LCOV - code coverage report
Current view: top level - kernel - audit.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 105 677 15.5 %
Date: 2015-04-12 14:34:49 Functions: 13 54 24.1 %

          Line data    Source code
       1             : /* audit.c -- Auditing support
       2             :  * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
       3             :  * System-call specific features have moved to auditsc.c
       4             :  *
       5             :  * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
       6             :  * All Rights Reserved.
       7             :  *
       8             :  * This program is free software; you can redistribute it and/or modify
       9             :  * it under the terms of the GNU General Public License as published by
      10             :  * the Free Software Foundation; either version 2 of the License, or
      11             :  * (at your option) any later version.
      12             :  *
      13             :  * This program is distributed in the hope that it will be useful,
      14             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :  * GNU General Public License for more details.
      17             :  *
      18             :  * You should have received a copy of the GNU General Public License
      19             :  * along with this program; if not, write to the Free Software
      20             :  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
      21             :  *
      22             :  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
      23             :  *
      24             :  * Goals: 1) Integrate fully with Security Modules.
      25             :  *        2) Minimal run-time overhead:
      26             :  *           a) Minimal when syscall auditing is disabled (audit_enable=0).
      27             :  *           b) Small when syscall auditing is enabled and no audit record
      28             :  *              is generated (defer as much work as possible to record
      29             :  *              generation time):
      30             :  *              i) context is allocated,
      31             :  *              ii) names from getname are stored without a copy, and
      32             :  *              iii) inode information stored from path_lookup.
      33             :  *        3) Ability to disable syscall auditing at boot time (audit=0).
      34             :  *        4) Usable by other parts of the kernel (if audit_log* is called,
      35             :  *           then a syscall record will be generated automatically for the
      36             :  *           current syscall).
      37             :  *        5) Netlink interface to user-space.
      38             :  *        6) Support low-overhead kernel-based filtering to minimize the
      39             :  *           information that must be passed to user-space.
      40             :  *
      41             :  * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
      42             :  */
      43             : 
      44             : #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
      45             : 
      46             : #include <linux/init.h>
      47             : #include <linux/types.h>
      48             : #include <linux/atomic.h>
      49             : #include <linux/mm.h>
      50             : #include <linux/export.h>
      51             : #include <linux/slab.h>
      52             : #include <linux/err.h>
      53             : #include <linux/kthread.h>
      54             : #include <linux/kernel.h>
      55             : #include <linux/syscalls.h>
      56             : 
      57             : #include <linux/audit.h>
      58             : 
      59             : #include <net/sock.h>
      60             : #include <net/netlink.h>
      61             : #include <linux/skbuff.h>
      62             : #ifdef CONFIG_SECURITY
      63             : #include <linux/security.h>
      64             : #endif
      65             : #include <linux/freezer.h>
      66             : #include <linux/tty.h>
      67             : #include <linux/pid_namespace.h>
      68             : #include <net/netns/generic.h>
      69             : 
      70             : #include "audit.h"
      71             : 
      72             : /* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
      73             :  * (Initialization happens after skb_init is called.) */
      74             : #define AUDIT_DISABLED          -1
      75             : #define AUDIT_UNINITIALIZED     0
      76             : #define AUDIT_INITIALIZED       1
      77             : static int      audit_initialized;
      78             : 
      79             : #define AUDIT_OFF       0
      80             : #define AUDIT_ON        1
      81             : #define AUDIT_LOCKED    2
      82             : u32             audit_enabled;
      83             : u32             audit_ever_enabled;
      84             : 
      85             : EXPORT_SYMBOL_GPL(audit_enabled);
      86             : 
      87             : /* Default state when kernel boots without any parameters. */
      88             : static u32      audit_default;
      89             : 
      90             : /* If auditing cannot proceed, audit_failure selects what happens. */
      91             : static u32      audit_failure = AUDIT_FAIL_PRINTK;
      92             : 
      93             : /*
      94             :  * If audit records are to be written to the netlink socket, audit_pid
      95             :  * contains the pid of the auditd process and audit_nlk_portid contains
      96             :  * the portid to use to send netlink messages to that process.
      97             :  */
      98             : int             audit_pid;
      99             : static __u32    audit_nlk_portid;
     100             : 
     101             : /* If audit_rate_limit is non-zero, limit the rate of sending audit records
     102             :  * to that number per second.  This prevents DoS attacks, but results in
     103             :  * audit records being dropped. */
     104             : static u32      audit_rate_limit;
     105             : 
     106             : /* Number of outstanding audit_buffers allowed.
     107             :  * When set to zero, this means unlimited. */
     108             : static u32      audit_backlog_limit = 64;
     109             : #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
     110             : static u32      audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
     111             : static u32      audit_backlog_wait_overflow = 0;
     112             : 
     113             : /* The identity of the user shutting down the audit system. */
     114             : kuid_t          audit_sig_uid = INVALID_UID;
     115             : pid_t           audit_sig_pid = -1;
     116             : u32             audit_sig_sid = 0;
     117             : 
     118             : /* Records can be lost in several ways:
     119             :    0) [suppressed in audit_alloc]
     120             :    1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
     121             :    2) out of memory in audit_log_move [alloc_skb]
     122             :    3) suppressed due to audit_rate_limit
     123             :    4) suppressed due to audit_backlog_limit
     124             : */
     125             : static atomic_t    audit_lost = ATOMIC_INIT(0);
     126             : 
     127             : /* The netlink socket. */
     128             : static struct sock *audit_sock;
     129             : static int audit_net_id;
     130             : 
     131             : /* Hash for inode-based rules */
     132             : struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
     133             : 
     134             : /* The audit_freelist is a list of pre-allocated audit buffers (if more
     135             :  * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
     136             :  * being placed on the freelist). */
     137             : static DEFINE_SPINLOCK(audit_freelist_lock);
     138             : static int         audit_freelist_count;
     139             : static LIST_HEAD(audit_freelist);
     140             : 
     141             : static struct sk_buff_head audit_skb_queue;
     142             : /* queue of skbs to send to auditd when/if it comes back */
     143             : static struct sk_buff_head audit_skb_hold_queue;
     144             : static struct task_struct *kauditd_task;
     145             : static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
     146             : static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
     147             : 
     148             : static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
     149             :                                    .mask = -1,
     150             :                                    .features = 0,
     151             :                                    .lock = 0,};
     152             : 
     153             : static char *audit_feature_names[2] = {
     154             :         "only_unset_loginuid",
     155             :         "loginuid_immutable",
     156             : };
     157             : 
     158             : 
     159             : /* Serialize requests from userspace. */
     160             : DEFINE_MUTEX(audit_cmd_mutex);
     161             : 
     162             : /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
     163             :  * audit records.  Since printk uses a 1024 byte buffer, this buffer
     164             :  * should be at least that large. */
     165             : #define AUDIT_BUFSIZ 1024
     166             : 
     167             : /* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
     168             :  * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
     169             : #define AUDIT_MAXFREE  (2*NR_CPUS)
     170             : 
     171             : /* The audit_buffer is used when formatting an audit record.  The caller
     172             :  * locks briefly to get the record off the freelist or to allocate the
     173             :  * buffer, and locks briefly to send the buffer to the netlink layer or
     174             :  * to place it on a transmit queue.  Multiple audit_buffers can be in
     175             :  * use simultaneously. */
     176             : struct audit_buffer {
     177             :         struct list_head     list;
     178             :         struct sk_buff       *skb;      /* formatted skb ready to send */
     179             :         struct audit_context *ctx;      /* NULL or associated context */
     180             :         gfp_t                gfp_mask;
     181             : };
     182             : 
     183             : struct audit_reply {
     184             :         __u32 portid;
     185             :         struct net *net;
     186             :         struct sk_buff *skb;
     187             : };
     188             : 
     189             : static void audit_set_portid(struct audit_buffer *ab, __u32 portid)
     190             : {
     191           0 :         if (ab) {
     192           0 :                 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
     193           0 :                 nlh->nlmsg_pid = portid;
     194             :         }
     195             : }
     196             : 
     197           0 : void audit_panic(const char *message)
     198             : {
     199           0 :         switch (audit_failure) {
     200             :         case AUDIT_FAIL_SILENT:
     201             :                 break;
     202             :         case AUDIT_FAIL_PRINTK:
     203           0 :                 if (printk_ratelimit())
     204           0 :                         pr_err("%s\n", message);
     205             :                 break;
     206             :         case AUDIT_FAIL_PANIC:
     207             :                 /* test audit_pid since printk is always losey, why bother? */
     208           0 :                 if (audit_pid)
     209           0 :                         panic("audit: %s\n", message);
     210             :                 break;
     211             :         }
     212           0 : }
     213             : 
     214             : static inline int audit_rate_check(void)
     215             : {
     216             :         static unsigned long    last_check = 0;
     217             :         static int              messages   = 0;
     218             :         static DEFINE_SPINLOCK(lock);
     219             :         unsigned long           flags;
     220             :         unsigned long           now;
     221             :         unsigned long           elapsed;
     222             :         int                     retval     = 0;
     223             : 
     224           1 :         if (!audit_rate_limit) return 1;
     225             : 
     226           0 :         spin_lock_irqsave(&lock, flags);
     227           0 :         if (++messages < audit_rate_limit) {
     228             :                 retval = 1;
     229             :         } else {
     230           0 :                 now     = jiffies;
     231           0 :                 elapsed = now - last_check;
     232           0 :                 if (elapsed > HZ) {
     233           0 :                         last_check = now;
     234           0 :                         messages   = 0;
     235             :                         retval     = 1;
     236             :                 }
     237             :         }
     238             :         spin_unlock_irqrestore(&lock, flags);
     239             : 
     240             :         return retval;
     241             : }
     242             : 
     243             : /**
     244             :  * audit_log_lost - conditionally log lost audit message event
     245             :  * @message: the message stating reason for lost audit message
     246             :  *
     247             :  * Emit at least 1 message per second, even if audit_rate_check is
     248             :  * throttling.
     249             :  * Always increment the lost messages counter.
