Merge branch 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit...
authorLinus Torvalds <torvalds@linux-foundation.org>
Fri, 1 Feb 2008 21:37:03 +0000 (08:37 +1100)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 1 Feb 2008 21:37:03 +0000 (08:37 +1100)
* 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
  [AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message
  [AUDIT] ratelimit printk messages audit
  [patch 2/2] audit: complement va_copy with va_end()
  [patch 1/2] kernel/audit.c: warning fix
  [AUDIT] create context if auditing was ever enabled
  [AUDIT] clean up audit_receive_msg()
  [AUDIT] make audit=0 really stop audit messages
  [AUDIT] break large execve argument logging into smaller messages
  [AUDIT] include audit type in audit message when using printk
  [AUDIT] do not panic on exclude messages in audit_log_pid_context()
  [AUDIT] Add End of Event record
  [AUDIT] add session id to audit messages
  [AUDIT] collect uid, loginuid, and comm in OBJ_PID records
  [AUDIT] return EINTR not ERESTART*
  [PATCH] get rid of loginuid races
  [PATCH] switch audit_get_loginuid() to task_struct *

16 files changed:
Documentation/filesystems/proc.txt
drivers/char/tty_audit.c
fs/proc/base.c
include/linux/audit.h
include/linux/init_task.h
include/linux/sched.h
kernel/audit.c
kernel/auditfilter.c
kernel/auditsc.c
kernel/sysctl.c
net/core/dev.c
net/key/af_key.c
net/netlink/af_netlink.c
net/xfrm/xfrm_state.c
security/selinux/selinuxfs.c
security/selinux/ss/services.c

index 11fe51c036bf36a3fc243b6620fd098929966e9a..194c8f35132065496048f8ae0bd80b688240d96c 100644 (file)
@@ -1134,13 +1134,6 @@ check the amount of free space (value is in seconds). Default settings are: 4,
 resume it  if we have a value of 3 or more percent; consider information about
 the amount of free space valid for 30 seconds
 
-audit_argv_kb
--------------
-
-The file contains a single value denoting the limit on the argv array size
-for execve (in KiB). This limit is only applied when system call auditing for
-execve is enabled, otherwise the value is ignored.
-
 ctrl-alt-del
 ------------
 
index d222012c1b0ca039a4c41c6f7a450a4fbe2ba8a0..bacded0eefabcb76aab68de33bea773bd4e8e21f 100644 (file)
@@ -73,6 +73,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
  *     @tsk with @loginuid.  @buf->mutex must be locked.
  */
 static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
+                              unsigned int sessionid,
                               struct tty_audit_buf *buf)
 {
        struct audit_buffer *ab;
@@ -85,9 +86,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
        if (ab) {
                char name[sizeof(tsk->comm)];
 
-               audit_log_format(ab, "tty pid=%u uid=%u auid=%u major=%d "
-                                "minor=%d comm=", tsk->pid, tsk->uid,
-                                loginuid, buf->major, buf->minor);
+               audit_log_format(ab, "tty pid=%u uid=%u auid=%u ses=%u "
+                                "major=%d minor=%d comm=", tsk->pid, tsk->uid,
+                                loginuid, sessionid, buf->major, buf->minor);
                get_task_comm(name, tsk);
                audit_log_untrustedstring(ab, name);
                audit_log_format(ab, " data=");
@@ -105,8 +106,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
  */
 static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
 {
-       tty_audit_buf_push(current, audit_get_loginuid(current->audit_context),
-                          buf);
+       uid_t auid = audit_get_loginuid(current);
+       unsigned int sessionid = audit_get_sessionid(current);
+       tty_audit_buf_push(current, auid, sessionid, buf);
 }
 
 /**
@@ -152,6 +154,11 @@ void tty_audit_fork(struct signal_struct *sig)
 void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
 {
        struct tty_audit_buf *buf;
+       /* FIXME I think this is correct.  Check against netlink once that is
+        * I really need to read this code more closely.  But that's for
+        * another patch.
+        */
+       unsigned int sessionid = audit_get_sessionid(tsk);
 
        spin_lock_irq(&tsk->sighand->siglock);
        buf = tsk->signal->tty_audit_buf;
@@ -162,7 +169,7 @@ void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
                return;
 
        mutex_lock(&buf->mutex);
-       tty_audit_buf_push(tsk, loginuid, buf);
+       tty_audit_buf_push(tsk, loginuid, sessionid, buf);
        mutex_unlock(&buf->mutex);
 
        tty_audit_buf_put(buf);
index 9fa9708cc7153c12ad10d62b760df88ba50e9681..33537487f5abe4dadb7c90068dfb961528bdaaaf 100644 (file)
@@ -984,7 +984,7 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
        if (!task)
                return -ESRCH;
        length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
-                               audit_get_loginuid(task->audit_context));
+                               audit_get_loginuid(task));
        put_task_struct(task);
        return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
index bdd6f5de5fc4bb654f489dab723e3cb09f66f3d0..97153027207a27d3ded23f099c105321613c9372 100644 (file)
@@ -98,6 +98,7 @@
 #define AUDIT_FD_PAIR          1317    /* audit record for pipe/socketpair */
 #define AUDIT_OBJ_PID          1318    /* ptrace target */
 #define AUDIT_TTY              1319    /* Input on an administrative TTY */
+#define AUDIT_EOE              1320    /* End of multi-record event */
 
 #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
@@ -409,7 +410,8 @@ extern unsigned int audit_serial(void);
 extern void auditsc_get_stamp(struct audit_context *ctx,
                              struct timespec *t, unsigned int *serial);
 extern int  audit_set_loginuid(struct task_struct *task, uid_t loginuid);
-extern uid_t audit_get_loginuid(struct audit_context *ctx);
+#define audit_get_loginuid(t) ((t)->loginuid)
+#define audit_get_sessionid(t) ((t)->sessionid)
 extern void audit_log_task_context(struct audit_buffer *ab);
 extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
@@ -488,7 +490,8 @@ extern int audit_signals;
 #define audit_inode_child(d,i,p) do { ; } while (0)
 #define audit_core_dumps(i) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
-#define audit_get_loginuid(c) ({ -1; })
+#define audit_get_loginuid(t) (-1)
+#define audit_get_sessionid(t) (-1)
 #define audit_log_task_context(b) do { ; } while (0)
 #define audit_ipc_obj(i) ({ 0; })
 #define audit_ipc_set_perm(q,u,g,m) ({ 0; })
@@ -522,9 +525,11 @@ extern void                    audit_log_end(struct audit_buffer *ab);
 extern void                audit_log_hex(struct audit_buffer *ab,
                                          const unsigned char *buf,
                                          size_t len);
-extern const char *        audit_log_untrustedstring(struct audit_buffer *ab,
+extern int                 audit_string_contains_control(const char *string,
+                                                         size_t len);
+extern void                audit_log_untrustedstring(struct audit_buffer *ab,
                                                      const char *string);
-extern const char *        audit_log_n_untrustedstring(struct audit_buffer *ab,
+extern void                audit_log_n_untrustedstring(struct audit_buffer *ab,
                                                        size_t n,
                                                        const char *string);
 extern void                audit_log_d_path(struct audit_buffer *ab,
index e6b3f70806790b2a8e7810b3258cddc8b69cb748..f42663eaf655b697a452ed944847c505a1ad0607 100644 (file)
@@ -114,6 +114,13 @@ extern struct group_info init_groups;
        .pid = &init_struct_pid,                                \
 }
 
