1a59d1b8e05ea (Thomas Gleixner 2019-05-27 08:55:05 +0200 1) // SPDX-License-Identifier: GPL-2.0-or-later
85c8721ff3bc9 (David Woodhouse 2005-04-29 16:23:29 +0100 2) /* audit.c -- Auditing support
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 3) * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 4) * System-call specific features have moved to auditsc.c
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 5) *
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 6) * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 7) * All Rights Reserved.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 8) *
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 9) * Written by Rickard E. (Rik) Faith <faith@redhat.com>
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 10) *
d7a96f3a1ae27 (Ahmed S. Darwish 2008-03-01 22:01:11 +0200 11) * Goals: 1) Integrate fully with Security Modules.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 12) * 2) Minimal run-time overhead:
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 13) * a) Minimal when syscall auditing is disabled (audit_enable=0).
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 14) * b) Small when syscall auditing is enabled and no audit record
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 15) * is generated (defer as much work as possible to record
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 16) * generation time):
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 17) * i) context is allocated,
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 18) * ii) names from getname are stored without a copy, and
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 19) * iii) inode information stored from path_lookup.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 20) * 3) Ability to disable syscall auditing at boot time (audit=0).
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 21) * 4) Usable by other parts of the kernel (if audit_log* is called,
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 22) * then a syscall record will be generated automatically for the
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 23) * current syscall).
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 24) * 5) Netlink interface to user-space.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 25) * 6) Support low-overhead kernel-based filtering to minimize the
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 26) * information that must be passed to user-space.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 27) *
d590dca62bb8a (Richard Guy Briggs 2018-02-03 00:33:11 -0500 28) * Audit userspace, documentation, tests, and bug/issue trackers:
d590dca62bb8a (Richard Guy Briggs 2018-02-03 00:33:11 -0500 29) * https://github.com/linux-audit
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 30) */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 31)
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 32) #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 33)
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 34) #include <linux/file.h>
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 35) #include <linux/init.h>
7153e402731c3 (Paul McQuade 2014-06-06 14:37:37 -0700 36) #include <linux/types.h>
60063497a95e7 (Arun Sharma 2011-07-26 16:09:06 -0700 37) #include <linux/atomic.h>
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 38) #include <linux/mm.h>
9984de1a5a8a9 (Paul Gortmaker 2011-05-23 14:51:41 -0400 39) #include <linux/export.h>
5a0e3ad6af866 (Tejun Heo 2010-03-24 17:04:11 +0900 40) #include <linux/slab.h>
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 41) #include <linux/err.h>
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 42) #include <linux/kthread.h>
46e959ea2969c (Richard Guy Briggs 2013-05-03 14:03:50 -0400 43) #include <linux/kernel.h>
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 44) #include <linux/syscalls.h>
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 45) #include <linux/spinlock.h>
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 46) #include <linux/rcupdate.h>
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 47) #include <linux/mutex.h>
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 48) #include <linux/gfp.h>
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 49) #include <linux/pid.h>
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 50)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 51) #include <linux/audit.h>
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 52)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 53) #include <net/sock.h>
93315ed6dd12d (Amy Griffis 2006-02-07 12:05:27 -0500 54) #include <net/netlink.h>
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 55) #include <linux/skbuff.h>
131ad62d8fc06 (Mr Dash Four 2011-06-30 13:31:57 +0200 56) #ifdef CONFIG_SECURITY
131ad62d8fc06 (Mr Dash Four 2011-06-30 13:31:57 +0200 57) #include <linux/security.h>
131ad62d8fc06 (Mr Dash Four 2011-06-30 13:31:57 +0200 58) #endif
7dfb71030f763 (Nigel Cunningham 2006-12-06 20:34:23 -0800 59) #include <linux/freezer.h>
34e36d8ecbd95 (Eric W. Biederman 2012-09-10 23:20:20 -0700 60) #include <linux/pid_namespace.h>
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 61) #include <net/netns/generic.h>
3dc7e3153eddf (Darrel Goeddel 2006-03-10 18:14:06 -0600 62)
3dc7e3153eddf (Darrel Goeddel 2006-03-10 18:14:06 -0600 63) #include "audit.h"
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 64)
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 65) /* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 66) * (Initialization happens after skb_init is called.) */
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 67) #define AUDIT_DISABLED -1
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 68) #define AUDIT_UNINITIALIZED 0
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 69) #define AUDIT_INITIALIZED 1
ba59eae723857 (Alex Shi 2020-11-06 16:31:22 +0800 70) static int audit_initialized = AUDIT_UNINITIALIZED;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 71)
173743dd99a49 (Paul Moore 2017-09-01 09:44:34 -0400 72) u32 audit_enabled = AUDIT_OFF;
b3b4fdf6a8ae9 (Paul Moore 2017-09-01 09:44:57 -0400 73) bool audit_ever_enabled = !!AUDIT_OFF;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 74)
ae9d67aff60af (Jan Engelhardt 2011-01-18 06:48:12 +0100 75) EXPORT_SYMBOL_GPL(audit_enabled);
ae9d67aff60af (Jan Engelhardt 2011-01-18 06:48:12 +0100 76)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 77) /* Default state when kernel boots without any parameters. */
173743dd99a49 (Paul Moore 2017-09-01 09:44:34 -0400 78) static u32 audit_default = AUDIT_OFF;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 79)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 80) /* If auditing cannot proceed, audit_failure selects what happens. */
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 81) static u32 audit_failure = AUDIT_FAIL_PRINTK;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 82)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 83) /* private audit network namespace index */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 84) static unsigned int audit_net_id;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 85)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 86) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 87) * struct audit_net - audit private network namespace data
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 88) * @sk: communication socket
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 89) */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 90) struct audit_net {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 91) struct sock *sk;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 92) };
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 93)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 94) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 95) * struct auditd_connection - kernel/auditd connection state
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 96) * @pid: auditd PID
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 97) * @portid: netlink portid
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 98) * @net: the associated network namespace
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 99) * @rcu: RCU head
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 100) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 101) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 102) * This struct is RCU protected; you must either hold the RCU lock for reading
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 103) * or the associated spinlock for writing.
75c0371a2d385 (Pavel Emelyanov 2008-03-20 15:39:41 -0700 104) */
cb5172d96d16d (Amol Grover 2019-12-02 00:03:48 +0530 105) struct auditd_connection {
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 106) struct pid *pid;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 107) u32 portid;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 108) struct net *net;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 109) struct rcu_head rcu;
cb5172d96d16d (Amol Grover 2019-12-02 00:03:48 +0530 110) };
cb5172d96d16d (Amol Grover 2019-12-02 00:03:48 +0530 111) static struct auditd_connection __rcu *auditd_conn;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 112) static DEFINE_SPINLOCK(auditd_conn_lock);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 113)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 114) /* If audit_rate_limit is non-zero, limit the rate of sending audit records
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 115) * to that number per second. This prevents DoS attacks, but results in
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 116) * audit records being dropped. */
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 117) static u32 audit_rate_limit;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 118)
40c0775e5ea47 (Richard Guy Briggs 2013-10-22 13:28:49 -0400 119) /* Number of outstanding audit_buffers allowed.