     250             : */
     251           0 : void audit_log_lost(const char *message)
     252             : {
     253             :         static unsigned long    last_msg = 0;
     254             :         static DEFINE_SPINLOCK(lock);
     255             :         unsigned long           flags;
     256             :         unsigned long           now;
     257             :         int                     print;
     258             : 
     259             :         atomic_inc(&audit_lost);
     260             : 
     261           0 :         print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
     262             : 
     263           0 :         if (!print) {
     264           0 :                 spin_lock_irqsave(&lock, flags);
     265           0 :                 now = jiffies;
     266           0 :                 if (now - last_msg > HZ) {
     267             :                         print = 1;
     268           0 :                         last_msg = now;
     269             :                 }
     270             :                 spin_unlock_irqrestore(&lock, flags);
     271             :         }
     272             : 
     273           0 :         if (print) {
     274           0 :                 if (printk_ratelimit())
     275           0 :                         pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
     276             :                                 atomic_read(&audit_lost),
     277             :                                 audit_rate_limit,
     278             :                                 audit_backlog_limit);
     279           0 :                 audit_panic(message);
     280             :         }
     281           0 : }
     282             : 
     283           0 : static int audit_log_config_change(char *function_name, u32 new, u32 old,
     284             :                                    int allow_changes)
     285             : {
     286             :         struct audit_buffer *ab;
     287             :         int rc = 0;
     288             : 
     289           0 :         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
     290           0 :         if (unlikely(!ab))
     291             :                 return rc;
     292           0 :         audit_log_format(ab, "%s=%u old=%u", function_name, new, old);
     293             :         audit_log_session_info(ab);
     294             :         rc = audit_log_task_context(ab);
     295             :         if (rc)
     296             :                 allow_changes = 0; /* Something weird, deny request */
     297           0 :         audit_log_format(ab, " res=%d", allow_changes);
     298           0 :         audit_log_end(ab);
     299           0 :         return rc;
     300             : }
     301             : 
     302           0 : static int audit_do_config_change(char *function_name, u32 *to_change, u32 new)
     303             : {
     304             :         int allow_changes, rc = 0;
     305           0 :         u32 old = *to_change;
     306             : 
     307             :         /* check if we are locked */
     308           0 :         if (audit_enabled == AUDIT_LOCKED)
     309             :                 allow_changes = 0;
     310             :         else
     311             :                 allow_changes = 1;
     312             : 
     313           0 :         if (audit_enabled != AUDIT_OFF) {
     314           0 :                 rc = audit_log_config_change(function_name, new, old, allow_changes);
     315           0 :                 if (rc)
     316             :                         allow_changes = 0;
     317             :         }
     318             : 
     319             :         /* If we are allowed, make the change */
     320           0 :         if (allow_changes == 1)
     321           0 :                 *to_change = new;
     322             :         /* Not allowed, update reason */
     323           0 :         else if (rc == 0)
     324             :                 rc = -EPERM;
     325           0 :         return rc;
     326             : }
     327             : 
     328             : static int audit_set_rate_limit(u32 limit)
     329             : {
     330           0 :         return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
     331             : }
     332             : 
     333             : static int audit_set_backlog_limit(u32 limit)
     334             : {
     335           0 :         return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
     336             : }
     337             : 
     338             : static int audit_set_backlog_wait_time(u32 timeout)
     339             : {
     340           0 :         return audit_do_config_change("audit_backlog_wait_time",
     341             :                                       &audit_backlog_wait_time, timeout);
     342             : }
     343             : 
     344           0 : static int audit_set_enabled(u32 state)
     345             : {
     346             :         int rc;
     347           0 :         if (state < AUDIT_OFF || state > AUDIT_LOCKED)
     348             :                 return -EINVAL;
     349             : 
     350           0 :         rc =  audit_do_config_change("audit_enabled", &audit_enabled, state);
     351           0 :         if (!rc)
     352           0 :                 audit_ever_enabled |= !!state;
     353             : 
     354           0 :         return rc;
     355             : }
     356             : 
     357             : static int audit_set_failure(u32 state)
     358             : {
     359           0 :         if (state != AUDIT_FAIL_SILENT
     360             :             && state != AUDIT_FAIL_PRINTK
     361             :             && state != AUDIT_FAIL_PANIC)
     362             :                 return -EINVAL;
     363             : 
     364           0 :         return audit_do_config_change("audit_failure", &audit_failure, state);
     365             : }
     366             : 
     367             : /*
     368             :  * Queue skbs to be sent to auditd when/if it comes back.  These skbs should
     369             :  * already have been sent via prink/syslog and so if these messages are dropped
     370             :  * it is not a huge concern since we already passed the audit_log_lost()
     371             :  * notification and stuff.  This is just nice to get audit messages during
     372             :  * boot before auditd is running or messages generated while auditd is stopped.
     373             :  * This only holds messages is audit_default is set, aka booting with audit=1
     374             :  * or building your kernel that way.
     375             :  */
     376           1 : static void audit_hold_skb(struct sk_buff *skb)
     377             : {
     378           1 :         if (audit_default &&
     379           0 :             (!audit_backlog_limit ||
     380           0 :              skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
     381           0 :                 skb_queue_tail(&audit_skb_hold_queue, skb);
     382             :         else
     383           1 :                 kfree_skb(skb);
     384           1 : }
     385             : 
     386             : /*
     387             :  * For one reason or another this nlh isn't getting delivered to the userspace
     388             :  * audit daemon, just send it to printk.
     389             :  */
     390           1 : static void audit_printk_skb(struct sk_buff *skb)
     391             : {
     392             :         struct nlmsghdr *nlh = nlmsg_hdr(skb);
     393           1 :         char *data = nlmsg_data(nlh);
     394             : 
     395           1 :         if (nlh->nlmsg_type != AUDIT_EOE) {
     396           1 :                 if (printk_ratelimit())
     397           1 :                         pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
     398             :                 else
     399           0 :                         audit_log_lost("printk limit exceeded");
     400             :         }
     401             : 
     402           1 :         audit_hold_skb(skb);
     403           1 : }
     404             : 
     405           0 : static void kauditd_send_skb(struct sk_buff *skb)
     406             : {
     407             :         int err;
     408             :         /* take a reference in case we can't send it and we want to hold it */
     409             :         skb_get(skb);
     410           0 :         err = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
     411           0 :         if (err < 0) {
     412             :                 BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */
     413           0 :                 if (audit_pid) {
     414           0 :                         pr_err("*NO* daemon at audit_pid=%d\n", audit_pid);
     415           0 :                         audit_log_lost("auditd disappeared");
     416           0 :                         audit_pid = 0;
     417           0 :                         audit_sock = NULL;
     418             :                 }
     419             :                 /* we might get lucky and get this in the next auditd */
     420           0 :                 audit_hold_skb(skb);
     421             :         } else
     422             :                 /* drop the extra reference if sent ok */
     423           0 :                 consume_skb(skb);
     424           0 : }
     425             : 
     426             : /*
     427             :  * kauditd_send_multicast_skb - send the skb to multicast userspace listeners
     428             :  *
     429             :  * This function doesn't consume an skb as might be expected since it has to
     430             :  * copy it anyways.
     431             :  */
     432           1 : static void kauditd_send_multicast_skb(struct sk_buff *skb, gfp_t gfp_mask)
     433             : {
     434             :         struct sk_buff          *copy;
     435           1 :         struct audit_net        *aunet = net_generic(&init_net, audit_net_id);
     436           1 :         struct sock             *sock = aunet->nlsk;
     437             : 
     438           1 :         if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
     439             :                 return;
     440             : 
     441             :         /*
     442             :          * The seemingly wasteful skb_copy() rather than bumping the refcount
     443             :          * using skb_get() is necessary because non-standard mods are made to
     444             :          * the skb by the original kaudit unicast socket send routine.  The
     445             :          * existing auditd daemon assumes this breakage.  Fixing this would
     446             :          * require co-ordinating a change in the established protocol between
     447             :          * the kaudit kernel subsystem and the auditd userspace code.  There is
     448             :          * no reason for new multicast clients to continue with this
     449             :          * non-compliance.
     450             :          */
     451           0 :         copy = skb_copy(skb, gfp_mask);
     452           0 :         if (!copy)
     453             :                 return;
     454             : 
     455             :         nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, gfp_mask);
     456             : }
     457             : 
     458             : /*
     459             :  * flush_hold_queue - empty the hold queue if auditd appears
     460             :  *
     461             :  * If auditd just started, drain the queue of messages already
     462             :  * sent to syslog/printk.  Remember loss here is ok.  We already
     463             :  * called audit_log_lost() if it didn't go out normally.  so the
     464             :  * race between the skb_dequeue and the next check for audit_pid
     465             :  * doesn't matter.
     466             :  *
     467             :  * If you ever find kauditd to be too slow we can get a perf win
     468             :  * by doing our own locking and keeping better track if there
     469             :  * are messages in this queue.  I don't see the need now, but
     470             :  * in 5 years when I want to play with this again I'll see this
     471             :  * note and still have no friggin idea what i'm thinking today.