+#ifdef CONFIG_AUDITSYSCALL
+#define INIT_IDS \
+       .loginuid = -1, \
+       .sessionid = -1,
+#else
+#define INIT_IDS
+#endif
 /*
  *  INIT_TASK is used to set up the first task table, touch at
  * your own risk!. Base=0, limit=0x1fffff (=2MB)
@@ -173,6 +180,7 @@ extern struct group_info init_groups;
                [PIDTYPE_SID]  = INIT_PID_LINK(PIDTYPE_SID),            \
        },                                                              \
        .dirties = INIT_PROP_LOCAL_SINGLE(dirties),                     \
+       INIT_IDS                                                        \
        INIT_TRACE_IRQFLAGS                                             \
        INIT_LOCKDEP                                                    \
 }
index 6c333579d9da0e2c66788516948e83886b0fe7ed..af6947e69b40cb2c9cce3ba291bca296ccb5edd7 100644 (file)
@@ -1139,6 +1139,10 @@ struct task_struct {
        void *security;
 #endif
        struct audit_context *audit_context;
+#ifdef CONFIG_AUDITSYSCALL
+       uid_t loginuid;
+       unsigned int sessionid;
+#endif
        seccomp_t seccomp;
 
 /* Thread group tracking */
index 801c946dd24b639520e6037b63dd96860c2e60d9..c8555b18021386b59a089b2e34fe4db355deab40 100644 (file)
  * (Initialization happens after skb_init is called.) */
 static int     audit_initialized;
 
-/* 0 - no auditing
- * 1 - auditing enabled
- * 2 - auditing enabled and configuration is locked/unchangeable. */
+#define AUDIT_OFF      0
+#define AUDIT_ON       1
+#define AUDIT_LOCKED   2
 int            audit_enabled;
+int            audit_ever_enabled;
 
 /* Default state when kernel boots without any parameters. */
 static int     audit_default;
@@ -152,8 +153,10 @@ struct audit_buffer {
 
 static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
 {
-       struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
-       nlh->nlmsg_pid = pid;
+       if (ab) {
+               struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+               nlh->nlmsg_pid = pid;
+       }
 }
 
 void audit_panic(const char *message)
@@ -163,7 +166,8 @@ void audit_panic(const char *message)
        case AUDIT_FAIL_SILENT:
                break;
        case AUDIT_FAIL_PRINTK:
-               printk(KERN_ERR "audit: %s\n", message);
+               if (printk_ratelimit())
+                       printk(KERN_ERR "audit: %s\n", message);
                break;
        case AUDIT_FAIL_PANIC:
                panic("audit: %s\n", message);
@@ -231,161 +235,107 @@ void audit_log_lost(const char *message)
        }
 
        if (print) {
-               printk(KERN_WARNING
-                      "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
-                      atomic_read(&audit_lost),
-                      audit_rate_limit,
-                      audit_backlog_limit);
+               if (printk_ratelimit())
+                       printk(KERN_WARNING
+                               "audit: audit_lost=%d audit_rate_limit=%d "
+                               "audit_backlog_limit=%d\n",
+                               atomic_read(&audit_lost),
+                               audit_rate_limit,
+                               audit_backlog_limit);
                audit_panic(message);
        }
 }
 
-static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_log_config_change(char *function_name, int new, int old,
+                                  uid_t loginuid, u32 sid, int allow_changes)
 {
-       int res, rc = 0, old = audit_rate_limit;
-
-       /* check if we are locked */
-       if (audit_enabled == 2)
-               res = 0;
-       else
-               res = 1;
+       struct audit_buffer *ab;
+       int rc = 0;
 
+       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+       audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
+                        old, loginuid);
        if (sid) {
                char *ctx = NULL;
                u32 len;
-               if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                               "audit_rate_limit=%d old=%d by auid=%u"
-                               " subj=%s res=%d",
-                               limit, old, loginuid, ctx, res);
+
+               rc = selinux_sid_to_string(sid, &ctx, &len);
+               if (rc) {
+                       audit_log_format(ab, " sid=%u", sid);
+                       allow_changes = 0; /* Something weird, deny request */
+               } else {
+                       audit_log_format(ab, " subj=%s", ctx);
                        kfree(ctx);
-               } else
-                       res = 0; /* Something weird, deny request */
+               }
        }
-       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-               "audit_rate_limit=%d old=%d by auid=%u res=%d",
-               limit, old, loginuid, res);
-
-       /* If we are allowed, make the change */
-       if (res == 1)
-               audit_rate_limit = limit;
-       /* Not allowed, update reason */
-       else if (rc == 0)
-               rc = -EPERM;
+       audit_log_format(ab, " res=%d", allow_changes);
+       audit_log_end(ab);
        return rc;
 }
 
-static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
+static int audit_do_config_change(char *function_name, int *to_change,
+                                 int new, uid_t loginuid, u32 sid)
 {
-       int res, rc = 0, old = audit_backlog_limit;
+       int allow_changes, rc = 0, old = *to_change;
 
        /* check if we are locked */
-       if (audit_enabled == 2)
-               res = 0;
+       if (audit_enabled == AUDIT_LOCKED)
+               allow_changes = 0;
        else
-               res = 1;
+               allow_changes = 1;
 
-       if (sid) {
-               char *ctx = NULL;
-               u32 len;
-               if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                               "audit_backlog_limit=%d old=%d by auid=%u"
-                               " subj=%s res=%d",
-                               limit, old, loginuid, ctx, res);
-                       kfree(ctx);
-               } else
-                       res = 0; /* Something weird, deny request */
+       if (audit_enabled != AUDIT_OFF) {
+               rc = audit_log_config_change(function_name, new, old,
+                                            loginuid, sid, allow_changes);
+               if (rc)
+                       allow_changes = 0;
        }
-       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-               "audit_backlog_limit=%d old=%d by auid=%u res=%d",
-               limit, old, loginuid, res);
 
        /* If we are allowed, make the change */
-       if (res == 1)
-               audit_backlog_limit = limit;
+       if (allow_changes == 1)
+               *to_change = new;
        /* Not allowed, update reason */
        else if (rc == 0)
                rc = -EPERM;
        return rc;
 }
 
-static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
+static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
+{
+       return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
+                                     limit, loginuid, sid);
+}
+
+static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
 {
-       int res, rc = 0, old = audit_enabled;
+       return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
+                                     limit, loginuid, sid);
+}
 
-       if (state < 0 || state > 2)
+static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
+{
+       int rc;
+       if (state < AUDIT_OFF || state > AUDIT_LOCKED)
                return -EINVAL;
 
-       /* check if we are locked */
-       if (audit_enabled == 2)
-               res = 0;
-       else
-               res = 1;
+       rc =  audit_do_config_change("audit_enabled", &audit_enabled, state,
+                                    loginuid, sid);
 
-       if (sid) {
-               char *ctx = NULL;
-               u32 len;
-               if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                               "audit_enabled=%d old=%d by auid=%u"
-                               " subj=%s res=%d",
-                               state, old, loginuid, ctx, res);
-                       kfree(ctx);
-               } else
-                       res = 0; /* Something weird, deny request */
-       }
-       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-               "audit_enabled=%d old=%d by auid=%u res=%d",
-               state, old, loginuid, res);
+       if (!rc)
+               audit_ever_enabled |= !!state;
 
