Back to home page

LXR

 
 

    


0001 /* auditsc.c -- System-call auditing support
0002  * Handles all system-call specific auditing features.
0003  *
0004  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
0005  * Copyright 2005 Hewlett-Packard Development Company, L.P.
0006  * Copyright (C) 2005, 2006 IBM Corporation
0007  * All Rights Reserved.
0008  *
0009  * This program is free software; you can redistribute it and/or modify
0010  * it under the terms of the GNU General Public License as published by
0011  * the Free Software Foundation; either version 2 of the License, or
0012  * (at your option) any later version.
0013  *
0014  * This program is distributed in the hope that it will be useful,
0015  * but WITHOUT ANY WARRANTY; without even the implied warranty of
0016  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
0017  * GNU General Public License for more details.
0018  *
0019  * You should have received a copy of the GNU General Public License
0020  * along with this program; if not, write to the Free Software
0021  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
0022  *
0023  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
0024  *
0025  * Many of the ideas implemented here are from Stephen C. Tweedie,
0026  * especially the idea of avoiding a copy by using getname.
0027  *
0028  * The method for actual interception of syscall entry and exit (not in
0029  * this file -- see entry.S) is based on a GPL'd patch written by
0030  * okir@suse.de and Copyright 2003 SuSE Linux AG.
0031  *
0032  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
0033  * 2006.
0034  *
0035  * The support of additional filter rules compares (>, <, >=, <=) was
0036  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
0037  *
0038  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
0039  * filesystem information.
0040  *
0041  * Subject and object context labeling support added by <danjones@us.ibm.com>
0042  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
0043  */
0044 
0045 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0046 
0047 #include <linux/init.h>
0048 #include <asm/types.h>
0049 #include <linux/atomic.h>
0050 #include <linux/fs.h>
0051 #include <linux/namei.h>
0052 #include <linux/mm.h>
0053 #include <linux/export.h>
0054 #include <linux/slab.h>
0055 #include <linux/mount.h>
0056 #include <linux/socket.h>
0057 #include <linux/mqueue.h>
0058 #include <linux/audit.h>
0059 #include <linux/personality.h>
0060 #include <linux/time.h>
0061 #include <linux/netlink.h>
0062 #include <linux/compiler.h>
0063 #include <asm/unistd.h>
0064 #include <linux/security.h>
0065 #include <linux/list.h>
0066 #include <linux/binfmts.h>
0067 #include <linux/highmem.h>
0068 #include <linux/syscalls.h>
0069 #include <asm/syscall.h>
0070 #include <linux/capability.h>
0071 #include <linux/fs_struct.h>
0072 #include <linux/compat.h>
0073 #include <linux/ctype.h>
0074 #include <linux/string.h>
0075 #include <linux/uaccess.h>
0076 #include <uapi/linux/limits.h>
0077 
0078 #include "audit.h"
0079 
0080 /* flags stating the success for a syscall */
0081 #define AUDITSC_INVALID 0
0082 #define AUDITSC_SUCCESS 1
0083 #define AUDITSC_FAILURE 2
0084 
0085 /* no execve audit message should be longer than this (userspace limits),
0086  * see the note near the top of audit_log_execve_info() about this value */
0087 #define MAX_EXECVE_AUDIT_LEN 7500
0088 
0089 /* max length to print of cmdline/proctitle value during audit */
0090 #define MAX_PROCTITLE_AUDIT_LEN 128
0091 
0092 /* number of audit rules */
0093 int audit_n_rules;
0094 
0095 /* determines whether we collect data for signals sent */
0096 int audit_signals;
0097 
0098 struct audit_aux_data {
0099     struct audit_aux_data   *next;
0100     int         type;
0101 };
0102 
0103 #define AUDIT_AUX_IPCPERM   0
0104 
0105 /* Number of target pids per aux struct. */
0106 #define AUDIT_AUX_PIDS  16
0107 
0108 struct audit_aux_data_pids {
0109     struct audit_aux_data   d;
0110     pid_t           target_pid[AUDIT_AUX_PIDS];
0111     kuid_t          target_auid[AUDIT_AUX_PIDS];
0112     kuid_t          target_uid[AUDIT_AUX_PIDS];
0113     unsigned int        target_sessionid[AUDIT_AUX_PIDS];
0114     u32         target_sid[AUDIT_AUX_PIDS];
0115     char            target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
0116     int         pid_count;
0117 };
0118 
0119 struct audit_aux_data_bprm_fcaps {
0120     struct audit_aux_data   d;
0121     struct audit_cap_data   fcap;
0122     unsigned int        fcap_ver;
0123     struct audit_cap_data   old_pcap;
0124     struct audit_cap_data   new_pcap;
0125 };
0126 
0127 struct audit_tree_refs {
0128     struct audit_tree_refs *next;
0129     struct audit_chunk *c[31];
0130 };
0131 
0132 static int audit_match_perm(struct audit_context *ctx, int mask)
0133 {
0134     unsigned n;
0135     if (unlikely(!ctx))
0136         return 0;
0137     n = ctx->major;
0138 
0139     switch (audit_classify_syscall(ctx->arch, n)) {
0140     case 0: /* native */
0141         if ((mask & AUDIT_PERM_WRITE) &&
0142              audit_match_class(AUDIT_CLASS_WRITE, n))
0143             return 1;
0144         if ((mask & AUDIT_PERM_READ) &&
0145              audit_match_class(AUDIT_CLASS_READ, n))
0146             return 1;
0147         if ((mask & AUDIT_PERM_ATTR) &&
0148              audit_match_class(AUDIT_CLASS_CHATTR, n))
0149             return 1;
0150         return 0;
0151     case 1: /* 32bit on biarch */
0152         if ((mask & AUDIT_PERM_WRITE) &&
0153              audit_match_class(AUDIT_CLASS_WRITE_32, n))
0154             return 1;
0155         if ((mask & AUDIT_PERM_READ) &&
0156              audit_match_class(AUDIT_CLASS_READ_32, n))
0157             return 1;
0158         if ((mask & AUDIT_PERM_ATTR) &&
0159              audit_match_class(AUDIT_CLASS_CHATTR_32, n))
0160             return 1;
0161         return 0;
0162     case 2: /* open */
0163         return mask & ACC_MODE(ctx->argv[1]);
0164     case 3: /* openat */
0165         return mask & ACC_MODE(ctx->argv[2]);
0166     case 4: /* socketcall */
0167         return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
0168     case 5: /* execve */
0169         return mask & AUDIT_PERM_EXEC;
0170     default:
0171         return 0;
0172     }
0173 }
0174 
0175 static int audit_match_filetype(struct audit_context *ctx, int val)
0176 {
0177     struct audit_names *n;
0178     umode_t mode = (umode_t)val;
0179 
0180     if (unlikely(!ctx))
0181         return 0;
0182 
0183     list_for_each_entry(n, &ctx->names_list, list) {
0184         if ((n->ino != AUDIT_INO_UNSET) &&
0185             ((n->mode & S_IFMT) == mode))
0186             return 1;
0187     }
0188 
0189     return 0;
0190 }
0191 
0192 /*
0193  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
0194  * ->first_trees points to its beginning, ->trees - to the current end of data.
0195  * ->tree_count is the number of free entries in array pointed to by ->trees.
0196  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
0197  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
0198  * it's going to remain 1-element for almost any setup) until we free context itself.
0199  * References in it _are_ dropped - at the same time we free/drop aux stuff.