     472             :  */
     473           0 : static void flush_hold_queue(void)
     474             : {
     475             :         struct sk_buff *skb;
     476             : 
     477           0 :         if (!audit_default || !audit_pid)
     478             :                 return;
     479             : 
     480           0 :         skb = skb_dequeue(&audit_skb_hold_queue);
     481           0 :         if (likely(!skb))
     482             :                 return;
     483             : 
     484           0 :         while (skb && audit_pid) {
     485           0 :                 kauditd_send_skb(skb);
     486           0 :                 skb = skb_dequeue(&audit_skb_hold_queue);
     487             :         }
     488             : 
     489             :         /*
     490             :          * if auditd just disappeared but we
     491             :          * dequeued an skb we need to drop ref
     492             :          */
     493           0 :         if (skb)
     494           0 :                 consume_skb(skb);
     495             : }
     496             : 
     497           0 : static int kauditd_thread(void *dummy)
     498             : {
     499           0 :         set_freezable();
     500           0 :         while (!kthread_should_stop()) {
     501             :                 struct sk_buff *skb;
     502             : 
     503           0 :                 flush_hold_queue();
     504             : 
     505           0 :                 skb = skb_dequeue(&audit_skb_queue);
     506             : 
     507           0 :                 if (skb) {
     508           0 :                         if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
     509           0 :                                 wake_up(&audit_backlog_wait);
     510           0 :                         if (audit_pid)
     511           0 :                                 kauditd_send_skb(skb);
     512             :                         else
     513           0 :                                 audit_printk_skb(skb);
     514           0 :                         continue;
     515             :                 }
     516             : 
     517           0 :                 wait_event_freezable(kauditd_wait, skb_queue_len(&audit_skb_queue));
     518             :         }
     519           0 :         return 0;
     520             : }
     521             : 
     522           0 : int audit_send_list(void *_dest)
     523             : {
     524             :         struct audit_netlink_list *dest = _dest;
     525             :         struct sk_buff *skb;
     526           0 :         struct net *net = dest->net;
     527           0 :         struct audit_net *aunet = net_generic(net, audit_net_id);
     528             : 
     529             :         /* wait for parent to finish and send an ACK */
     530           0 :         mutex_lock(&audit_cmd_mutex);
     531           0 :         mutex_unlock(&audit_cmd_mutex);
     532             : 
     533           0 :         while ((skb = __skb_dequeue(&dest->q)) != NULL)
     534           0 :                 netlink_unicast(aunet->nlsk, skb, dest->portid, 0);
     535             : 
     536             :         put_net(net);
     537           0 :         kfree(dest);
     538             : 
     539           0 :         return 0;
     540             : }
     541             : 
     542           0 : struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done,
     543             :                                  int multi, const void *payload, int size)
     544             : {
     545             :         struct sk_buff  *skb;
     546             :         struct nlmsghdr *nlh;
     547             :         void            *data;
     548           0 :         int             flags = multi ? NLM_F_MULTI : 0;
     549           0 :         int             t     = done  ? NLMSG_DONE  : type;
     550             : 
     551             :         skb = nlmsg_new(size, GFP_KERNEL);
     552           0 :         if (!skb)
     553             :                 return NULL;
     554             : 
     555           0 :         nlh     = nlmsg_put(skb, portid, seq, t, size, flags);
     556           0 :         if (!nlh)
     557             :                 goto out_kfree_skb;
     558           0 :         data = nlmsg_data(nlh);
     559           0 :         memcpy(data, payload, size);
     560           0 :         return skb;
     561             : 
     562             : out_kfree_skb:
     563           0 :         kfree_skb(skb);
     564           0 :         return NULL;
     565             : }
     566             : 
     567           0 : static int audit_send_reply_thread(void *arg)
     568             : {
     569             :         struct audit_reply *reply = (struct audit_reply *)arg;
     570           0 :         struct net *net = reply->net;
     571           0 :         struct audit_net *aunet = net_generic(net, audit_net_id);
     572             : 
     573           0 :         mutex_lock(&audit_cmd_mutex);
     574           0 :         mutex_unlock(&audit_cmd_mutex);
     575             : 
     576             :         /* Ignore failure. It'll only happen if the sender goes away,
     577             :            because our timeout is set to infinite. */
     578           0 :         netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
     579             :         put_net(net);
     580           0 :         kfree(reply);
     581           0 :         return 0;
     582             : }
     583             : /**
     584             :  * audit_send_reply - send an audit reply message via netlink
     585             :  * @request_skb: skb of request we are replying to (used to target the reply)
     586             :  * @seq: sequence number
     587             :  * @type: audit message type
     588             :  * @done: done (last) flag
     589             :  * @multi: multi-part message flag
     590             :  * @payload: payload data
     591             :  * @size: payload size
     592             :  *
     593             :  * Allocates an skb, builds the netlink message, and sends it to the port id.
     594             :  * No failure notifications.
     595             :  */
     596           0 : static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
     597             :                              int multi, const void *payload, int size)
     598             : {
     599           0 :         u32 portid = NETLINK_CB(request_skb).portid;
     600           0 :         struct net *net = sock_net(NETLINK_CB(request_skb).sk);
     601             :         struct sk_buff *skb;
     602             :         struct task_struct *tsk;
     603             :         struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
     604             :                                             GFP_KERNEL);
     605             : 
     606           0 :         if (!reply)
     607             :                 return;
     608             : 
     609           0 :         skb = audit_make_reply(portid, seq, type, done, multi, payload, size);
     610           0 :         if (!skb)
     611             :                 goto out;
     612             : 
     613           0 :         reply->net = get_net(net);
     614           0 :         reply->portid = portid;
     615           0 :         reply->skb = skb;
     616             : 
     617           0 :         tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
     618           0 :         if (!IS_ERR(tsk))
     619             :                 return;
     620           0 :         kfree_skb(skb);
     621             : out:
     622           0 :         kfree(reply);
     623             : }
     624             : 
     625             : /*
     626             :  * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
     627             :  * control messages.
     628             :  */
     629           0 : static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
     630             : {
     631             :         int err = 0;
     632             : 
     633             :         /* Only support initial user namespace for now. */
     634             :         /*
     635             :          * We return ECONNREFUSED because it tricks userspace into thinking
     636             :          * that audit was not configured into the kernel.  Lots of users
     637             :          * configure their PAM stack (because that's what the distro does)
     638             :          * to reject login if unable to send messages to audit.  If we return
     639             :          * ECONNREFUSED the PAM stack thinks the kernel does not have audit
     640             :          * configured in and will let login proceed.  If we return EPERM
     641             :          * userspace will reject all logins.  This should be removed when we
     642             :          * support non init namespaces!!
     643             :          */
     644             :         if (current_user_ns() != &init_user_ns)
     645             :                 return -ECONNREFUSED;
     646             : 
     647           0 :         switch (msg_type) {
     648             :         case AUDIT_LIST:
     649             :         case AUDIT_ADD:
     650             :         case AUDIT_DEL:
     651             :                 return -EOPNOTSUPP;
     652             :         case AUDIT_GET:
     653             :         case AUDIT_SET:
     654             :         case AUDIT_GET_FEATURE:
     655             :         case AUDIT_SET_FEATURE:
     656             :         case AUDIT_LIST_RULES:
     657             :         case AUDIT_ADD_RULE:
     658             :         case AUDIT_DEL_RULE:
     659             :         case AUDIT_SIGNAL_INFO:
     660             :         case AUDIT_TTY_GET:
     661             :         case AUDIT_TTY_SET:
     662             :         case AUDIT_TRIM:
     663             :         case AUDIT_MAKE_EQUIV:
     664             :                 /* Only support auditd and auditctl in initial pid namespace
     665             :                  * for now. */
     666           0 :                 if ((task_active_pid_ns(current) != &init_pid_ns))
     667             :                         return -EPERM;
     668             : 
     669           0 :                 if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
     670             :                         err = -EPERM;
     671             :                 break;
     672             :         case AUDIT_USER:
     673             :         case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
     674             :         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
     675           0 :                 if (!netlink_capable(skb, CAP_AUDIT_WRITE))
     676             :                         err = -EPERM;
     677             :                 break;
     678             :         default:  /* bad msg */
     679             :                 err = -EINVAL;
     680             :         }
     681             : 
     682           0 :         return err;
     683             : }
     684             : 
     685           0 : static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
     686             : {
     687             :         int rc = 0;
     688           0 :         uid_t uid = from_kuid(&init_user_ns, current_uid());
     689             :         pid_t pid = task_tgid_nr(current);
     690             : 
     691           0 :         if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
     692           0 :                 *ab = NULL;
     693           0 :                 return rc;
     694             :         }
     695             : 
     696           0 :         *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
     697           0 :         if (unlikely(!*ab))
     698             :                 return rc;
     699           0 :         audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
     700           0 :         audit_log_session_info(*ab);
     701             :         audit_log_task_context(*ab);
     702             : 
     703           0 :         return rc;
     704             : }
     705             : 
     706           0 : int is_audit_feature_set(int i)
     707             : {
     708           0 :         return af.features & AUDIT_FEATURE_TO_MASK(i);
     709             : }
     710             : 
     711             : 
     712           0 : static int audit_get_feature(struct sk_buff *skb)
     713             : {
     714             :         u32 seq;
     715             : 
     716           0 :         seq = nlmsg_hdr(skb)->nlmsg_seq;
     717             : 
     718           0 :         audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
     719             : 
     720           0 :         return 0;
     721             : }
     722             : 
     723           0 : static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
     724             :                                      u32 old_lock, u32 new_lock, int res)
     725             : {
     726             :         struct audit_buffer *ab;
     727             : 
     728           0 :         if (audit_enabled == AUDIT_OFF)
     729           0 :                 return;
     730             : 
     731           0 :         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
     732           0 :         audit_log_task_info(ab, current);
     733           0 :         audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
     734             :                          audit_feature_names[which], !!old_feature, !!new_feature,
     735             :                          !!old_lock, !!new_lock, res);
     736           0 :         audit_log_end(ab);
     737             : }
     738             : 
     739           0 : static int audit_set_feature(struct sk_buff *skb)
     740             : {
     741             :         struct audit_features *uaf;
     742             :         int i;
     743             : 
     744             :         BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
     745             :         uaf = nlmsg_data(nlmsg_hdr(skb));
     746             : 
     747             :         /* if there is ever a version 2 we should handle that here */
     748             : 
     749           0 :         for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
     750           0 :                 u32 feature = AUDIT_FEATURE_TO_MASK(i);
     751             :                 u32 old_feature, new_feature, old_lock, new_lock;
     752             : 
     753             :                 /* if we are not changing this feature, move along */
     754           0 :                 if (!(feature & uaf->mask))
     755           0 :                         continue;
     756             : 
     757           0 :                 old_feature = af.features & feature;
     758           0 :                 new_feature = uaf->features & feature;
     759           0 :                 new_lock = (uaf->lock | af.lock) & feature;
     760           0 :                 old_lock = af.lock & feature;
     761             : 
     762             :                 /* are we changing a locked feature? */
     763           0 :                 if (old_lock && (new_feature != old_feature)) {
     764           0 :                         audit_log_feature_change(i, old_feature, new_feature,
     765             :                                                  old_lock, new_lock, 0);
     766           0 :                         return -EPERM;
     767             :                 }
     768             :         }
     769             :         /* nothing invalid, do the changes */
     770           0 :         for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
     771           0 :                 u32 feature = AUDIT_FEATURE_TO_MASK(i);
     772             :                 u32 old_feature, new_feature, old_lock, new_lock;
     773             : 
     774             :                 /* if we are not changing this feature, move along */
     775           0 :                 if (!(feature & uaf->mask))
     776           0 :                         continue;
     777             : 
     778           0 :                 old_feature = af.features & feature;
     779           0 :                 new_feature = uaf->features & feature;
     780           0 :                 old_lock = af.lock & feature;
     781           0 :                 new_lock = (uaf->lock | af.lock) & feature;
     782             : 
     783           0 :                 if (new_feature != old_feature)
     784           0 :                         audit_log_feature_change(i, old_feature, new_feature,
     785             :                                                  old_lock, new_lock, 1);
     786             : 
     787           0 :                 if (new_feature)
     788           0 :                         af.features |= feature;
     789             :                 else
     790           0 :                         af.features &= ~feature;
     791           0 :                 af.lock |= new_lock;
     792             :         }
     793             : 
     794             :         return 0;
     795             : }
     796             : 
     797           0 : static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