40c0775e5ea47 (Richard Guy Briggs 2013-10-22 13:28:49 -0400 120) * When set to zero, this means unlimited. */
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 121) static u32 audit_backlog_limit = 64;
e789e561a50de (Richard Guy Briggs 2013-09-12 23:03:51 -0400 122) #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 123) static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 124)
c2f0c7c356dc9 (Steve Grubb 2005-05-06 12:38:39 +0100 125) /* The identity of the user shutting down the audit system. */
6b87024f76bc7 (Jules Irenge 2020-08-03 13:34:38 +0100 126) static kuid_t audit_sig_uid = INVALID_UID;
6b87024f76bc7 (Jules Irenge 2020-08-03 13:34:38 +0100 127) static pid_t audit_sig_pid = -1;
265c32072b0ce (Jules Irenge 2020-08-03 13:34:39 +0100 128) static u32 audit_sig_sid;
c2f0c7c356dc9 (Steve Grubb 2005-05-06 12:38:39 +0100 129)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 130) /* Records can be lost in several ways:
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 131) 0) [suppressed in audit_alloc]
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 132) 1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 133) 2) out of memory in audit_log_move [alloc_skb]
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 134) 3) suppressed due to audit_rate_limit
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 135) 4) suppressed due to audit_backlog_limit
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 136) */
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 137) static atomic_t audit_lost = ATOMIC_INIT(0);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 138)
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 139) /* Monotonically increasing sum of time the kernel has spent
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 140) * waiting while the backlog limit is exceeded.
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 141) */
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 142) static atomic_t audit_backlog_wait_time_actual = ATOMIC_INIT(0);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 143)
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 144) /* Hash for inode-based rules */
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 145) struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 146)
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 147) static struct kmem_cache *audit_buffer_cache;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 148)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 149) /* queue msgs to send via kauditd_task */
af8b824f283de (Paul Moore 2016-11-29 16:53:24 -0500 150) static struct sk_buff_head audit_queue;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 151) /* queue msgs due to temporary unicast send problems */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 152) static struct sk_buff_head audit_retry_queue;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 153) /* queue msgs waiting for new auditd connection */
af8b824f283de (Paul Moore 2016-11-29 16:53:24 -0500 154) static struct sk_buff_head audit_hold_queue;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 155)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 156) /* queue servicing thread */
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 157) static struct task_struct *kauditd_task;
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 158) static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 159)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 160) /* waitqueue for callers who are blocked on the audit backlog */
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 161) static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 162)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 163) static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 164) .mask = -1,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 165) .features = 0,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 166) .lock = 0,};
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 167)
21b85c31d23f2 (Eric Paris 2013-05-23 14:26:00 -0400 168) static char *audit_feature_names[2] = {
d040e5af38055 (Eric Paris 2013-05-24 09:18:04 -0400 169) "only_unset_loginuid",
21b85c31d23f2 (Eric Paris 2013-05-23 14:26:00 -0400 170) "loginuid_immutable",
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 171) };
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 172)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 173) /**
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 174) * struct audit_ctl_mutex - serialize requests from userspace
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 175) * @lock: the mutex used for locking
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 176) * @owner: the task which owns the lock
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 177) *
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 178) * Description:
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 179) * This is the lock struct used to ensure we only process userspace requests
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 180) * in an orderly fashion. We can't simply use a mutex/lock here because we
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 181) * need to track lock ownership so we don't end up blocking the lock owner in
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 182) * audit_log_start() or similar.
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 183) */
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 184) static struct audit_ctl_mutex {
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 185) struct mutex lock;
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 186) void *owner;
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 187) } audit_cmd_mutex;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 188)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 189) /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 190) * audit records. Since printk uses a 1024 byte buffer, this buffer
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 191) * should be at least that large. */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 192) #define AUDIT_BUFSIZ 1024
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 193)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 194) /* The audit_buffer is used when formatting an audit record. The caller
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 195) * locks briefly to get the record off the freelist or to allocate the
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 196) * buffer, and locks briefly to send the buffer to the netlink layer or
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 197) * to place it on a transmit queue. Multiple audit_buffers can be in
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 198) * use simultaneously. */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 199) struct audit_buffer {
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 200) struct sk_buff *skb; /* formatted skb ready to send */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 201) struct audit_context *ctx; /* NULL or associated context */
9796fdd829da6 (Al Viro 2005-10-21 03:22:03 -0400 202) gfp_t gfp_mask;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 203) };
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 204)
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 205) struct audit_reply {
f9441639e6319 (Richard Guy Briggs 2013-08-14 11:32:45 -0400 206) __u32 portid;
638a0fd2a0625 (Eric W. Biederman 2014-02-28 10:49:05 -0800 207) struct net *net;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 208) struct sk_buff *skb;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 209) };
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 210)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 211) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 212) * auditd_test_task - Check to see if a given task is an audit daemon
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 213) * @task: the task to check
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 214) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 215) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 216) * Return 1 if the task is a registered audit daemon, 0 otherwise.
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 217) */
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 218) int auditd_test_task(struct task_struct *task)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 219) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 220) int rc;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 221) struct auditd_connection *ac;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 222)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 223) rcu_read_lock();
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 224) ac = rcu_dereference(auditd_conn);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 225) rc = (ac && ac->pid == task_tgid(task) ? 1 : 0);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 226) rcu_read_unlock();
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 227)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 228) return rc;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 229) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 230)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 231) /**
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 232) * audit_ctl_lock - Take the audit control lock
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 233) */
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 234) void audit_ctl_lock(void)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 235) {
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 236) mutex_lock(&audit_cmd_mutex.lock);
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 237) audit_cmd_mutex.owner = current;
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 238) }
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 239)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 240) /**
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 241) * audit_ctl_unlock - Drop the audit control lock
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 242) */
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 243) void audit_ctl_unlock(void)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 244) {
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 245) audit_cmd_mutex.owner = NULL;
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 246) mutex_unlock(&audit_cmd_mutex.lock);
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 247) }
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 248)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 249) /**
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 250) * audit_ctl_owner_current - Test to see if the current task owns the lock
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 251) *
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 252) * Description:
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 253) * Return true if the current task owns the audit control lock, false if it
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 254) * doesn't own the lock.
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 255) */
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 256) static bool audit_ctl_owner_current(void)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 257) {
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 258) return (current == audit_cmd_mutex.owner);
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 259) }
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 260)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 261) /**
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 262) * auditd_pid_vnr - Return the auditd PID relative to the namespace
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 263) *
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 264) * Description:
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 265) * Returns the PID in relation to the namespace, 0 on failure.
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 266) */
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 267) static pid_t auditd_pid_vnr(void)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 268) {
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 269) pid_t pid;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 270) const struct auditd_connection *ac;
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 271)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 272) rcu_read_lock();
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 273) ac = rcu_dereference(auditd_conn);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 274) if (!ac || !ac->pid)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 275) pid = 0;
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 276) else
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 277) pid = pid_vnr(ac->pid);
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 278) rcu_read_unlock();
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 279)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 280) return pid;
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 281) }
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 282)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 283) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 284) * audit_get_sk - Return the audit socket for the given network namespace
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 285) * @net: the destination network namespace
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 286) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 287) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 288) * Returns the sock pointer if valid, NULL otherwise. The caller must ensure
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 289) * that a reference is held for the network namespace while the sock is in use.