0200  */
0201 
0202 #ifdef CONFIG_AUDIT_TREE
0203 static void audit_set_auditable(struct audit_context *ctx)
0204 {
0205     if (!ctx->prio) {
0206         ctx->prio = 1;
0207         ctx->current_state = AUDIT_RECORD_CONTEXT;
0208     }
0209 }
0210 
0211 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
0212 {
0213     struct audit_tree_refs *p = ctx->trees;
0214     int left = ctx->tree_count;
0215     if (likely(left)) {
0216         p->c[--left] = chunk;
0217         ctx->tree_count = left;
0218         return 1;
0219     }
0220     if (!p)
0221         return 0;
0222     p = p->next;
0223     if (p) {
0224         p->c[30] = chunk;
0225         ctx->trees = p;
0226         ctx->tree_count = 30;
0227         return 1;
0228     }
0229     return 0;
0230 }
0231 
0232 static int grow_tree_refs(struct audit_context *ctx)
0233 {
0234     struct audit_tree_refs *p = ctx->trees;
0235     ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
0236     if (!ctx->trees) {
0237         ctx->trees = p;
0238         return 0;
0239     }
0240     if (p)
0241         p->next = ctx->trees;
0242     else
0243         ctx->first_trees = ctx->trees;
0244     ctx->tree_count = 31;
0245     return 1;
0246 }
0247 #endif
0248 
0249 static void unroll_tree_refs(struct audit_context *ctx,
0250               struct audit_tree_refs *p, int count)
0251 {
0252 #ifdef CONFIG_AUDIT_TREE
0253     struct audit_tree_refs *q;
0254     int n;
0255     if (!p) {
0256         /* we started with empty chain */
0257         p = ctx->first_trees;
0258         count = 31;
0259         /* if the very first allocation has failed, nothing to do */
0260         if (!p)
0261             return;
0262     }
0263     n = count;
0264     for (q = p; q != ctx->trees; q = q->next, n = 31) {
0265         while (n--) {
0266             audit_put_chunk(q->c[n]);
0267             q->c[n] = NULL;
0268         }
0269     }
0270     while (n-- > ctx->tree_count) {
0271         audit_put_chunk(q->c[n]);
0272         q->c[n] = NULL;
0273     }
0274     ctx->trees = p;
0275     ctx->tree_count = count;
0276 #endif
0277 }
0278 
0279 static void free_tree_refs(struct audit_context *ctx)
0280 {
0281     struct audit_tree_refs *p, *q;
0282     for (p = ctx->first_trees; p; p = q) {
0283         q = p->next;
0284         kfree(p);
0285     }
0286 }
0287 
0288 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
0289 {
0290 #ifdef CONFIG_AUDIT_TREE
0291     struct audit_tree_refs *p;
0292     int n;
0293     if (!tree)
0294         return 0;
0295     /* full ones */
0296     for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
0297         for (n = 0; n < 31; n++)
0298             if (audit_tree_match(p->c[n], tree))
0299                 return 1;
0300     }
0301     /* partial */
0302     if (p) {
0303         for (n = ctx->tree_count; n < 31; n++)
0304             if (audit_tree_match(p->c[n], tree))
0305                 return 1;
0306     }
0307 #endif
0308     return 0;
0309 }
0310 
0311 static int audit_compare_uid(kuid_t uid,
0312                  struct audit_names *name,
0313                  struct audit_field *f,
0314                  struct audit_context *ctx)
0315 {
0316     struct audit_names *n;
0317     int rc;
0318  
0319     if (name) {
0320         rc = audit_uid_comparator(uid, f->op, name->uid);
0321         if (rc)
0322             return rc;
0323     }
0324  
0325     if (ctx) {
0326         list_for_each_entry(n, &ctx->names_list, list) {
0327             rc = audit_uid_comparator(uid, f->op, n->uid);
0328             if (rc)
0329                 return rc;
0330         }
0331     }
0332     return 0;
0333 }
0334 
0335 static int audit_compare_gid(kgid_t gid,
0336                  struct audit_names *name,
0337                  struct audit_field *f,
0338                  struct audit_context *ctx)
0339 {
0340     struct audit_names *n;
0341     int rc;
0342  
0343     if (name) {
0344         rc = audit_gid_comparator(gid, f->op, name->gid);
0345         if (rc)
0346             return rc;
0347     }
0348  
0349     if (ctx) {
0350         list_for_each_entry(n, &ctx->names_list, list) {
0351             rc = audit_gid_comparator(gid, f->op, n->gid);
0352             if (rc)
0353                 return rc;
0354         }
0355     }
0356     return 0;
0357 }
0358 
0359 static int audit_field_compare(struct task_struct *tsk,
0360                    const struct cred *cred,
0361                    struct audit_field *f,
0362                    struct audit_context *ctx,
0363                    struct audit_names *name)
0364 {
0365     switch (f->val) {
0366     /* process to file object comparisons */
0367     case AUDIT_COMPARE_UID_TO_OBJ_UID:
0368         return audit_compare_uid(cred->uid, name, f, ctx);
0369     case AUDIT_COMPARE_GID_TO_OBJ_GID:
0370         return audit_compare_gid(cred->gid, name, f, ctx);
0371     case AUDIT_COMPARE_EUID_TO_OBJ_UID:
0372         return audit_compare_uid(cred->euid, name, f, ctx);
0373     case AUDIT_COMPARE_EGID_TO_OBJ_GID:
0374         return audit_compare_gid(cred->egid, name, f, ctx);
0375     case AUDIT_COMPARE_AUID_TO_OBJ_UID:
0376         return audit_compare_uid(tsk->loginuid, name, f, ctx);
0377     case AUDIT_COMPARE_SUID_TO_OBJ_UID:
0378         return audit_compare_uid(cred->suid, name, f, ctx);
0379     case AUDIT_COMPARE_SGID_TO_OBJ_GID:
0380         return audit_compare_gid(cred->sgid, name, f, ctx);
0381     case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
0382         return audit_compare_uid(cred->fsuid, name, f, ctx);
0383     case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
0384         return audit_compare_gid(cred->fsgid, name, f, ctx);
0385     /* uid comparisons */
0386     case AUDIT_COMPARE_UID_TO_AUID:
0387         return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
0388     case AUDIT_COMPARE_UID_TO_EUID:
0389         return audit_uid_comparator(cred->uid, f->op, cred->euid);
0390     case AUDIT_COMPARE_UID_TO_SUID:
0391         return audit_uid_comparator(cred->uid, f->op, cred->suid);
0392     case AUDIT_COMPARE_UID_TO_FSUID:
0393         return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
0394     /* auid comparisons */
0395     case AUDIT_COMPARE_AUID_TO_EUID:
0396         return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
0397     case AUDIT_COMPARE_AUID_TO_SUID:
0398         return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
0399     case AUDIT_COMPARE_AUID_TO_FSUID:
0400         return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
0401     /* euid comparisons */
0402     case AUDIT_COMPARE_EUID_TO_SUID:
0403         return audit_uid_comparator(cred->euid, f->op, cred->suid);
0404     case AUDIT_COMPARE_EUID_TO_FSUID:
0405         return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
0406     /* suid comparisons */
0407     case AUDIT_COMPARE_SUID_TO_FSUID:
0408         return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
0409     /* gid comparisons */
0410     case AUDIT_COMPARE_GID_TO_EGID:
0411         return audit_gid_comparator(cred->gid, f->op, cred->egid);
0412     case AUDIT_COMPARE_GID_TO_SGID:
0413         return audit_gid_comparator(cred->gid, f->op, cred->sgid);
0414     case AUDIT_COMPARE_GID_TO_FSGID:
0415         return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
0416     /* egid comparisons */
0417     case AUDIT_COMPARE_EGID_TO_SGID:
0418         return audit_gid_comparator(cred->egid, f->op, cred->sgid);
0419     case AUDIT_COMPARE_EGID_TO_FSGID:
0420         return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
0421     /* sgid comparison */
0422     case AUDIT_COMPARE_SGID_TO_FSGID:
0423         return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
0424     default:
0425         WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
0426         return 0;
0427     }
0428     return 0;
0429 }
0430 
0431 /* Determine if any context name data matches a rule's watch data */
0432 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
0433  * otherwise.
0434  *
0435  * If task_creation is true, this is an explicit indication that we are
0436  * filtering a task rule at task creation time.  This and tsk == current are
0437  * the only situations where tsk->cred may be accessed without an rcu read lock.
0438  */
0439 static int audit_filter_rules(struct task_struct *tsk,
0440                   struct audit_krule *rule,
0441                   struct audit_context *ctx,
0442                   struct audit_names *name,
0443                   enum audit_state *state,
0444                   bool task_creation)
0445 {
0446     const struct cred *cred;
0447     int i, need_sid = 1;
0448     u32 sid;
0449     unsigned int sessionid;
0450 
0451     cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
0452 
0453     for (i = 0; i < rule->field_count; i++) {
0454         struct audit_field *f = &rule->fields[i];
0455         struct audit_names *n;
0456         int result = 0;
0457         pid_t pid;
0458 
0459         switch (f->type) {
0460         case AUDIT_PID:
0461             pid = task_tgid_nr(tsk);
0462             result = audit_comparator(pid, f->op, f->val);
0463             break;
0464         case AUDIT_PPID:
0465             if (ctx) {
0466                 if (!ctx->ppid)
0467                     ctx->ppid = task_ppid_nr(tsk);
0468                 result = audit_comparator(ctx->ppid, f->op, f->val);
0469             }
0470             break;
0471         case AUDIT_EXE:
0472             result = audit_exe_compare(tsk, rule->exe);
0473             break;
0474         case AUDIT_UID:
0475             result = audit_uid_comparator(cred->uid, f->op, f->uid);
0476             break;
0477         case AUDIT_EUID:
0478             result = audit_uid_comparator(cred->euid, f->op, f->uid);
0479             break;
0480         case AUDIT_SUID:
0481             result = audit_uid_comparator(cred->suid, f->op, f->uid);
0482             break;
0483         case AUDIT_FSUID:
0484             result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
0485             break;
0486         case AUDIT_GID:
0487             result = audit_gid_comparator(cred->gid, f->op, f->gid);
0488             if (f->op == Audit_equal) {
0489                 if (!result)
0490                     result = in_group_p(f->gid);
0491             } else if (f->op == Audit_not_equal) {
0492                 if (result)
0493                     result = !in_group_p(f->gid);
0494             }
0495             break;
0496         case AUDIT_EGID:
0497             result = audit_gid_comparator(cred->egid, f->op, f->gid);
0498             if (f->op == Audit_equal) {
0499                 if (!result)
0500                     result = in_egroup_p(f->gid);
0501             } else if (f->op == Audit_not_equal) {
0502                 if (result)
0503                     result = !in_egroup_p(f->gid);
0504             }
0505             break;
0506         case AUDIT_SGID:
0507             result = audit_gid_comparator(cred->sgid, f->op, f->gid);
0508             break;
0509         case AUDIT_FSGID:
0510             result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
0511             break;
0512         case AUDIT_SESSIONID:
0513             sessionid = audit_get_sessionid(current);
0514             result = audit_comparator(sessionid, f->op, f->val);
0515             break;
0516         case AUDIT_PERS:
0517             result = audit_comparator(tsk->personality, f->op, f->val);
0518             break;
0519         case AUDIT_ARCH:
0520             if (ctx)
0521                 result = audit_comparator(ctx->arch, f->op, f->val);
0522             break;
0523 
0524         case AUDIT_EXIT:
0525             if (ctx && ctx->return_valid)
0526                 result = audit_comparator(ctx->return_code, f->op, f->val);
0527             break;
0528         case AUDIT_SUCCESS:
0529             if (ctx && ctx->return_valid) {
0530                 if (f->val)
0531                     result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
0532                 else
0533                     result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
0534             }
0535             break;
0536         case AUDIT_DEVMAJOR:
0537             if (name) {
0538                 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
0539                     audit_comparator(MAJOR(name->rdev), f->op, f->val))
0540                     ++result;
0541             } else if (ctx) {
0542                 list_for_each_entry(n, &ctx->names_list, list) {
0543                     if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
0544                         audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
0545                         ++result;
0546                         break;
0547                     }
0548                 }
0549             }
0550             break;
0551         case AUDIT_DEVMINOR:
0552             if (name) {
0553                 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
0554                     audit_comparator(MINOR(name->rdev), f->op, f->val))
0555                     ++result;
0556             } else if (ctx) {
0557                 list_for_each_entry(n, &ctx->names_list, list) {
0558                     if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
0559                         audit_comparator(MINOR(n->rdev), f->op, f->val)) {