-       /* If we are allowed, make the change */
-       if (res == 1)
-               audit_enabled = state;
-       /* Not allowed, update reason */
-       else if (rc == 0)
-               rc = -EPERM;
        return rc;
 }
 
 static int audit_set_failure(int state, uid_t loginuid, u32 sid)
 {
-       int res, rc = 0, old = audit_failure;
-
        if (state != AUDIT_FAIL_SILENT
            && state != AUDIT_FAIL_PRINTK
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
 
-       /* check if we are locked */
-       if (audit_enabled == 2)
-               res = 0;
-       else
-               res = 1;
-
-       if (sid) {
-               char *ctx = NULL;
-               u32 len;
-               if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
-                       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                               "audit_failure=%d old=%d by auid=%u"
-                               " subj=%s res=%d",
-                               state, old, loginuid, ctx, res);
-                       kfree(ctx);
-               } else
-                       res = 0; /* Something weird, deny request */
-       }
-       audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-               "audit_failure=%d old=%d by auid=%u res=%d",
-               state, old, loginuid, res);
-
-       /* If we are allowed, make the change */
-       if (res == 1)
-               audit_failure = state;
-       /* Not allowed, update reason */
-       else if (rc == 0)
-               rc = -EPERM;
-       return rc;
+       return audit_do_config_change("audit_failure", &audit_failure, state,
+                                     loginuid, sid);
 }
 
 static int kauditd_thread(void *dummy)
@@ -405,7 +355,11 @@ static int kauditd_thread(void *dummy)
                                        audit_pid = 0;
                                }
                        } else {
-                               printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
+                               if (printk_ratelimit())
+                                       printk(KERN_NOTICE "%s\n", skb->data +
+                                               NLMSG_SPACE(0));
+                               else
+                                       audit_log_lost("printk limit exceeded\n");
                                kfree_skb(skb);
                        }
                } else {
@@ -573,6 +527,33 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
        return err;
 }
 
+static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
+                                    u32 pid, u32 uid, uid_t auid, u32 sid)
+{
+       int rc = 0;
+       char *ctx = NULL;
+       u32 len;
+
+       if (!audit_enabled) {
+               *ab = NULL;
+               return rc;
+       }
+
+       *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
+       audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
+                        pid, uid, auid);
+       if (sid) {
+               rc = selinux_sid_to_string(sid, &ctx, &len);
+               if (rc)
+                       audit_log_format(*ab, " ssid=%u", sid);
+               else
+                       audit_log_format(*ab, " subj=%s", ctx);
+               kfree(ctx);
+       }
+
+       return rc;
+}
+
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
        u32                     uid, pid, seq, sid;
@@ -583,7 +564,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        u16                     msg_type = nlh->nlmsg_type;
        uid_t                   loginuid; /* loginuid of sender */
        struct audit_sig_info   *sig_data;
-       char                    *ctx;
+       char                    *ctx = NULL;
        u32                     len;
 
        err = audit_netlink_ok(skb, msg_type);
@@ -634,23 +615,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
-                       int old   = audit_pid;
-                       if (sid) {
-                               if ((err = selinux_sid_to_string(
-                                               sid, &ctx, &len)))
-                                       return err;
-                               else
-                                       audit_log(NULL, GFP_KERNEL,
-                                               AUDIT_CONFIG_CHANGE,
-                                               "audit_pid=%d old=%d by auid=%u subj=%s",
-                                               status_get->pid, old,
-                                               loginuid, ctx);
-                               kfree(ctx);
-                       } else
-                               audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                       "audit_pid=%d old=%d by auid=%u",
-                                         status_get->pid, old, loginuid);
-                       audit_pid = status_get->pid;
+                       int new_pid = status_get->pid;
+
+                       if (audit_enabled != AUDIT_OFF)
+                               audit_log_config_change("audit_pid", new_pid,
+                                                       audit_pid, loginuid,
+                                                       sid, 1);
+
+                       audit_pid = new_pid;
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
                        err = audit_set_rate_limit(status_get->rate_limit,
@@ -673,64 +645,35 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                if (err)
                                        break;
                        }
-                       ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
-                       if (ab) {
-                               audit_log_format(ab,
-                                                "user pid=%d uid=%u auid=%u",
-                                                pid, uid, loginuid);
-                               if (sid) {
-                                       if (selinux_sid_to_string(
-                                                       sid, &ctx, &len)) {
-                                               audit_log_format(ab,
-                                                       " ssid=%u", sid);
-                                               /* Maybe call audit_panic? */
-                                       } else
-                                               audit_log_format(ab,
-                                                       " subj=%s", ctx);
-                                       kfree(ctx);
-                               }
-                               if (msg_type != AUDIT_USER_TTY)
-                                       audit_log_format(ab, " msg='%.1024s'",
-                                                        (char *)data);
-                               else {
-                                       int size;
-
-                                       audit_log_format(ab, " msg=");
-                                       size = nlmsg_len(nlh);
-                                       audit_log_n_untrustedstring(ab, size,
-                                                                   data);
-                               }
-                               audit_set_pid(ab, pid);
-                               audit_log_end(ab);
+                       audit_log_common_recv_msg(&ab, msg_type, pid, uid,
+                                                 loginuid, sid);
+
+                       if (msg_type != AUDIT_USER_TTY)
+                               audit_log_format(ab, " msg='%.1024s'",
+                                                (char *)data);
+                       else {
+                               int size;
+
+                               audit_log_format(ab, " msg=");
+                               size = nlmsg_len(nlh);
+                               audit_log_n_untrustedstring(ab, size,
+                                                           data);
                        }
+                       audit_set_pid(ab, pid);
+                       audit_log_end(ab);
                }
                break;
        case AUDIT_ADD:
        case AUDIT_DEL:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule))
                        return -EINVAL;
-               if (audit_enabled == 2) {
-                       ab = audit_log_start(NULL, GFP_KERNEL,
-                                       AUDIT_CONFIG_CHANGE);
-                       if (ab) {
-                               audit_log_format(ab,
-                                                "pid=%d uid=%u auid=%u",
-                                                pid, uid, loginuid);
-                               if (sid) {
-                                       if (selinux_sid_to_string(
-                                                       sid, &ctx, &len)) {
-                                               audit_log_format(ab,
-                                                       " ssid=%u", sid);
-                                               /* Maybe call audit_panic? */
-                                       } else
-                                               audit_log_format(ab,
-                                                       " subj=%s", ctx);
-                                       kfree(ctx);
-                               }
-                               audit_log_format(ab, " audit_enabled=%d res=0",
-                                       audit_enabled);
-                               audit_log_end(ab);
-                       }
+               if (audit_enabled == AUDIT_LOCKED) {
+                       audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                                                 uid, loginuid, sid);
+
+                       audit_log_format(ab, " audit_enabled=%d res=0",
+                                        audit_enabled);
+                       audit_log_end(ab);
                        return -EPERM;
                }
                /* fallthrough */
@@ -743,28 +686,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_DEL_RULE:
                if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                        return -EINVAL;
-               if (audit_enabled == 2) {
-                       ab = audit_log_start(NULL, GFP_KERNEL,
-                                       AUDIT_CONFIG_CHANGE);
-                       if (ab) {
-                               audit_log_format(ab,
-                                                "pid=%d uid=%u auid=%u",
-                                                pid, uid, loginuid);
-                               if (sid) {
-                                       if (selinux_sid_to_string(
-                                                       sid, &ctx, &len)) {
-                                               audit_log_format(ab,
-                                                       " ssid=%u", sid);
-                                               /* Maybe call audit_panic? */
-                                       } else
-                                               audit_log_format(ab,
-                                                       " subj=%s", ctx);
-                                       kfree(ctx);
-                               }
-                               audit_log_format(ab, " audit_enabled=%d res=0",
-                                       audit_enabled);
-                               audit_log_end(ab);
-                       }
+               if (audit_enabled == AUDIT_LOCKED) {
+                       audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                                                 uid, loginuid, sid);
+
+                       audit_log_format(ab, " audit_enabled=%d res=0",
+                                        audit_enabled);
+                       audit_log_end(ab);
                        return -EPERM;
                }
                /* fallthrough */
@@ -775,19 +703,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                break;
        case AUDIT_TRIM:
                audit_trim_trees();
-               ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-               if (!ab)
-                       break;
-               audit_log_format(ab, "auid=%u", loginuid);
-               if (sid) {
-                       u32 len;
-                       ctx = NULL;
-                       if (selinux_sid_to_string(sid, &ctx, &len))
-                               audit_log_format(ab, " ssid=%u", sid);
-                       else
-                               audit_log_format(ab, " subj=%s", ctx);
-                       kfree(ctx);
-               }
+
+               audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                                         uid, loginuid, sid);
+
                audit_log_format(ab, " op=trim res=1");
                audit_log_end(ab);
                break;
@@ -817,22 +736,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                /* OK, here comes... */
                err = audit_tag_tree(old, new);
 