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 290) */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 291) static struct sock *audit_get_sk(const struct net *net)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 292) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 293) struct audit_net *aunet;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 294)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 295) if (!net)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 296) return NULL;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 297)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 298) aunet = net_generic(net, audit_net_id);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 299) return aunet->sk;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 300) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 301)
8c8570fb8feef (Dustin Kirkland 2005-11-03 17:15:16 +0000 302) void audit_panic(const char *message)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 303) {
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 304) switch (audit_failure) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 305) case AUDIT_FAIL_SILENT:
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 306) break;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 307) case AUDIT_FAIL_PRINTK:
320f1b1ed28c6 (Eric Paris 2008-01-23 22:55:05 -0500 308) if (printk_ratelimit())
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 309) pr_err("%s\n", message);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 310) break;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 311) case AUDIT_FAIL_PANIC:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 312) panic("audit: %s\n", message);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 313) break;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 314) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 315) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 316)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 317) static inline int audit_rate_check(void)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 318) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 319) static unsigned long last_check = 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 320) static int messages = 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 321) static DEFINE_SPINLOCK(lock);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 322) unsigned long flags;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 323) unsigned long now;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 324) unsigned long elapsed;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 325) int retval = 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 326)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 327) if (!audit_rate_limit) return 1;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 328)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 329) spin_lock_irqsave(&lock, flags);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 330) if (++messages < audit_rate_limit) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 331) retval = 1;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 332) } else {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 333) now = jiffies;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 334) elapsed = now - last_check;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 335) if (elapsed > HZ) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 336) last_check = now;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 337) messages = 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 338) retval = 1;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 339) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 340) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 341) spin_unlock_irqrestore(&lock, flags);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 342)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 343) return retval;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 344) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 345)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 346) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 347) * audit_log_lost - conditionally log lost audit message event
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 348) * @message: the message stating reason for lost audit message
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 349) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 350) * Emit at least 1 message per second, even if audit_rate_check is
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 351) * throttling.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 352) * Always increment the lost messages counter.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 353) */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 354) void audit_log_lost(const char *message)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 355) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 356) static unsigned long last_msg = 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 357) static DEFINE_SPINLOCK(lock);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 358) unsigned long flags;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 359) unsigned long now;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 360) int print;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 361)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 362) atomic_inc(&audit_lost);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 363)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 364) print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 365)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 366) if (!print) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 367) spin_lock_irqsave(&lock, flags);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 368) now = jiffies;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 369) if (now - last_msg > HZ) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 370) print = 1;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 371) last_msg = now;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 372) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 373) spin_unlock_irqrestore(&lock, flags);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 374) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 375)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 376) if (print) {
320f1b1ed28c6 (Eric Paris 2008-01-23 22:55:05 -0500 377) if (printk_ratelimit())
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 378) pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
320f1b1ed28c6 (Eric Paris 2008-01-23 22:55:05 -0500 379) atomic_read(&audit_lost),
320f1b1ed28c6 (Eric Paris 2008-01-23 22:55:05 -0500 380) audit_rate_limit,
320f1b1ed28c6 (Eric Paris 2008-01-23 22:55:05 -0500 381) audit_backlog_limit);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 382) audit_panic(message);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 383) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 384) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 385)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 386) static int audit_log_config_change(char *function_name, u32 new, u32 old,
2532386f480ee (Eric Paris 2008-04-18 10:09:25 -0400 387) int allow_changes)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 388) {
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 389) struct audit_buffer *ab;
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 390) int rc = 0;
ce29b682e228c (Steve Grubb 2006-04-01 18:29:34 -0500 391)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 392) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
0644ec0cc8a33 (Kees Cook 2013-01-11 14:32:07 -0800 393) if (unlikely(!ab))
0644ec0cc8a33 (Kees Cook 2013-01-11 14:32:07 -0800 394) return rc;
53fc7a01df51f (Richard Guy Briggs 2018-12-10 17:17:48 -0500 395) audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old);
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 396) audit_log_session_info(ab);
b122c3767c1d8 (Eric Paris 2013-04-19 15:00:33 -0400 397) rc = audit_log_task_context(ab);
b122c3767c1d8 (Eric Paris 2013-04-19 15:00:33 -0400 398) if (rc)
b122c3767c1d8 (Eric Paris 2013-04-19 15:00:33 -0400 399) allow_changes = 0; /* Something weird, deny request */
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 400) audit_log_format(ab, " res=%d", allow_changes);
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 401) audit_log_end(ab);
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 402) return rc;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 403) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 404)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 405) static int audit_do_config_change(char *function_name, u32 *to_change, u32 new)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 406) {
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 407) int allow_changes, rc = 0;
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 408) u32 old = *to_change;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 409)
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 410) /* check if we are locked */
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 411) if (audit_enabled == AUDIT_LOCKED)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 412) allow_changes = 0;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 413) else
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 414) allow_changes = 1;
ce29b682e228c (Steve Grubb 2006-04-01 18:29:34 -0500 415)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 416) if (audit_enabled != AUDIT_OFF) {
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 417) rc = audit_log_config_change(function_name, new, old, allow_changes);
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 418) if (rc)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 419) allow_changes = 0;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 420) }
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 421)
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 422) /* If we are allowed, make the change */
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 423) if (allow_changes == 1)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 424) *to_change = new;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 425) /* Not allowed, update reason */
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 426) else if (rc == 0)
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 427) rc = -EPERM;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 428) return rc;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 429) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 430)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 431) static int audit_set_rate_limit(u32 limit)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 432) {
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 433) return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 434) }
ce29b682e228c (Steve Grubb 2006-04-01 18:29:34 -0500 435)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 436) static int audit_set_backlog_limit(u32 limit)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 437) {
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 438) return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 439) }
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 440)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 441) static int audit_set_backlog_wait_time(u32 timeout)
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 442) {
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 443) return audit_do_config_change("audit_backlog_wait_time",
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 444) &audit_backlog_wait_time, timeout);
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 445) }
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 446)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 447) static int audit_set_enabled(u32 state)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 448) {
b593d384efcff (Eric Paris 2008-01-08 17:38:31 -0500 449) int rc;
724e7bfcc5663 (Pranith Kumar 2015-03-11 14:08:19 -0400 450) if (state > AUDIT_LOCKED)
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 451) return -EINVAL;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 452)
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 453) rc = audit_do_config_change("audit_enabled", &audit_enabled, state);
b593d384efcff (Eric Paris 2008-01-08 17:38:31 -0500 454) if (!rc)
b593d384efcff (Eric Paris 2008-01-08 17:38:31 -0500 455) audit_ever_enabled |= !!state;
b593d384efcff (Eric Paris 2008-01-08 17:38:31 -0500 456)
b593d384efcff (Eric Paris 2008-01-08 17:38:31 -0500 457) return rc;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 458) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 459)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 460) static int audit_set_failure(u32 state)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 461) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 462) if (state != AUDIT_FAIL_SILENT
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 463) && state != AUDIT_FAIL_PRINTK
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 464) && state != AUDIT_FAIL_PANIC)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 465) return -EINVAL;
ce29b682e228c (Steve Grubb 2006-04-01 18:29:34 -0500 466)
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 467) return audit_do_config_change("audit_failure", &audit_failure, state);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 468) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 469)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 470) /**
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 471) * auditd_conn_free - RCU helper to release an auditd connection struct
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 472) * @rcu: RCU head
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 473) *
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 474) * Description:
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 475) * Drop any references inside the auditd connection tracking struct and free
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 476) * the memory.
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 477) */
447a5647c9e7a (Joe Perches 2018-03-21 15:09:32 -0700 478) static void auditd_conn_free(struct rcu_head *rcu)
447a5647c9e7a (Joe Perches 2018-03-21 15:09:32 -0700 479) {
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 480) struct auditd_connection *ac;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 481)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 482) ac = container_of(rcu, struct auditd_connection, rcu);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 483) put_pid(ac->pid);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 484) put_net(ac->net);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 485) kfree(ac);
447a5647c9e7a (Joe Perches 2018-03-21 15:09:32 -0700 486) }
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 487)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 488) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 489) * auditd_set - Set/Reset the auditd connection state
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 490) * @pid: auditd PID
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 491) * @portid: auditd netlink portid
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 492) * @net: auditd network namespace pointer
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 493) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 494) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 495) * This function will obtain and drop network namespace references as
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 496) * necessary. Returns zero on success, negative values on failure.