0560                         ++result;
0561                         break;
0562                     }
0563                 }
0564             }
0565             break;
0566         case AUDIT_INODE:
0567             if (name)
0568                 result = audit_comparator(name->ino, f->op, f->val);
0569             else if (ctx) {
0570                 list_for_each_entry(n, &ctx->names_list, list) {
0571                     if (audit_comparator(n->ino, f->op, f->val)) {
0572                         ++result;
0573                         break;
0574                     }
0575                 }
0576             }
0577             break;
0578         case AUDIT_OBJ_UID:
0579             if (name) {
0580                 result = audit_uid_comparator(name->uid, f->op, f->uid);
0581             } else if (ctx) {
0582                 list_for_each_entry(n, &ctx->names_list, list) {
0583                     if (audit_uid_comparator(n->uid, f->op, f->uid)) {
0584                         ++result;
0585                         break;
0586                     }
0587                 }
0588             }
0589             break;
0590         case AUDIT_OBJ_GID:
0591             if (name) {
0592                 result = audit_gid_comparator(name->gid, f->op, f->gid);
0593             } else if (ctx) {
0594                 list_for_each_entry(n, &ctx->names_list, list) {
0595                     if (audit_gid_comparator(n->gid, f->op, f->gid)) {
0596                         ++result;
0597                         break;
0598                     }
0599                 }
0600             }
0601             break;
0602         case AUDIT_WATCH:
0603             if (name)
0604                 result = audit_watch_compare(rule->watch, name->ino, name->dev);
0605             break;
0606         case AUDIT_DIR:
0607             if (ctx)
0608                 result = match_tree_refs(ctx, rule->tree);
0609             break;
0610         case AUDIT_LOGINUID:
0611             result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
0612             break;
0613         case AUDIT_LOGINUID_SET:
0614             result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
0615             break;
0616         case AUDIT_SUBJ_USER:
0617         case AUDIT_SUBJ_ROLE:
0618         case AUDIT_SUBJ_TYPE:
0619         case AUDIT_SUBJ_SEN:
0620         case AUDIT_SUBJ_CLR:
0621             /* NOTE: this may return negative values indicating
0622                a temporary error.  We simply treat this as a
0623                match for now to avoid losing information that
0624                may be wanted.   An error message will also be
0625                logged upon error */
0626             if (f->lsm_rule) {
0627                 if (need_sid) {
0628                     security_task_getsecid(tsk, &sid);
0629                     need_sid = 0;
0630                 }
0631                 result = security_audit_rule_match(sid, f->type,
0632                                                   f->op,
0633                                                   f->lsm_rule,
0634                                                   ctx);
0635             }
0636             break;
0637         case AUDIT_OBJ_USER:
0638         case AUDIT_OBJ_ROLE:
0639         case AUDIT_OBJ_TYPE:
0640         case AUDIT_OBJ_LEV_LOW:
0641         case AUDIT_OBJ_LEV_HIGH:
0642             /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
0643                also applies here */
0644             if (f->lsm_rule) {
0645                 /* Find files that match */
0646                 if (name) {
0647                     result = security_audit_rule_match(
0648                                name->osid, f->type, f->op,
0649                                f->lsm_rule, ctx);
0650                 } else if (ctx) {
0651                     list_for_each_entry(n, &ctx->names_list, list) {
0652                         if (security_audit_rule_match(n->osid, f->type,
0653                                           f->op, f->lsm_rule,
0654                                           ctx)) {
0655                             ++result;
0656                             break;
0657                         }
0658                     }
0659                 }
0660                 /* Find ipc objects that match */
0661                 if (!ctx || ctx->type != AUDIT_IPC)
0662                     break;
0663                 if (security_audit_rule_match(ctx->ipc.osid,
0664                                   f->type, f->op,
0665                                   f->lsm_rule, ctx))
0666                     ++result;
0667             }
0668             break;
0669         case AUDIT_ARG0:
0670         case AUDIT_ARG1:
0671         case AUDIT_ARG2:
0672         case AUDIT_ARG3:
0673             if (ctx)
0674                 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
0675             break;
0676         case AUDIT_FILTERKEY:
0677             /* ignore this field for filtering */
0678             result = 1;
0679             break;
0680         case AUDIT_PERM:
0681             result = audit_match_perm(ctx, f->val);
0682             break;
0683         case AUDIT_FILETYPE:
0684             result = audit_match_filetype(ctx, f->val);
0685             break;
0686         case AUDIT_FIELD_COMPARE:
0687             result = audit_field_compare(tsk, cred, f, ctx, name);
0688             break;
0689         }
0690         if (!result)
0691             return 0;
0692     }
0693 
0694     if (ctx) {
0695         if (rule->prio <= ctx->prio)
0696             return 0;
0697         if (rule->filterkey) {
0698             kfree(ctx->filterkey);
0699             ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
0700         }
0701         ctx->prio = rule->prio;
0702     }
0703     switch (rule->action) {
0704     case AUDIT_NEVER:
0705         *state = AUDIT_DISABLED;
0706         break;
0707     case AUDIT_ALWAYS:
0708         *state = AUDIT_RECORD_CONTEXT;
0709         break;
0710     }
0711     return 1;
0712 }
0713 
0714 /* At process creation time, we can determine if system-call auditing is
0715  * completely disabled for this task.  Since we only have the task
0716  * structure at this point, we can only check uid and gid.
0717  */
0718 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
0719 {
0720     struct audit_entry *e;
0721     enum audit_state   state;
0722 
0723     rcu_read_lock();
0724     list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
0725         if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
0726                        &state, true)) {
0727             if (state == AUDIT_RECORD_CONTEXT)
0728                 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
0729             rcu_read_unlock();
0730             return state;
0731         }
0732     }
0733     rcu_read_unlock();
0734     return AUDIT_BUILD_CONTEXT;
0735 }
0736 
0737 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
0738 {
0739     int word, bit;
0740 
0741     if (val > 0xffffffff)
0742         return false;
0743 
0744     word = AUDIT_WORD(val);
0745     if (word >= AUDIT_BITMASK_SIZE)
0746         return false;
0747 
0748     bit = AUDIT_BIT(val);
0749 
0750     return rule->mask[word] & bit;
0751 }
0752 
0753 /* At syscall entry and exit time, this filter is called if the
0754  * audit_state is not low enough that auditing cannot take place, but is
0755  * also not high enough that we already know we have to write an audit
0756  * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
0757  */
0758 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
0759                          struct audit_context *ctx,
0760                          struct list_head *list)
0761 {
0762     struct audit_entry *e;
0763     enum audit_state state;
0764 
0765     if (audit_pid && tsk->tgid == audit_pid)
0766         return AUDIT_DISABLED;
0767 
0768     rcu_read_lock();
0769     if (!list_empty(list)) {
0770         list_for_each_entry_rcu(e, list, list) {
0771             if (audit_in_mask(&e->rule, ctx->major) &&
0772                 audit_filter_rules(tsk, &e->rule, ctx, NULL,
0773                            &state, false)) {
0774                 rcu_read_unlock();
0775                 ctx->current_state = state;
0776                 return state;
0777             }
0778         }
0779     }
0780     rcu_read_unlock();
0781     return AUDIT_BUILD_CONTEXT;
0782 }
0783 
0784 /*
0785  * Given an audit_name check the inode hash table to see if they match.
0786  * Called holding the rcu read lock to protect the use of audit_inode_hash
0787  */
0788 static int audit_filter_inode_name(struct task_struct *tsk,
0789                    struct audit_names *n,
0790                    struct audit_context *ctx) {
0791     int h = audit_hash_ino((u32)n->ino);
0792     struct list_head *list = &audit_inode_hash[h];
0793     struct audit_entry *e;
0794     enum audit_state state;
0795 
0796     if (list_empty(list))
0797         return 0;
0798 
0799     list_for_each_entry_rcu(e, list, list) {
0800         if (audit_in_mask(&e->rule, ctx->major) &&
0801             audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
0802             ctx->current_state = state;
0803             return 1;
0804         }
0805     }
0806 
0807     return 0;
0808 }
0809 
0810 /* At syscall exit time, this filter is called if any audit_names have been
0811  * collected during syscall processing.  We only check rules in sublists at hash
0812  * buckets applicable to the inode numbers in audit_names.
0813  * Regarding audit_state, same rules apply as for audit_filter_syscall().
0814  */
0815 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
0816 {
0817     struct audit_names *n;
0818 
0819     if (audit_pid && tsk->tgid == audit_pid)
0820         return;
0821 
0822     rcu_read_lock();
0823 
0824     list_for_each_entry(n, &ctx->names_list, list) {
0825         if (audit_filter_inode_name(tsk, n, ctx))
0826             break;
0827     }
0828     rcu_read_unlock();
0829 }
0830 
0831 /* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
0832 static inline struct audit_context *audit_take_context(struct task_struct *tsk,
0833                               int return_valid,
0834                               long return_code)
0835 {
0836     struct audit_context *context = tsk->audit_context;
0837 
0838     if (!context)
0839         return NULL;
0840     context->return_valid = return_valid;
0841 
0842     /*
0843      * we need to fix up the return code in the audit logs if the actual
0844      * return codes are later going to be fixed up by the arch specific
0845      * signal handlers
0846      *
0847      * This is actually a test for:
0848      * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
0849      * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
0850      *
0851      * but is faster than a bunch of ||
0852      */
0853     if (unlikely(return_code <= -ERESTARTSYS) &&
0854         (return_code >= -ERESTART_RESTARTBLOCK) &&
0855         (return_code != -ENOIOCTLCMD))
0856         context->return_code = -EINTR;
0857     else
0858         context->return_code  = return_code;
0859 
0860     if (context->in_syscall && !context->dummy) {
0861         audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
0862         audit_filter_inodes(tsk, context);
0863     }
0864 
0865     tsk->audit_context = NULL;
0866     return context;
0867 }
0868 
0869 static inline void audit_proctitle_free(struct audit_context *context)
0870 {
0871     kfree(context->proctitle.value);
0872     context->proctitle.value = NULL;
0873     context->proctitle.len = 0;
0874 }
0875 
0876 static inline void audit_free_names(struct audit_context *context)
0877 {
0878     struct audit_names *n, *next;
0879 
0880     list_for_each_entry_safe(n, next, &context->names_list, list) {
0881         list_del(&n->list);
0882         if (n->name)
0883             putname(n->name);
0884         if (n->should_free)
0885             kfree(n);
0886     }
0887     context->name_count = 0;
0888     path_put(&context->pwd);
0889     context->pwd.dentry = NULL;
0890     context->pwd.mnt = NULL;
0891 }
0892 
0893 static inline void audit_free_aux(struct audit_context *context)
0894 {
0895     struct audit_aux_data *aux;
0896 
0897     while ((aux = context->aux)) {
0898         context->aux = aux->next;
0899         kfree(aux);
0900     }
0901     while ((aux = context->aux_pids)) {
0902         context->aux_pids = aux->next;
0903         kfree(aux);
0904     }
0905 }
0906 
0907 static inline struct audit_context *audit_alloc_context(enum audit_state state)
0908 {
0909     struct audit_context *context;
0910 
0911     context = kzalloc(sizeof(*context), GFP_KERNEL);
0912     if (!context)
0913         return NULL;
0914     context->state = state;
0915     context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
0916     INIT_LIST_HEAD(&context->killed_trees);
0917     INIT_LIST_HEAD(&context->names_list);
0918     return context;
0919 }
0920 
0921 /**
0922  * audit_alloc - allocate an audit context block for a task
0923  * @tsk: task
0924  *
0925  * Filter on the task information and allocate a per-task audit context
0926  * if necessary.  Doing so turns on system call auditing for the
0927  * specified task.  This is called from copy_process, so no lock is
0928  * needed.
