audit.c

linux 2.6.19 kernel source code before patching

/* audit.c -- Auditing support
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
 * System-call specific features have moved to auditsc.c
 *
 * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 * Goals: 1) Integrate fully with SELinux.
 *	  2) Minimal run-time overhead:
 *	     a) Minimal when syscall auditing is disabled (audit_enable=0).
 *	     b) Small when syscall auditing is enabled and no audit record
 *		is generated (defer as much work as possible to record
 *		generation time):
 *		i) context is allocated,
 *		ii) names from getname are stored without a copy, and
 *		iii) inode information stored from path_lookup.
 *	  3) Ability to disable syscall auditing at boot time (audit=0).
 *	  4) Usable by other parts of the kernel (if audit_log* is called,
 *	     then a syscall record will be generated automatically for the
 *	     current syscall).
 *	  5) Netlink interface to user-space.
 *	  6) Support low-overhead kernel-based filtering to minimize the
 *	     information that must be passed to user-space.
 *
 * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
 */

#include <linux/init.h>
#include <asm/types.h>
#include <asm/atomic.h>
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/err.h>
#include <linux/kthread.h>

#include <linux/audit.h>

#include <net/sock.h>
#include <net/netlink.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/selinux.h>
#include <linux/inotify.h>
#include <linux/freezer.h>

#include "audit.h"

/* No auditing will take place until audit_initialized != 0.
 * (Initialization happens after skb_init is called.) */
static int	audit_initialized;

/* 0 - no auditing
 * 1 - auditing enabled
 * 2 - auditing enabled and configuration is locked/unchangeable. */
int		audit_enabled;

/* Default state when kernel boots without any parameters. */
static int	audit_default;

/* If auditing cannot proceed, audit_failure selects what happens. */
static int	audit_failure = AUDIT_FAIL_PRINTK;

/* If audit records are to be written to the netlink socket, audit_pid
 * contains the (non-zero) pid. */
int		audit_pid;

/* If audit_rate_limit is non-zero, limit the rate of sending audit records
 * to that number per second.  This prevents DoS attacks, but results in
 * audit records being dropped. */
static int	audit_rate_limit;

/* Number of outstanding audit_buffers allowed. */
static int	audit_backlog_limit = 64;
static int	audit_backlog_wait_time = 60 * HZ;
static int	audit_backlog_wait_overflow = 0;

/* The identity of the user shutting down the audit system. */
uid_t		audit_sig_uid = -1;
pid_t		audit_sig_pid = -1;
u32		audit_sig_sid = 0;

/* Records can be lost in several ways:
   0) [suppressed in audit_alloc]
   1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
   2) out of memory in audit_log_move [alloc_skb]
   3) suppressed due to audit_rate_limit
   4) suppressed due to audit_backlog_limit
*/
static atomic_t    audit_lost = ATOMIC_INIT(0);

/* The netlink socket. */
static struct sock *audit_sock;

/* Inotify handle. */
struct inotify_handle *audit_ih;

/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

/* The audit_freelist is a list of pre-allocated audit buffers (if more
 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
 * being placed on the freelist). */
static DEFINE_SPINLOCK(audit_freelist_lock);
static int	   audit_freelist_count;
static LIST_HEAD(audit_freelist);

static struct sk_buff_head audit_skb_queue;
static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);

/* Serialize requests from userspace. */
static DEFINE_MUTEX(audit_cmd_mutex);

/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
 * audit records.  Since printk uses a 1024 byte buffer, this buffer
 * should be at least that large. */
#define AUDIT_BUFSIZ 1024

/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
 * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
#define AUDIT_MAXFREE  (2*NR_CPUS)

/* The audit_buffer is used when formatting an audit record.  The caller
 * locks briefly to get the record off the freelist or to allocate the
 * buffer, and locks briefly to send the buffer to the netlink layer or
 * to place it on a transmit queue.  Multiple audit_buffers can be in
 * use simultaneously. */
struct audit_buffer {
	struct list_head     list;
	struct sk_buff       *skb;	/* formatted skb ready to send */
	struct audit_context *ctx;	/* NULL or associated context */
	gfp_t		     gfp_mask;
};

static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
{
	struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
	nlh->nlmsg_pid = pid;
}

void audit_panic(const char *message)
{
	switch (audit_failure)
	{
	case AUDIT_FAIL_SILENT:
		break;
	case AUDIT_FAIL_PRINTK:
		printk(KERN_ERR "audit: %s\n", message);
		break;
	case AUDIT_FAIL_PANIC:
		panic("audit: %s\n", message);
		break;
	}
}

static inline int audit_rate_check(void)
{
	static unsigned long	last_check = 0;
	static int		messages   = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	unsigned long		elapsed;
	int			retval	   = 0;

	if (!audit_rate_limit) return 1;

	spin_lock_irqsave(&lock, flags);
	if (++messages < audit_rate_limit) {
		retval = 1;
	} else {
		now     = jiffies;
		elapsed = now - last_check;
		if (elapsed > HZ) {
			last_check = now;
			messages   = 0;
			retval     = 1;
		}
	}
	spin_unlock_irqrestore(&lock, flags);