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 497) */
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 498) static int auditd_set(struct pid *pid, u32 portid, struct net *net)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 499) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 500) unsigned long flags;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 501) struct auditd_connection *ac_old, *ac_new;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 502)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 503) if (!pid || !net)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 504) return -EINVAL;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 505)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 506) ac_new = kzalloc(sizeof(*ac_new), GFP_KERNEL);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 507) if (!ac_new)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 508) return -ENOMEM;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 509) ac_new->pid = get_pid(pid);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 510) ac_new->portid = portid;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 511) ac_new->net = get_net(net);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 512)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 513) spin_lock_irqsave(&auditd_conn_lock, flags);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 514) ac_old = rcu_dereference_protected(auditd_conn,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 515) lockdep_is_held(&auditd_conn_lock));
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 516) rcu_assign_pointer(auditd_conn, ac_new);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 517) spin_unlock_irqrestore(&auditd_conn_lock, flags);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 518)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 519) if (ac_old)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 520) call_rcu(&ac_old->rcu, auditd_conn_free);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 521)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 522) return 0;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 523) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 524)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 525) /**
cbb5262192d9a (Mauro Carvalho Chehab 2020-10-23 18:33:38 +0200 526) * kauditd_printk_skb - Print the audit record to the ring buffer
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 527) * @skb: audit record
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 528) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 529) * Whatever the reason, this packet may not make it to the auditd connection
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 530) * so write it via printk so the information isn't completely lost.
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 531) */
af8b824f283de (Paul Moore 2016-11-29 16:53:24 -0500 532) static void kauditd_printk_skb(struct sk_buff *skb)
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 533) {
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 534) struct nlmsghdr *nlh = nlmsg_hdr(skb);
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 535) char *data = nlmsg_data(nlh);
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 536)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 537) if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 538) pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 539) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 540)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 541) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 542) * kauditd_rehold_skb - Handle a audit record send failure in the hold queue
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 543) * @skb: audit record
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 544) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 545) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 546) * This should only be used by the kauditd_thread when it fails to flush the
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 547) * hold queue.
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 548) */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 549) static void kauditd_rehold_skb(struct sk_buff *skb)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 550) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 551) /* put the record back in the queue at the same place */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 552) skb_queue_head(&audit_hold_queue, skb);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 553) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 554)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 555) /**
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 556) * kauditd_hold_skb - Queue an audit record, waiting for auditd
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 557) * @skb: audit record
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 558) *
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 559) * Description:
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 560) * Queue the audit record, waiting for an instance of auditd. When this
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 561) * function is called we haven't given up yet on sending the record, but things
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 562) * are not looking good. The first thing we want to do is try to write the
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 563) * record via printk and then see if we want to try and hold on to the record
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 564) * and queue it, if we have room. If we want to hold on to the record, but we
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 565) * don't have room, record a record lost message.
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 566) */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 567) static void kauditd_hold_skb(struct sk_buff *skb)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 568) {
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 569) /* at this point it is uncertain if we will ever send this to auditd so
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 570) * try to send the message via printk before we go any further */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 571) kauditd_printk_skb(skb);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 572)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 573) /* can we just silently drop the message? */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 574) if (!audit_default) {
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 575) kfree_skb(skb);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 576) return;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 577) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 578)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 579) /* if we have room, queue the message */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 580) if (!audit_backlog_limit ||
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 581) skb_queue_len(&audit_hold_queue) < audit_backlog_limit) {
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 582) skb_queue_tail(&audit_hold_queue, skb);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 583) return;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 584) }
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 585)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 586) /* we have no other options - drop the message */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 587) audit_log_lost("kauditd hold queue overflow");
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 588) kfree_skb(skb);
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 589) }
038cbcf65fd6a (Eric Paris 2009-06-11 14:31:35 -0400 590)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 591) /**
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 592) * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 593) * @skb: audit record
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 594) *
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 595) * Description:
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 596) * Not as serious as kauditd_hold_skb() as we still have a connected auditd,
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 597) * but for some reason we are having problems sending it audit records so
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 598) * queue the given record and attempt to resend.
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 599) */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 600) static void kauditd_retry_skb(struct sk_buff *skb)
f3d357b092956 (Eric Paris 2008-04-18 10:02:28 -0400 601) {
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 602) /* NOTE: because records should only live in the retry queue for a
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 603) * short period of time, before either being sent or moved to the hold
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 604) * queue, we don't currently enforce a limit on this queue */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 605) skb_queue_tail(&audit_retry_queue, skb);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 606) }
32a1dbaece7e3 (Richard Guy Briggs 2015-11-04 08:23:50 -0500 607)
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 608) /**
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 609) * auditd_reset - Disconnect the auditd connection
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 610) * @ac: auditd connection state
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 611) *
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 612) * Description:
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 613) * Break the auditd/kauditd connection and move all the queued records into the
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 614) * hold queue in case auditd reconnects. It is important to note that the @ac
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 615) * pointer should never be dereferenced inside this function as it may be NULL
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 616) * or invalid, you can only compare the memory address! If @ac is NULL then
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 617) * the connection will always be reset.
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 618) */
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 619) static void auditd_reset(const struct auditd_connection *ac)
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 620) {
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 621) unsigned long flags;
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 622) struct sk_buff *skb;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 623) struct auditd_connection *ac_old;
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 624)
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 625) /* if it isn't already broken, break the connection */
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 626) spin_lock_irqsave(&auditd_conn_lock, flags);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 627) ac_old = rcu_dereference_protected(auditd_conn,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 628) lockdep_is_held(&auditd_conn_lock));
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 629) if (ac && ac != ac_old) {
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 630) /* someone already registered a new auditd connection */
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 631) spin_unlock_irqrestore(&auditd_conn_lock, flags);
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 632) return;
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 633) }
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 634) rcu_assign_pointer(auditd_conn, NULL);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 635) spin_unlock_irqrestore(&auditd_conn_lock, flags);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 636)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 637) if (ac_old)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 638) call_rcu(&ac_old->rcu, auditd_conn_free);
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 639)
cd33f5f2cbfaa (Paul Moore 2017-06-12 11:53:09 -0400 640) /* flush the retry queue to the hold queue, but don't touch the main
cd33f5f2cbfaa (Paul Moore 2017-06-12 11:53:09 -0400 641) * queue since we need to process that normally for multicast */
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 642) while ((skb = skb_dequeue(&audit_retry_queue)))
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 643) kauditd_hold_skb(skb);
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 644) }
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 645)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 646) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 647) * auditd_send_unicast_skb - Send a record via unicast to auditd
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 648) * @skb: audit record
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 649) *
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 650) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 651) * Send a skb to the audit daemon, returns positive/zero values on success and
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 652) * negative values on failure; in all cases the skb will be consumed by this
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 653) * function. If the send results in -ECONNREFUSED the connection with auditd
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 654) * will be reset. This function may sleep so callers should not hold any locks
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 655) * where this would cause a problem.
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 656) */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 657) static int auditd_send_unicast_skb(struct sk_buff *skb)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 658) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 659) int rc;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 660) u32 portid;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 661) struct net *net;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 662) struct sock *sk;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 663) struct auditd_connection *ac;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 664)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 665) /* NOTE: we can't call netlink_unicast while in the RCU section so
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 666) * take a reference to the network namespace and grab local
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 667) * copies of the namespace, the sock, and the portid; the
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 668) * namespace and sock aren't going to go away while we hold a
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 669) * reference and if the portid does become invalid after the RCU
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 670) * section netlink_unicast() should safely return an error */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 671)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 672) rcu_read_lock();
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 673) ac = rcu_dereference(auditd_conn);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 674) if (!ac) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 675) rcu_read_unlock();
b0659ae5e3007 (Shu Wang 2017-07-18 14:37:24 +0800 676) kfree_skb(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 677) rc = -ECONNREFUSED;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 678) goto err;
533c7b69c764a (Richard Guy Briggs 2016-12-13 10:03:01 -0500 679) }
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 680) net = get_net(ac->net);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 681) sk = audit_get_sk(net);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 682) portid = ac->portid;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 683) rcu_read_unlock();
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 684)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 685) rc = netlink_unicast(sk, skb, portid, 0);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 686) put_net(net);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 687) if (rc < 0)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 688) goto err;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 689)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 690) return rc;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 691)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 692) err:
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 693) if (ac && rc == -ECONNREFUSED)
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 694) auditd_reset(ac);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 695) return rc;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 696) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 697)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 698) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 699) * kauditd_send_queue - Helper for kauditd_thread to flush skb queues
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 700) * @sk: the sending sock
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 701) * @portid: the netlink destination
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 702) * @queue: the skb queue to process
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 703) * @retry_limit: limit on number of netlink unicast failures
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 704) * @skb_hook: per-skb hook for additional processing
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 705) * @err_hook: hook called if the skb fails the netlink unicast send
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 706) *
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 707) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 708) * Run through the given queue and attempt to send the audit records to auditd,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 709) * returns zero on success, negative values on failure. It is up to the caller
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 710) * to ensure that the @sk is valid for the duration of this function.