0929  */
0930 int audit_alloc(struct task_struct *tsk)
0931 {
0932     struct audit_context *context;
0933     enum audit_state     state;
0934     char *key = NULL;
0935 
0936     if (likely(!audit_ever_enabled))
0937         return 0; /* Return if not auditing. */
0938 
0939     state = audit_filter_task(tsk, &key);
0940     if (state == AUDIT_DISABLED) {
0941         clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
0942         return 0;
0943     }
0944 
0945     if (!(context = audit_alloc_context(state))) {
0946         kfree(key);
0947         audit_log_lost("out of memory in audit_alloc");
0948         return -ENOMEM;
0949     }
0950     context->filterkey = key;
0951 
0952     tsk->audit_context  = context;
0953     set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
0954     return 0;
0955 }
0956 
0957 static inline void audit_free_context(struct audit_context *context)
0958 {
0959     audit_free_names(context);
0960     unroll_tree_refs(context, NULL, 0);
0961     free_tree_refs(context);
0962     audit_free_aux(context);
0963     kfree(context->filterkey);
0964     kfree(context->sockaddr);
0965     audit_proctitle_free(context);
0966     kfree(context);
0967 }
0968 
0969 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
0970                  kuid_t auid, kuid_t uid, unsigned int sessionid,
0971                  u32 sid, char *comm)
0972 {
0973     struct audit_buffer *ab;
0974     char *ctx = NULL;
0975     u32 len;
0976     int rc = 0;
0977 
0978     ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
0979     if (!ab)
0980         return rc;
0981 
0982     audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
0983              from_kuid(&init_user_ns, auid),
0984              from_kuid(&init_user_ns, uid), sessionid);
0985     if (sid) {
0986         if (security_secid_to_secctx(sid, &ctx, &len)) {
0987             audit_log_format(ab, " obj=(none)");
0988             rc = 1;
0989         } else {
0990             audit_log_format(ab, " obj=%s", ctx);
0991             security_release_secctx(ctx, len);
0992         }
0993     }
0994     audit_log_format(ab, " ocomm=");
0995     audit_log_untrustedstring(ab, comm);
0996     audit_log_end(ab);
0997 
0998     return rc;
0999 }
1000 
1001 static void audit_log_execve_info(struct audit_context *context,
1002                   struct audit_buffer **ab)
1003 {
1004     long len_max;
1005     long len_rem;
1006     long len_full;
1007     long len_buf;
1008     long len_abuf = 0;
1009     long len_tmp;
1010     bool require_data;
1011     bool encode;
1012     unsigned int iter;
1013     unsigned int arg;
1014     char *buf_head;
1015     char *buf;
1016     const char __user *p = (const char __user *)current->mm->arg_start;
1017 
1018     /* NOTE: this buffer needs to be large enough to hold all the non-arg
1019      *       data we put in the audit record for this argument (see the
1020      *       code below) ... at this point in time 96 is plenty */
1021     char abuf[96];
1022 
1023     /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1024      *       current value of 7500 is not as important as the fact that it
1025      *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1026      *       room if we go over a little bit in the logging below */
1027     WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1028     len_max = MAX_EXECVE_AUDIT_LEN;
1029 
1030     /* scratch buffer to hold the userspace args */
1031     buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1032     if (!buf_head) {
1033         audit_panic("out of memory for argv string");
1034         return;
1035     }
1036     buf = buf_head;
1037 
1038     audit_log_format(*ab, "argc=%d", context->execve.argc);
1039 
1040     len_rem = len_max;
1041     len_buf = 0;
1042     len_full = 0;
1043     require_data = true;
1044     encode = false;
1045     iter = 0;
1046     arg = 0;
1047     do {
1048         /* NOTE: we don't ever want to trust this value for anything
1049          *       serious, but the audit record format insists we
1050          *       provide an argument length for really long arguments,
1051          *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1052          *       to use strncpy_from_user() to obtain this value for
1053          *       recording in the log, although we don't use it
1054          *       anywhere here to avoid a double-fetch problem */
1055         if (len_full == 0)
1056             len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1057 
1058         /* read more data from userspace */
1059         if (require_data) {
1060             /* can we make more room in the buffer? */
1061             if (buf != buf_head) {
1062                 memmove(buf_head, buf, len_buf);
1063                 buf = buf_head;
1064             }
1065 
1066             /* fetch as much as we can of the argument */
1067             len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1068                             len_max - len_buf);
1069             if (len_tmp == -EFAULT) {
1070                 /* unable to copy from userspace */
1071                 send_sig(SIGKILL, current, 0);
1072                 goto out;
1073             } else if (len_tmp == (len_max - len_buf)) {
1074                 /* buffer is not large enough */
1075                 require_data = true;
1076                 /* NOTE: if we are going to span multiple
1077                  *       buffers force the encoding so we stand
1078                  *       a chance at a sane len_full value and
1079                  *       consistent record encoding */
1080                 encode = true;
1081                 len_full = len_full * 2;
1082                 p += len_tmp;
1083             } else {
1084                 require_data = false;
1085                 if (!encode)
1086                     encode = audit_string_contains_control(
1087                                 buf, len_tmp);
1088                 /* try to use a trusted value for len_full */
1089                 if (len_full < len_max)
1090                     len_full = (encode ?
1091                             len_tmp * 2 : len_tmp);
1092                 p += len_tmp + 1;
1093             }
1094             len_buf += len_tmp;
1095             buf_head[len_buf] = '\0';
1096 
1097             /* length of the buffer in the audit record? */
1098             len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1099         }
1100 
1101         /* write as much as we can to the audit log */
1102         if (len_buf > 0) {
1103             /* NOTE: some magic numbers here - basically if we
1104              *       can't fit a reasonable amount of data into the
1105              *       existing audit buffer, flush it and start with
1106              *       a new buffer */
1107             if ((sizeof(abuf) + 8) > len_rem) {
1108                 len_rem = len_max;
1109                 audit_log_end(*ab);
1110                 *ab = audit_log_start(context,
1111                               GFP_KERNEL, AUDIT_EXECVE);
1112                 if (!*ab)
1113                     goto out;
1114             }
1115 
1116             /* create the non-arg portion of the arg record */
1117             len_tmp = 0;
1118             if (require_data || (iter > 0) ||
1119                 ((len_abuf + sizeof(abuf)) > len_rem)) {
1120                 if (iter == 0) {
1121                     len_tmp += snprintf(&abuf[len_tmp],
1122                             sizeof(abuf) - len_tmp,
1123                             " a%d_len=%lu",
1124                             arg, len_full);
1125                 }
1126                 len_tmp += snprintf(&abuf[len_tmp],
1127                             sizeof(abuf) - len_tmp,
1128                             " a%d[%d]=", arg, iter++);
1129             } else
1130                 len_tmp += snprintf(&abuf[len_tmp],
1131                             sizeof(abuf) - len_tmp,
1132                             " a%d=", arg);
1133             WARN_ON(len_tmp >= sizeof(abuf));
1134             abuf[sizeof(abuf) - 1] = '\0';
1135 
1136             /* log the arg in the audit record */
1137             audit_log_format(*ab, "%s", abuf);
1138             len_rem -= len_tmp;
1139             len_tmp = len_buf;
1140             if (encode) {
1141                 if (len_abuf > len_rem)
1142                     len_tmp = len_rem / 2; /* encoding */
1143                 audit_log_n_hex(*ab, buf, len_tmp);
1144                 len_rem -= len_tmp * 2;
1145                 len_abuf -= len_tmp * 2;
1146             } else {
1147                 if (len_abuf > len_rem)
1148                     len_tmp = len_rem - 2; /* quotes */
1149                 audit_log_n_string(*ab, buf, len_tmp);
1150                 len_rem -= len_tmp + 2;
1151                 /* don't subtract the "2" because we still need
1152                  * to add quotes to the remaining string */
1153                 len_abuf -= len_tmp;
1154             }
1155             len_buf -= len_tmp;
1156             buf += len_tmp;
1157         }
1158 
1159         /* ready to move to the next argument? */
1160         if ((len_buf == 0) && !require_data) {
1161             arg++;
1162             iter = 0;
1163             len_full = 0;
1164             require_data = true;
1165             encode = false;
1166         }
1167     } while (arg < context->execve.argc);
1168 
1169     /* NOTE: the caller handles the final audit_log_end() call */
1170 
1171 out:
1172     kfree(buf_head);
1173 }
1174 
1175 static void show_special(struct audit_context *context, int *call_panic)
1176 {
1177     struct audit_buffer *ab;
1178     int i;
1179 
1180     ab = audit_log_start(context, GFP_KERNEL, context->type);
1181     if (!ab)
1182         return;
1183 
1184     switch (context->type) {
1185     case AUDIT_SOCKETCALL: {
1186         int nargs = context->socketcall.nargs;
1187         audit_log_format(ab, "nargs=%d", nargs);
1188         for (i = 0; i < nargs; i++)
1189             audit_log_format(ab, " a%d=%lx", i,
1190                 context->socketcall.args[i]);
1191         break; }
1192     case AUDIT_IPC: {
1193         u32 osid = context->ipc.osid;
1194 
1195         audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1196                  from_kuid(&init_user_ns, context->ipc.uid),
1197                  from_kgid(&init_user_ns, context->ipc.gid),
1198                  context->ipc.mode);
1199         if (osid) {
1200             char *ctx = NULL;
1201             u32 len;
1202             if (security_secid_to_secctx(osid, &ctx, &len)) {
1203                 audit_log_format(ab, " osid=%u", osid);
1204                 *call_panic = 1;
1205             } else {
1206                 audit_log_format(ab, " obj=%s", ctx);
1207                 security_release_secctx(ctx, len);
1208             }
1209         }
1210         if (context->ipc.has_perm) {
1211             audit_log_end(ab);
1212             ab = audit_log_start(context, GFP_KERNEL,