-               ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-               if (!ab) {
-                       kfree(old);
-                       kfree(new);
-                       break;
-               }
-               audit_log_format(ab, "auid=%u", loginuid);
-               if (sid) {
-                       u32 len;
-                       ctx = NULL;
-                       if (selinux_sid_to_string(sid, &ctx, &len))
-                               audit_log_format(ab, " ssid=%u", sid);
-                       else
-                               audit_log_format(ab, " subj=%s", ctx);
-                       kfree(ctx);
-               }
+               audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                                         uid, loginuid, sid);
+
                audit_log_format(ab, " op=make_equiv old=");
                audit_log_untrustedstring(ab, old);
                audit_log_format(ab, " new=");
@@ -965,6 +871,7 @@ static int __init audit_init(void)
        skb_queue_head_init(&audit_skb_queue);
        audit_initialized = 1;
        audit_enabled = audit_default;
+       audit_ever_enabled |= !!audit_default;
 
        /* Register the callback with selinux.  This callback will be invoked
         * when a new policy is loaded. */
@@ -992,8 +899,10 @@ static int __init audit_enable(char *str)
        printk(KERN_INFO "audit: %s%s\n",
               audit_default ? "enabled" : "disabled",
               audit_initialized ? "" : " (after initialization)");
-       if (audit_initialized)
+       if (audit_initialized) {
                audit_enabled = audit_default;
+               audit_ever_enabled |= !!audit_default;
+       }
        return 1;
 }
 
@@ -1130,7 +1039,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 {
        struct audit_buffer     *ab     = NULL;
        struct timespec         t;
-       unsigned int            serial;
+       unsigned int            uninitialized_var(serial);
        int reserve;
        unsigned long timeout_start = jiffies;
 
@@ -1164,7 +1073,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
                        remove_wait_queue(&audit_backlog_wait, &wait);
                        continue;
                }
-               if (audit_rate_check())
+               if (audit_rate_check() && printk_ratelimit())
                        printk(KERN_WARNING
                               "audit: audit_backlog=%d > "
                               "audit_backlog_limit=%d\n",
@@ -1249,6 +1158,7 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
                        goto out;
                len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
        }
+       va_end(args2);
        if (len > 0)
                skb_put(skb, len);
 out:
@@ -1349,6 +1259,21 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
        skb_put(skb, slen + 2); /* don't include null terminator */
 }
 
+/**
+ * audit_string_contains_control - does a string need to be logged in hex
+ * @string - string to be checked
+ * @len - max length of the string to check
+ */
+int audit_string_contains_control(const char *string, size_t len)
+{
+       const unsigned char *p;
+       for (p = string; p < (const unsigned char *)string + len && *p; p++) {
+               if (*p == '"' || *p < 0x21 || *p > 0x7f)
+                       return 1;
+       }
+       return 0;
+}
+
 /**
  * audit_log_n_untrustedstring - log a string that may contain random characters
  * @ab: audit_buffer
@@ -1363,19 +1288,13 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
  * The caller specifies the number of characters in the string to log, which may
  * or may not be the entire string.
  */
-const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
-                                       const char *string)
+void audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
+                                const char *string)
 {
-       const unsigned char *p;
-
-       for (p = string; p < (const unsigned char *)string + len && *p; p++) {
-               if (*p == '"' || *p < 0x21 || *p > 0x7f) {
-                       audit_log_hex(ab, string, len);
-                       return string + len + 1;
-               }
-       }
-       audit_log_n_string(ab, len, string);
-       return p + 1;
+       if (audit_string_contains_control(string, len))
+               audit_log_hex(ab, string, len);
+       else
+               audit_log_n_string(ab, len, string);
 }
 
 /**
@@ -1386,9 +1305,9 @@ const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
  * Same as audit_log_n_untrustedstring(), except that strlen is used to
  * determine string length.
  */
-const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
 {
-       return audit_log_n_untrustedstring(ab, strlen(string), string);
+       audit_log_n_untrustedstring(ab, strlen(string), string);
 }
 
 /* This is a helper-function to print the escaped d_path */
@@ -1437,8 +1356,11 @@ void audit_log_end(struct audit_buffer *ab)
                        skb_queue_tail(&audit_skb_queue, ab->skb);
                        ab->skb = NULL;
                        wake_up_interruptible(&kauditd_wait);
+               } else if (printk_ratelimit()) {
+                       struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+                       printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
                } else {
-                       printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
+                       audit_log_lost("printk limit exceeded\n");
                }
        }
        audit_buffer_free(ab);
index 5d96f2cc7be8137164f8881d830ad013f39da949..6f19fd477aac539d9010c06a12b08848e708af5e 100644 (file)
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
 /* Inotify events we care about. */
 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
 
+extern int audit_enabled;
+
 void audit_free_parent(struct inotify_watch *i_watch)
 {
        struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
        struct audit_watch *owatch, *nwatch, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *oentry, *nentry;
-       struct audit_buffer *ab;
 
        mutex_lock(&audit_filter_mutex);
        list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
                        call_rcu(&oentry->rcu, audit_free_rule_rcu);
                }
 