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 711) *
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 712) */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 713) static int kauditd_send_queue(struct sock *sk, u32 portid,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 714) struct sk_buff_head *queue,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 715) unsigned int retry_limit,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 716) void (*skb_hook)(struct sk_buff *skb),
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 717) void (*err_hook)(struct sk_buff *skb))
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 718) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 719) int rc = 0;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 720) struct sk_buff *skb;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 721) static unsigned int failed = 0;
32a1dbaece7e3 (Richard Guy Briggs 2015-11-04 08:23:50 -0500 722)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 723) /* NOTE: kauditd_thread takes care of all our locking, we just use
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 724) * the netlink info passed to us (e.g. sk and portid) */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 725)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 726) while ((skb = skb_dequeue(queue))) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 727) /* call the skb_hook for each skb we touch */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 728) if (skb_hook)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 729) (*skb_hook)(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 730)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 731) /* can we send to anyone via unicast? */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 732) if (!sk) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 733) if (err_hook)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 734) (*err_hook)(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 735) continue;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 736) }
6c54e7899693d (Paul Moore 2016-11-29 16:53:26 -0500 737)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 738) /* grab an extra skb reference in case of error */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 739) skb_get(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 740) rc = netlink_unicast(sk, skb, portid, 0);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 741) if (rc < 0) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 742) /* fatal failure for our queue flush attempt? */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 743) if (++failed >= retry_limit ||
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 744) rc == -ECONNREFUSED || rc == -EPERM) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 745) /* yes - error processing for the queue */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 746) sk = NULL;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 747) if (err_hook)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 748) (*err_hook)(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 749) if (!skb_hook)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 750) goto out;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 751) /* keep processing with the skb_hook */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 752) continue;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 753) } else
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 754) /* no - requeue to preserve ordering */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 755) skb_queue_head(queue, skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 756) } else {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 757) /* it worked - drop the extra reference and continue */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 758) consume_skb(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 759) failed = 0;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 760) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 761) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 762)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 763) out:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 764) return (rc >= 0 ? 0 : rc);
f3d357b092956 (Eric Paris 2008-04-18 10:02:28 -0400 765) }
f3d357b092956 (Eric Paris 2008-04-18 10:02:28 -0400 766)
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 767) /*
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 768) * kauditd_send_multicast_skb - Send a record to any multicast listeners
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 769) * @skb: audit record
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 770) *
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 771) * Description:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 772) * Write a multicast message to anyone listening in the initial network
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 773) * namespace. This function doesn't consume an skb as might be expected since
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 774) * it has to copy it anyways.
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 775) */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 776) static void kauditd_send_multicast_skb(struct sk_buff *skb)
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 777) {
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 778) struct sk_buff *copy;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 779) struct sock *sock = audit_get_sk(&init_net);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 780) struct nlmsghdr *nlh;
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 781)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 782) /* NOTE: we are not taking an additional reference for init_net since
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 783) * we don't have to worry about it going away */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 784)
7f74ecd788a8b (Richard Guy Briggs 2014-04-22 21:31:58 -0400 785) if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG))
7f74ecd788a8b (Richard Guy Briggs 2014-04-22 21:31:58 -0400 786) return;
7f74ecd788a8b (Richard Guy Briggs 2014-04-22 21:31:58 -0400 787)
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 788) /*
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 789) * The seemingly wasteful skb_copy() rather than bumping the refcount
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 790) * using skb_get() is necessary because non-standard mods are made to
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 791) * the skb by the original kaudit unicast socket send routine. The
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 792) * existing auditd daemon assumes this breakage. Fixing this would
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 793) * require co-ordinating a change in the established protocol between
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 794) * the kaudit kernel subsystem and the auditd userspace code. There is
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 795) * no reason for new multicast clients to continue with this
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 796) * non-compliance.
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 797) */
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 798) copy = skb_copy(skb, GFP_KERNEL);
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 799) if (!copy)
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 800) return;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 801) nlh = nlmsg_hdr(copy);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 802) nlh->nlmsg_len = skb->len;
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 803)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 804) nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 805) }
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 806)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 807) /**
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 808) * kauditd_thread - Worker thread to send audit records to userspace
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 809) * @dummy: unused
b551d1d98197b (Richard Guy Briggs 2013-01-24 13:15:10 -0500 810) */
97a41e2612433 (Adrian Bunk 2006-01-08 01:02:17 -0800 811) static int kauditd_thread(void *dummy)
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 812) {
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 813) int rc;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 814) u32 portid = 0;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 815) struct net *net = NULL;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 816) struct sock *sk = NULL;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 817) struct auditd_connection *ac;
4aa83872d3468 (Paul Moore 2016-11-29 16:53:24 -0500 818)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 819) #define UNICAST_RETRIES 5
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 820)
831441862956f (Rafael J. Wysocki 2007-07-17 04:03:35 -0700 821) set_freezable();
4899b8b16b302 (Andrew Morton 2006-10-06 00:43:48 -0700 822) while (!kthread_should_stop()) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 823) /* NOTE: see the lock comments in auditd_send_unicast_skb() */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 824) rcu_read_lock();
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 825) ac = rcu_dereference(auditd_conn);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 826) if (!ac) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 827) rcu_read_unlock();
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 828) goto main_queue;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 829) }
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 830) net = get_net(ac->net);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 831) sk = audit_get_sk(net);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 832) portid = ac->portid;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 833) rcu_read_unlock();
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 834)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 835) /* attempt to flush the hold queue */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 836) rc = kauditd_send_queue(sk, portid,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 837) &audit_hold_queue, UNICAST_RETRIES,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 838) NULL, kauditd_rehold_skb);
c34c78dfc1fc6 (Yunfeng Ye 2019-10-23 21:27:34 +0800 839) if (rc < 0) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 840) sk = NULL;
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 841) auditd_reset(ac);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 842) goto main_queue;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 843) }
f3d357b092956 (Eric Paris 2008-04-18 10:02:28 -0400 844)
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 845) /* attempt to flush the retry queue */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 846) rc = kauditd_send_queue(sk, portid,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 847) &audit_retry_queue, UNICAST_RETRIES,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 848) NULL, kauditd_hold_skb);
c34c78dfc1fc6 (Yunfeng Ye 2019-10-23 21:27:34 +0800 849) if (rc < 0) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 850) sk = NULL;
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 851) auditd_reset(ac);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 852) goto main_queue;
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 853) }
db897319401e1 (Dan Duval 2013-09-16 11:11:12 -0400 854)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 855) main_queue:
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 856) /* process the main queue - do the multicast send and attempt
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 857) * unicast, dump failed record sends to the retry queue; if
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 858) * sk == NULL due to previous failures we will just do the
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 859) * multicast send and move the record to the hold queue */
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 860) rc = kauditd_send_queue(sk, portid, &audit_queue, 1,
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 861) kauditd_send_multicast_skb,
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 862) (sk ?