     798             : {
     799             :         u32                     seq;
     800             :         void                    *data;
     801             :         int                     err;
     802             :         struct audit_buffer     *ab;
     803           0 :         u16                     msg_type = nlh->nlmsg_type;
     804             :         struct audit_sig_info   *sig_data;
     805             :         char                    *ctx = NULL;
     806             :         u32                     len;
     807             : 
     808           0 :         err = audit_netlink_ok(skb, msg_type);
     809           0 :         if (err)
     810             :                 return err;
     811             : 
     812             :         /* As soon as there's any sign of userspace auditd,
     813             :          * start kauditd to talk to it */
     814           0 :         if (!kauditd_task) {
     815           0 :                 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
     816           0 :                 if (IS_ERR(kauditd_task)) {
     817             :                         err = PTR_ERR(kauditd_task);
     818           0 :                         kauditd_task = NULL;
     819           0 :                         return err;
     820             :                 }
     821             :         }
     822           0 :         seq  = nlh->nlmsg_seq;
     823           0 :         data = nlmsg_data(nlh);
     824             : 
     825           0 :         switch (msg_type) {
     826             :         case AUDIT_GET: {
     827             :                 struct audit_status     s;
     828           0 :                 memset(&s, 0, sizeof(s));
     829           0 :                 s.enabled               = audit_enabled;
     830           0 :                 s.failure               = audit_failure;
     831           0 :                 s.pid                   = audit_pid;
     832           0 :                 s.rate_limit            = audit_rate_limit;
     833           0 :                 s.backlog_limit         = audit_backlog_limit;
     834           0 :                 s.lost                  = atomic_read(&audit_lost);
     835           0 :                 s.backlog               = skb_queue_len(&audit_skb_queue);
     836           0 :                 s.feature_bitmap        = AUDIT_FEATURE_BITMAP_ALL;
     837           0 :                 s.backlog_wait_time     = audit_backlog_wait_time;
     838           0 :                 audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
     839             :                 break;
     840             :         }
     841             :         case AUDIT_SET: {
     842             :                 struct audit_status     s;
     843           0 :                 memset(&s, 0, sizeof(s));
     844             :                 /* guard against past and future API changes */
     845           0 :                 memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
     846           0 :                 if (s.mask & AUDIT_STATUS_ENABLED) {
     847           0 :                         err = audit_set_enabled(s.enabled);
     848           0 :                         if (err < 0)
     849           0 :                                 return err;
     850             :                 }
     851           0 :                 if (s.mask & AUDIT_STATUS_FAILURE) {
     852           0 :                         err = audit_set_failure(s.failure);
     853           0 :                         if (err < 0)
     854             :                                 return err;
     855             :                 }
     856           0 :                 if (s.mask & AUDIT_STATUS_PID) {
     857           0 :                         int new_pid = s.pid;
     858             : 
     859           0 :                         if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
     860             :                                 return -EACCES;
     861           0 :                         if (audit_enabled != AUDIT_OFF)
     862           0 :                                 audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
     863           0 :                         audit_pid = new_pid;
     864           0 :                         audit_nlk_portid = NETLINK_CB(skb).portid;
     865           0 :                         audit_sock = skb->sk;
     866             :                 }
     867           0 :                 if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
     868           0 :                         err = audit_set_rate_limit(s.rate_limit);
     869           0 :                         if (err < 0)
     870             :                                 return err;
     871             :                 }
     872           0 :                 if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
     873           0 :                         err = audit_set_backlog_limit(s.backlog_limit);
     874           0 :                         if (err < 0)
     875             :                                 return err;
     876             :                 }
     877           0 :                 if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
     878           0 :                         if (sizeof(s) > (size_t)nlh->nlmsg_len)
     879             :                                 return -EINVAL;
     880           0 :                         if (s.backlog_wait_time < 0 ||
     881           0 :                             s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
     882             :                                 return -EINVAL;
     883             :                         err = audit_set_backlog_wait_time(s.backlog_wait_time);
     884           0 :                         if (err < 0)
     885             :                                 return err;
     886             :                 }
     887           0 :                 break;
     888             :         }
     889             :         case AUDIT_GET_FEATURE:
     890           0 :                 err = audit_get_feature(skb);
     891           0 :                 if (err)
     892             :                         return err;
     893             :                 break;
     894             :         case AUDIT_SET_FEATURE:
     895           0 :                 err = audit_set_feature(skb);
     896           0 :                 if (err)
     897             :                         return err;
     898             :                 break;
     899             :         case AUDIT_USER:
     900             :         case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
     901             :         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
     902           0 :                 if (!audit_enabled && msg_type != AUDIT_USER_AVC)
     903             :                         return 0;
     904             : 
     905           0 :                 err = audit_filter_user(msg_type);
     906           0 :                 if (err == 1) { /* match or error */
     907             :                         err = 0;
     908           0 :                         if (msg_type == AUDIT_USER_TTY) {
     909           0 :                                 err = tty_audit_push_current();
     910           0 :                                 if (err)
     911             :                                         break;
     912             :                         }
     913           0 :                         mutex_unlock(&audit_cmd_mutex);
     914           0 :                         audit_log_common_recv_msg(&ab, msg_type);
     915           0 :                         if (msg_type != AUDIT_USER_TTY)
     916           0 :                                 audit_log_format(ab, " msg='%.*s'",
     917             :                                                  AUDIT_MESSAGE_TEXT_MAX,
     918             :                                                  (char *)data);
     919             :                         else {
     920             :                                 int size;
     921             : 
     922           0 :                                 audit_log_format(ab, " data=");
     923             :                                 size = nlmsg_len(nlh);
     924           0 :                                 if (size > 0 &&
     925           0 :                                     ((unsigned char *)data)[size - 1] == '\0')
     926           0 :                                         size--;
     927           0 :                                 audit_log_n_untrustedstring(ab, data, size);
     928             :                         }
     929           0 :                         audit_set_portid(ab, NETLINK_CB(skb).portid);
     930           0 :                         audit_log_end(ab);
     931           0 :                         mutex_lock(&audit_cmd_mutex);
     932             :                 }
     933             :                 break;
     934             :         case AUDIT_ADD_RULE:
     935             :         case AUDIT_DEL_RULE:
     936           0 :                 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
     937             :                         return -EINVAL;
     938           0 :                 if (audit_enabled == AUDIT_LOCKED) {
     939           0 :                         audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
     940           0 :                         audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
     941           0 :                         audit_log_end(ab);
     942           0 :                         return -EPERM;
     943             :                 }
     944           0 :                 err = audit_rule_change(msg_type, NETLINK_CB(skb).portid,
     945             :                                            seq, data, nlmsg_len(nlh));
     946           0 :                 break;
     947             :         case AUDIT_LIST_RULES:
     948           0 :                 err = audit_list_rules_send(skb, seq);
     949           0 :                 break;
     950             :         case AUDIT_TRIM:
     951             :                 audit_trim_trees();
     952           0 :                 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
     953           0 :                 audit_log_format(ab, " op=trim res=1");
     954           0 :                 audit_log_end(ab);
     955           0 :                 break;
     956             :         case AUDIT_MAKE_EQUIV: {
     957           0 :                 void *bufp = data;
     958             :                 u32 sizes[2];
     959           0 :                 size_t msglen = nlmsg_len(nlh);
     960             :                 char *old, *new;
     961             : 
     962             :                 err = -EINVAL;
     963           0 :                 if (msglen < 2 * sizeof(u32))
     964             :                         break;
     965           0 :                 memcpy(sizes, bufp, 2 * sizeof(u32));
     966           0 :                 bufp += 2 * sizeof(u32);
     967           0 :                 msglen -= 2 * sizeof(u32);
     968           0 :                 old = audit_unpack_string(&bufp, &msglen, sizes[0]);
     969           0 :                 if (IS_ERR(old)) {
     970             :                         err = PTR_ERR(old);
     971           0 :                         break;
     972             :                 }
     973           0 :                 new = audit_unpack_string(&bufp, &msglen, sizes[1]);
     974           0 :                 if (IS_ERR(new)) {
     975             :                         err = PTR_ERR(new);
     976           0 :                         kfree(old);
     977           0 :                         break;
     978             :                 }
     979             :                 /* OK, here comes... */
     980             :                 err = audit_tag_tree(old, new);
     981             : 
     982           0 :                 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
     983             : 
     984           0 :                 audit_log_format(ab, " op=make_equiv old=");
     985           0 :                 audit_log_untrustedstring(ab, old);
     986           0 :                 audit_log_format(ab, " new=");
     987           0 :                 audit_log_untrustedstring(ab, new);
     988           0 :                 audit_log_format(ab, " res=%d", !err);
     989           0 :                 audit_log_end(ab);
     990           0 :                 kfree(old);
     991           0 :                 kfree(new);
     992           0 :                 break;
     993             :         }
     994             :         case AUDIT_SIGNAL_INFO:
     995             :                 len = 0;
     996           0 :                 if (audit_sig_sid) {
     997             :                         err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
     998             :                         if (err)
     999             :                                 return err;
    1000             :                 }
    1001             :                 sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
    1002           0 :                 if (!sig_data) {
    1003             :                         if (audit_sig_sid)
    1004             :                                 security_release_secctx(ctx, len);
    1005             :                         return -ENOMEM;
    1006             :                 }
    1007           0 :                 sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
    1008           0 :                 sig_data->pid = audit_sig_pid;
    1009             :                 if (audit_sig_sid) {
    1010             :                         memcpy(sig_data->ctx, ctx, len);
    1011             :                         security_release_secctx(ctx, len);
    1012             :                 }
    1013           0 :                 audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
    1014             :                                  sig_data, sizeof(*sig_data) + len);
    1015           0 :                 kfree(sig_data);
    1016           0 :                 break;
    1017             :         case AUDIT_TTY_GET: {
    1018             :                 struct audit_tty_status s;
    1019           0 :                 struct task_struct *tsk = current;
    1020             : 
    1021             :                 spin_lock(&tsk->sighand->siglock);
    1022           0 :                 s.enabled = tsk->signal->audit_tty;
    1023           0 :                 s.log_passwd = tsk->signal->audit_tty_log_passwd;
    1024             :                 spin_unlock(&tsk->sighand->siglock);
    1025             : 
    1026           0 :                 audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
    1027             :                 break;
    1028             :         }
    1029             :         case AUDIT_TTY_SET: {
    1030             :                 struct audit_tty_status s, old;
    1031           0 :                 struct task_struct *tsk = current;
    1032             :                 struct audit_buffer     *ab;
    1033             : 
    1034           0 :                 memset(&s, 0, sizeof(s));
    1035             :                 /* guard against past and future API changes */
    1036           0 :                 memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
    1037             :                 /* check if new data is valid */
    1038           0 :                 if ((s.enabled != 0 && s.enabled != 1) ||
    1039           0 :                     (s.log_passwd != 0 && s.log_passwd != 1))
    1040             :                         err = -EINVAL;
    1041             : 
    1042             :                 spin_lock(&tsk->sighand->siglock);
    1043           0 :                 old.enabled = tsk->signal->audit_tty;
    1044           0 :                 old.log_passwd = tsk->signal->audit_tty_log_passwd;
    1045           0 :                 if (!err) {
    1046           0 :                         tsk->signal->audit_tty = s.enabled;
    1047           0 :                         tsk->signal->audit_tty_log_passwd = s.log_passwd;
    1048             :                 }
    1049             :                 spin_unlock(&tsk->sighand->siglock);
    1050             : 
    1051           0 :                 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
    1052           0 :                 audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
    1053             :                                  " old-log_passwd=%d new-log_passwd=%d res=%d",
    1054             :                                  old.enabled, s.enabled, old.log_passwd,
    1055             :                                  s.log_passwd, !err);
    1056           0 :                 audit_log_end(ab);
    1057             :                 break;
    1058             :         }
    1059             :         default:
    1060             :                 err = -EINVAL;
    1061             :                 break;
    1062             :         }
    1063             : 
    1064           0 :         return err < 0 ? err : 0;
    1065             : }
    1066             : 
    1067             : /*
    1068             :  * Get message from skb.  Each message is processed by audit_receive_msg.