-               ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-               audit_log_format(ab, "op=updated rules specifying path=");
-               audit_log_untrustedstring(ab, owatch->path);
-               audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
-               audit_log_format(ab, " list=%d res=1", r->listnr);
-               audit_log_end(ab);
-
+               if (audit_enabled) {
+                       struct audit_buffer *ab;
+                       ab = audit_log_start(NULL, GFP_KERNEL,
+                               AUDIT_CONFIG_CHANGE);
+                       audit_log_format(ab,
+                               "op=updated rules specifying path=");
+                       audit_log_untrustedstring(ab, owatch->path);
+                       audit_log_format(ab, " with dev=%u ino=%lu\n",
+                                dev, ino);
+                       audit_log_format(ab, " list=%d res=1", r->listnr);
+                       audit_log_end(ab);
+               }
                audit_remove_watch(owatch);
                goto add_watch_to_parent; /* event applies to a single watch */
        }
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
        struct audit_watch *w, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *e;
-       struct audit_buffer *ab;
 
        mutex_lock(&audit_filter_mutex);
        parent->flags |= AUDIT_PARENT_INVALID;
        list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
                list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
                        e = container_of(r, struct audit_entry, rule);
-
-                       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-                       audit_log_format(ab, "op=remove rule path=");
-                       audit_log_untrustedstring(ab, w->path);
-                       if (r->filterkey) {
-                               audit_log_format(ab, " key=");
-                               audit_log_untrustedstring(ab, r->filterkey);
-                       } else
-                               audit_log_format(ab, " key=(null)");
-                       audit_log_format(ab, " list=%d res=1", r->listnr);
-                       audit_log_end(ab);
-
+                       if (audit_enabled) {
+                               struct audit_buffer *ab;
+                               ab = audit_log_start(NULL, GFP_KERNEL,
+                                       AUDIT_CONFIG_CHANGE);
+                               audit_log_format(ab, "op=remove rule path=");
+                               audit_log_untrustedstring(ab, w->path);
+                               if (r->filterkey) {
+                                       audit_log_format(ab, " key=");
+                                       audit_log_untrustedstring(ab,
+                                                       r->filterkey);
+                               } else
+                                       audit_log_format(ab, " key=(null)");
+                               audit_log_format(ab, " list=%d res=1",
+                                       r->listnr);
+                               audit_log_end(ab);
+                       }
                        list_del(&r->rlist);
                        list_del_rcu(&e->list);
                        call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
 {
        struct audit_buffer *ab;
 
+       if (!audit_enabled)
+               return;
+
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
        if (!ab)
                return;
index bce9ecdb771240885bd3d1c0c30f7565ebbd1eb5..1c06ecf38d7b059208b456a604c284e68ab409c4 100644 (file)
@@ -70,6 +70,7 @@
 #include "audit.h"
 
 extern struct list_head audit_filter_list[];
+extern int audit_ever_enabled;
 
 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
  * for saving names from getname(). */
@@ -78,6 +79,9 @@ extern struct list_head audit_filter_list[];
 /* Indicates that audit should log the full pathname. */
 #define AUDIT_NAME_FULL -1
 
+/* no execve audit message should be longer than this (userspace limits) */
+#define MAX_EXECVE_AUDIT_LEN 7500
+
 /* number of audit rules */
 int audit_n_rules;
 
@@ -176,7 +180,11 @@ struct audit_aux_data_fd_pair {
 struct audit_aux_data_pids {
        struct audit_aux_data   d;
        pid_t                   target_pid[AUDIT_AUX_PIDS];
+       uid_t                   target_auid[AUDIT_AUX_PIDS];
+       uid_t                   target_uid[AUDIT_AUX_PIDS];
+       unsigned int            target_sessionid[AUDIT_AUX_PIDS];
        u32                     target_sid[AUDIT_AUX_PIDS];
+       char                    target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
        int                     pid_count;
 };
 
@@ -192,7 +200,6 @@ struct audit_context {
        enum audit_state    state;
        unsigned int        serial;     /* serial number for record */
        struct timespec     ctime;      /* time of syscall entry */
-       uid_t               loginuid;   /* login uid (identity) */
        int                 major;      /* syscall number */
        unsigned long       argv[4];    /* syscall arguments */
        int                 return_valid; /* return code is valid */
@@ -215,7 +222,11 @@ struct audit_context {
        int                 arch;
 
        pid_t               target_pid;
+       uid_t               target_auid;
+       uid_t               target_uid;
+       unsigned int        target_sessionid;
        u32                 target_sid;
+       char                target_comm[TASK_COMM_LEN];
 
        struct audit_tree_refs *trees, *first_trees;
        int tree_count;
@@ -506,7 +517,7 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_LOGINUID:
                        result = 0;
                        if (ctx)
-                               result = audit_comparator(ctx->loginuid, f->op, f->val);
+                               result = audit_comparator(tsk->loginuid, f->op, f->val);
                        break;
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
@@ -702,7 +713,24 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
        if (likely(!context))
                return NULL;
        context->return_valid = return_valid;
-       context->return_code  = return_code;
+
+       /*
+        * we need to fix up the return code in the audit logs if the actual
+        * return codes are later going to be fixed up by the arch specific
+        * signal handlers
+        *
+        * This is actually a test for:
+        * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
+        * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
+        *
+        * but is faster than a bunch of ||
+        */
+       if (unlikely(return_code <= -ERESTARTSYS) &&
+           (return_code >= -ERESTART_RESTARTBLOCK) &&
+           (return_code != -ENOIOCTLCMD))
+               context->return_code = -EINTR;
+       else
+               context->return_code  = return_code;
 
        if (context->in_syscall && !context->dummy && !context->auditable) {
                enum audit_state state;
@@ -783,11 +811,8 @@ static inline void audit_free_aux(struct audit_context *context)
 static inline void audit_zero_context(struct audit_context *context,
                                      enum audit_state state)
 {
-       uid_t loginuid = context->loginuid;
-
        memset(context, 0, sizeof(*context));
        context->state      = state;
-       context->loginuid   = loginuid;
 }
 
 static inline struct audit_context *audit_alloc_context(enum audit_state state)
@@ -814,7 +839,7 @@ int audit_alloc(struct task_struct *tsk)
        struct audit_context *context;
        enum audit_state     state;
 
-       if (likely(!audit_enabled))
+       if (likely(!audit_ever_enabled))
                return 0; /* Return if not auditing. */
 
        state = audit_filter_task(tsk);
@@ -826,11 +851,6 @@ int audit_alloc(struct task_struct *tsk)
                return -ENOMEM;
        }
 
-                               /* Preserve login uid */
-       context->loginuid = -1;
-       if (current->audit_context)
-               context->loginuid = current->audit_context->loginuid;
-
        tsk->audit_context  = context;
        set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
        return 0;
@@ -922,7 +942,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 }
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-                                u32 sid)
+                                uid_t auid, uid_t uid, unsigned int sessionid,
+                                u32 sid, char *comm)
 {
        struct audit_buffer *ab;
        char *s = NULL;
@@ -931,68 +952,204 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 
        ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
        if (!ab)
-               return 1;
+               return rc;
 