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 863) kauditd_retry_skb : kauditd_hold_skb));
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 864) if (ac && rc < 0)
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 865) auditd_reset(ac);
264d509637d95 (Paul Moore 2017-04-10 11:16:59 -0400 866) sk = NULL;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 867)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 868) /* drop our netns reference, no auditd sends past this line */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 869) if (net) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 870) put_net(net);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 871) net = NULL;
3320c5133dd83 (Richard Guy Briggs 2013-01-24 13:15:11 -0500 872) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 873)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 874) /* we have processed all the queues so wake everyone */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 875) wake_up(&audit_backlog_wait);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 876)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 877) /* NOTE: we want to wake up if there is anything on the queue,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 878) * regardless of if an auditd is connected, as we need to
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 879) * do the multicast send and rotate records from the
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 880) * main queue to the retry/hold queues */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 881) wait_event_freezable(kauditd_wait,
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 882) (skb_queue_len(&audit_queue) ? 1 : 0));
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 883) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 884)
4899b8b16b302 (Andrew Morton 2006-10-06 00:43:48 -0700 885) return 0;
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 886) }
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 887)
3054d06719079 (Paul Moore 2020-04-21 09:10:56 -0400 888) int audit_send_list_thread(void *_dest)
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 889) {
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 890) struct audit_netlink_list *dest = _dest;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 891) struct sk_buff *skb;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 892) struct sock *sk = audit_get_sk(dest->net);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 893)
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 894) /* wait for parent to finish and send an ACK */
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 895) audit_ctl_lock();
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 896) audit_ctl_unlock();
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 897)
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 898) while ((skb = __skb_dequeue(&dest->q)) != NULL)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 899) netlink_unicast(sk, skb, dest->portid, 0);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 900)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 901) put_net(dest->net);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 902) kfree(dest);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 903)
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 904) return 0;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 905) }
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 906)
45a0642b4d021 (Paul Moore 2017-05-02 10:16:05 -0400 907) struct sk_buff *audit_make_reply(int seq, int type, int done,
b8800aa5d9c7e (Stephen Hemminger 2010-10-20 17:23:50 -0700 908) int multi, const void *payload, int size)
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 909) {
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 910) struct sk_buff *skb;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 911) struct nlmsghdr *nlh;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 912) void *data;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 913) int flags = multi ? NLM_F_MULTI : 0;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 914) int t = done ? NLMSG_DONE : type;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 915)
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 916) skb = nlmsg_new(size, GFP_KERNEL);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 917) if (!skb)
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 918) return NULL;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 919)
45a0642b4d021 (Paul Moore 2017-05-02 10:16:05 -0400 920) nlh = nlmsg_put(skb, 0, seq, t, size, flags);
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 921) if (!nlh)
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 922) goto out_kfree_skb;
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 923) data = nlmsg_data(nlh);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 924) memcpy(data, payload, size);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 925) return skb;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 926)
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 927) out_kfree_skb:
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 928) kfree_skb(skb);
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 929) return NULL;
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 930) }
9044e6bca5a4a (Al Viro 2006-05-22 01:09:24 -0400 931)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 932) static void audit_free_reply(struct audit_reply *reply)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 933) {
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 934) if (!reply)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 935) return;
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 936)
c07203516439b (Xu Wang 2020-08-26 04:00:22 +0000 937) kfree_skb(reply->skb);
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 938) if (reply->net)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 939) put_net(reply->net);
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 940) kfree(reply);
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 941) }
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 942)
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 943) static int audit_send_reply_thread(void *arg)
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 944) {
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 945) struct audit_reply *reply = (struct audit_reply *)arg;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 946)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 947) audit_ctl_lock();
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 948) audit_ctl_unlock();
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 949)
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 950) /* Ignore failure. It'll only happen if the sender goes away,
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 951) because our timeout is set to infinite. */
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 952) netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0);
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 953) reply->skb = NULL;
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 954) audit_free_reply(reply);
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 955) return 0;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 956) }
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 957)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 958) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 959) * audit_send_reply - send an audit reply message via netlink
d211f177b28ec (Eric W. Biederman 2014-03-08 15:31:54 -0800 960) * @request_skb: skb of request we are replying to (used to target the reply)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 961) * @seq: sequence number
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 962) * @type: audit message type
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 963) * @done: done (last) flag
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 964) * @multi: multi-part message flag
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 965) * @payload: payload data
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 966) * @size: payload size
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 967) *
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 968) * Allocates a skb, builds the netlink message, and sends it to the port id.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 969) */
6f285b19d09f7 (Eric W. Biederman 2014-02-28 19:44:55 -0800 970) static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
f9441639e6319 (Richard Guy Briggs 2013-08-14 11:32:45 -0400 971) int multi, const void *payload, int size)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 972) {
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 973) struct task_struct *tsk;
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 974) struct audit_reply *reply;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 975)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 976) reply = kzalloc(sizeof(*reply), GFP_KERNEL);
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 977) if (!reply)
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 978) return;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 979)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 980) reply->skb = audit_make_reply(seq, type, done, multi, payload, size);
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 981) if (!reply->skb)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 982) goto err;
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 983) reply->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
45a0642b4d021 (Paul Moore 2017-05-02 10:16:05 -0400 984) reply->portid = NETLINK_CB(request_skb).portid;
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 985)
f09ac9db2aafe (Eric Paris 2008-04-18 10:11:04 -0400 986) tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 987) if (IS_ERR(tsk))
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 988) goto err;
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 989)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 990) return;
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 991)
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 992) err:
a48b284b403a4 (Paul Moore 2020-04-20 10:09:29 -0400 993) audit_free_reply(reply);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 994) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 995)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 996) /*
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 997) * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 998) * control messages.
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 999) */
c7bdb545d2302 (Darrel Goeddel 2006-06-27 13:26:11 -0700 1000) static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1001) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1002) int err = 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1003)
5a3cb3b6c3a07 (Richard Guy Briggs 2013-08-16 00:04:46 -0400 1004) /* Only support initial user namespace for now. */
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1005) /*
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1006) * We return ECONNREFUSED because it tricks userspace into thinking
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1007) * that audit was not configured into the kernel. Lots of users
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1008) * configure their PAM stack (because that's what the distro does)
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1009) * to reject login if unable to send messages to audit. If we return
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1010) * ECONNREFUSED the PAM stack thinks the kernel does not have audit
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1011) * configured in and will let login proceed. If we return EPERM
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1012) * userspace will reject all logins. This should be removed when we
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1013) * support non init namespaces!!
