_for_each_entry_rcu(e, list, list) {

2423
		for (i = 0; i < e->rule.field_count; i++) {

2424
			struct audit_field *f = &e->rule.fields[i];

2425


2426
			if (f->type == AUDIT_FSTYPE

2427
			    && audit_comparator(parent->i_sb->s_magic,

2428
						f->op, f->val)

2429
			    && e->rule.action == AUDIT_NEVER) {

2430
				rcu_read_unlock();

2431
				return;

2432
			}

2433
		}

2434
	}

2435
	rcu_read_unlock();

2436


2437
	if (inode)

2438
		handle_one(inode);

2439


2440
	/* look for a parent entry first */

2441
	list_for_each_entry(n, &context->names_list, list) {

2442
		if (!n->name ||

2443
		    (n->type != AUDIT_TYPE_PARENT &&

2444
		     n->type != AUDIT_TYPE_UNKNOWN))

2445
			continue;

2446


2447
		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&

2448
		    !audit_compare_dname_path(dname,

2449
					      n->name->name, n->name_len)) {

2450
			if (n->type == AUDIT_TYPE_UNKNOWN)

2451
				n->type = AUDIT_TYPE_PARENT;

2452
			found_parent = n;

2453
			break;

2454
		}

2455
	}

2456


2457
	cond_resched();

2458


2459
	/* is there a matching child entry? */

2460
	list_for_each_entry(n, &context->names_list, list) {

2461
		/* can only match entries that have a name */

2462
		if (!n->name ||

2463
		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))

2464
			continue;

2465


2466
		if (!strcmp(dname->name, n->name->name) ||

2467
		    !audit_compare_dname_path(dname, n->name->name,

2468
						found_parent ?

2469
						found_parent->name_len :

2470
						AUDIT_NAME_FULL)) {

2471
			if (n->type == AUDIT_TYPE_UNKNOWN)

2472
				n->type = type;

2473
			found_child = n;

2474
			break;

2475
		}

2476
	}

2477


2478
	if (!found_parent) {

2479
		/* create a new, "anonymous" parent record */

2480
		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);

2481
		if (!n)

2482
			return;

2483
		audit_copy_inode(n, NULL, parent, 0);

2484
	}

2485


2486
	if (!found_child) {

2487
		found_child = audit_alloc_name(context, type);

2488
		if (!found_child)

2489
			return;

2490


2491
		/* Re-use the name belonging to the slot for a matching parent

2492
		 * directory. All names for this context are relinquished in

2493
		 * audit_free_names() */

2494
		if (found_parent) {

2495
			found_child->name = found_parent->name;

2496
			found_child->name_len = AUDIT_NAME_FULL;

2497
			refname(found_child->name);

2498
		}

2499
	}

2500


2501
	if (inode)

2502
		audit_copy_inode(found_child, dentry, inode, 0);

2503
	else

2504
		found_child->ino = AUDIT_INO_UNSET;

2505
}

2506
EXPORT_SYMBOL_GPL(__audit_inode_child);

2507


2508
/**

2509
 * auditsc_get_stamp - get local copies of audit_context values

2510
 * @ctx: audit_context for the task

2511
 * @t: timespec64 to store time recorded in the audit_context

2512
 * @serial: serial value that is recorded in the audit_context

2513
 *

2514
 * Also sets the context as auditable.

2515
 */

2516
int auditsc_get_stamp(struct audit_context *ctx,

2517
		       struct timespec64 *t, unsigned int *serial)

2518
{

2519
	if (ctx->context == AUDIT_CTX_UNUSED)

2520
		return 0;

2521
	if (!ctx->serial)

2522
		ctx->serial = audit_serial();

2523
	t->tv_sec  = ctx->ctime.tv_sec;

2524
	t->tv_nsec = ctx->ctime.tv_nsec;

2525
	*serial    = ctx->serial;

2526
	if (!ctx->prio) {

2527
		ctx->prio = 1;

2528
		ctx->current_state = AUDIT_STATE_RECORD;

2529
	}

2530
	return 1;

2531
}

2532


2533
/**

2534
 * __audit_mq_open - record audit data for a POSIX MQ open

2535
 * @oflag: open flag

2536
 * @mode: mode bits

2537
 * @attr: queue attributes

2538
 *

2539
 */

2540
void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)

2541
{

2542
	struct audit_context *context = audit_context();

2543


2544
	if (attr)

2545
		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));

2546
	else

2547
		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));