+       audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
+                        uid, sessionid);
        if (selinux_sid_to_string(sid, &s, &len)) {
-               audit_log_format(ab, "opid=%d obj=(none)", pid);
+               audit_log_format(ab, " obj=(none)");
                rc = 1;
        } else
-               audit_log_format(ab, "opid=%d  obj=%s", pid, s);
+               audit_log_format(ab, " obj=%s", s);
+       audit_log_format(ab, " ocomm=");
+       audit_log_untrustedstring(ab, comm);
        audit_log_end(ab);
        kfree(s);
 
        return rc;
 }
 
-static void audit_log_execve_info(struct audit_buffer *ab,
-               struct audit_aux_data_execve *axi)
+/*
+ * to_send and len_sent accounting are very loose estimates.  We aren't
+ * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
+ * within about 500 bytes (next page boundry)
+ *
+ * why snprintf?  an int is up to 12 digits long.  if we just assumed when
+ * logging that a[%d]= was going to be 16 characters long we would be wasting
+ * space in every audit message.  In one 7500 byte message we can log up to
+ * about 1000 min size arguments.  That comes down to about 50% waste of space
+ * if we didn't do the snprintf to find out how long arg_num_len was.
+ */
+static int audit_log_single_execve_arg(struct audit_context *context,
+                                       struct audit_buffer **ab,
+                                       int arg_num,
+                                       size_t *len_sent,
+                                       const char __user *p,
+                                       char *buf)
 {
-       int i;
-       long len, ret;
-       const char __user *p;
-       char *buf;
+       char arg_num_len_buf[12];
+       const char __user *tmp_p = p;
+       /* how many digits are in arg_num? 3 is the length of a=\n */
+       size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
+       size_t len, len_left, to_send;
+       size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
+       unsigned int i, has_cntl = 0, too_long = 0;
+       int ret;
+
+       /* strnlen_user includes the null we don't want to send */
+       len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
 
-       if (axi->mm != current->mm)
-               return; /* execve failed, no additional info */
-
-       p = (const char __user *)axi->mm->arg_start;
+       /*
+        * We just created this mm, if we can't find the strings
+        * we just copied into it something is _very_ wrong. Similar
+        * for strings that are too long, we should not have created
+        * any.
+        */
+       if (unlikely((len  = -1) || len > MAX_ARG_STRLEN - 1)) {
+               WARN_ON(1);
+               send_sig(SIGKILL, current, 0);
+       }
 
-       for (i = 0; i < axi->argc; i++, p += len) {
-               len = strnlen_user(p, MAX_ARG_STRLEN);
+       /* walk the whole argument looking for non-ascii chars */
+       do {
+               if (len_left > MAX_EXECVE_AUDIT_LEN)
+                       to_send = MAX_EXECVE_AUDIT_LEN;
+               else
+                       to_send = len_left;
+               ret = copy_from_user(buf, tmp_p, to_send);
                /*
-                * We just created this mm, if we can't find the strings
-                * we just copied into it something is _very_ wrong. Similar
-                * for strings that are too long, we should not have created
-                * any.
+                * There is no reason for this copy to be short. We just
+                * copied them here, and the mm hasn't been exposed to user-
+                * space yet.
                 */
-               if (!len || len > MAX_ARG_STRLEN) {
+               if (ret) {
                        WARN_ON(1);
                        send_sig(SIGKILL, current, 0);
                }
-
-               buf = kmalloc(len, GFP_KERNEL);
-               if (!buf) {
-                       audit_panic("out of memory for argv string\n");
+               buf[to_send] = '\0';
+               has_cntl = audit_string_contains_control(buf, to_send);
+               if (has_cntl) {
+                       /*
+                        * hex messages get logged as 2 bytes, so we can only
+                        * send half as much in each message
+                        */
+                       max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
                        break;
                }
+               len_left -= to_send;
+               tmp_p += to_send;
+       } while (len_left > 0);
+
+       len_left = len;
+
+       if (len > max_execve_audit_len)
+               too_long = 1;
+
+       /* rewalk the argument actually logging the message */
+       for (i = 0; len_left > 0; i++) {
+               int room_left;
+
+               if (len_left > max_execve_audit_len)
+                       to_send = max_execve_audit_len;
+               else
+                       to_send = len_left;
+
+               /* do we have space left to send this argument in this ab? */
+               room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
+               if (has_cntl)
+                       room_left -= (to_send * 2);
+               else
+                       room_left -= to_send;
+               if (room_left < 0) {
+                       *len_sent = 0;
+                       audit_log_end(*ab);
+                       *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
+                       if (!*ab)
+                               return 0;
+               }
 
-               ret = copy_from_user(buf, p, len);
                /*
-                * There is no reason for this copy to be short. We just
-                * copied them here, and the mm hasn't been exposed to user-
-                * space yet.
+                * first record needs to say how long the original string was
+                * so we can be sure nothing was lost.
+                */
+               if ((i == 0) && (too_long))
+                       audit_log_format(*ab, "a%d_len=%ld ", arg_num,
+                                        has_cntl ? 2*len : len);
+
+               /*
+                * normally arguments are small enough to fit and we already
+                * filled buf above when we checked for control characters
+                * so don't bother with another copy_from_user
                 */
+               if (len >= max_execve_audit_len)
+                       ret = copy_from_user(buf, p, to_send);
+               else
+                       ret = 0;
                if (ret) {
                        WARN_ON(1);
                        send_sig(SIGKILL, current, 0);
                }
+               buf[to_send] = '\0';
+
+               /* actually log it */
+               audit_log_format(*ab, "a%d", arg_num);
+               if (too_long)
+                       audit_log_format(*ab, "[%d]", i);
+               audit_log_format(*ab, "=");
+               if (has_cntl)
+                       audit_log_hex(*ab, buf, to_send);
+               else
+                       audit_log_format(*ab, "\"%s\"", buf);
+               audit_log_format(*ab, "\n");
+
+               p += to_send;
+               len_left -= to_send;
+               *len_sent += arg_num_len;
+               if (has_cntl)
+                       *len_sent += to_send * 2;
+               else
+                       *len_sent += to_send;
+       }
+       /* include the null we didn't log */
+       return len + 1;
+}
 
-               audit_log_format(ab, "a%d=", i);
-               audit_log_untrustedstring(ab, buf);
-               audit_log_format(ab, "\n");
+static void audit_log_execve_info(struct audit_context *context,
+                                 struct audit_buffer **ab,
+                                 struct audit_aux_data_execve *axi)
+{
+       int i;
+       size_t len, len_sent = 0;
+       const char __user *p;
+       char *buf;
+
+       if (axi->mm != current->mm)
+               return; /* execve failed, no additional info */
+
+       p = (const char __user *)axi->mm->arg_start;
+
+       audit_log_format(*ab, "argc=%d ", axi->argc);
+
+       /*
+        * we need some kernel buffer to hold the userspace args.  Just
+        * allocate one big one rather than allocating one of the right size
+        * for every single argument inside audit_log_single_execve_arg()
+        * should be <8k allocation so should be pretty safe.
+        */
+       buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
+       if (!buf) {
+               audit_panic("out of memory for argv string\n");
+               return;
+       }
 
-               kfree(buf);
+       for (i = 0; i < axi->argc; i++) {
+               len = audit_log_single_execve_arg(context, ab, i,
+                                                 &len_sent, p, buf);
+               if (len <= 0)
+                       break;
+               p += len;
        }
+       kfree(buf);
 }
 
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@@ -1039,7 +1196,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
                  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
                  " euid=%u suid=%u fsuid=%u"
-                 " egid=%u sgid=%u fsgid=%u tty=%s",
+                 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
                  context->argv[0],
                  context->argv[1],
                  context->argv[2],
@@ -1047,11 +1204,12 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                  context->name_count,
                  context->ppid,
                  context->pid,
-                 context->loginuid,
+                 tsk->loginuid,
                  context->uid,
                  context->gid,
                  context->euid, context->suid, context->fsuid,
-                 context->egid, context->sgid, context->fsgid, tty);
+                 context->egid, context->sgid, context->fsgid, tty,
+                 tsk->sessionid);
 
        mutex_unlock(&tty_mutex);
 