1213                          AUDIT_IPC_SET_PERM);
1214             if (unlikely(!ab))
1215                 return;
1216             audit_log_format(ab,
1217                 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1218                 context->ipc.qbytes,
1219                 context->ipc.perm_uid,
1220                 context->ipc.perm_gid,
1221                 context->ipc.perm_mode);
1222         }
1223         break; }
1224     case AUDIT_MQ_OPEN: {
1225         audit_log_format(ab,
1226             "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1227             "mq_msgsize=%ld mq_curmsgs=%ld",
1228             context->mq_open.oflag, context->mq_open.mode,
1229             context->mq_open.attr.mq_flags,
1230             context->mq_open.attr.mq_maxmsg,
1231             context->mq_open.attr.mq_msgsize,
1232             context->mq_open.attr.mq_curmsgs);
1233         break; }
1234     case AUDIT_MQ_SENDRECV: {
1235         audit_log_format(ab,
1236             "mqdes=%d msg_len=%zd msg_prio=%u "
1237             "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1238             context->mq_sendrecv.mqdes,
1239             context->mq_sendrecv.msg_len,
1240             context->mq_sendrecv.msg_prio,
1241             context->mq_sendrecv.abs_timeout.tv_sec,
1242             context->mq_sendrecv.abs_timeout.tv_nsec);
1243         break; }
1244     case AUDIT_MQ_NOTIFY: {
1245         audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1246                 context->mq_notify.mqdes,
1247                 context->mq_notify.sigev_signo);
1248         break; }
1249     case AUDIT_MQ_GETSETATTR: {
1250         struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1251         audit_log_format(ab,
1252             "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1253             "mq_curmsgs=%ld ",
1254             context->mq_getsetattr.mqdes,
1255             attr->mq_flags, attr->mq_maxmsg,
1256             attr->mq_msgsize, attr->mq_curmsgs);
1257         break; }
1258     case AUDIT_CAPSET: {
1259         audit_log_format(ab, "pid=%d", context->capset.pid);
1260         audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1261         audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1262         audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1263         break; }
1264     case AUDIT_MMAP: {
1265         audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1266                  context->mmap.flags);
1267         break; }
1268     case AUDIT_EXECVE: {
1269         audit_log_execve_info(context, &ab);
1270         break; }
1271     }
1272     audit_log_end(ab);
1273 }
1274 
1275 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1276 {
1277     char *end = proctitle + len - 1;
1278     while (end > proctitle && !isprint(*end))
1279         end--;
1280 
1281     /* catch the case where proctitle is only 1 non-print character */
1282     len = end - proctitle + 1;
1283     len -= isprint(proctitle[len-1]) == 0;
1284     return len;
1285 }
1286 
1287 static void audit_log_proctitle(struct task_struct *tsk,
1288              struct audit_context *context)
1289 {
1290     int res;
1291     char *buf;
1292     char *msg = "(null)";
1293     int len = strlen(msg);
1294     struct audit_buffer *ab;
1295 
1296     ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1297     if (!ab)
1298         return; /* audit_panic or being filtered */
1299 
1300     audit_log_format(ab, "proctitle=");
1301 
1302     /* Not  cached */
1303     if (!context->proctitle.value) {
1304         buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1305         if (!buf)
1306             goto out;
1307         /* Historically called this from procfs naming */
1308         res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1309         if (res == 0) {
1310             kfree(buf);
1311             goto out;
1312         }
1313         res = audit_proctitle_rtrim(buf, res);
1314         if (res == 0) {
1315             kfree(buf);
1316             goto out;
1317         }
1318         context->proctitle.value = buf;
1319         context->proctitle.len = res;
1320     }
1321     msg = context->proctitle.value;
1322     len = context->proctitle.len;
1323 out:
1324     audit_log_n_untrustedstring(ab, msg, len);
1325     audit_log_end(ab);
1326 }
1327 
1328 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1329 {
1330     int i, call_panic = 0;
1331     struct audit_buffer *ab;
1332     struct audit_aux_data *aux;
1333     struct audit_names *n;
1334 
1335     /* tsk == current */
1336     context->personality = tsk->personality;
1337 
1338     ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1339     if (!ab)
1340         return;     /* audit_panic has been called */
1341     audit_log_format(ab, "arch=%x syscall=%d",
1342              context->arch, context->major);
1343     if (context->personality != PER_LINUX)
1344         audit_log_format(ab, " per=%lx", context->personality);
1345     if (context->return_valid)
1346         audit_log_format(ab, " success=%s exit=%ld",
1347                  (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1348                  context->return_code);
1349 
1350     audit_log_format(ab,
1351              " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1352              context->argv[0],
1353              context->argv[1],
1354              context->argv[2],
1355              context->argv[3],
1356              context->name_count);
1357 
1358     audit_log_task_info(ab, tsk);
1359     audit_log_key(ab, context->filterkey);
1360     audit_log_end(ab);
1361 
1362     for (aux = context->aux; aux; aux = aux->next) {
1363 
1364         ab = audit_log_start(context, GFP_KERNEL, aux->type);
1365         if (!ab)
1366             continue; /* audit_panic has been called */
1367 
1368         switch (aux->type) {
1369 
1370         case AUDIT_BPRM_FCAPS: {
1371             struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1372             audit_log_format(ab, "fver=%x", axs->fcap_ver);
1373             audit_log_cap(ab, "fp", &axs->fcap.permitted);
1374             audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1375             audit_log_format(ab, " fe=%d", axs->fcap.fE);
1376             audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1377             audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1378             audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1379             audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1380             audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1381             audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1382             break; }
1383 
1384         }
1385         audit_log_end(ab);
1386     }
1387 
1388     if (context->type)
1389         show_special(context, &call_panic);
1390 
1391     if (context->fds[0] >= 0) {
1392         ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1393         if (ab) {
1394             audit_log_format(ab, "fd0=%d fd1=%d",
1395                     context->fds[0], context->fds[1]);
1396             audit_log_end(ab);
1397         }
1398     }
1399 
1400     if (context->sockaddr_len) {
1401         ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1402         if (ab) {
1403             audit_log_format(ab, "saddr=");
1404             audit_log_n_hex(ab, (void *)context->sockaddr,
1405                     context->sockaddr_len);
1406             audit_log_end(ab);
1407         }
1408     }
1409 
1410     for (aux = context->aux_pids; aux; aux = aux->next) {
1411         struct audit_aux_data_pids *axs = (void *)aux;
1412 
1413         for (i = 0; i < axs->pid_count; i++)
1414             if (audit_log_pid_context(context, axs->target_pid[i],
1415                           axs->target_auid[i],
1416                           axs->target_uid[i],
1417                           axs->target_sessionid[i],
1418                           axs->target_sid[i],
1419                           axs->target_comm[i]))
1420                 call_panic = 1;
1421     }
1422 
1423     if (context->target_pid &&
1424         audit_log_pid_context(context, context->target_pid,
1425                   context->target_auid, context->target_uid,
1426                   context->target_sessionid,
1427                   context->target_sid, context->target_comm))
1428             call_panic = 1;
1429 
1430     if (context->pwd.dentry && context->pwd.mnt) {
1431         ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1432         if (ab) {
1433             audit_log_d_path(ab, "cwd=", &context->pwd);
1434             audit_log_end(ab);
1435         }
1436     }
1437 
1438     i = 0;
1439     list_for_each_entry(n, &context->names_list, list) {
1440         if (n->hidden)
1441             continue;
1442         audit_log_name(context, n, NULL, i++, &call_panic);
1443     }
1444 
1445     audit_log_proctitle(tsk, context);
1446 
1447     /* Send end of event record to help user space know we are finished */
1448     ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1449     if (ab)
1450         audit_log_end(ab);
1451     if (call_panic)
1452         audit_panic("error converting sid to string");
1453 }
1454 
1455 /**
1456  * audit_free - free a per-task audit context
1457  * @tsk: task whose audit context block to free
1458  *
1459  * Called from copy_process and do_exit
1460  */
1461 void __audit_free(struct task_struct *tsk)
1462 {
1463     struct audit_context *context;
1464 
1465     context = audit_take_context(tsk, 0, 0);
1466     if (!context)
1467         return;
1468 
1469     /* Check for system calls that do not go through the exit
1470      * function (e.g., exit_group), then free context block.
1471      * We use GFP_ATOMIC here because we might be doing this
1472      * in the context of the idle thread */
1473     /* that can happen only if we are called from do_exit() */
1474     if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1475         audit_log_exit(context, tsk);
1476     if (!list_empty(&context->killed_trees))
1477         audit_kill_trees(&context->killed_trees);
1478 
1479     audit_free_context(context);
1480 }
1481 
1482 /**
1483  * audit_syscall_entry - fill in an audit record at syscall entry
1484  * @major: major syscall type (function)
1485  * @a1: additional syscall register 1
1486  * @a2: additional syscall register 2
1487  * @a3: additional syscall register 3
1488  * @a4: additional syscall register 4
1489  *
1490  * Fill in audit context at syscall entry.  This only happens if the
1491  * audit context was created when the task was created and the state or
1492  * filters demand the audit context be built.  If the state from the
1493  * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1494  * then the record will be written at syscall exit time (otherwise, it
1495  * will only be written if another part of the kernel requests that it
1496  * be written).