    1069             :  * Malformed skbs with wrong length are discarded silently.
    1070             :  */
    1071           0 : static void audit_receive_skb(struct sk_buff *skb)
    1072             : {
    1073             :         struct nlmsghdr *nlh;
    1074             :         /*
    1075             :          * len MUST be signed for nlmsg_next to be able to dec it below 0
    1076             :          * if the nlmsg_len was not aligned
    1077             :          */
    1078             :         int len;
    1079             :         int err;
    1080             : 
    1081             :         nlh = nlmsg_hdr(skb);
    1082           0 :         len = skb->len;
    1083             : 
    1084           0 :         while (nlmsg_ok(nlh, len)) {
    1085           0 :                 err = audit_receive_msg(skb, nlh);
    1086             :                 /* if err or if this message says it wants a response */
    1087           0 :                 if (err || (nlh->nlmsg_flags & NLM_F_ACK))
    1088           0 :                         netlink_ack(skb, nlh, err);
    1089             : 
    1090             :                 nlh = nlmsg_next(nlh, &len);
    1091             :         }
    1092           0 : }
    1093             : 
    1094             : /* Receive messages from netlink socket. */
    1095           0 : static void audit_receive(struct sk_buff  *skb)
    1096             : {
    1097           0 :         mutex_lock(&audit_cmd_mutex);
    1098           0 :         audit_receive_skb(skb);
    1099           0 :         mutex_unlock(&audit_cmd_mutex);
    1100           0 : }
    1101             : 
    1102             : /* Run custom bind function on netlink socket group connect or bind requests. */
    1103           0 : static int audit_bind(struct net *net, int group)
    1104             : {
    1105           0 :         if (!capable(CAP_AUDIT_READ))
    1106             :                 return -EPERM;
    1107             : 
    1108           0 :         return 0;
    1109             : }
    1110             : 
    1111           1 : static int __net_init audit_net_init(struct net *net)
    1112             : {
    1113           1 :         struct netlink_kernel_cfg cfg = {
    1114             :                 .input  = audit_receive,
    1115             :                 .bind   = audit_bind,
    1116             :                 .flags  = NL_CFG_F_NONROOT_RECV,
    1117             :                 .groups = AUDIT_NLGRP_MAX,
    1118             :         };
    1119             : 
    1120           1 :         struct audit_net *aunet = net_generic(net, audit_net_id);
    1121             : 
    1122           1 :         aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
    1123           1 :         if (aunet->nlsk == NULL) {
    1124           0 :                 audit_panic("cannot initialize netlink socket in namespace");
    1125           0 :                 return -ENOMEM;
    1126             :         }
    1127           1 :         aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
    1128           1 :         return 0;
    1129             : }
    1130             : 
    1131           0 : static void __net_exit audit_net_exit(struct net *net)
    1132             : {
    1133           0 :         struct audit_net *aunet = net_generic(net, audit_net_id);
    1134           0 :         struct sock *sock = aunet->nlsk;
    1135           0 :         if (sock == audit_sock) {
    1136           0 :                 audit_pid = 0;
    1137           0 :                 audit_sock = NULL;
    1138             :         }
    1139             : 
    1140           0 :         RCU_INIT_POINTER(aunet->nlsk, NULL);
    1141           0 :         synchronize_net();
    1142           0 :         netlink_kernel_release(sock);
    1143           0 : }
    1144             : 
    1145             : static struct pernet_operations audit_net_ops __net_initdata = {
    1146             :         .init = audit_net_init,
    1147             :         .exit = audit_net_exit,
    1148             :         .id = &audit_net_id,
    1149             :         .size = sizeof(struct audit_net),
    1150             : };
    1151             : 
    1152             : /* Initialize audit support at boot time. */
    1153           1 : static int __init audit_init(void)
    1154             : {
    1155             :         int i;
    1156             : 
    1157           1 :         if (audit_initialized == AUDIT_DISABLED)
    1158             :                 return 0;
    1159             : 
    1160           1 :         pr_info("initializing netlink subsys (%s)\n",
    1161             :                 audit_default ? "enabled" : "disabled");
    1162           1 :         register_pernet_subsys(&audit_net_ops);
    1163             : 
    1164             :         skb_queue_head_init(&audit_skb_queue);
    1165             :         skb_queue_head_init(&audit_skb_hold_queue);
    1166           1 :         audit_initialized = AUDIT_INITIALIZED;
    1167           1 :         audit_enabled = audit_default;
    1168           1 :         audit_ever_enabled |= !!audit_default;
    1169             : 
    1170           1 :         audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
    1171             : 
    1172          33 :         for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
    1173          32 :                 INIT_LIST_HEAD(&audit_inode_hash[i]);
    1174             : 
    1175             :         return 0;
    1176             : }
    1177             : __initcall(audit_init);
    1178             : 
    1179             : /* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
    1180           0 : static int __init audit_enable(char *str)
    1181             : {
    1182           0 :         audit_default = !!simple_strtol(str, NULL, 0);
    1183           0 :         if (!audit_default)
    1184           0 :                 audit_initialized = AUDIT_DISABLED;
    1185             : 
    1186           0 :         pr_info("%s\n", audit_default ?
    1187             :                 "enabled (after initialization)" : "disabled (until reboot)");
    1188             : 
    1189           0 :         return 1;
    1190             : }
    1191             : __setup("audit=", audit_enable);
    1192             : 
    1193             : /* Process kernel command-line parameter at boot time.
    1194             :  * audit_backlog_limit=<n> */
    1195           0 : static int __init audit_backlog_limit_set(char *str)
    1196             : {
    1197             :         u32 audit_backlog_limit_arg;
    1198             : 
    1199           0 :         pr_info("audit_backlog_limit: ");
    1200           0 :         if (kstrtouint(str, 0, &audit_backlog_limit_arg)) {
    1201           0 :                 pr_cont("using default of %u, unable to parse %s\n",
    1202             :                         audit_backlog_limit, str);
    1203           0 :                 return 1;
    1204             :         }
    1205             : 
    1206           0 :         audit_backlog_limit = audit_backlog_limit_arg;
    1207           0 :         pr_cont("%d\n", audit_backlog_limit);
    1208             : 
    1209           0 :         return 1;
    1210             : }
    1211             : __setup("audit_backlog_limit=", audit_backlog_limit_set);
    1212             : 
    1213           1 : static void audit_buffer_free(struct audit_buffer *ab)
    1214             : {
    1215             :         unsigned long flags;
    1216             : 
    1217           1 :         if (!ab)
    1218           1 :                 return;
    1219             : 
    1220           1 :         if (ab->skb)
    1221           0 :                 kfree_skb(ab->skb);
    1222             : 
    1223           1 :         spin_lock_irqsave(&audit_freelist_lock, flags);
    1224           1 :         if (audit_freelist_count > AUDIT_MAXFREE)
    1225           0 :                 kfree(ab);
    1226             :         else {
    1227           1 :                 audit_freelist_count++;
    1228           1 :                 list_add(&ab->list, &audit_freelist);
    1229             :         }
    1230             :         spin_unlock_irqrestore(&audit_freelist_lock, flags);
    1231             : }
    1232             : 
    1233           1 : static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
    1234             :                                                 gfp_t gfp_mask, int type)
    1235             : {
    1236             :         unsigned long flags;
    1237             :         struct audit_buffer *ab = NULL;
    1238             :         struct nlmsghdr *nlh;
    1239             : 
    1240           1 :         spin_lock_irqsave(&audit_freelist_lock, flags);
    1241           1 :         if (!list_empty(&audit_freelist)) {
    1242             :                 ab = list_entry(audit_freelist.next,
    1243             :                                 struct audit_buffer, list);
    1244             :                 list_del(&ab->list);
    1245           0 :                 --audit_freelist_count;
    1246             :         }
    1247             :         spin_unlock_irqrestore(&audit_freelist_lock, flags);
    1248             : 
    1249           1 :         if (!ab) {
    1250             :                 ab = kmalloc(sizeof(*ab), gfp_mask);
    1251           1 :                 if (!ab)
    1252             :                         goto err;
    1253             :         }
    1254             : 
    1255           1 :         ab->ctx = ctx;
    1256           1 :         ab->gfp_mask = gfp_mask;
    1257             : 
    1258           1 :         ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
    1259           1 :         if (!ab->skb)
    1260             :                 goto err;
    1261             : 
    1262             :         nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
    1263           1 :         if (!nlh)
    1264             :                 goto out_kfree_skb;
    1265             : 
    1266             :         return ab;
    1267             : 
    1268             : out_kfree_skb:
    1269           0 :         kfree_skb(ab->skb);
    1270           0 :         ab->skb = NULL;
    1271             : err:
    1272           0 :         audit_buffer_free(ab);
    1273           0 :         return NULL;
    1274             : }
    1275             : 
    1276             : /**
    1277             :  * audit_serial - compute a serial number for the audit record
    1278             :  *
    1279             :  * Compute a serial number for the audit record.  Audit records are
    1280             :  * written to user-space as soon as they are generated, so a complete
    1281             :  * audit record may be written in several pieces.  The timestamp of the
    1282             :  * record and this serial number are used by the user-space tools to
    1283             :  * determine which pieces belong to the same audit record.  The
    1284             :  * (timestamp,serial) tuple is unique for each syscall and is live from
    1285             :  * syscall entry to syscall exit.