2548


2549
	context->mq_open.oflag = oflag;

2550
	context->mq_open.mode = mode;

2551


2552
	context->type = AUDIT_MQ_OPEN;

2553
}

2554


2555
/**

2556
 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive

2557
 * @mqdes: MQ descriptor

2558
 * @msg_len: Message length

2559
 * @msg_prio: Message priority

2560
 * @abs_timeout: Message timeout in absolute time

2561
 *

2562
 */

2563
void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,

2564
			const struct timespec64 *abs_timeout)

2565
{

2566
	struct audit_context *context = audit_context();

2567
	struct timespec64 *p = &context->mq_sendrecv.abs_timeout;

2568


2569
	if (abs_timeout)

2570
		memcpy(p, abs_timeout, sizeof(*p));

2571
	else

2572
		memset(p, 0, sizeof(*p));

2573


2574
	context->mq_sendrecv.mqdes = mqdes;

2575
	context->mq_sendrecv.msg_len = msg_len;

2576
	context->mq_sendrecv.msg_prio = msg_prio;

2577


2578
	context->type = AUDIT_MQ_SENDRECV;

2579
}

2580


2581
/**

2582
 * __audit_mq_notify - record audit data for a POSIX MQ notify

2583
 * @mqdes: MQ descriptor

2584
 * @notification: Notification event

2585
 *

2586
 */

2587


2588
void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)

2589
{

2590
	struct audit_context *context = audit_context();

2591


2592
	if (notification)

2593
		context->mq_notify.sigev_signo = notification->sigev_signo;

2594
	else

2595
		context->mq_notify.sigev_signo = 0;

2596


2597
	context->mq_notify.mqdes = mqdes;

2598
	context->type = AUDIT_MQ_NOTIFY;

2599
}

2600


2601
/**

2602
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute

2603
 * @mqdes: MQ descriptor

2604
 * @mqstat: MQ flags

2605
 *

2606
 */

2607
void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)

2608
{

2609
	struct audit_context *context = audit_context();

2610


2611
	context->mq_getsetattr.mqdes = mqdes;

2612
	context->mq_getsetattr.mqstat = *mqstat;

2613
	context->type = AUDIT_MQ_GETSETATTR;

2614
}

2615


2616
/**

2617
 * __audit_ipc_obj - record audit data for ipc object

2618
 * @ipcp: ipc permissions

2619
 *

2620
 */

2621
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)

2622
{

2623
	struct audit_context *context = audit_context();

2624


2625
	context->ipc.uid = ipcp->uid;

2626
	context->ipc.gid = ipcp->gid;

2627
	context->ipc.mode = ipcp->mode;

2628
	context->ipc.has_perm = 0;

2629
	security_ipc_getlsmprop(ipcp, &context->ipc.oprop);

2630
	context->type = AUDIT_IPC;

2631
}

2632


2633
/**

2634
 * __audit_ipc_set_perm - record audit data for new ipc permissions

2635
 * @qbytes: msgq bytes

2636
 * @uid: msgq user id

2637
 * @gid: msgq group id

2638
 * @mode: msgq mode (permissions)

2639
 *

2640
 * Called only after audit_ipc_obj().

2641
 */

2642
void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)

2643
{

2644
	struct audit_context *context = audit_context();

2645


2646
	context->ipc.qbytes = qbytes;

2647
	context->ipc.perm_uid = uid;

2648
	context->ipc.perm_gid = gid;

2649
	context->ipc.perm_mode = mode;

2650
	context->ipc.has_perm = 1;

2651
}

2652


2653
void __audit_bprm(struct linux_binprm *bprm)

2654
{

2655
	struct audit_context *context = audit_context();

2656


2657
	context->type = AUDIT_EXECVE;

2658
	context->execve.argc = bprm->argc;

2659
}

2660


2661


2662
/**

2663
 * __audit_socketcall - record audit data for sys_socketcall

2664
 * @nargs: number of args, which should not be more than AUDITSC_ARGS.