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1014) */
0b747172dce6e (Linus Torvalds 2014-04-12 12:38:53 -0700 1015) if (current_user_ns() != &init_user_ns)
aa4af831bb4f3 (Eric Paris 2014-03-30 19:07:54 -0400 1016) return -ECONNREFUSED;
34e36d8ecbd95 (Eric W. Biederman 2012-09-10 23:20:20 -0700 1017)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1018) switch (msg_type) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1019) case AUDIT_LIST:
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1020) case AUDIT_ADD:
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1021) case AUDIT_DEL:
1890090916375 (Eric Paris 2013-04-18 19:16:36 -0400 1022) return -EOPNOTSUPP;
1890090916375 (Eric Paris 2013-04-18 19:16:36 -0400 1023) case AUDIT_GET:
1890090916375 (Eric Paris 2013-04-18 19:16:36 -0400 1024) case AUDIT_SET:
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1025) case AUDIT_GET_FEATURE:
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1026) case AUDIT_SET_FEATURE:
1890090916375 (Eric Paris 2013-04-18 19:16:36 -0400 1027) case AUDIT_LIST_RULES:
1890090916375 (Eric Paris 2013-04-18 19:16:36 -0400 1028) case AUDIT_ADD_RULE:
93315ed6dd12d (Amy Griffis 2006-02-07 12:05:27 -0500 1029) case AUDIT_DEL_RULE:
c2f0c7c356dc9 (Steve Grubb 2005-05-06 12:38:39 +0100 1030) case AUDIT_SIGNAL_INFO:
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1031) case AUDIT_TTY_GET:
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1032) case AUDIT_TTY_SET:
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1033) case AUDIT_TRIM:
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1034) case AUDIT_MAKE_EQUIV:
5a3cb3b6c3a07 (Richard Guy Briggs 2013-08-16 00:04:46 -0400 1035) /* Only support auditd and auditctl in initial pid namespace
5a3cb3b6c3a07 (Richard Guy Briggs 2013-08-16 00:04:46 -0400 1036) * for now. */
5985de6754a6f (Ameen Ali 2015-02-23 15:38:00 -0500 1037) if (task_active_pid_ns(current) != &init_pid_ns)
5a3cb3b6c3a07 (Richard Guy Briggs 2013-08-16 00:04:46 -0400 1038) return -EPERM;
5a3cb3b6c3a07 (Richard Guy Briggs 2013-08-16 00:04:46 -0400 1039)
90f62cf30a787 (Eric W. Biederman 2014-04-23 14:29:27 -0700 1040) if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1041) err = -EPERM;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1042) break;
05474106a41f4 (Steve Grubb 2005-05-21 00:18:37 +0100 1043) case AUDIT_USER:
039b6b3ed84e4 (Robert P. J. Day 2007-05-08 00:29:20 -0700 1044) case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
039b6b3ed84e4 (Robert P. J. Day 2007-05-08 00:29:20 -0700 1045) case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
90f62cf30a787 (Eric W. Biederman 2014-04-23 14:29:27 -0700 1046) if (!netlink_capable(skb, CAP_AUDIT_WRITE))
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1047) err = -EPERM;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1048) break;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1049) default: /* bad msg */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1050) err = -EINVAL;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1051) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1052)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1053) return err;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1054) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1055)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1056) static void audit_log_common_recv_msg(struct audit_context *context,
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1057) struct audit_buffer **ab, u16 msg_type)
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1058) {
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 1059) uid_t uid = from_kuid(&init_user_ns, current_uid());
f1dc4867ff41b (Richard Guy Briggs 2013-12-11 13:52:26 -0500 1060) pid_t pid = task_tgid_nr(current);
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1061)
0868a5e150bc4 (Tyler Hicks 2013-07-25 18:02:55 -0700 1062) if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1063) *ab = NULL;
233a68667cf4c (Paul Moore 2015-11-04 08:23:52 -0500 1064) return;
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1065) }
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1066)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1067) *ab = audit_log_start(context, GFP_KERNEL, msg_type);
0644ec0cc8a33 (Kees Cook 2013-01-11 14:32:07 -0800 1068) if (unlikely(!*ab))
233a68667cf4c (Paul Moore 2015-11-04 08:23:52 -0500 1069) return;
a2c97da11cdb9 (Richard Guy Briggs 2018-11-16 16:30:10 -0500 1070) audit_log_format(*ab, "pid=%d uid=%u ", pid, uid);
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 1071) audit_log_session_info(*ab);
b122c3767c1d8 (Eric Paris 2013-04-19 15:00:33 -0400 1072) audit_log_task_context(*ab);
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1073) }
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1074)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1075) static inline void audit_log_user_recv_msg(struct audit_buffer **ab,
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1076) u16 msg_type)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1077) {
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1078) audit_log_common_recv_msg(NULL, ab, msg_type);
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1079) }
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1080)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1081) int is_audit_feature_set(int i)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1082) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1083) return af.features & AUDIT_FEATURE_TO_MASK(i);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1084) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1085)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1086)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1087) static int audit_get_feature(struct sk_buff *skb)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1088) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1089) u32 seq;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1090)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1091) seq = nlmsg_hdr(skb)->nlmsg_seq;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1092)
9ef91514774a1 (Richard Guy Briggs 2014-08-24 20:37:52 -0400 1093) audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1094)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1095) return 0;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1096) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1097)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1098) static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1099) u32 old_lock, u32 new_lock, int res)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1100) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1101) struct audit_buffer *ab;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1102)
b6c50fe0be5b3 (Gao feng 2013-11-01 19:34:43 +0800 1103) if (audit_enabled == AUDIT_OFF)
b6c50fe0be5b3 (Gao feng 2013-11-01 19:34:43 +0800 1104) return;
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 1105)
cdfb6b341f0f2 (Richard Guy Briggs 2018-05-12 21:58:20 -0400 1106) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE);
23138ead27004 (Richard Guy Briggs 2018-02-21 04:30:07 -0500 1107) if (!ab)
23138ead27004 (Richard Guy Briggs 2018-02-21 04:30:07 -0500 1108) return;
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 1109) audit_log_task_info(ab);
897f1acbb6702 (Richard Guy Briggs 2014-10-30 11:22:53 -0400 1110) audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1111) audit_feature_names[which], !!old_feature, !!new_feature,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1112) !!old_lock, !!new_lock, res);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1113) audit_log_end(ab);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1114) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1115)
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1116) static int audit_set_feature(struct audit_features *uaf)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1117) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1118) int i;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1119)
6eed9b2613349 (Fabian Frederick 2014-06-03 22:05:10 +0200 1120) BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1121)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1122) /* if there is ever a version 2 we should handle that here */
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1123)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1124) for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1125) u32 feature = AUDIT_FEATURE_TO_MASK(i);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1126) u32 old_feature, new_feature, old_lock, new_lock;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1127)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1128) /* if we are not changing this feature, move along */
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1129) if (!(feature & uaf->mask))
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1130) continue;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1131)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1132) old_feature = af.features & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1133) new_feature = uaf->features & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1134) new_lock = (uaf->lock | af.lock) & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1135) old_lock = af.lock & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1136)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1137) /* are we changing a locked feature? */
4547b3bc43c64 (Gao feng 2013-11-01 19:34:44 +0800 1138) if (old_lock && (new_feature != old_feature)) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1139) audit_log_feature_change(i, old_feature, new_feature,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1140) old_lock, new_lock, 0);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1141) return -EPERM;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1142) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1143) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1144) /* nothing invalid, do the changes */
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1145) for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1146) u32 feature = AUDIT_FEATURE_TO_MASK(i);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1147) u32 old_feature, new_feature, old_lock, new_lock;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1148)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1149) /* if we are not changing this feature, move along */
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1150) if (!(feature & uaf->mask))
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1151) continue;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1152)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1153) old_feature = af.features & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1154) new_feature = uaf->features & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1155) old_lock = af.lock & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1156) new_lock = (uaf->lock | af.lock) & feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1157)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1158) if (new_feature != old_feature)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1159) audit_log_feature_change(i, old_feature, new_feature,
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1160) old_lock, new_lock, 1);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1161)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1162) if (new_feature)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1163) af.features |= feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1164) else
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1165) af.features &= ~feature;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1166) af.lock |= new_lock;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1167) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1168)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1169) return 0;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1170) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1171)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1172) static int audit_replace(struct pid *pid)
133e1e5acd4a6 (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1173) {
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1174) pid_t pvnr;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1175) struct sk_buff *skb;
133e1e5acd4a6 (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1176)
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1177) pvnr = pid_vnr(pid);
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1178) skb = audit_make_reply(0, AUDIT_REPLACE, 0, 0, &pvnr, sizeof(pvnr));
133e1e5acd4a6 (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1179) if (!skb)
133e1e5acd4a6 (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1180) return -ENOMEM;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1181) return auditd_send_unicast_skb(skb);
133e1e5acd4a6 (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1182) }