	return retval;
}

/**
 * audit_log_lost - conditionally log lost audit message event
 * @message: the message stating reason for lost audit message
 *
 * Emit at least 1 message per second, even if audit_rate_check is
 * throttling.
 * Always increment the lost messages counter.
*/
void audit_log_lost(const char *message)
{
	static unsigned long	last_msg = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	int			print;

	atomic_inc(&audit_lost);

	print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);

	if (!print) {
		spin_lock_irqsave(&lock, flags);
		now = jiffies;
		if (now - last_msg > HZ) {
			print = 1;
			last_msg = now;
		}
		spin_unlock_irqrestore(&lock, flags);
	}

	if (print) {
		printk(KERN_WARNING
		       "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
		       atomic_read(&audit_lost),
		       audit_rate_limit,
		       audit_backlog_limit);
		audit_panic(message);
	}
}

static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
	int res, rc = 0, old = audit_rate_limit;

	/* check if we are locked */
	if (audit_enabled == 2)
		res = 0;
	else
		res = 1;

	if (sid) {
		char *ctx = NULL;
		u32 len;
		if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
				"audit_rate_limit=%d old=%d by auid=%u"
				" subj=%s res=%d",
				limit, old, loginuid, ctx, res);
			kfree(ctx);
		} else
			res = 0; /* Something weird, deny request */
	}
	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		"audit_rate_limit=%d old=%d by auid=%u res=%d",
		limit, old, loginuid, res);

	/* If we are allowed, make the change */
	if (res == 1)
		audit_rate_limit = limit;
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
}

static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
	int res, rc = 0, old = audit_backlog_limit;

	/* check if we are locked */
	if (audit_enabled == 2)
		res = 0;
	else
		res = 1;

	if (sid) {
		char *ctx = NULL;
		u32 len;
		if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
				"audit_backlog_limit=%d old=%d by auid=%u"
				" subj=%s res=%d",
				limit, old, loginuid, ctx, res);
			kfree(ctx);
		} else
			res = 0; /* Something weird, deny request */
	}
	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		"audit_backlog_limit=%d old=%d by auid=%u res=%d",
		limit, old, loginuid, res);

	/* If we are allowed, make the change */
	if (res == 1)
		audit_backlog_limit = limit;
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
}

static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
{
	int res, rc = 0, old = audit_enabled;

	if (state < 0 || state > 2)
		return -EINVAL;

	/* check if we are locked */
	if (audit_enabled == 2)
		res = 0;
	else
		res = 1;

	if (sid) {
		char *ctx = NULL;
		u32 len;
		if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
				"audit_enabled=%d old=%d by auid=%u"
				" subj=%s res=%d",
				state, old, loginuid, ctx, res);
			kfree(ctx);
		} else
			res = 0; /* Something weird, deny request */
	}
	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		"audit_enabled=%d old=%d by auid=%u res=%d",
		state, old, loginuid, res);

	/* If we are allowed, make the change */
	if (res == 1)
		audit_enabled = state;
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
}

static int audit_set_failure(int state, uid_t loginuid, u32 sid)
{
	int res, rc = 0, old = audit_failure;

	if (state != AUDIT_FAIL_SILENT
	    && state != AUDIT_FAIL_PRINTK
	    && state != AUDIT_FAIL_PANIC)
		return -EINVAL;

	/* check if we are locked */
	if (audit_enabled == 2)
		res = 0;
	else
		res = 1;

	if (sid) {
		char *ctx = NULL;
		u32 len;
		if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
				"audit_failure=%d old=%d by auid=%u"
				" subj=%s res=%d",
				state, old, loginuid, ctx, res);
			kfree(ctx);
		} else
			res = 0; /* Something weird, deny request */
	}
	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		"audit_failure=%d old=%d by auid=%u res=%d",
		state, old, loginuid, res);

	/* If we are allowed, make the change */
	if (res == 1)
		audit_failure = state;
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
}

static int kauditd_thread(void *dummy)
{
	struct sk_buff *skb;

	while (!kthread_should_stop()) {
		skb = skb_dequeue(&audit_skb_queue);
		wake_up(&audit_backlog_wait);
		if (skb) {
			if (audit_pid) {
				int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
				if (err < 0) {
					BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
					printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
					audit_pid = 0;
				}
			} else {
				printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
				kfree_skb(skb);
			}
		} else {
			DECLARE_WAITQUEUE(wait, current);
			set_current_state(TASK_INTERRUPTIBLE);
			add_wait_queue(&kauditd_wait, &wait);

			if (!skb_queue_len(&audit_skb_queue)) {
				try_to_freeze();
				schedule();
			}

			__set_current_state(TASK_RUNNING);
			remove_wait_queue(&kauditd_wait, &wait);
		}
	}
	return 0;
}

int audit_send_list(void *_dest)
{
	struct audit_netlink_list *dest = _dest;
	int pid = dest->pid;
	struct sk_buff *skb;

	/* wait for parent to finish and send an ACK */
	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);

	while ((skb = __skb_dequeue(&dest->q)) != NULL)
		netlink_unicast(audit_sock, skb, pid, 0);