📄 auditsc.c
" old ses=%u new ses=%u", task->pid, task->uid, task->loginuid, loginuid, task->sessionid, sessionid);
			audit_log_end(ab);
		}
	}
	/* Tail of a function that begins before this excerpt; left as found. */
	task->sessionid = sessionid;
	task->loginuid = loginuid;
	return 0;
}

/**
 * __audit_mq_open - record audit data for a POSIX MQ open
 * @oflag: open flag
 * @mode: mode bits
 * @u_attr: queue attributes (user-space pointer, may be NULL)
 *
 * Allocates an auxiliary record, fills it from the arguments and pushes it
 * onto the head of the current task's audit context aux list.
 *
 * Returns 0 on success, when auditing is disabled or when the task has no
 * audit context; -ENOMEM if the record cannot be allocated; -EFAULT if
 * @u_attr cannot be read.
 */
int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr)
{
	struct audit_aux_data_mq_open *ax;
	struct audit_context *context = current->audit_context;

	if (!audit_enabled)
		return 0;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	if (u_attr != NULL) {
		/*
		 * The attributes live in user memory, so they are copied in
		 * with copy_from_user(). On a failed copy the record is freed
		 * before it is linked, so a partially filled record never
		 * reaches the aux list.
		 */
		if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) {
			kfree(ax);
			return -EFAULT;
		}
	} else
		/* kmalloc() does not zero: clear the field explicitly. */
		memset(&ax->attr, 0, sizeof(ax->attr));

	ax->oflag = oflag;
	ax->mode = mode;

	/*
	 * Link at the head of the aux list. NOTE(review): the record is
	 * presumably freed when the audit context is released -- that code
	 * is not visible in this excerpt.
	 */
	ax->d.type = AUDIT_MQ_OPEN;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send
 * @mqdes: MQ descriptor
 * @msg_len: Message length
 * @msg_prio: Message priority
 * @u_abs_timeout: Message timeout in absolute time
 *
 * Returns 0 for success or NULL context or < 0 on error.
*/
int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
			 const struct timespec __user *u_abs_timeout)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_sendrecv *rec;

	/* Nothing to record when auditing is off or the task has no context. */
	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (rec == NULL)
		return -ENOMEM;

	if (u_abs_timeout == NULL) {
		/* No timeout supplied: record an all-zero timespec. */
		memset(&rec->abs_timeout, 0, sizeof(rec->abs_timeout));
	} else if (copy_from_user(&rec->abs_timeout, u_abs_timeout,
				  sizeof(rec->abs_timeout))) {
		/* Unreadable user pointer: drop the record before it is linked. */
		kfree(rec);
		return -EFAULT;
	}

	rec->mqdes = mqdes;
	rec->msg_len = msg_len;
	rec->msg_prio = msg_prio;

	/* Push the record onto the head of the context's aux list. */
	rec->d.type = AUDIT_MQ_SENDRECV;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive
 * @mqdes: MQ descriptor
 * @msg_len: Message length
 * @u_msg_prio: Message priority (user-space pointer, may be NULL)
 * @u_abs_timeout: Message timeout in absolute time (user-space pointer,
 *	may be NULL)
 *
 * Both user pointers are read with get_user()/copy_from_user(); a NULL
 * pointer is recorded as zero. The record is queued at the head of the
 * current task's aux list.
 *
 * Returns 0 on success, when auditing is disabled or when the task has no
 * audit context; -ENOMEM on allocation failure; -EFAULT if a user pointer
 * cannot be read.
 */
int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len,
			    unsigned int __user *u_msg_prio,
			    const struct timespec __user *u_abs_timeout)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_mq_sendrecv *rec;

	if (!audit_enabled || likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (rec == NULL)
		return -ENOMEM;

	if (u_msg_prio == NULL) {
		rec->msg_prio = 0;
	} else if (get_user(rec->msg_prio, u_msg_prio)) {
		/* Every failure path frees the still-unlinked record. */
		kfree(rec);
		return -EFAULT;
	}

	if (u_abs_timeout == NULL) {
		memset(&rec->abs_timeout, 0, sizeof(rec->abs_timeout));
	} else if (copy_from_user(&rec->abs_timeout, u_abs_timeout,
				  sizeof(rec->abs_timeout))) {
		kfree(rec);
		return -EFAULT;
	}

	rec->mqdes = mqdes;
	rec->msg_len = msg_len;

	rec->d.type = AUDIT_MQ_SENDRECV;
	rec->d.next = ctx->aux;
	ctx->aux = (void *)rec;
	return 0;
}

/**
 * __audit_mq_notify - record audit data for a POSIX MQ notify
 * @mqdes: MQ descriptor
 * @u_notification: Notification event
 *
 * Returns 0 for success or NULL context or < 0 on error.
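*/
int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
{
	struct audit_aux_data_mq_notify *ax;
	struct audit_context *context = current->audit_context;

	if (!audit_enabled)
		return 0;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	if (u_notification != NULL) {
		/*
		 * User-space sigevent: copy it in, and free the unlinked
		 * record if the copy fails.
		 */
		if (copy_from_user(&ax->notification, u_notification,
				   sizeof(ax->notification))) {
			kfree(ax);
			return -EFAULT;
		}
	} else
		memset(&ax->notification, 0, sizeof(ax->notification));

	ax->mqdes = mqdes;

	/* Push onto the head of the context's aux list. */
	ax->d.type = AUDIT_MQ_NOTIFY;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
 * @mqdes: MQ descriptor
 * @mqstat: MQ attributes; dereferenced directly, so it must be a valid
 *	kernel pointer (callers are not visible in this excerpt)
 *
 * Returns 0 on success, when auditing is disabled or when the task has no
 * audit context; -ENOMEM on allocation failure.
 */
int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{
	struct audit_aux_data_mq_getsetattr *ax;
	struct audit_context *context = current->audit_context;

	if (!audit_enabled)
		return 0;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	ax->mqdes = mqdes;
	ax->mqstat = *mqstat;

	ax->d.type = AUDIT_MQ_GETSETATTR;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_ipc_obj - record audit data for ipc object
 * @ipcp: ipc permissions
 *
 * Returns 0 for success or NULL context or < 0 on error.
 */
int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
	struct audit_aux_data_ipcctl *ax;
	struct audit_context *context = current->audit_context;

	/*
	 * The kernel-doc promises 0 for a NULL context, and context->aux is
	 * dereferenced below, so check here instead of relying on every
	 * caller (not visible in this excerpt) to have filtered it out.
	 */
	if (!context)
		return 0;

	/*
	 * struct audit_aux_data_ipcctl is also filled by
	 * __audit_ipc_set_perm(), and each function sets only some of its
	 * fields (qbytes is not set here). Zero the record so an unset field
	 * can never hold stale heap contents if the record is later
	 * formatted into the audit log.
	 */
	ax = kzalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	ax->uid = ipcp->uid;
	ax->gid = ipcp->gid;
	ax->mode = ipcp->mode;
	security_ipc_getsecid(ipcp, &ax->osid);

	ax->d.type = AUDIT_IPC;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_ipc_set_perm - record audit data for new ipc permissions
 * @qbytes: msgq bytes
 * @uid: msgq user id
 * @gid: msgq group id
 * @mode: msgq mode (permissions)
 *
 * Returns 0 for success or NULL context or < 0 on error.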
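*/
int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
	struct audit_aux_data_ipcctl *ax;
	struct audit_context *context = current->audit_context;

	/*
	 * context->aux is dereferenced below and the kernel-doc promises 0
	 * for a NULL context, so enforce that here rather than trusting
	 * callers that are not visible in this excerpt.
	 */
	if (!context)
		return 0;

	/*
	 * Zeroed allocation: this function does not set ax->osid, and the
	 * same record type is shared with __audit_ipc_obj(). Unset fields
	 * must not carry stale heap contents.
	 */
	ax = kzalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	ax->qbytes = qbytes;
	ax->uid = uid;
	ax->gid = gid;
	ax->mode = mode;

	/* Push onto the head of the context's aux list. */
	ax->d.type = AUDIT_IPC_SET_PERM;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * audit_bprm - record audit data for an exec
 * @bprm: binary-program descriptor being executed
 *
 * Saves argc, envc and the mm pointer from @bprm in an AUDIT_EXECVE record
 * at the head of the current task's aux list.
 *
 * Returns 0 on success, when auditing is disabled, or when the task has no
 * (or only a dummy) audit context; -ENOMEM on allocation failure.
 */
int audit_bprm(struct linux_binprm *bprm)
{
	struct audit_aux_data_execve *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!audit_enabled || !context || context->dummy))
		return 0;

	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->argc = bprm->argc;
	ax->envc = bprm->envc;
	/*
	 * NOTE(review): only the pointer is stored, no reference is taken
	 * here; whoever reads ax->mm later must be sure the mm is still
	 * alive -- confirm against the code that consumes this record.
	 */
	ax->mm = bprm->mm;

	ax->d.type = AUDIT_EXECVE;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * audit_socketcall - record audit data for sys_socketcall
 * @nargs: number of args
 * @args: args array (kernel memory; copied with memcpy())
 *
 * Returns 0 on success or when the task has no (or only a dummy) audit
 * context; -EINVAL if @nargs is negative or too large to size a record;
 * -ENOMEM on allocation failure.
 */
int audit_socketcall(int nargs, unsigned long *args)
{
	struct audit_aux_data_socketcall *ax;
	struct audit_context *context = current->audit_context;
	size_t args_bytes;

	if (likely(!context || context->dummy))
		return 0;

	/*
	 * nargs sizes both the allocation and the memcpy() below. A negative
	 * value converts to a huge size_t, and a large one can wrap the size
	 * computation where size_t is 32 bits; either way the copy would run
	 * past the buffer. Callers are not visible in this excerpt, so the
	 * bound is enforced here.
	 */
	if (nargs < 0 ||
	    (size_t)nargs > ((size_t)-1 - sizeof(*ax)) / sizeof(unsigned long))
		return -EINVAL;
	args_bytes = (size_t)nargs * sizeof(unsigned long);

	ax = kmalloc(sizeof(*ax) + args_bytes, GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->nargs = nargs;
	memcpy(ax->args, args, args_bytes);

	ax->d.type = AUDIT_SOCKETCALL;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * __audit_fd_pair - record audit data for pipe and socketpair
 * @fd1: the first file descriptor
 * @fd2: the second file descriptor
 *
 * Returns 0 for success or NULL context or < 0 on error.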
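*/
int __audit_fd_pair(int fd1, int fd2)
{
	struct audit_context *context = current->audit_context;
	struct audit_aux_data_fd_pair *ax;

	if (likely(!context)) {
		return 0;
	}

	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
	if (!ax) {
		return -ENOMEM;
	}

	ax->fd[0] = fd1;
	ax->fd[1] = fd2;

	/* Push onto the head of the context's aux list. */
	ax->d.type = AUDIT_FD_PAIR;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/**
 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
 * @len: data length in user space
 * @a: data address in kernel space
 *
 * Returns 0 on success or when the task has no (or only a dummy) audit
 * context; -EINVAL if @len is negative; -ENOMEM on allocation failure.
 */
int audit_sockaddr(int len, void *a)
{
	struct audit_aux_data_sockaddr *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context || context->dummy))
		return 0;

	/*
	 * len is a signed int that sizes both the allocation and the
	 * memcpy(). A negative value converts to a huge size_t: the sum
	 * below would wrap to a short buffer while the copy length stays
	 * enormous. Reject it here; callers are not visible in this excerpt,
	 * so do not assume they already did.
	 */
	if (len < 0)
		return -EINVAL;

	ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->len = len;
	memcpy(ax->a, a, len);

	ax->d.type = AUDIT_SOCKADDR;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

/*
 * __audit_ptrace - note the target task of a ptrace in the audit context
 * @t: task being traced
 *
 * Copies pid, login uid, uid, session id, security id and comm of @t into
 * the target_* fields of the current task's audit context.
 *
 * NOTE(review): context is dereferenced without a NULL check; presumably
 * the caller only gets here with a live audit context -- confirm against
 * the wrapper, which is not visible in this excerpt.
 */
void __audit_ptrace(struct task_struct *t)
{
	struct audit_context *context = current->audit_context;

	context->target_pid = t->pid;
	context->target_auid = audit_get_loginuid(t);
	context->target_uid = t->uid;
	context->target_sessionid = audit_get_sessionid(t);
	security_task_getsecid(t, &context->target_sid);
	/* Fixed-size copy: exactly TASK_COMM_LEN bytes of the task name. */
	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
}

/**
 * __audit_signal_info - record signal info for shutting down audit subsystem
 * @sig: signal value
 * @t: task being signaled
 *
 * If the audit subsystem is being terminated, record the task (pid)
 * and uid that is doing that.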
*/
int __audit_signal_info(int sig, struct task_struct *t)
{
	struct audit_aux_data_pids *axp;
	struct task_struct *tsk = current;
	struct audit_context *ctx = tsk->audit_context;

	/*
	 * Signal aimed at the task whose tgid equals audit_pid: for the
	 * listed signals, remember who sent it (pid, login uid or, when no
	 * login uid is set, uid, plus the security id) in the audit_sig_*
	 * globals.
	 */
	if (audit_pid && t->tgid == audit_pid) {
		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
			audit_sig_pid = tsk->pid;
			if (tsk->loginuid != -1)
				audit_sig_uid = tsk->loginuid;
			else
				audit_sig_uid = tsk->uid;
			security_task_getsecid(tsk, &audit_sig_sid);
		}
		/* Signal targets are not being audited: nothing more to record. */
		if (!audit_signals || audit_dummy_context())
			return 0;
	}

	/*
	 * Common case: the first signal recipient is stored directly in the
	 * audit_context, so no allocation is needed.
	 *
	 * NOTE(review): ctx is dereferenced here without a NULL check, and
	 * this path is reached whenever the target is not the audit_pid
	 * task. Presumably the caller only gets here with a live context --
	 * confirm against the wrapper, which is not visible in this excerpt.
	 */
	if (!ctx->target_pid) {
		ctx->target_pid = t->tgid;
		ctx->target_auid = audit_get_loginuid(t);
		ctx->target_uid = t->uid;
		ctx->target_sessionid = audit_get_sessionid(t);
		security_task_getsecid(t, &ctx->target_sid);
		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
		return 0;
	}

	/*
	 * Further recipients go into fixed-size batches chained on
	 * ctx->aux_pids; start a new zeroed batch when there is none yet or
	 * the head batch is full.
	 */
	axp = (void *)ctx->aux_pids;
	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
		if (!axp)
			return -ENOMEM;

		axp->d.type = AUDIT_OBJ_PID;
		axp->d.next = ctx->aux_pids;
		ctx->aux_pids = (void *)axp;
	}
	/*
	 * Bounds guard for the array writes below: pid_count must index a
	 * free slot. A violation halts via BUG_ON() instead of writing past
	 * the arrays.
	 */
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);

	axp->target_pid[axp->pid_count] = t->tgid;
	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
	axp->target_uid[axp->pid_count] = t->uid;
	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
	axp->pid_count++;

	return 0;
}

/**
 * audit_core_dumps - record information about processes that end abnormally
 * @signr: signal value
 *
 * If a process ends with a core dump, something fishy is going on and we
 * should record the event for investigation.
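*/
void audit_core_dumps(long signr)
{
	struct audit_buffer *ab;
	u32 sid;
	uid_t auid = audit_get_loginuid(current);
	unsigned int sessionid = audit_get_sessionid(current);

	if (!audit_enabled)
		return;

	if (signr == SIGQUIT)	/* don't care for those */
		return;

	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
	/*
	 * audit_log_start() can return NULL; stop here instead of doing the
	 * security-context lookup below for a record that cannot be emitted.
	 */
	if (unlikely(!ab))
		return;

	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
			 auid, current->uid, current->gid, sessionid);

	/* Add the subject's security label when the task has a security id. */
	security_task_getsecid(current, &sid);
	if (sid) {
		char *ctx = NULL;
		u32 len;

		if (security_secid_to_secctx(sid, &ctx, &len))
			/* No text form available: fall back to the raw id. */
			audit_log_format(ab, " ssid=%u", sid);
		else {
			audit_log_format(ab, " subj=%s", ctx);
			/* Release the context string obtained above. */
			security_release_secctx(ctx, len);
		}
	}

	audit_log_format(ab, " pid=%d comm=", current->pid);
	/*
	 * The task name is under the process's control, so it goes through
	 * audit_log_untrustedstring() rather than a raw %s, keeping it from
	 * injecting extra fields into the record.
	 */
	audit_log_untrustedstring(ab, current->comm);
	audit_log_format(ab, " sig=%ld", signr);
	audit_log_end(ab);
}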