2665
 * @args: args array

2666
 *

2667
 */

2668
int __audit_socketcall(int nargs, unsigned long *args)

2669
{

2670
	struct audit_context *context = audit_context();

2671


2672
	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)

2673
		return -EINVAL;

2674
	context->type = AUDIT_SOCKETCALL;

2675
	context->socketcall.nargs = nargs;

2676
	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));

2677
	return 0;

2678
}

2679


2680
/**

2681
 * __audit_fd_pair - record audit data for pipe and socketpair

2682
 * @fd1: the first file descriptor

2683
 * @fd2: the second file descriptor

2684
 *

2685
 */

2686
void __audit_fd_pair(int fd1, int fd2)

2687
{

2688
	struct audit_context *context = audit_context();

2689


2690
	context->fds[0] = fd1;

2691
	context->fds[1] = fd2;

2692
}

2693


2694
/**

2695
 * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto

2696
 * @len: data length in user space

2697
 * @a: data address in kernel space

2698
 *

2699
 * Returns 0 for success or NULL context or < 0 on error.

2700
 */

2701
int __audit_sockaddr(int len, void *a)

2702
{

2703
	struct audit_context *context = audit_context();

2704


2705
	if (!context->sockaddr) {

2706
		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);

2707


2708
		if (!p)

2709
			return -ENOMEM;

2710
		context->sockaddr = p;

2711
	}

2712


2713
	context->sockaddr_len = len;

2714
	memcpy(context->sockaddr, a, len);

2715
	return 0;

2716
}

2717


2718
void __audit_ptrace(struct task_struct *t)

2719
{

2720
	struct audit_context *context = audit_context();

2721


2722
	context->target_pid = task_tgid_nr(t);

2723
	context->target_auid = audit_get_loginuid(t);

2724
	context->target_uid = task_uid(t);

2725
	context->target_sessionid = audit_get_sessionid(t);

2726
	strscpy(context->target_comm, t->comm);

2727
	security_task_getlsmprop_obj(t, &context->target_ref);

2728
}

2729


2730
/**

2731
 * audit_signal_info_syscall - record signal info for syscalls

2732
 * @t: task being signaled

2733
 *

2734
 * If the audit subsystem is being terminated, record the task (pid)

2735
 * and uid that is doing that.

2736
 */

2737
int audit_signal_info_syscall(struct task_struct *t)

2738
{

2739
	struct audit_aux_data_pids *axp;

2740
	struct audit_context *ctx = audit_context();

2741
	kuid_t t_uid = task_uid(t);

2742


2743
	if (!audit_signals || audit_dummy_context())

2744
		return 0;

2745


2746
	/* optimize the common case by putting first signal recipient directly

2747
	 * in audit_context */

2748
	if (!ctx->target_pid) {

2749
		ctx->target_pid = task_tgid_nr(t);

2750
		ctx->target_auid = audit_get_loginuid(t);

2751
		ctx->target_uid = t_uid;

2752
		ctx->target_sessionid = audit_get_sessionid(t);

2753
		strscpy(ctx->target_comm, t->comm);

2754
		security_task_getlsmprop_obj(t, &ctx->target_ref);

2755
		return 0;

2756
	}

2757


2758
	axp = (void *)ctx->aux_pids;

2759
	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {

2760
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);

2761
		if (!axp)

2762
			return -ENOMEM;

2763


2764
		axp->d.type = AUDIT_OBJ_PID;

2765
		axp->d.next = ctx->aux_pids;

2766
		ctx->aux_pids = (void *)axp;

2767
	}

2768
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);

2769


2770
	axp->target_pid[axp->pid_count] = task_tgid_nr(t);

2771
	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);

2772
	axp->target_uid[axp->pid_count] = t_uid;

2773
	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);

2774
	security_task_getlsmprop_obj(t, &axp->target_ref[axp->pid_count]);

2775
	strscpy(axp->target_comm[axp->pid_count], t->comm);

2776
	axp->pid_count++;

2777


2778
	return 0;

2779
}

2780


2781
/**

2782
 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps

2783
 * @bprm: pointer to the bprm being processed

2784
 * @new: the proposed new credentials

2785
 * @old: the old credentials

2786
 *

2787
 * Simply check if the proc already has the caps given by the file and if not

2788
 * store the priv escalation info for later auditing at the end of the syscall

2789
 *

2790
 * -Eric

2791
 */

2792
int __audit_log_bprm_fcaps(struct linux_binprm *bprm,

2793
			   const struct cred *new, const struct cred *old)

2794
{

2795
	struct audit_aux_data_bprm_fcaps *ax;

2796
	struct audit_context *context = audit_context();

2797
	struct cpu_vfs_cap_data vcaps;

2798


2799
	ax = kmalloc(sizeof(*ax), GFP_KERNEL);

2800
	if (!ax)

2801
		return -ENOMEM;

2802


2803
	ax->d.type = AUDIT_BPRM_FCAPS;