1497  */
1498 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1499                unsigned long a3, unsigned long a4)
1500 {
1501     struct task_struct *tsk = current;
1502     struct audit_context *context = tsk->audit_context;
1503     enum audit_state     state;
1504 
1505     if (!context)
1506         return;
1507 
1508     BUG_ON(context->in_syscall || context->name_count);
1509 
1510     if (!audit_enabled)
1511         return;
1512 
1513     context->arch       = syscall_get_arch();
1514     context->major      = major;
1515     context->argv[0]    = a1;
1516     context->argv[1]    = a2;
1517     context->argv[2]    = a3;
1518     context->argv[3]    = a4;
1519 
1520     state = context->state;
1521     context->dummy = !audit_n_rules;
1522     if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1523         context->prio = 0;
1524         state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1525     }
1526     if (state == AUDIT_DISABLED)
1527         return;
1528 
1529     context->serial     = 0;
1530     context->ctime      = CURRENT_TIME;
1531     context->in_syscall = 1;
1532     context->current_state  = state;
1533     context->ppid       = 0;
1534 }
1535 
1536 /**
1537  * audit_syscall_exit - deallocate audit context after a system call
1538  * @success: success value of the syscall
1539  * @return_code: return value of the syscall
1540  *
1541  * Tear down after system call.  If the audit context has been marked as
1542  * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1543  * filtering, or because some other part of the kernel wrote an audit
1544  * message), then write out the syscall information.  In call cases,
1545  * free the names stored from getname().
1546  */
1547 void __audit_syscall_exit(int success, long return_code)
1548 {
1549     struct task_struct *tsk = current;
1550     struct audit_context *context;
1551 
1552     if (success)
1553         success = AUDITSC_SUCCESS;
1554     else
1555         success = AUDITSC_FAILURE;
1556 
1557     context = audit_take_context(tsk, success, return_code);
1558     if (!context)
1559         return;
1560 
1561     if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1562         audit_log_exit(context, tsk);
1563 
1564     context->in_syscall = 0;
1565     context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1566 
1567     if (!list_empty(&context->killed_trees))
1568         audit_kill_trees(&context->killed_trees);
1569 
1570     audit_free_names(context);
1571     unroll_tree_refs(context, NULL, 0);
1572     audit_free_aux(context);
1573     context->aux = NULL;
1574     context->aux_pids = NULL;
1575     context->target_pid = 0;
1576     context->target_sid = 0;
1577     context->sockaddr_len = 0;
1578     context->type = 0;
1579     context->fds[0] = -1;
1580     if (context->state != AUDIT_RECORD_CONTEXT) {
1581         kfree(context->filterkey);
1582         context->filterkey = NULL;
1583     }
1584     tsk->audit_context = context;
1585 }
1586 
1587 static inline void handle_one(const struct inode *inode)
1588 {
1589 #ifdef CONFIG_AUDIT_TREE
1590     struct audit_context *context;
1591     struct audit_tree_refs *p;
1592     struct audit_chunk *chunk;
1593     int count;
1594     if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1595         return;
1596     context = current->audit_context;
1597     p = context->trees;
1598     count = context->tree_count;
1599     rcu_read_lock();
1600     chunk = audit_tree_lookup(inode);
1601     rcu_read_unlock();
1602     if (!chunk)
1603         return;
1604     if (likely(put_tree_ref(context, chunk)))
1605         return;
1606     if (unlikely(!grow_tree_refs(context))) {
1607         pr_warn("out of memory, audit has lost a tree reference\n");
1608         audit_set_auditable(context);
1609         audit_put_chunk(chunk);
1610         unroll_tree_refs(context, p, count);
1611         return;
1612     }
1613     put_tree_ref(context, chunk);
1614 #endif
1615 }
1616 
1617 static void handle_path(const struct dentry *dentry)
1618 {
1619 #ifdef CONFIG_AUDIT_TREE
1620     struct audit_context *context;
1621     struct audit_tree_refs *p;
1622     const struct dentry *d, *parent;
1623     struct audit_chunk *drop;
1624     unsigned long seq;
1625     int count;
1626 
1627     context = current->audit_context;
1628     p = context->trees;
1629     count = context->tree_count;
1630 retry:
1631     drop = NULL;
1632     d = dentry;
1633     rcu_read_lock();
1634     seq = read_seqbegin(&rename_lock);
1635     for(;;) {
1636         struct inode *inode = d_backing_inode(d);
1637         if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1638             struct audit_chunk *chunk;
1639             chunk = audit_tree_lookup(inode);
1640             if (chunk) {
1641                 if (unlikely(!put_tree_ref(context, chunk))) {
1642                     drop = chunk;
1643                     break;
1644                 }
1645             }
1646         }
1647         parent = d->d_parent;
1648         if (parent == d)
1649             break;
1650         d = parent;
1651     }
1652     if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1653         rcu_read_unlock();
1654         if (!drop) {
1655             /* just a race with rename */
1656             unroll_tree_refs(context, p, count);
1657             goto retry;
1658         }
1659         audit_put_chunk(drop);
1660         if (grow_tree_refs(context)) {
1661             /* OK, got more space */
1662             unroll_tree_refs(context, p, count);
1663             goto retry;
1664         }
1665         /* too bad */
1666         pr_warn("out of memory, audit has lost a tree reference\n");
1667         unroll_tree_refs(context, p, count);
1668         audit_set_auditable(context);
1669         return;
1670     }
1671     rcu_read_unlock();
1672 #endif
1673 }
1674 
1675 static struct audit_names *audit_alloc_name(struct audit_context *context,
1676                         unsigned char type)
1677 {
1678     struct audit_names *aname;
1679 
1680     if (context->name_count < AUDIT_NAMES) {
1681         aname = &context->preallocated_names[context->name_count];
1682         memset(aname, 0, sizeof(*aname));
1683     } else {
1684         aname = kzalloc(sizeof(*aname), GFP_NOFS);
1685         if (!aname)
1686             return NULL;
1687         aname->should_free = true;
1688     }
1689 
1690     aname->ino = AUDIT_INO_UNSET;
1691     aname->type = type;
1692     list_add_tail(&aname->list, &context->names_list);
1693 
1694     context->name_count++;
1695     return aname;
1696 }
1697 
1698 /**
1699  * audit_reusename - fill out filename with info from existing entry
1700  * @uptr: userland ptr to pathname
1701  *
1702  * Search the audit_names list for the current audit context. If there is an
1703  * existing entry with a matching "uptr" then return the filename
1704  * associated with that audit_name. If not, return NULL.
1705  */
1706 struct filename *
1707 __audit_reusename(const __user char *uptr)
1708 {
1709     struct audit_context *context = current->audit_context;
1710     struct audit_names *n;
1711 
1712     list_for_each_entry(n, &context->names_list, list) {
1713         if (!n->name)
1714             continue;
1715         if (n->name->uptr == uptr) {
1716             n->name->refcnt++;
1717             return n->name;
1718         }
1719     }
1720     return NULL;
1721 }
1722 
1723 /**
1724  * audit_getname - add a name to the list
1725  * @name: name to add
1726  *
1727  * Add a name to the list of audit names for this context.
1728  * Called from fs/namei.c:getname().
1729  */
1730 void __audit_getname(struct filename *name)
1731 {
1732     struct audit_context *context = current->audit_context;
1733     struct audit_names *n;
1734 
1735     if (!context->in_syscall)
1736         return;
1737 
1738     n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1739     if (!n)
1740         return;
1741 
1742     n->name = name;
1743     n->name_len = AUDIT_NAME_FULL;
1744     name->aname = n;
1745     name->refcnt++;
1746 
1747     if (!context->pwd.dentry)
1748         get_fs_pwd(current->fs, &context->pwd);
1749 }
1750 
1751 /**
1752  * __audit_inode - store the inode and device from a lookup
1753  * @name: name being audited
1754  * @dentry: dentry being audited
1755  * @flags: attributes for this particular entry
1756  */
1757 void __audit_inode(struct filename *name, const struct dentry *dentry,
1758            unsigned int flags)
1759 {
1760     struct audit_context *context = current->audit_context;
1761     struct inode *inode = d_backing_inode(dentry);
1762     struct audit_names *n;
1763     bool parent = flags & AUDIT_INODE_PARENT;
1764 
1765     if (!context->in_syscall)
1766         return;
1767 
1768     if (!name)
1769         goto out_alloc;
1770 
1771     /*
1772      * If we have a pointer to an audit_names entry already, then we can
1773      * just use it directly if the type is correct.
1774      */
1775     n = name->aname;
1776     if (n) {
1777         if (parent) {
1778             if (n->type == AUDIT_TYPE_PARENT ||
1779                 n->type == AUDIT_TYPE_UNKNOWN)
1780                 goto out;
1781         } else {
1782             if (n->type != AUDIT_TYPE_PARENT)
1783                 goto out;
1784         }
1785     }
1786 
1787     list_for_each_entry_reverse(n, &context->names_list, list) {
1788         if (n->ino) {
1789             /* valid inode number, use that for the comparison */
1790             if (n->ino != inode->i_ino ||
1791                 n->dev != inode->i_sb->s_dev)
1792                 continue;
1793         } else if (n->name) {
1794             /* inode number has not been set, check the name */
1795             if (strcmp(n->name->name, name->name))
1796                 continue;
1797         } else
1798             /* no inode and no name (?!) ... this is odd ... */
1799             continue;
1800 
1801         /* match the correct record type */
1802         if (parent) {
1803             if (n->type == AUDIT_TYPE_PARENT ||
1804                 n->type == AUDIT_TYPE_UNKNOWN)
1805                 goto out;
1806         } else {
1807             if (n->type != AUDIT_TYPE_PARENT)
1808                 goto out;
1809         }
1810     }
1811 
1812 out_alloc:
1813     /* unable to find an entry with both a matching name and type */
1814     n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1815     if (!n)
1816         return;
1817     if (name) {
1818         n->name = name;
1819         name->refcnt++;
1820     }
1821 
1822 out:
1823     if (parent) {
1824         n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1825         n->type = AUDIT_TYPE_PARENT;
1826         if (flags & AUDIT_INODE_HIDDEN)
1827             n->hidden = true;
1828     } else {
1829         n->name_len = AUDIT_NAME_FULL;
1830         n->type = AUDIT_TYPE_NORMAL;
1831     }
1832     handle_path(dentry);
1833     audit_copy_inode(n, dentry, inode);
1834 }
1835 
1836 void __audit_file(const struct file *file)
1837 {
1838     __audit_inode(NULL, file->f_path.dentry, 0);
1839 }
1840 
1841 /**
1842  * __audit_inode_child - collect inode info for created/removed objects
1843  * @parent: inode of dentry parent
1844  * @dentry: dentry being audited
1845  * @type:   AUDIT_TYPE_* value that we're looking for
1846  *
1847  * For syscalls that create or remove filesystem objects, audit_inode
1848  * can only collect information for the filesystem object's parent.