    1286             :  *
    1287             :  * NOTE: Another possibility is to store the formatted records off the
    1288             :  * audit context (for those records that have a context), and emit them
    1289             :  * all at syscall exit.  However, this could delay the reporting of
    1290             :  * significant errors until syscall exit (or never, if the system
    1291             :  * halts).
    1292             :  */
    1293           1 : unsigned int audit_serial(void)
    1294             : {
    1295             :         static atomic_t serial = ATOMIC_INIT(0);
    1296             : 
    1297           1 :         return atomic_add_return(1, &serial);
    1298             : }
    1299             : 
    1300             : static inline void audit_get_stamp(struct audit_context *ctx,
    1301             :                                    struct timespec *t, unsigned int *serial)
    1302             : {
    1303             :         if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
    1304           1 :                 *t = CURRENT_TIME;
    1305           1 :                 *serial = audit_serial();
    1306             :         }
    1307             : }
    1308             : 
    1309             : /*
    1310             :  * Wait for auditd to drain the queue a little
    1311             :  */
    1312           0 : static long wait_for_auditd(long sleep_time)
    1313             : {
    1314           0 :         DECLARE_WAITQUEUE(wait, current);
    1315           0 :         set_current_state(TASK_UNINTERRUPTIBLE);
    1316           0 :         add_wait_queue_exclusive(&audit_backlog_wait, &wait);
    1317             : 
    1318           0 :         if (audit_backlog_limit &&
    1319           0 :             skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
    1320           0 :                 sleep_time = schedule_timeout(sleep_time);
    1321             : 
    1322           0 :         __set_current_state(TASK_RUNNING);
    1323           0 :         remove_wait_queue(&audit_backlog_wait, &wait);
    1324             : 
    1325           0 :         return sleep_time;
    1326             : }
    1327             : 
    1328             : /**
    1329             :  * audit_log_start - obtain an audit buffer
    1330             :  * @ctx: audit_context (may be NULL)
    1331             :  * @gfp_mask: type of allocation
    1332             :  * @type: audit message type
    1333             :  *
    1334             :  * Returns audit_buffer pointer on success or NULL on error.
    1335             :  *
    1336             :  * Obtain an audit buffer.  This routine does locking to obtain the
    1337             :  * audit buffer, but then no locking is required for calls to
    1338             :  * audit_log_*format.  If the task (ctx) is a task that is currently in a
    1339             :  * syscall, then the syscall is marked as auditable and an audit record
    1340             :  * will be written at syscall exit.  If there is no associated task, then
    1341             :  * task context (ctx) should be NULL.
    1342             :  */
    1343           1 : struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
    1344             :                                      int type)
    1345             : {
    1346             :         struct audit_buffer     *ab     = NULL;
    1347             :         struct timespec         t;
    1348             :         unsigned int            uninitialized_var(serial);
    1349             :         int reserve = 5; /* Allow atomic callers to go up to five
    1350             :                             entries over the normal backlog limit */
    1351           1 :         unsigned long timeout_start = jiffies;
    1352             : 
    1353           1 :         if (audit_initialized != AUDIT_INITIALIZED)
    1354             :                 return NULL;
    1355             : 
    1356           1 :         if (unlikely(audit_filter_type(type)))
    1357             :                 return NULL;
    1358             : 
    1359           1 :         if (gfp_mask & __GFP_WAIT) {
    1360           1 :                 if (audit_pid && audit_pid == current->pid)
    1361           0 :                         gfp_mask &= ~__GFP_WAIT;
    1362             :                 else
    1363             :                         reserve = 0;
    1364             :         }
    1365             : 
    1366           1 :         while (audit_backlog_limit
    1367           1 :                && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
    1368           0 :                 if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
    1369             :                         long sleep_time;
    1370             : 
    1371           0 :                         sleep_time = timeout_start + audit_backlog_wait_time - jiffies;
    1372           0 :                         if (sleep_time > 0) {
    1373           0 :                                 sleep_time = wait_for_auditd(sleep_time);
    1374           0 :                                 if (sleep_time > 0)
    1375           0 :                                         continue;
    1376             :                         }
    1377             :                 }
    1378           0 :                 if (audit_rate_check() && printk_ratelimit())
    1379           0 :                         pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
    1380             :                                 skb_queue_len(&audit_skb_queue),
    1381             :                                 audit_backlog_limit);
    1382           0 :                 audit_log_lost("backlog limit exceeded");
    1383           0 :                 audit_backlog_wait_time = audit_backlog_wait_overflow;
    1384           0 :                 wake_up(&audit_backlog_wait);
    1385           0 :                 return NULL;
    1386             :         }
    1387             : 
    1388           1 :         audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
    1389             : 
    1390           1 :         ab = audit_buffer_alloc(ctx, gfp_mask, type);
    1391           1 :         if (!ab) {
    1392           0 :                 audit_log_lost("out of memory in audit_log_start");
    1393           0 :                 return NULL;
    1394             :         }
    1395             : 
    1396             :         audit_get_stamp(ab->ctx, &t, &serial);
    1397             : 
    1398           2 :         audit_log_format(ab, "audit(%lu.%03lu:%u): ",
    1399           1 :                          t.tv_sec, t.tv_nsec/1000000, serial);
    1400           1 :         return ab;
    1401             : }
    1402             : 
    1403             : /**
    1404             :  * audit_expand - expand skb in the audit buffer
    1405             :  * @ab: audit_buffer
    1406             :  * @extra: space to add at tail of the skb
    1407             :  *
    1408             :  * Returns 0 (no space) on failed expansion, or available space if
    1409             :  * successful.
    1410             :  */
    1411             : static inline int audit_expand(struct audit_buffer *ab, int extra)
    1412             : {
    1413             :         struct sk_buff *skb = ab->skb;
    1414             :         int oldtail = skb_tailroom(skb);
    1415           0 :         int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
    1416             :         int newtail = skb_tailroom(skb);
    1417             : 
    1418           0 :         if (ret < 0) {
    1419           0 :                 audit_log_lost("out of memory in audit_expand");
    1420             :                 return 0;
    1421             :         }
    1422             : 
    1423           0 :         skb->truesize += newtail - oldtail;
    1424             :         return newtail;
    1425             : }
    1426             : 
    1427             : /*
    1428             :  * Format an audit message into the audit buffer.  If there isn't enough
    1429             :  * room in the audit buffer, more room will be allocated and vsnprint
    1430             :  * will be called a second time.  Currently, we assume that a printk
    1431             :  * can't format message larger than 1024 bytes, so we don't either.
    1432             :  */
    1433           2 : static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
    1434             :                               va_list args)
    1435             : {
    1436             :         int len, avail;
    1437           2 :         struct sk_buff *skb;
    1438             :         va_list args2;
    1439             : 
    1440           2 :         if (!ab)
    1441             :                 return;
    1442             : 
    1443             :         BUG_ON(!ab->skb);
    1444           2 :         skb = ab->skb;
    1445             :         avail = skb_tailroom(skb);
    1446           2 :         if (avail == 0) {
    1447             :                 avail = audit_expand(ab, AUDIT_BUFSIZ);
    1448           0 :                 if (!avail)
    1449             :                         goto out;
    1450             :         }
    1451           2 :         va_copy(args2, args);
    1452           2 :         len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
    1453           2 :         if (len >= avail) {
    1454             :                 /* The printk buffer is 1024 bytes long, so if we get
    1455             :                  * here and AUDIT_BUFSIZ is at least 1024, then we can
    1456             :                  * log everything that printk could have logged. */
    1457           0 :                 avail = audit_expand(ab,
    1458           0 :                         max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
    1459           0 :                 if (!avail)
    1460             :                         goto out_va_end;
    1461           0 :                 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
    1462             :         }
    1463           2 :         if (len > 0)
    1464           2 :                 skb_put(skb, len);
    1465             : out_va_end:
    1466           2 :         va_end(args2);
    1467             : out:
    1468             :         return;
    1469             : }
    1470             : 
    1471             : /**
    1472             :  * audit_log_format - format a message into the audit buffer.
    1473             :  * @ab: audit_buffer
    1474             :  * @fmt: format string
    1475             :  * @...: optional parameters matching @fmt string
    1476             :  *
    1477             :  * All the work is done in audit_log_vformat.
    1478             :  */
    1479           1 : void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
    1480             : {
    1481             :         va_list args;
    1482             : 
    1483           1 :         if (!ab)
    1484           0 :                 return;
    1485           1 :         va_start(args, fmt);
    1486           1 :         audit_log_vformat(ab, fmt, args);
    1487           1 :         va_end(args);
    1488             : }
    1489             : 
    1490             : /**
    1491             :  * audit_log_hex - convert a buffer to hex and append it to the audit skb
    1492             :  * @ab: the audit_buffer
    1493             :  * @buf: buffer to convert to hex
    1494             :  * @len: length of @buf to be converted
    1495             :  *
    1496             :  * No return value; failure to expand is silently ignored.
    1497             :  *
    1498             :  * This function will take the passed buf and convert it into a string of
    1499             :  * ascii hex digits. The new string is placed onto the skb.
    1500             :  */
    1501           0 : void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
    1502             :                 size_t len)
    1503             : {
    1504             :         int i, avail, new_len;
    1505             :         unsigned char *ptr;
    1506           0 :         struct sk_buff *skb;
    1507             : 
    1508           0 :         if (!ab)
    1509             :                 return;
    1510             : 
    1511             :         BUG_ON(!ab->skb);
    1512           0 :         skb = ab->skb;
    1513             :         avail = skb_tailroom(skb);
    1514           0 :         new_len = len<<1;
    1515           0 :         if (new_len >= avail) {
    1516             :                 /* Round the buffer request up to the next multiple */
    1517           0 :                 new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
    1518             :                 avail = audit_expand(ab, new_len);
    1519           0 :                 if (!avail)
    1520             :                         return;
    1521             :         }
    1522             : 
    1523             :         ptr = skb_tail_pointer(skb);
    1524           0 :         for (i = 0; i < len; i++)
    1525           0 :                 ptr = hex_byte_pack_upper(ptr, buf[i]);
    1526           0 :         *ptr = 0;
    1527           0 :         skb_put(skb, len << 1); /* new string is twice the old string */
    1528             : }
    1529             : 
    1530             : /*
    1531             :  * Format a string of no more than slen characters into the audit buffer,
    1532             :  * enclosed in quote marks.
