📄 auditsc.c
uid_t audit_get_loginuid(struct audit_context *ctx)
{
	/* Without a context there is no recorded login uid: report -1. */
	if (!ctx)
		return -1;
	return ctx->loginuid;
}

EXPORT_SYMBOL(audit_get_loginuid);

/**
 * __audit_mq_open - record audit data for a POSIX MQ open
 * @oflag: open flag
 * @mode: mode bits
 * @u_attr: queue attributes (user-space pointer, may be NULL)
 *
 * Queues an AUDIT_MQ_OPEN auxiliary record on the current task's audit
 * context.  Returns 0 on success, and also when auditing is disabled or
 * the task has no audit context; -ENOMEM or -EFAULT on error.
 */
int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_open *rec;

	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	/*
	 * The hook reads *u_attr from user space on its own.
	 * NOTE(review): if the mq_open path fetches the same memory again,
	 * the audited attributes and the ones acted on can differ - confirm
	 * against the caller.
	 */
	if (u_attr == NULL) {
		memset(&rec->attr, 0, sizeof(rec->attr));
	} else if (copy_from_user(&rec->attr, u_attr, sizeof(rec->attr))) {
		kfree(rec);
		return -EFAULT;
	}

	rec->oflag = oflag;
	rec->mode = mode;

	/* Push the record onto the head of the context's aux list. */
	rec->d.type = AUDIT_MQ_OPEN;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send
 * @mqdes: MQ descriptor
 * @msg_len: Message length
 * @msg_prio: Message priority
 * @u_abs_timeout: Message timeout in absolute time
 *
 * Returns 0 for success or NULL context or < 0 on error.
*/
int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
			const struct timespec __user *u_abs_timeout)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_sendrecv *rec;

	/* Nothing to record when auditing is off or the task has no context. */
	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	/*
	 * A NULL timeout is recorded as all zeroes; otherwise the hook copies
	 * it from user space itself.
	 * NOTE(review): a second fetch of the same user memory by the
	 * syscall path could see a different value - confirm against caller.
	 */
	if (u_abs_timeout == NULL) {
		memset(&rec->abs_timeout, 0, sizeof(rec->abs_timeout));
	} else if (copy_from_user(&rec->abs_timeout, u_abs_timeout,
				  sizeof(rec->abs_timeout))) {
		kfree(rec);
		return -EFAULT;
	}

	rec->mqdes = mqdes;
	rec->msg_len = msg_len;
	rec->msg_prio = msg_prio;

	/* Push the record onto the head of the context's aux list. */
	rec->d.type = AUDIT_MQ_SENDRECV;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive
 * @mqdes: MQ descriptor
 * @msg_len: Message length
 * @u_msg_prio: Message priority (user-space pointer, may be NULL)
 * @u_abs_timeout: Message timeout in absolute time (user-space pointer,
 *                 may be NULL)
 *
 * Queues an AUDIT_MQ_SENDRECV auxiliary record.  Returns 0 on success, and
 * also when auditing is disabled or the task has no audit context;
 * -ENOMEM or -EFAULT on error.
 */
int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len,
				unsigned int __user *u_msg_prio,
				const struct timespec __user *u_abs_timeout)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_sendrecv *rec;

	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	/* Priority first, then the timeout; a NULL pointer is logged as 0. */
	if (u_msg_prio == NULL) {
		rec->msg_prio = 0;
	} else if (get_user(rec->msg_prio, u_msg_prio)) {
		kfree(rec);
		return -EFAULT;
	}

	if (u_abs_timeout == NULL) {
		memset(&rec->abs_timeout, 0, sizeof(rec->abs_timeout));
	} else if (copy_from_user(&rec->abs_timeout, u_abs_timeout,
				  sizeof(rec->abs_timeout))) {
		kfree(rec);
		return -EFAULT;
	}

	rec->mqdes = mqdes;
	rec->msg_len = msg_len;

	rec->d.type = AUDIT_MQ_SENDRECV;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_mq_notify - record audit data for a POSIX MQ notify
 * @mqdes: MQ descriptor
 * @u_notification: Notification event
 *
 * Returns 0 for success or NULL context or < 0 on error.
*/
int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_notify *rec;

	/* Nothing to record when auditing is off or the task has no context. */
	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	/*
	 * A NULL notification is recorded as all zeroes; otherwise the hook
	 * copies the sigevent from user space itself.
	 */
	if (u_notification == NULL) {
		memset(&rec->notification, 0, sizeof(rec->notification));
	} else if (copy_from_user(&rec->notification, u_notification,
				  sizeof(rec->notification))) {
		kfree(rec);
		return -EFAULT;
	}

	rec->mqdes = mqdes;

	/* Push the record onto the head of the context's aux list. */
	rec->d.type = AUDIT_MQ_NOTIFY;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
 * @mqdes: MQ descriptor
 * @mqstat: MQ flags (dereferenced directly, so a kernel pointer)
 *
 * Returns 0 on success, and also when auditing is disabled or the task
 * has no audit context; -ENOMEM on allocation failure.
 */
int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_getsetattr *rec;

	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	rec->mqdes = mqdes;
	rec->mqstat = *mqstat;

	rec->d.type = AUDIT_MQ_GETSETATTR;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_ipc_obj - record audit data for ipc object
 * @ipcp: ipc permissions
 *
 * Returns 0 on success or -ENOMEM on allocation failure.
 *
 * NOTE(review): unlike the mq hooks, this function dereferences the audit
 * context without testing it for NULL; presumably the caller does that -
 * verify.
 */
int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_ipcctl *rec;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	/* Snapshot owner, group and mode, plus the SELinux SID of the object. */
	rec->uid = ipcp->uid;
	rec->gid = ipcp->gid;
	rec->mode = ipcp->mode;
	selinux_get_ipc_sid(ipcp, &rec->osid);

	rec->d.type = AUDIT_IPC;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_ipc_set_perm - record audit data for new ipc permissions
 * @qbytes: msgq bytes
 * @uid: msgq user id
 * @gid: msgq group id
 * @mode: msgq mode (permissions)
 *
 * Returns 0 for success or NULL context or < 0 on error.
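*/
int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
	struct audit_aux_data_ipcctl *ax;
	struct audit_context *context = current->audit_context;

	/*
	 * NOTE(review): the context is dereferenced below without a NULL
	 * test; presumably the caller checks it - verify.
	 */
	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	ax->qbytes = qbytes;
	ax->uid = uid;
	ax->gid = gid;
	ax->mode = mode;

	/* Push the record onto the head of the context's aux list. */
	ax->d.type = AUDIT_IPC_SET_PERM;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * audit_bprm - record the exec argument area
 * @bprm: binprm whose argument pages are copied
 *
 * Copies the bytes from bprm->p to the end of the argument pages into an
 * AUDIT_EXECVE auxiliary record, together with argc and envc.  Returns 0
 * on success, and also when auditing is disabled or the context is absent
 * or a dummy; -ENOMEM on allocation failure.
 */
int audit_bprm(struct linux_binprm *bprm)
{
	struct audit_aux_data_execve *ax;
	struct audit_context *context = current->audit_context;
	unsigned long p, next;
	void *to;

	if (likely(!audit_enabled || !context || context->dummy))
		return 0;

	/*
	 * Room for every byte from bprm->p up to the end of the argument
	 * pages.  NOTE(review): assumes bprm->p <= MAX_ARG_PAGES * PAGE_SIZE;
	 * otherwise the size expression wraps - confirm against the exec path.
	 */
	ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
				GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->argc = bprm->argc;
	ax->envc = bprm->envc;
	for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
		struct page *page = bprm->page[p / PAGE_SIZE];
		void *kaddr = kmap(page);

		/* Copy from p to the end of its page, then step to the next page. */
		next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
		memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
		to += next - p;
		kunmap(page);
	}

	ax->d.type = AUDIT_EXECVE;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * audit_socketcall - record audit data for sys_socketcall
 * @nargs: number of args
 * @args: args array
 *
 * Returns 0 on success, and also when the context is absent or a dummy;
 * -EINVAL for a negative @nargs, -ENOMEM on allocation failure.
 */
int audit_socketcall(int nargs, unsigned long *args)
{
	struct audit_aux_data_socketcall *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context || context->dummy))
		return 0;

	/*
	 * nargs is a signed int that feeds both the allocation size and the
	 * memcpy() length.  A negative value would shrink the allocation and
	 * then convert to a very large copy length, so reject it up front.
	 */
	if (nargs < 0)
		return -EINVAL;

	ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->nargs = nargs;
	memcpy(ax->args, args, nargs * sizeof(unsigned long));

	ax->d.type = AUDIT_SOCKETCALL;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_fd_pair - record audit data for pipe and socketpair
 * @fd1: the first file descriptor
 * @fd2: the second file descriptor
 *
 * Returns 0 for success or NULL context or < 0 on error.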
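*/
int __audit_fd_pair(int fd1, int fd2)
{
	struct audit_context *context = current->audit_context;
	struct audit_aux_data_fd_pair *ax;

	if (likely(!context)) {
		return 0;
	}

	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
	if (!ax) {
		return -ENOMEM;
	}

	ax->fd[0] = fd1;
	ax->fd[1] = fd2;

	/* Push the record onto the head of the context's aux list. */
	ax->d.type = AUDIT_FD_PAIR;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
 * @len: data length in user space
 * @a: data address in kernel space
 *
 * Returns 0 on success, and also when the context is absent or a dummy;
 * -EINVAL for a negative @len, -ENOMEM on allocation failure.
 */
int audit_sockaddr(int len, void *a)
{
	struct audit_aux_data_sockaddr *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context || context->dummy))
		return 0;

	/*
	 * len is a signed int that feeds both the allocation size and the
	 * memcpy() length.  A negative value would shrink the allocation and
	 * then convert to a very large copy length, so reject it here rather
	 * than rely on every caller having validated it.
	 */
	if (len < 0)
		return -EINVAL;

	ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->len = len;
	memcpy(ax->a, a, len);

	ax->d.type = AUDIT_SOCKADDR;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_ptrace - record the target of a ptrace in the audit context
 * @t: task being traced
 *
 * Stores the target's pid and SELinux SID in the current task's context.
 *
 * NOTE(review): the context is dereferenced without a NULL test;
 * presumably the caller checks it - verify.
 */
void __audit_ptrace(struct task_struct *t)
{
	struct audit_context *context = current->audit_context;

	context->target_pid = t->pid;
	selinux_get_task_sid(t, &context->target_sid);
}

/**
 * audit_avc_path - record the granting or denial of permissions
 * @dentry: dentry to record
 * @mnt: mnt to record
 *
 * Returns 0 for success or NULL context or < 0 on error.
 *
 * Called from security/selinux/avc.c::avc_audit()
 */
int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
{
	struct audit_aux_data_path *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	/*
	 * The record holds its own references on the dentry and the mount.
	 * NOTE(review): the matching release is not in this function;
	 * presumably it happens when the aux record is freed - confirm.
	 */
	ax->dentry = dget(dentry);
	ax->mnt = mntget(mnt);

	ax->d.type = AUDIT_AVC_PATH;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_signal_info - record signal info for shutting down audit subsystem
 * @sig: signal value
 * @t: task being signaled
 *
 * If the audit subsystem is being terminated, record the task (pid)
 * and uid that is doing that.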
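*/
int __audit_signal_info(int sig, struct task_struct *t)
{
	struct audit_aux_data_pids *axp;
	struct task_struct *tsk = current;
	struct audit_context *ctx = tsk->audit_context;
	extern pid_t audit_sig_pid;
	extern uid_t audit_sig_uid;
	extern u32 audit_sig_sid;

	/*
	 * A terminating or reconfiguring signal aimed at the audit daemon:
	 * remember who sent it.  The sender may have no audit context, in
	 * which case its plain uid is used instead of the login uid.
	 */
	if (audit_pid && t->tgid == audit_pid &&
	    (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) {
		audit_sig_pid = tsk->pid;
		if (ctx)
			audit_sig_uid = ctx->loginuid;
		else
			audit_sig_uid = tsk->uid;
		selinux_get_task_sid(tsk, &audit_sig_sid);
	}

	/*
	 * The wrapper is said to check the audit context, but the branch
	 * above already allows for ctx == NULL, and everything below
	 * dereferences ctx.  Stop here rather than fault on a NULL context.
	 */
	if (!audit_signals || !ctx)
		return 0;

	/* optimize the common case by putting first signal recipient directly
	 * in audit_context */
	if (!ctx->target_pid) {
		ctx->target_pid = t->tgid;
		selinux_get_task_sid(t, &ctx->target_sid);
		return 0;
	}

	/* Start a new pid record when there is none or the head one is full. */
	axp = (void *)ctx->aux_pids;
	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
		if (!axp)
			return -ENOMEM;

		axp->d.type = AUDIT_OBJ_PID;
		axp->d.next = ctx->aux_pids;
		ctx->aux_pids = (void *)axp;
	}

	/*
	 * pid_count is the next index written, so the assertion must also
	 * reject pid_count == AUDIT_AUX_PIDS (the "full" value tested above);
	 * the arrays presumably hold AUDIT_AUX_PIDS entries - confirm against
	 * the struct definition.
	 */
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);

	axp->target_pid[axp->pid_count] = t->tgid;
	selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
	axp->pid_count++;

	return 0;
}

/**
 * audit_core_dumps - record information about processes that end abnormally
 * @signr: signal value
 *
 * If a process ends with a core dump, something fishy is going on and we
 * should record the event for investigation.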
*/
void audit_core_dumps(long signr)
{
	struct audit_buffer *buf;
	u32 task_sid;

	/* Nothing to log when auditing is off; SIGQUIT dumps are ignored. */
	if (!audit_enabled || signr == SIGQUIT)
		return;

	/*
	 * NOTE(review): the buffer from audit_log_start() is used without a
	 * NULL test; this relies on the logging helpers accepting a NULL
	 * buffer - confirm.
	 */
	buf = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
	audit_log_format(buf, "auid=%u uid=%u gid=%u",
			 audit_get_loginuid(current->audit_context),
			 current->uid, current->gid);

	/* Prefer the SELinux label; fall back to the numeric SID on failure. */
	selinux_get_task_sid(current, &task_sid);
	if (task_sid) {
		char *label = NULL;
		u32 label_len;

		if (selinux_sid_to_string(task_sid, &label, &label_len) == 0)
			audit_log_format(buf, " subj=%s", label);
		else
			audit_log_format(buf, " ssid=%u", task_sid);
		kfree(label);
	}

	audit_log_format(buf, " pid=%d comm=", current->pid);
	/*
	 * The task name goes through the untrusted-string helper instead of
	 * a plain %s, so its content cannot break the record format.
	 */
	audit_log_untrustedstring(buf, current->comm);
	audit_log_format(buf, " sig=%ld", signr);
	audit_log_end(buf);
}