1849  * This call updates the audit context with the child's information.
1850  * Syscalls that create a new filesystem object must be hooked after
1851  * the object is created.  Syscalls that remove a filesystem object
1852  * must be hooked prior, in order to capture the target inode during
1853  * unsuccessful attempts.
1854  */
1855 void __audit_inode_child(struct inode *parent,
1856              const struct dentry *dentry,
1857              const unsigned char type)
1858 {
1859     struct audit_context *context = current->audit_context;
1860     struct inode *inode = d_backing_inode(dentry);
1861     const char *dname = dentry->d_name.name;
1862     struct audit_names *n, *found_parent = NULL, *found_child = NULL;
1863 
1864     if (!context->in_syscall)
1865         return;
1866 
1867     if (inode)
1868         handle_one(inode);
1869 
1870     /* look for a parent entry first */
1871     list_for_each_entry(n, &context->names_list, list) {
1872         if (!n->name ||
1873             (n->type != AUDIT_TYPE_PARENT &&
1874              n->type != AUDIT_TYPE_UNKNOWN))
1875             continue;
1876 
1877         if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
1878             !audit_compare_dname_path(dname,
1879                           n->name->name, n->name_len)) {
1880             if (n->type == AUDIT_TYPE_UNKNOWN)
1881                 n->type = AUDIT_TYPE_PARENT;
1882             found_parent = n;
1883             break;
1884         }
1885     }
1886 
1887     /* is there a matching child entry? */
1888     list_for_each_entry(n, &context->names_list, list) {
1889         /* can only match entries that have a name */
1890         if (!n->name ||
1891             (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
1892             continue;
1893 
1894         if (!strcmp(dname, n->name->name) ||
1895             !audit_compare_dname_path(dname, n->name->name,
1896                         found_parent ?
1897                         found_parent->name_len :
1898                         AUDIT_NAME_FULL)) {
1899             if (n->type == AUDIT_TYPE_UNKNOWN)
1900                 n->type = type;
1901             found_child = n;
1902             break;
1903         }
1904     }
1905 
1906     if (!found_parent) {
1907         /* create a new, "anonymous" parent record */
1908         n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1909         if (!n)
1910             return;
1911         audit_copy_inode(n, NULL, parent);
1912     }
1913 
1914     if (!found_child) {
1915         found_child = audit_alloc_name(context, type);
1916         if (!found_child)
1917             return;
1918 
1919         /* Re-use the name belonging to the slot for a matching parent
1920          * directory. All names for this context are relinquished in
1921          * audit_free_names() */
1922         if (found_parent) {
1923             found_child->name = found_parent->name;
1924             found_child->name_len = AUDIT_NAME_FULL;
1925             found_child->name->refcnt++;
1926         }
1927     }
1928 
1929     if (inode)
1930         audit_copy_inode(found_child, dentry, inode);
1931     else
1932         found_child->ino = AUDIT_INO_UNSET;
1933 }
1934 EXPORT_SYMBOL_GPL(__audit_inode_child);
1935 
1936 /**
1937  * auditsc_get_stamp - get local copies of audit_context values
1938  * @ctx: audit_context for the task
1939  * @t: timespec to store time recorded in the audit_context
1940  * @serial: serial value that is recorded in the audit_context
1941  *
1942  * Also sets the context as auditable.
1943  */
1944 int auditsc_get_stamp(struct audit_context *ctx,
1945                struct timespec *t, unsigned int *serial)
1946 {
1947     if (!ctx->in_syscall)
1948         return 0;
1949     if (!ctx->serial)
1950         ctx->serial = audit_serial();
1951     t->tv_sec  = ctx->ctime.tv_sec;
1952     t->tv_nsec = ctx->ctime.tv_nsec;
1953     *serial    = ctx->serial;
1954     if (!ctx->prio) {
1955         ctx->prio = 1;
1956         ctx->current_state = AUDIT_RECORD_CONTEXT;
1957     }
1958     return 1;
1959 }
1960 
1961 /* global counter which is incremented every time something logs in */
1962 static atomic_t session_id = ATOMIC_INIT(0);
1963 
1964 static int audit_set_loginuid_perm(kuid_t loginuid)
1965 {
1966     /* if we are unset, we don't need privs */
1967     if (!audit_loginuid_set(current))
1968         return 0;
1969     /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
1970     if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
1971         return -EPERM;
1972     /* it is set, you need permission */
1973     if (!capable(CAP_AUDIT_CONTROL))
1974         return -EPERM;
1975     /* reject if this is not an unset and we don't allow that */
1976     if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
1977         return -EPERM;
1978     return 0;
1979 }
1980 
1981 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
1982                    unsigned int oldsessionid, unsigned int sessionid,
1983                    int rc)
1984 {
1985     struct audit_buffer *ab;
1986     uid_t uid, oldloginuid, loginuid;
1987     struct tty_struct *tty;
1988 
1989     if (!audit_enabled)
1990         return;
1991 
1992     ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1993     if (!ab)
1994         return;
1995 
1996     uid = from_kuid(&init_user_ns, task_uid(current));
1997     oldloginuid = from_kuid(&init_user_ns, koldloginuid);
1998     loginuid = from_kuid(&init_user_ns, kloginuid),
1999     tty = audit_get_tty(current);
2000 
2001     audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
2002     audit_log_task_context(ab);
2003     audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
2004              oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
2005              oldsessionid, sessionid, !rc);
2006     audit_put_tty(tty);
2007     audit_log_end(ab);
2008 }
2009 
2010 /**
2011  * audit_set_loginuid - set current task's audit_context loginuid
2012  * @loginuid: loginuid value
2013  *
2014  * Returns 0.
2015  *
2016  * Called (set) from fs/proc/base.c::proc_loginuid_write().
2017  */
2018 int audit_set_loginuid(kuid_t loginuid)
2019 {
2020     struct task_struct *task = current;
2021     unsigned int oldsessionid, sessionid = (unsigned int)-1;
2022     kuid_t oldloginuid;
2023     int rc;
2024 
2025     oldloginuid = audit_get_loginuid(current);
2026     oldsessionid = audit_get_sessionid(current);
2027 
2028     rc = audit_set_loginuid_perm(loginuid);
2029     if (rc)
2030         goto out;
2031 
2032     /* are we setting or clearing? */
2033     if (uid_valid(loginuid)) {
2034         sessionid = (unsigned int)atomic_inc_return(&session_id);
2035         if (unlikely(sessionid == (unsigned int)-1))
2036             sessionid = (unsigned int)atomic_inc_return(&session_id);
2037     }
2038 
2039     task->sessionid = sessionid;
2040     task->loginuid = loginuid;
2041 out:
2042     audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2043     return rc;
2044 }
2045 
2046 /**
2047  * __audit_mq_open - record audit data for a POSIX MQ open
2048  * @oflag: open flag
2049  * @mode: mode bits
2050  * @attr: queue attributes
2051  *
2052  */
2053 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2054 {
2055     struct audit_context *context = current->audit_context;
2056 
2057     if (attr)
2058         memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2059     else
2060         memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2061 
2062     context->mq_open.oflag = oflag;
2063     context->mq_open.mode = mode;
2064 
2065     context->type = AUDIT_MQ_OPEN;
2066 }
2067 
2068 /**
2069  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2070  * @mqdes: MQ descriptor
2071  * @msg_len: Message length
2072  * @msg_prio: Message priority
2073  * @abs_timeout: Message timeout in absolute time
2074  *
2075  */
2076 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2077             const struct timespec *abs_timeout)
2078 {
2079     struct audit_context *context = current->audit_context;
2080     struct timespec *p = &context->mq_sendrecv.abs_timeout;
2081 
2082     if (abs_timeout)
2083         memcpy(p, abs_timeout, sizeof(struct timespec));
2084     else
2085         memset(p, 0, sizeof(struct timespec));
2086 
2087     context->mq_sendrecv.mqdes = mqdes;
2088     context->mq_sendrecv.msg_len = msg_len;
2089     context->mq_sendrecv.msg_prio = msg_prio;
2090 
2091     context->type = AUDIT_MQ_SENDRECV;
2092 }
2093 
2094 /**
2095  * __audit_mq_notify - record audit data for a POSIX MQ notify
2096  * @mqdes: MQ descriptor
2097  * @notification: Notification event
2098  *
2099  */
2100 
2101 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2102 {
2103     struct audit_context *context = current->audit_context;
2104 
2105     if (notification)
2106         context->mq_notify.sigev_signo = notification->sigev_signo;
2107     else
2108         context->mq_notify.sigev_signo = 0;
2109 
2110     context->mq_notify.mqdes = mqdes;
2111     context->type = AUDIT_MQ_NOTIFY;
2112 }
2113 
2114 /**
2115  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2116  * @mqdes: MQ descriptor
2117  * @mqstat: MQ flags
2118  *
2119  */
2120 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2121 {
2122     struct audit_context *context = current->audit_context;
2123     context->mq_getsetattr.mqdes = mqdes;
2124     context->mq_getsetattr.mqstat = *mqstat;
2125     context->type = AUDIT_MQ_GETSETATTR;
2126 }
2127 
2128 /**
2129  * audit_ipc_obj - record audit data for ipc object
2130  * @ipcp: ipc permissions
2131  *
2132  */
2133 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2134 {
2135     struct audit_context *context = current->audit_context;
2136     context->ipc.uid = ipcp->uid;
2137     context->ipc.gid = ipcp->gid;
2138     context->ipc.mode = ipcp->mode;
2139     context->ipc.has_perm = 0;
2140     security_ipc_getsecid(ipcp, &context->ipc.osid);
2141     context->type = AUDIT_IPC;
2142 }
2143 
2144 /**
2145  * audit_ipc_set_perm - record audit data for new ipc permissions
2146  * @qbytes: msgq bytes
2147  * @uid: msgq user id
2148  * @gid: msgq group id
2149  * @mode: msgq mode (permissions)
2150  *
2151  * Called only after audit_ipc_obj().