    1533             :  */
    1534           0 : void audit_log_n_string(struct audit_buffer *ab, const char *string,
    1535             :                         size_t slen)
    1536             : {
    1537             :         int avail, new_len;
    1538             :         unsigned char *ptr;
    1539           0 :         struct sk_buff *skb;
    1540             : 
    1541           0 :         if (!ab)
    1542             :                 return;
    1543             : 
    1544             :         BUG_ON(!ab->skb);
    1545           0 :         skb = ab->skb;
    1546             :         avail = skb_tailroom(skb);
    1547           0 :         new_len = slen + 3;     /* enclosing quotes + null terminator */
    1548           0 :         if (new_len > avail) {
    1549             :                 avail = audit_expand(ab, new_len);
    1550           0 :                 if (!avail)
    1551             :                         return;
    1552             :         }
    1553             :         ptr = skb_tail_pointer(skb);
    1554           0 :         *ptr++ = '"';
    1555           0 :         memcpy(ptr, string, slen);
    1556           0 :         ptr += slen;
    1557           0 :         *ptr++ = '"';
    1558           0 :         *ptr = 0;
    1559           0 :         skb_put(skb, slen + 2); /* don't include null terminator */
    1560             : }
    1561             : 
    1562             : /**
    1563             :  * audit_string_contains_control - does a string need to be logged in hex
    1564             :  * @string: string to be checked
    1565             :  * @len: max length of the string to check
    1566             :  */
    1567           0 : int audit_string_contains_control(const char *string, size_t len)
    1568             : {
    1569             :         const unsigned char *p;
    1570           0 :         for (p = string; p < (const unsigned char *)string + len; p++) {
    1571           0 :                 if (*p == '"' || *p < 0x21 || *p > 0x7e)
    1572             :                         return 1;
    1573             :         }
    1574             :         return 0;
    1575             : }
    1576             : 
    1577             : /**
    1578             :  * audit_log_n_untrustedstring - log a string that may contain random characters
    1579             :  * @ab: audit_buffer
    1580             :  * @len: length of string (not including trailing null)
    1581             :  * @string: string to be logged
    1582             :  *
    1583             :  * This code will escape a string that is passed to it if the string
    1584             :  * contains a control character, unprintable character, double quote mark,
    1585             :  * or a space. Unescaped strings will start and end with a double quote mark.
    1586             :  * Strings that are escaped are printed in hex (2 digits per char).
    1587             :  *
    1588             :  * The caller specifies the number of characters in the string to log, which may
    1589             :  * or may not be the entire string.
    1590             :  */
    1591           0 : void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
    1592             :                                  size_t len)
    1593             : {
    1594           0 :         if (audit_string_contains_control(string, len))
    1595           0 :                 audit_log_n_hex(ab, string, len);
    1596             :         else
    1597           0 :                 audit_log_n_string(ab, string, len);
    1598           0 : }
    1599             : 
    1600             : /**
    1601             :  * audit_log_untrustedstring - log a string that may contain random characters
    1602             :  * @ab: audit_buffer
    1603             :  * @string: string to be logged
    1604             :  *
    1605             :  * Same as audit_log_n_untrustedstring(), except that strlen is used to
    1606             :  * determine string length.
    1607             :  */
    1608           0 : void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
    1609             : {
    1610           0 :         audit_log_n_untrustedstring(ab, string, strlen(string));
    1611           0 : }
    1612             : 
    1613             : /* This is a helper-function to print the escaped d_path */
    1614           0 : void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
    1615             :                       const struct path *path)
    1616             : {
    1617             :         char *p, *pathname;
    1618             : 
    1619           0 :         if (prefix)
    1620           0 :                 audit_log_format(ab, "%s", prefix);
    1621             : 
    1622             :         /* We will allow 11 spaces for ' (deleted)' to be appended */
    1623           0 :         pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
    1624           0 :         if (!pathname) {
    1625             :                 audit_log_string(ab, "<no_memory>");
    1626           0 :                 return;
    1627             :         }
    1628           0 :         p = d_path(path, pathname, PATH_MAX+11);
    1629           0 :         if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
    1630             :                 /* FIXME: can we save some information here? */
    1631             :                 audit_log_string(ab, "<too_long>");
    1632             :         } else
    1633           0 :                 audit_log_untrustedstring(ab, p);
    1634           0 :         kfree(pathname);
    1635             : }
    1636             : 
    1637           0 : void audit_log_session_info(struct audit_buffer *ab)
    1638             : {
    1639             :         unsigned int sessionid = audit_get_sessionid(current);
    1640             :         uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
    1641             : 
    1642           0 :         audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
    1643           0 : }
    1644             : 
    1645           0 : void audit_log_key(struct audit_buffer *ab, char *key)
    1646             : {
    1647           0 :         audit_log_format(ab, " key=");
    1648           0 :         if (key)
    1649           0 :                 audit_log_untrustedstring(ab, key);
    1650             :         else
    1651           0 :                 audit_log_format(ab, "(null)");
    1652           0 : }
    1653             : 
    1654           0 : void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
    1655             : {
    1656             :         int i;
    1657             : 
    1658           0 :         audit_log_format(ab, " %s=", prefix);
    1659           0 :         CAP_FOR_EACH_U32(i) {
    1660           0 :                 audit_log_format(ab, "%08x",
    1661           0 :                                  cap->cap[CAP_LAST_U32 - i]);
    1662             :         }
    1663           0 : }
    1664             : 
    1665           0 : static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
    1666             : {
    1667           0 :         kernel_cap_t *perm = &name->fcap.permitted;
    1668           0 :         kernel_cap_t *inh = &name->fcap.inheritable;
    1669             :         int log = 0;
    1670             : 
    1671           0 :         if (!cap_isclear(*perm)) {
    1672           0 :                 audit_log_cap(ab, "cap_fp", perm);
    1673             :                 log = 1;
    1674             :         }
    1675           0 :         if (!cap_isclear(*inh)) {
    1676           0 :                 audit_log_cap(ab, "cap_fi", inh);
    1677             :                 log = 1;
    1678             :         }
    1679             : 
    1680           0 :         if (log)
    1681           0 :                 audit_log_format(ab, " cap_fe=%d cap_fver=%x",
    1682             :                                  name->fcap.fE, name->fcap_ver);
    1683           0 : }
    1684             : 
    1685             : static inline int audit_copy_fcaps(struct audit_names *name,
    1686             :                                    const struct dentry *dentry)
    1687             : {
    1688             :         struct cpu_vfs_cap_data caps;
    1689             :         int rc;
    1690             : 
    1691           0 :         if (!dentry)
    1692             :                 return 0;
    1693             : 
    1694           0 :         rc = get_vfs_caps_from_disk(dentry, &caps);
    1695           0 :         if (rc)
    1696             :                 return rc;
    1697             : 
    1698           0 :         name->fcap.permitted = caps.permitted;
    1699           0 :         name->fcap.inheritable = caps.inheritable;
    1700           0 :         name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
    1701           0 :         name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
    1702             :                                 VFS_CAP_REVISION_SHIFT;
    1703             : 
    1704             :         return 0;
    1705             : }
    1706             : 
    1707             : /* Copy inode data into an audit_names. */
    1708           0 : void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
    1709             :                       const struct inode *inode)
    1710             : {
    1711           0 :         name->ino   = inode->i_ino;
    1712           0 :         name->dev   = inode->i_sb->s_dev;
    1713           0 :         name->mode  = inode->i_mode;
    1714           0 :         name->uid   = inode->i_uid;
    1715           0 :         name->gid   = inode->i_gid;
    1716           0 :         name->rdev  = inode->i_rdev;
    1717             :         security_inode_getsecid(inode, &name->osid);
    1718             :         audit_copy_fcaps(name, dentry);
    1719           0 : }
    1720             : 
    1721             : /**
    1722             :  * audit_log_name - produce AUDIT_PATH record from struct audit_names
    1723             :  * @context: audit_context for the task
    1724             :  * @n: audit_names structure with reportable details
    1725             :  * @path: optional path to report instead of audit_names->name
    1726             :  * @record_num: record number to report when handling a list of names
    1727             :  * @call_panic: optional pointer to int that will be updated if secid fails
    1728             :  */
    1729           0 : void audit_log_name(struct audit_context *context, struct audit_names *n,
    1730             :                     struct path *path, int record_num, int *call_panic)
    1731             : {
    1732             :         struct audit_buffer *ab;
    1733           0 :         ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
    1734           0 :         if (!ab)
    1735           0 :                 return;
    1736             : 
    1737           0 :         audit_log_format(ab, "item=%d", record_num);
    1738             : 
    1739           0 :         if (path)
    1740           0 :                 audit_log_d_path(ab, " name=", path);
    1741           0 :         else if (n->name) {
    1742           0 :                 switch (n->name_len) {
    1743             :                 case AUDIT_NAME_FULL:
    1744             :                         /* log the full path */
    1745           0 :                         audit_log_format(ab, " name=");
    1746           0 :                         audit_log_untrustedstring(ab, n->name->name);
    1747           0 :                         break;
    1748             :                 case 0:
    1749             :                         /* name was specified as a relative path and the
    1750             :                          * directory component is the cwd */
    1751           0 :                         audit_log_d_path(ab, " name=", &context->pwd);
    1752           0 :                         break;
    1753             :                 default:
    1754             :                         /* log the name's directory component */
    1755           0 :                         audit_log_format(ab, " name=");
    1756           0 :                         audit_log_n_untrustedstring(ab, n->name->name,
    1757           0 :                                                     n->name_len);
    1758             :                 }
    1759             :         } else
    1760           0 :                 audit_log_format(ab, " name=(null)");
    1761             : 
    1762           0 :         if (n->ino != (unsigned long)-1) {
    1763           0 :                 audit_log_format(ab, " inode=%lu"
    1764             :                                  " dev=%02x:%02x mode=%#ho"
    1765             :                                  " ouid=%u ogid=%u rdev=%02x:%02x",
    1766             :                                  n->ino,
    1767           0 :                                  MAJOR(n->dev),
    1768             :                                  MINOR(n->dev),
    1769           0 :                                  n->mode,
    1770             :                                  from_kuid(&init_user_ns, n->uid),
    1771             :                                  from_kgid(&init_user_ns, n->gid),
    1772           0 :                                  MAJOR(n->rdev),
    1773             :                                  MINOR(n->rdev));
    1774             :         }
    1775           0 :         if (n->osid != 0) {
    1776             :                 char *ctx = NULL;
    1777             :                 u32 len;