2804
	ax->d.next = context->aux;

2805
	context->aux = (void *)ax;

2806


2807
	get_vfs_caps_from_disk(&nop_mnt_idmap,

2808
			       bprm->file->f_path.dentry, &vcaps);

2809


2810
	ax->fcap.permitted = vcaps.permitted;

2811
	ax->fcap.inheritable = vcaps.inheritable;

2812
	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);

2813
	ax->fcap.rootid = vcaps.rootid;

2814
	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;

2815


2816
	ax->old_pcap.permitted   = old->cap_permitted;

2817
	ax->old_pcap.inheritable = old->cap_inheritable;

2818
	ax->old_pcap.effective   = old->cap_effective;

2819
	ax->old_pcap.ambient     = old->cap_ambient;

2820


2821
	ax->new_pcap.permitted   = new->cap_permitted;

2822
	ax->new_pcap.inheritable = new->cap_inheritable;

2823
	ax->new_pcap.effective   = new->cap_effective;

2824
	ax->new_pcap.ambient     = new->cap_ambient;

2825
	return 0;

2826
}

2827


2828
/**

2829
 * __audit_log_capset - store information about the arguments to the capset syscall

2830
 * @new: the new credentials

2831
 * @old: the old (current) credentials

2832
 *

2833
 * Record the arguments userspace sent to sys_capset for later printing by the

2834
 * audit system if applicable

2835
 */

2836
void __audit_log_capset(const struct cred *new, const struct cred *old)

2837
{

2838
	struct audit_context *context = audit_context();

2839


2840
	context->capset.pid = task_tgid_nr(current);

2841
	context->capset.cap.effective   = new->cap_effective;

2842
	context->capset.cap.inheritable = new->cap_effective;

2843
	context->capset.cap.permitted   = new->cap_permitted;

2844
	context->capset.cap.ambient     = new->cap_ambient;

2845
	context->type = AUDIT_CAPSET;

2846
}

2847


2848
void __audit_mmap_fd(int fd, int flags)

2849
{

2850
	struct audit_context *context = audit_context();

2851


2852
	context->mmap.fd = fd;

2853
	context->mmap.flags = flags;

2854
	context->type = AUDIT_MMAP;

2855
}

2856


2857
void __audit_openat2_how(struct open_how *how)

2858
{

2859
	struct audit_context *context = audit_context();

2860


2861
	context->openat2.flags = how->flags;

2862
	context->openat2.mode = how->mode;

2863
	context->openat2.resolve = how->resolve;

2864
	context->type = AUDIT_OPENAT2;

2865
}

2866


2867
void __audit_log_kern_module(const char *name)

2868
{

2869
	struct audit_context *context = audit_context();

2870


2871
	context->module.name = kstrdup(name, GFP_KERNEL);

2872
	if (!context->module.name)

2873
		audit_log_lost("out of memory in __audit_log_kern_module");

2874
	context->type = AUDIT_KERN_MODULE;

2875
}

2876


2877
void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)

2878
{

2879
	/* {subj,obj}_trust values are {0,1,2}: no,yes,unknown */

2880
	switch (friar->hdr.type) {

2881
	case FAN_RESPONSE_INFO_NONE:

2882
		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,

2883
			  "resp=%u fan_type=%u fan_info=0 subj_trust=2 obj_trust=2",

2884
			  response, FAN_RESPONSE_INFO_NONE);

2885
		break;

2886
	case FAN_RESPONSE_INFO_AUDIT_RULE:

2887
		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,

2888
			  "resp=%u fan_type=%u fan_info=%X subj_trust=%u obj_trust=%u",

2889
			  response, friar->hdr.type, friar->rule_number,

2890
			  friar->subj_trust, friar->obj_trust);

2891
	}

2892
}

2893


2894
void __audit_tk_injoffset(struct timespec64 offset)

2895
{

2896
	struct audit_context *context = audit_context();

2897


2898
	/* only set type if not already set by NTP */

2899
	if (!context->type)

2900
		context->type = AUDIT_TIME_INJOFFSET;

2901
	memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));

2902
}

2903


2904
void __audit_ntp_log(const struct audit_ntp_data *ad)

2905
{

2906
	struct audit_context *context = audit_context();

2907
	int type;

2908


2909
	for (type = 0; type < AUDIT_NTP_NVALS; type++)

2910
		if (ad->vals[type].newval != ad->vals[type].oldval) {

2911
			/* unconditionally set type, overwriting TK */

2912
			context->type = AUDIT_TIME_ADJNTPVAL;