@@ -1135,7 +1293,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
                case AUDIT_EXECVE: {
                        struct audit_aux_data_execve *axi = (void *)aux;
-                       audit_log_execve_info(ab, axi);
+                       audit_log_execve_info(context, &ab, axi);
                        break; }
 
                case AUDIT_SOCKETCALL: {
@@ -1168,13 +1326,19 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
                for (i = 0; i < axs->pid_count; i++)
                        if (audit_log_pid_context(context, axs->target_pid[i],
-                                                 axs->target_sid[i]))
+                                                 axs->target_auid[i],
+                                                 axs->target_uid[i],
+                                                 axs->target_sessionid[i],
+                                                 axs->target_sid[i],
+                                                 axs->target_comm[i]))
                                call_panic = 1;
        }
 
        if (context->target_pid &&
            audit_log_pid_context(context, context->target_pid,
-                                 context->target_sid))
+                                 context->target_auid, context->target_uid,
+                                 context->target_sessionid,
+                                 context->target_sid, context->target_comm))
                        call_panic = 1;
 
        if (context->pwd && context->pwdmnt) {
@@ -1242,6 +1406,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
                audit_log_end(ab);
        }
+
+       /* Send end of event record to help user space know we are finished */
+       ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
+       if (ab)
+               audit_log_end(ab);
        if (call_panic)
                audit_panic("error converting sid to string");
 }
@@ -1766,6 +1935,9 @@ void auditsc_get_stamp(struct audit_context *ctx,
        ctx->auditable = 1;
 }
 
+/* global counter which is incremented every time something logs in */
+static atomic_t session_id = ATOMIC_INIT(0);
+
 /**
  * audit_set_loginuid - set a task's audit_context loginuid
  * @task: task whose audit context is being modified
@@ -1777,40 +1949,28 @@ void auditsc_get_stamp(struct audit_context *ctx,
  */
 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 {
+       unsigned int sessionid = atomic_inc_return(&session_id);
        struct audit_context *context = task->audit_context;
 
-       if (context) {
-               /* Only log if audit is enabled */
-               if (context->in_syscall) {
-                       struct audit_buffer *ab;
-
-                       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
-                       if (ab) {
-                               audit_log_format(ab, "login pid=%d uid=%u "
-                                       "old auid=%u new auid=%u",
-                                       task->pid, task->uid,
-                                       context->loginuid, loginuid);
-                               audit_log_end(ab);
-                       }
+       if (context && context->in_syscall) {
+               struct audit_buffer *ab;
+
+               ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+               if (ab) {
+                       audit_log_format(ab, "login pid=%d uid=%u "
+                               "old auid=%u new auid=%u"
+                               " old ses=%u new ses=%u",
+                               task->pid, task->uid,
+                               task->loginuid, loginuid,
+                               task->sessionid, sessionid);
+                       audit_log_end(ab);
                }
-               context->loginuid = loginuid;
        }
+       task->sessionid = sessionid;
+       task->loginuid = loginuid;
        return 0;
 }
 
-/**
- * audit_get_loginuid - get the loginuid for an audit_context
- * @ctx: the audit_context
- *
- * Returns the context's loginuid or -1 if @ctx is NULL.
- */
-uid_t audit_get_loginuid(struct audit_context *ctx)
-{
-       return ctx ? ctx->loginuid : -1;
-}
-
-EXPORT_SYMBOL(audit_get_loginuid);
-
 /**
  * __audit_mq_open - record audit data for a POSIX MQ open
  * @oflag: open flag
@@ -2070,8 +2230,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
        return 0;
 }
 
-int audit_argv_kb = 32;
-
 int audit_bprm(struct linux_binprm *bprm)
 {
        struct audit_aux_data_execve *ax;
@@ -2080,14 +2238,6 @@ int audit_bprm(struct linux_binprm *bprm)
        if (likely(!audit_enabled || !context || context->dummy))
                return 0;
 
-       /*
-        * Even though the stack code doesn't limit the arg+env size any more,
-        * the audit code requires that _all_ arguments be logged in a single
-        * netlink skb. Hence cap it :-(
-        */
-       if (bprm->argv_len > (audit_argv_kb << 10))
-               return -E2BIG;
-
        ax = kmalloc(sizeof(*ax), GFP_KERNEL);
        if (!ax)
                return -ENOMEM;
@@ -2193,7 +2343,11 @@ void __audit_ptrace(struct task_struct *t)
        struct audit_context *context = current->audit_context;
 
        context->target_pid = t->pid;
+       context->target_auid = audit_get_loginuid(t);
+       context->target_uid = t->uid;
+       context->target_sessionid = audit_get_sessionid(t);
        selinux_get_task_sid(t, &context->target_sid);
+       memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
 }
 
 /**
@@ -2216,8 +2370,8 @@ int __audit_signal_info(int sig, struct task_struct *t)
        if (audit_pid && t->tgid == audit_pid) {
                if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
                        audit_sig_pid = tsk->pid;
-                       if (ctx)
-                               audit_sig_uid = ctx->loginuid;
+                       if (tsk->loginuid != -1)
+                               audit_sig_uid = tsk->loginuid;
                        else
                                audit_sig_uid = tsk->uid;
                        selinux_get_task_sid(tsk, &audit_sig_sid);
@@ -2230,7 +2384,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
         * in audit_context */
        if (!ctx->target_pid) {
                ctx->target_pid = t->tgid;
+               ctx->target_auid = audit_get_loginuid(t);
+               ctx->target_uid = t->uid;
+               ctx->target_sessionid = audit_get_sessionid(t);
                selinux_get_task_sid(t, &ctx->target_sid);
+               memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
                return 0;
        }
 
@@ -2247,7 +2405,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
        BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
 
        axp->target_pid[axp->pid_count] = t->tgid;
+       axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
+       axp->target_uid[axp->pid_count] = t->uid;
+       axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
        selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
+       memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
        axp->pid_count++;
 
        return 0;
@@ -2264,6 +2426,8 @@ void audit_core_dumps(long signr)
 {
        struct audit_buffer *ab;
        u32 sid;
+       uid_t auid = audit_get_loginuid(current);
+       unsigned int sessionid = audit_get_sessionid(current);
 
        if (!audit_enabled)
                return;
@@ -2272,9 +2436,8 @@ void audit_core_dumps(long signr)
                return;
 
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-       audit_log_format(ab, "auid=%u uid=%u gid=%u",
-                       audit_get_loginuid(current->audit_context),
-                       current->uid, current->gid);
+       audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+                       auid, current->uid, current->gid, sessionid);
        selinux_get_task_sid(current, &sid);
        if (sid) {
                char *ctx = NULL;
index 357b68ba23ecd7975f93e4273787cf1041ca8df8..7cb1ac3e6fff9583c0d880788190d14da6e2ced1 100644 (file)
@@ -81,7 +81,6 @@ extern int percpu_pagelist_fraction;
 extern int compat_log;
 extern int maps_protect;
 extern int sysctl_stat_interval;
-extern int audit_argv_kb;
 extern int latencytop_enabled;
 