2152  */
2153 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2154 {
2155     struct audit_context *context = current->audit_context;
2156 
2157     context->ipc.qbytes = qbytes;
2158     context->ipc.perm_uid = uid;
2159     context->ipc.perm_gid = gid;
2160     context->ipc.perm_mode = mode;
2161     context->ipc.has_perm = 1;
2162 }
2163 
2164 void __audit_bprm(struct linux_binprm *bprm)
2165 {
2166     struct audit_context *context = current->audit_context;
2167 
2168     context->type = AUDIT_EXECVE;
2169     context->execve.argc = bprm->argc;
2170 }
2171 
2172 
2173 /**
2174  * audit_socketcall - record audit data for sys_socketcall
2175  * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2176  * @args: args array
2177  *
2178  */
2179 int __audit_socketcall(int nargs, unsigned long *args)
2180 {
2181     struct audit_context *context = current->audit_context;
2182 
2183     if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2184         return -EINVAL;
2185     context->type = AUDIT_SOCKETCALL;
2186     context->socketcall.nargs = nargs;
2187     memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2188     return 0;
2189 }
2190 
2191 /**
2192  * __audit_fd_pair - record audit data for pipe and socketpair
2193  * @fd1: the first file descriptor
2194  * @fd2: the second file descriptor
2195  *
2196  */
2197 void __audit_fd_pair(int fd1, int fd2)
2198 {
2199     struct audit_context *context = current->audit_context;
2200     context->fds[0] = fd1;
2201     context->fds[1] = fd2;
2202 }
2203 
2204 /**
2205  * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2206  * @len: data length in user space
2207  * @a: data address in kernel space
2208  *
2209  * Returns 0 for success or NULL context or < 0 on error.
2210  */
2211 int __audit_sockaddr(int len, void *a)
2212 {
2213     struct audit_context *context = current->audit_context;
2214 
2215     if (!context->sockaddr) {
2216         void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2217         if (!p)
2218             return -ENOMEM;
2219         context->sockaddr = p;
2220     }
2221 
2222     context->sockaddr_len = len;
2223     memcpy(context->sockaddr, a, len);
2224     return 0;
2225 }
2226 
2227 void __audit_ptrace(struct task_struct *t)
2228 {
2229     struct audit_context *context = current->audit_context;
2230 
2231     context->target_pid = task_tgid_nr(t);
2232     context->target_auid = audit_get_loginuid(t);
2233     context->target_uid = task_uid(t);
2234     context->target_sessionid = audit_get_sessionid(t);
2235     security_task_getsecid(t, &context->target_sid);
2236     memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2237 }
2238 
2239 /**
2240  * audit_signal_info - record signal info for shutting down audit subsystem
2241  * @sig: signal value
2242  * @t: task being signaled
2243  *
2244  * If the audit subsystem is being terminated, record the task (pid)
2245  * and uid that is doing that.
2246  */
2247 int __audit_signal_info(int sig, struct task_struct *t)
2248 {
2249     struct audit_aux_data_pids *axp;
2250     struct task_struct *tsk = current;
2251     struct audit_context *ctx = tsk->audit_context;
2252     kuid_t uid = current_uid(), t_uid = task_uid(t);
2253 
2254     if (audit_pid && t->tgid == audit_pid) {
2255         if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2256             audit_sig_pid = task_tgid_nr(tsk);
2257             if (uid_valid(tsk->loginuid))
2258                 audit_sig_uid = tsk->loginuid;
2259             else
2260                 audit_sig_uid = uid;
2261             security_task_getsecid(tsk, &audit_sig_sid);
2262         }
2263         if (!audit_signals || audit_dummy_context())
2264             return 0;
2265     }
2266 
2267     /* optimize the common case by putting first signal recipient directly
2268      * in audit_context */
2269     if (!ctx->target_pid) {
2270         ctx->target_pid = task_tgid_nr(t);
2271         ctx->target_auid = audit_get_loginuid(t);
2272         ctx->target_uid = t_uid;
2273         ctx->target_sessionid = audit_get_sessionid(t);
2274         security_task_getsecid(t, &ctx->target_sid);
2275         memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2276         return 0;
2277     }
2278 
2279     axp = (void *)ctx->aux_pids;
2280     if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2281         axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2282         if (!axp)
2283             return -ENOMEM;
2284 
2285         axp->d.type = AUDIT_OBJ_PID;
2286         axp->d.next = ctx->aux_pids;
2287         ctx->aux_pids = (void *)axp;
2288     }
2289     BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2290 
2291     axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2292     axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2293     axp->target_uid[axp->pid_count] = t_uid;
2294     axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2295     security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2296     memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2297     axp->pid_count++;
2298 
2299     return 0;
2300 }
2301 
2302 /**
2303  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2304  * @bprm: pointer to the bprm being processed
2305  * @new: the proposed new credentials
2306  * @old: the old credentials
2307  *
2308  * Simply check if the proc already has the caps given by the file and if not
2309  * store the priv escalation info for later auditing at the end of the syscall
2310  *
2311  * -Eric
2312  */
2313 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2314                const struct cred *new, const struct cred *old)
2315 {
2316     struct audit_aux_data_bprm_fcaps *ax;
2317     struct audit_context *context = current->audit_context;
2318     struct cpu_vfs_cap_data vcaps;
2319 
2320     ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2321     if (!ax)
2322         return -ENOMEM;
2323 
2324     ax->d.type = AUDIT_BPRM_FCAPS;
2325     ax->d.next = context->aux;
2326     context->aux = (void *)ax;
2327 
2328     get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
2329 
2330     ax->fcap.permitted = vcaps.permitted;
2331     ax->fcap.inheritable = vcaps.inheritable;
2332     ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2333     ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2334 
2335     ax->old_pcap.permitted   = old->cap_permitted;
2336     ax->old_pcap.inheritable = old->cap_inheritable;
2337     ax->old_pcap.effective   = old->cap_effective;
2338 
2339     ax->new_pcap.permitted   = new->cap_permitted;
2340     ax->new_pcap.inheritable = new->cap_inheritable;
2341     ax->new_pcap.effective   = new->cap_effective;
2342     return 0;
2343 }
2344 
2345 /**
2346  * __audit_log_capset - store information about the arguments to the capset syscall
2347  * @new: the new credentials
2348  * @old: the old (current) credentials
2349  *
2350  * Record the arguments userspace sent to sys_capset for later printing by the
2351  * audit system if applicable
2352  */
2353 void __audit_log_capset(const struct cred *new, const struct cred *old)
2354 {
2355     struct audit_context *context = current->audit_context;
2356     context->capset.pid = task_tgid_nr(current);
2357     context->capset.cap.effective   = new->cap_effective;
2358     context->capset.cap.inheritable = new->cap_effective;
2359     context->capset.cap.permitted   = new->cap_permitted;
2360     context->type = AUDIT_CAPSET;
2361 }
2362 
2363 void __audit_mmap_fd(int fd, int flags)
2364 {
2365     struct audit_context *context = current->audit_context;
2366     context->mmap.fd = fd;
2367     context->mmap.flags = flags;
2368     context->type = AUDIT_MMAP;
2369 }
2370 
2371 static void audit_log_task(struct audit_buffer *ab)
2372 {
2373     kuid_t auid, uid;
2374     kgid_t gid;
2375     unsigned int sessionid;
2376     char comm[sizeof(current->comm)];
2377 
2378     auid = audit_get_loginuid(current);
2379     sessionid = audit_get_sessionid(current);
2380     current_uid_gid(&uid, &gid);
2381 
2382     audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2383              from_kuid(&init_user_ns, auid),
2384              from_kuid(&init_user_ns, uid),
2385              from_kgid(&init_user_ns, gid),
2386              sessionid);
2387     audit_log_task_context(ab);
2388     audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2389     audit_log_untrustedstring(ab, get_task_comm(comm, current));
2390     audit_log_d_path_exe(ab, current->mm);
2391 }
2392 
2393 /**
2394  * audit_core_dumps - record information about processes that end abnormally
2395  * @signr: signal value
2396  *
2397  * If a process ends with a core dump, something fishy is going on and we
2398  * should record the event for investigation.
2399  */
2400 void audit_core_dumps(long signr)
2401 {
2402     struct audit_buffer *ab;
2403 
2404     if (!audit_enabled)
2405         return;
2406 
2407     if (signr == SIGQUIT)   /* don't care for those */
2408         return;
2409 
2410     ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2411     if (unlikely(!ab))
2412         return;
2413     audit_log_task(ab);
2414     audit_log_format(ab, " sig=%ld", signr);
2415     audit_log_end(ab);
2416 }
2417 
2418 void __audit_seccomp(unsigned long syscall, long signr, int code)
2419 {
2420     struct audit_buffer *ab;
2421 
2422     ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2423     if (unlikely(!ab))
2424         return;
2425     audit_log_task(ab);
2426     audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2427              signr, syscall_get_arch(), syscall,
2428              in_compat_syscall(), KSTK_EIP(current), code);
2429     audit_log_end(ab);
2430 }
2431 
2432 struct list_head *audit_killed_trees(void)
2433 {
2434     struct audit_context *ctx = current->audit_context;
2435     if (likely(!ctx || !ctx->in_syscall))
2436         return NULL;
2437     return &ctx->killed_trees;
2438 }