2913
			memcpy(&context->time.ntp_data, ad, sizeof(*ad));

2914
			break;

2915
		}

2916
}

2917


2918
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,

2919
		       enum audit_nfcfgop op, gfp_t gfp)

2920
{

2921
	struct audit_buffer *ab;

2922
	char comm[sizeof(current->comm)];

2923


2924
	ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);

2925
	if (!ab)

2926
		return;

2927
	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",

2928
			 name, af, nentries, audit_nfcfgs[op].s);

2929


2930
	audit_log_format(ab, " pid=%u", task_tgid_nr(current));

2931
	audit_log_task_context(ab); /* subj= */

2932
	audit_log_format(ab, " comm=");

2933
	audit_log_untrustedstring(ab, get_task_comm(comm, current));

2934
	audit_log_end(ab);

2935
}

2936
EXPORT_SYMBOL_GPL(__audit_log_nfcfg);

2937


2938
static void audit_log_task(struct audit_buffer *ab)

2939
{

2940
	kuid_t auid, uid;

2941
	kgid_t gid;

2942
	unsigned int sessionid;

2943
	char comm[sizeof(current->comm)];

2944


2945
	auid = audit_get_loginuid(current);

2946
	sessionid = audit_get_sessionid(current);

2947
	current_uid_gid(&uid, &gid);

2948


2949
	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",

2950
			 from_kuid(&init_user_ns, auid),

2951
			 from_kuid(&init_user_ns, uid),

2952
			 from_kgid(&init_user_ns, gid),

2953
			 sessionid);

2954
	audit_log_task_context(ab);

2955
	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));

2956
	audit_log_untrustedstring(ab, get_task_comm(comm, current));

2957
	audit_log_d_path_exe(ab, current->mm);

2958
}

2959


2960
/**

2961
 * audit_core_dumps - record information about processes that end abnormally

2962
 * @signr: signal value

2963
 *

2964
 * If a process ends with a core dump, something fishy is going on and we

2965
 * should record the event for investigation.

2966
 */

2967
void audit_core_dumps(long signr)

2968
{

2969
	struct audit_buffer *ab;

2970


2971
	if (!audit_enabled)

2972
		return;

2973


2974
	if (signr == SIGQUIT)	/* don't care for those */

2975
		return;

2976


2977
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);

2978
	if (unlikely(!ab))

2979
		return;

2980
	audit_log_task(ab);

2981
	audit_log_format(ab, " sig=%ld res=1", signr);

2982
	audit_log_end(ab);

2983
}

2984


2985
/**

2986
 * audit_seccomp - record information about a seccomp action

2987
 * @syscall: syscall number

2988
 * @signr: signal value

2989
 * @code: the seccomp action

2990
 *

2991
 * Record the information associated with a seccomp action. Event filtering for

2992
 * seccomp actions that are not to be logged is done in seccomp_log().

2993
 * Therefore, this function forces auditing independent of the audit_enabled

2994
 * and dummy context state because seccomp actions should be logged even when

2995
 * audit is not in use.

2996
 */

2997
void audit_seccomp(unsigned long syscall, long signr, int code)

2998
{

2999
	struct audit_buffer *ab;

3000


3001
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);

3002
	if (unlikely(!ab))

3003
		return;

3004
	audit_log_task(ab);

3005
	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",

3006
			 signr, syscall_get_arch(current), syscall,

3007
			 in_compat_syscall(), KSTK_EIP(current), code);

3008
	audit_log_end(ab);

3009
}

3010


3011
void audit_seccomp_actions_logged(const char *names, const char *old_names,

3012
				  int res)

3013
{

3014
	struct audit_buffer *ab;

3015


3016
	if (!audit_enabled)

3017
		return;

3018


3019
	ab = audit_log_start(audit_context(), GFP_KERNEL,

3020
			     AUDIT_CONFIG_CHANGE);

3021
	if (unlikely(!ab))

3022
		return;

3023


3024
	audit_log_format(ab,

3025
			 "op=seccomp-logging actions=%s old-actions=%s res=%d",

3026
			 names, old_names, res);

3027
	audit_log_end(ab);

3028
}

3029


3030
struct list_head *audit_killed_trees(void)

3031
{

3032
	struct audit_context *ctx = audit_context();

3033
	if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))

3034
		return NULL;

3035
	return &ctx->killed_trees;

3036
}

3037


3038