 /* Constants used for minimum and  maximum */
@@ -390,16 +389,6 @@ static struct ctl_table kern_table[] = {
                .mode           = 0644,
                .proc_handler   = &proc_dointvec,
        },
-#ifdef CONFIG_AUDITSYSCALL
-       {
-               .ctl_name       = CTL_UNNUMBERED,
-               .procname       = "audit_argv_kb",
-               .data           = &audit_argv_kb,
-               .maxlen         = sizeof(int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec,
-       },
-#endif
        {
                .ctl_name       = KERN_CORE_PATTERN,
                .procname       = "core_pattern",
index edaff2720e1098fea7cbd10d79574548c90db4b1..9549417250bba71650547e747226ba9e8c0a1882 100644 (file)
@@ -2752,12 +2752,15 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
                printk(KERN_INFO "device %s %s promiscuous mode\n",
                       dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
                                                               "left");
-               audit_log(current->audit_context, GFP_ATOMIC,
-                       AUDIT_ANOM_PROMISCUOUS,
-                       "dev=%s prom=%d old_prom=%d auid=%u",
-                       dev->name, (dev->flags & IFF_PROMISC),
-                       (old_flags & IFF_PROMISC),
-                       audit_get_loginuid(current->audit_context));
+               if (audit_enabled)
+                       audit_log(current->audit_context, GFP_ATOMIC,
+                               AUDIT_ANOM_PROMISCUOUS,
+                               "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
+                               dev->name, (dev->flags & IFF_PROMISC),
+                               (old_flags & IFF_PROMISC),
+                               audit_get_loginuid(current),
+                               current->uid, current->gid,
+                               audit_get_sessionid(current));
 
                if (dev->change_rx_flags)
                        dev->change_rx_flags(dev, IFF_PROMISC);
index 16b72b5570c303831aca6353d6a35b4ae901b473..45c3c27d279ad9b66e92b0771b9342a4840ca4c1 100644 (file)
@@ -1466,7 +1466,7 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr,
                err = xfrm_state_update(x);
 
        xfrm_audit_state_add(x, err ? 0 : 1,
-                            audit_get_loginuid(current->audit_context), 0);
+                            audit_get_loginuid(current), 0);
 
        if (err < 0) {
                x->km.state = XFRM_STATE_DEAD;
@@ -1520,7 +1520,7 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
        km_state_notify(x, &c);
 out:
        xfrm_audit_state_delete(x, err ? 0 : 1,
-                              audit_get_loginuid(current->audit_context), 0);
+                              audit_get_loginuid(current), 0);
        xfrm_state_put(x);
 
        return err;
@@ -1695,7 +1695,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
        if (proto == 0)
                return -EINVAL;
 
-       audit_info.loginuid = audit_get_loginuid(current->audit_context);
+       audit_info.loginuid = audit_get_loginuid(current);
        audit_info.secid = 0;
        err = xfrm_state_flush(proto, &audit_info);
        if (err)
@@ -2273,7 +2273,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
                                 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
 
        xfrm_audit_policy_add(xp, err ? 0 : 1,
-                            audit_get_loginuid(current->audit_context), 0);
+                            audit_get_loginuid(current), 0);
 
        if (err)
                goto out;
@@ -2356,7 +2356,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
                return -ENOENT;
 
        xfrm_audit_policy_delete(xp, err ? 0 : 1,
-                               audit_get_loginuid(current->audit_context), 0);
+                               audit_get_loginuid(current), 0);
 
        if (err)
                goto out;
@@ -2617,7 +2617,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
 
        if (delete) {
                xfrm_audit_policy_delete(xp, err ? 0 : 1,
-                               audit_get_loginuid(current->audit_context), 0);
+                               audit_get_loginuid(current), 0);
 
                if (err)
                        goto out;
@@ -2694,7 +2694,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
        struct xfrm_audit audit_info;
        int err;
 
-       audit_info.loginuid = audit_get_loginuid(current->audit_context);
+       audit_info.loginuid = audit_get_loginuid(current);
        audit_info.secid = 0;
        err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
        if (err)
index ff9fb6ba0c5c80e9de6f8bc1b63d045f418f5c10..1ab0da2632e19c5a0a74546a67a3e9c4d11bbc50 100644 (file)
@@ -1238,7 +1238,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
        NETLINK_CB(skb).pid     = nlk->pid;
        NETLINK_CB(skb).dst_group = dst_group;
-       NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
+       NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
        selinux_get_task_sid(current, &(NETLINK_CB(skb).sid));
        memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
 
index 3ff76e84d548258acfe13455ff91c83d5000749d..7ba65e82941c4f7794f6ada15a418d60606dbba4 100644 (file)
@@ -493,7 +493,7 @@ expired:
                km_state_expired(x, 1, 0);
 
        xfrm_audit_state_delete(x, err ? 0 : 1,
-                               audit_get_loginuid(current->audit_context), 0);
+                               audit_get_loginuid(current), 0);
 
 out:
        spin_unlock(&x->lock);
index a85740530afc676fdb777c88a8cb4136d90370cd..0341567665b3b32eab4ac7bfa717c5c0ec00d908 100644 (file)
@@ -172,9 +172,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
                if (length)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                       "enforcing=%d old_enforcing=%d auid=%u", new_value, 
-                       selinux_enforcing,
-                       audit_get_loginuid(current->audit_context));
+                       "enforcing=%d old_enforcing=%d auid=%u ses=%u",
+                       new_value, selinux_enforcing,
+                       audit_get_loginuid(current),
+                       audit_get_sessionid(current));
                selinux_enforcing = new_value;
                if (selinux_enforcing)
                        avc_ss_reset(0);
@@ -243,8 +244,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
                if (length < 0)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                       "selinux=0 auid=%u",
-                       audit_get_loginuid(current->audit_context));
+                       "selinux=0 auid=%u ses=%u",
+                       audit_get_loginuid(current),
+                       audit_get_sessionid(current));
        }
 
        length = count;
@@ -356,8 +358,9 @@ out1:
                (security_get_allow_unknown() ? "allow" : "deny")));
 
        audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
-               "policy loaded auid=%u",
-               audit_get_loginuid(current->audit_context));
+               "policy loaded auid=%u ses=%u",
+               audit_get_loginuid(current),
+               audit_get_sessionid(current));
 out:
        mutex_unlock(&sel_mutex);
        vfree(data);
index 880d455aa659014c336965d6152575b191072cad..fced6bccee760b87d98df5b0a26133b6ae0b655c 100644 (file)
@@ -1905,11 +1905,12 @@ int security_set_bools(int len, int *values)
                if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
                        audit_log(current->audit_context, GFP_ATOMIC,
                                AUDIT_MAC_CONFIG_CHANGE,
-                               "bool=%s val=%d old_val=%d auid=%u",
+                               "bool=%s val=%d old_val=%d auid=%u ses=%u",
                                policydb.p_bool_val_to_name[i],
                                !!values[i],
                                policydb.bool_val_to_struct[i]->state,
-                               audit_get_loginuid(current->audit_context));
+                               audit_get_loginuid(current),
+                               audit_get_sessionid(current));
                }
                if (values[i]) {
                        policydb.bool_val_to_struct[i]->state = 1;