    1778             :                 if (security_secid_to_secctx(
    1779             :                         n->osid, &ctx, &len)) {
    1780           0 :                         audit_log_format(ab, " osid=%u", n->osid);
    1781           0 :                         if (call_panic)
    1782           0 :                                 *call_panic = 2;
    1783             :                 } else {
    1784             :                         audit_log_format(ab, " obj=%s", ctx);
    1785             :                         security_release_secctx(ctx, len);
    1786             :                 }
    1787             :         }
    1788             : 
    1789             :         /* log the audit_names record type */
    1790           0 :         audit_log_format(ab, " nametype=");
    1791           0 :         switch(n->type) {
    1792             :         case AUDIT_TYPE_NORMAL:
    1793           0 :                 audit_log_format(ab, "NORMAL");
    1794           0 :                 break;
    1795             :         case AUDIT_TYPE_PARENT:
    1796           0 :                 audit_log_format(ab, "PARENT");
    1797           0 :                 break;
    1798             :         case AUDIT_TYPE_CHILD_DELETE:
    1799           0 :                 audit_log_format(ab, "DELETE");
    1800           0 :                 break;
    1801             :         case AUDIT_TYPE_CHILD_CREATE:
    1802           0 :                 audit_log_format(ab, "CREATE");
    1803           0 :                 break;
    1804             :         default:
    1805           0 :                 audit_log_format(ab, "UNKNOWN");
    1806           0 :                 break;
    1807             :         }
    1808             : 
    1809           0 :         audit_log_fcaps(ab, n);
    1810           0 :         audit_log_end(ab);
    1811             : }
    1812             : 
    1813           0 : int audit_log_task_context(struct audit_buffer *ab)
    1814             : {
    1815             :         char *ctx = NULL;
    1816             :         unsigned len;
    1817             :         int error;
    1818             :         u32 sid;
    1819             : 
    1820             :         security_task_getsecid(current, &sid);
    1821             :         if (!sid)
    1822             :                 return 0;
    1823             : 
    1824             :         error = security_secid_to_secctx(sid, &ctx, &len);
    1825             :         if (error) {
    1826             :                 if (error != -EINVAL)
    1827             :                         goto error_path;
    1828             :                 return 0;
    1829             :         }
    1830             : 
    1831             :         audit_log_format(ab, " subj=%s", ctx);
    1832             :         security_release_secctx(ctx, len);
    1833             :         return 0;
    1834             : 
    1835             : error_path:
    1836             :         audit_panic("error in audit_log_task_context");
    1837             :         return error;
    1838             : }
    1839             : EXPORT_SYMBOL(audit_log_task_context);
    1840             : 
    1841           0 : void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
    1842             : {
    1843             :         const struct cred *cred;
    1844             :         char comm[sizeof(tsk->comm)];
    1845           0 :         struct mm_struct *mm = tsk->mm;
    1846             :         char *tty;
    1847             : 
    1848           0 :         if (!ab)
    1849           0 :                 return;
    1850             : 
    1851             :         /* tsk == current */
    1852           0 :         cred = current_cred();
    1853             : 
    1854             :         spin_lock_irq(&tsk->sighand->siglock);
    1855           0 :         if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
    1856           0 :                 tty = tsk->signal->tty->name;
    1857             :         else
    1858             :                 tty = "(none)";
    1859             :         spin_unlock_irq(&tsk->sighand->siglock);
    1860             : 
    1861           0 :         audit_log_format(ab,
    1862             :                          " ppid=%d pid=%d auid=%u uid=%u gid=%u"
    1863             :                          " euid=%u suid=%u fsuid=%u"
    1864             :                          " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
    1865             :                          task_ppid_nr(tsk),
    1866             :                          task_pid_nr(tsk),
    1867             :                          from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
    1868             :                          from_kuid(&init_user_ns, cred->uid),
    1869             :                          from_kgid(&init_user_ns, cred->gid),
    1870             :                          from_kuid(&init_user_ns, cred->euid),
    1871             :                          from_kuid(&init_user_ns, cred->suid),
    1872             :                          from_kuid(&init_user_ns, cred->fsuid),
    1873             :                          from_kgid(&init_user_ns, cred->egid),
    1874             :                          from_kgid(&init_user_ns, cred->sgid),
    1875             :                          from_kgid(&init_user_ns, cred->fsgid),
    1876             :                          tty, audit_get_sessionid(tsk));
    1877             : 
    1878           0 :         audit_log_format(ab, " comm=");
    1879           0 :         audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
    1880             : 
    1881           0 :         if (mm) {
    1882           0 :                 down_read(&mm->mmap_sem);
    1883           0 :                 if (mm->exe_file)
    1884           0 :                         audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
    1885           0 :                 up_read(&mm->mmap_sem);
    1886             :         } else
    1887           0 :                 audit_log_format(ab, " exe=(null)");
    1888             :         audit_log_task_context(ab);
    1889             : }
    1890             : EXPORT_SYMBOL(audit_log_task_info);
    1891             : 
    1892             : /**
    1893             :  * audit_log_link_denied - report a link restriction denial
    1894             :  * @operation: specific link opreation
    1895             :  * @link: the path that triggered the restriction
    1896             :  */
    1897           0 : void audit_log_link_denied(const char *operation, struct path *link)
    1898             : {
    1899             :         struct audit_buffer *ab;
    1900             :         struct audit_names *name;
    1901             : 
    1902             :         name = kzalloc(sizeof(*name), GFP_NOFS);
    1903           0 :         if (!name)
    1904           0 :                 return;
    1905             : 
    1906             :         /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
    1907           0 :         ab = audit_log_start(current->audit_context, GFP_KERNEL,
    1908             :                              AUDIT_ANOM_LINK);
    1909           0 :         if (!ab)
    1910             :                 goto out;
    1911           0 :         audit_log_format(ab, "op=%s", operation);
    1912           0 :         audit_log_task_info(ab, current);
    1913           0 :         audit_log_format(ab, " res=0");
    1914           0 :         audit_log_end(ab);
    1915             : 
    1916             :         /* Generate AUDIT_PATH record with object. */
    1917           0 :         name->type = AUDIT_TYPE_NORMAL;
    1918           0 :         audit_copy_inode(name, link->dentry, link->dentry->d_inode);
    1919           0 :         audit_log_name(current->audit_context, name, link, 0, NULL);
    1920             : out:
    1921           0 :         kfree(name);
    1922             : }
    1923             : 
    1924             : /**
    1925             :  * audit_log_end - end one audit record
    1926             :  * @ab: the audit_buffer
    1927             :  *
    1928             :  * netlink_unicast() cannot be called inside an irq context because it blocks
    1929             :  * (last arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed
    1930             :  * on a queue and a tasklet is scheduled to remove them from the queue outside
    1931             :  * the irq context.  May be called in any context.
    1932             :  */
    1933           1 : void audit_log_end(struct audit_buffer *ab)
    1934             : {
    1935           1 :         if (!ab)
    1936           1 :                 return;
    1937           1 :         if (!audit_rate_check()) {
    1938           0 :                 audit_log_lost("rate limit exceeded");
    1939             :         } else {
    1940           1 :                 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
    1941             : 
    1942           1 :                 nlh->nlmsg_len = ab->skb->len;
    1943           1 :                 kauditd_send_multicast_skb(ab->skb, ab->gfp_mask);
    1944             : 
    1945             :                 /*
    1946             :                  * The original kaudit unicast socket sends up messages with
    1947             :                  * nlmsg_len set to the payload length rather than the entire
    1948             :                  * message length.  This breaks the standard set by netlink.
    1949             :                  * The existing auditd daemon assumes this breakage.  Fixing
    1950             :                  * this would require co-ordinating a change in the established
    1951             :                  * protocol between the kaudit kernel subsystem and the auditd
    1952             :                  * userspace code.
    1953             :                  */
    1954           1 :                 nlh->nlmsg_len -= NLMSG_HDRLEN;
    1955             : 
    1956           1 :                 if (audit_pid) {
    1957           0 :                         skb_queue_tail(&audit_skb_queue, ab->skb);
    1958           0 :                         wake_up_interruptible(&kauditd_wait);
    1959             :                 } else {
    1960           1 :                         audit_printk_skb(ab->skb);
    1961             :                 }
    1962           1 :                 ab->skb = NULL;
    1963             :         }
    1964           1 :         audit_buffer_free(ab);
    1965             : }
    1966             : 
    1967             : /**
    1968             :  * audit_log - Log an audit record
    1969             :  * @ctx: audit context
    1970             :  * @gfp_mask: type of allocation
    1971             :  * @type: audit message type
    1972             :  * @fmt: format string to use
    1973             :  * @...: variable parameters matching the format string
    1974             :  *
    1975             :  * This is a convenience function that calls audit_log_start,
    1976             :  * audit_log_vformat, and audit_log_end.  It may be called
    1977             :  * in any context.
    1978             :  */
    1979           1 : void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
    1980             :                const char *fmt, ...)
    1981             : {
    1982             :         struct audit_buffer *ab;
    1983             :         va_list args;
    1984             : 
    1985           1 :         ab = audit_log_start(ctx, gfp_mask, type);
    1986           1 :         if (ab) {
    1987           1 :                 va_start(args, fmt);
    1988           1 :                 audit_log_vformat(ab, fmt, args);
    1989           1 :                 va_end(args);
    1990           1 :                 audit_log_end(ab);
    1991             :         }
    1992           1 : }
    1993             : 
    1994             : #ifdef CONFIG_SECURITY
    1995             : /**
    1996             :  * audit_log_secctx - Converts and logs SELinux context
    1997             :  * @ab: audit_buffer
    1998             :  * @secid: security number
    1999             :  *
    2000             :  * This is a helper function that calls security_secid_to_secctx to convert
    2001             :  * secid to secctx and then adds the (converted) SELinux context to the audit
    2002             :  * log by calling audit_log_format, thus also preventing leak of internal secid
    2003             :  * to userspace. If secid cannot be converted audit_panic is called.
    2004             :  */
    2005             : void audit_log_secctx(struct audit_buffer *ab, u32 secid)
    2006             : {
    2007             :         u32 len;
    2008             :         char *secctx;
    2009             : 
    2010             :         if (security_secid_to_secctx(secid, &secctx, &len)) {
    2011             :                 audit_panic("Cannot convert secid to context");
    2012             :         } else {
    2013             :                 audit_log_format(ab, " obj=%s", secctx);
    2014             :                 security_release_secctx(secctx, len);
    2015             :         }
    2016             : }
    2017             : EXPORT_SYMBOL(audit_log_secctx);
    2018             : #endif
    2019             : 
    2020             : EXPORT_SYMBOL(audit_log_start);
    2021             : EXPORT_SYMBOL(audit_log_end);
    2022             : EXPORT_SYMBOL(audit_log_format);
    2023             : EXPORT_SYMBOL(audit_log);

Generated by: LCOV version 1.11