133e1e5acd4a6 (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1183)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1184) static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1185) {
dc9eb698f4418 (Eric Paris 2013-04-19 13:23:09 -0400 1186) u32 seq;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1187) void *data;
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1188) int data_len;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1189) int err;
c04049939f88b (Steve Grubb 2005-05-13 18:17:42 +0100 1190) struct audit_buffer *ab;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1191) u16 msg_type = nlh->nlmsg_type;
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1192) struct audit_sig_info *sig_data;
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1193) char *ctx = NULL;
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1194) u32 len;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1195)
c7bdb545d2302 (Darrel Goeddel 2006-06-27 13:26:11 -0700 1196) err = audit_netlink_ok(skb, msg_type);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1197) if (err)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1198) return err;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1199)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1200) seq = nlh->nlmsg_seq;
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 1201) data = nlmsg_data(nlh);
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1202) data_len = nlmsg_len(nlh);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1203)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1204) switch (msg_type) {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1205) case AUDIT_GET: {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1206) struct audit_status s;
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1207) memset(&s, 0, sizeof(s));
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1208) s.enabled = audit_enabled;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1209) s.failure = audit_failure;
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1210) /* NOTE: use pid_vnr() so the PID is relative to the current
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1211) * namespace */
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1212) s.pid = auditd_pid_vnr();
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1213) s.rate_limit = audit_rate_limit;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1214) s.backlog_limit = audit_backlog_limit;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1215) s.lost = atomic_read(&audit_lost);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1216) s.backlog = skb_queue_len(&audit_queue);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1217) s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1218) s.backlog_wait_time = audit_backlog_wait_time;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1219) s.backlog_wait_time_actual = atomic_read(&audit_backlog_wait_time_actual);
6f285b19d09f7 (Eric W. Biederman 2014-02-28 19:44:55 -0800 1220) audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1221) break;
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1222) }
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1223) case AUDIT_SET: {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1224) struct audit_status s;
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1225) memset(&s, 0, sizeof(s));
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1226) /* guard against past and future API changes */
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1227) memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1228) if (s.mask & AUDIT_STATUS_ENABLED) {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1229) err = audit_set_enabled(s.enabled);
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1230) if (err < 0)
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1231) return err;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1232) }
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1233) if (s.mask & AUDIT_STATUS_FAILURE) {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1234) err = audit_set_failure(s.failure);
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1235) if (err < 0)
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1236) return err;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1237) }
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1238) if (s.mask & AUDIT_STATUS_PID) {
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1239) /* NOTE: we are using the vnr PID functions below
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1240) * because the s.pid value is relative to the
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1241) * namespace of the caller; at present this
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1242) * doesn't matter much since you can really only
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1243) * run auditd from the initial pid namespace, but
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1244) * something to keep in mind if this changes */
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1245) pid_t new_pid = s.pid;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1246) pid_t auditd_pid;
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1247) struct pid *req_pid = task_tgid(current);
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1248)
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1249) /* Sanity check - PID values must match. Setting
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1250) * pid to 0 is how auditd ends auditing. */
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1251) if (new_pid && (new_pid != pid_vnr(req_pid)))
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1252) return -EINVAL;
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 1253)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1254) /* test the auditd connection */
b6c7c115c2ce6 (Paul Moore 2017-05-02 10:16:05 -0400 1255) audit_replace(req_pid);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1256)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1257) auditd_pid = auditd_pid_vnr();
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1258) if (auditd_pid) {
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1259) /* replacing a healthy auditd is not allowed */
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1260) if (new_pid) {
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1261) audit_log_config_change("audit_pid",
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1262) new_pid, auditd_pid, 0);
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1263) return -EEXIST;
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1264) }
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1265) /* only current auditd can unregister itself */
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1266) if (pid_vnr(req_pid) != auditd_pid) {
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1267) audit_log_config_change("audit_pid",
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1268) new_pid, auditd_pid, 0);
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1269) return -EACCES;
33e8a90780442 (Steve Grubb 2017-10-17 18:29:22 -0400 1270) }
935c9e7ff06ab (Richard Guy Briggs 2016-01-25 18:04:15 -0500 1271) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1272)
533c7b69c764a (Richard Guy Briggs 2016-12-13 10:03:01 -0500 1273) if (new_pid) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1274) /* register a new auditd connection */
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1275) err = auditd_set(req_pid,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1276) NETLINK_CB(skb).portid,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1277) sock_net(NETLINK_CB(skb).sk));
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1278) if (audit_enabled != AUDIT_OFF)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1279) audit_log_config_change("audit_pid",
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1280) new_pid,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1281) auditd_pid,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1282) err ? 0 : 1);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1283) if (err)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1284) return err;
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1285)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1286) /* try to process any backlog */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1287) wake_up_interruptible(&kauditd_wait);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1288) } else {
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1289) if (audit_enabled != AUDIT_OFF)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1290) audit_log_config_change("audit_pid",
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1291) new_pid,
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1292) auditd_pid, 1);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1293)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1294) /* unregister the auditd connection */
c81be52a3ac02 (Paul Moore 2017-06-12 09:35:24 -0400 1295) auditd_reset(NULL);
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1296) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1297) }
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1298) if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1299) err = audit_set_rate_limit(s.rate_limit);
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1300) if (err < 0)
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1301) return err;
20c6aaa39ab73 (zhangxiliang 2008-07-31 10:11:19 +0800 1302) }
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 1303) if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1304) err = audit_set_backlog_limit(s.backlog_limit);
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 1305) if (err < 0)
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 1306) return err;
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 1307) }
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1308) if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1309) if (sizeof(s) > (size_t)nlh->nlmsg_len)
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1310) return -EINVAL;
724e7bfcc5663 (Pranith Kumar 2015-03-11 14:08:19 -0400 1311) if (s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1312) return -EINVAL;
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1313) err = audit_set_backlog_wait_time(s.backlog_wait_time);
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1314) if (err < 0)
3f0c5fad89c2c (Eric Paris 2014-01-13 16:49:28 -0500 1315) return err;
51cc83f024ee5 (Richard Guy Briggs 2013-09-18 11:55:12 -0400 1316) }
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 1317) if (s.mask == AUDIT_STATUS_LOST) {
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 1318) u32 lost = atomic_xchg(&audit_lost, 0);
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 1319)
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 1320) audit_log_config_change("lost", 0, lost, 1);
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 1321) return lost;
92c82e8a322b3 (Richard Guy Briggs 2017-01-13 03:26:29 -0500 1322) }
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1323) if (s.mask == AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL) {
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1324) u32 actual = atomic_xchg(&audit_backlog_wait_time_actual, 0);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1325)
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1326) audit_log_config_change("backlog_wait_time_actual", 0, actual, 1);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1327) return actual;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1328) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1329) break;
09f883a9023e7 (Richard Guy Briggs 2013-09-18 09:32:24 -0400 1330) }
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1331) case AUDIT_GET_FEATURE:
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1332) err = audit_get_feature(skb);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1333) if (err)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1334) return err;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1335) break;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1336) case AUDIT_SET_FEATURE:
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1337) if (data_len < sizeof(struct audit_features))
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1338) return -EINVAL;
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1339) err = audit_set_feature(data);
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1340) if (err)
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1341) return err;
b0fed40214ce7 (Eric Paris 2013-05-22 12:54:49 -0400 1342) break;
05474106a41f4 (Steve Grubb 2005-05-21 00:18:37 +0100 1343) case AUDIT_USER:
039b6b3ed84e4 (Robert P. J. Day 2007-05-08 00:29:20 -0700 1344) case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
039b6b3ed84e4 (Robert P. J. Day 2007-05-08 00:29:20 -0700 1345) case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
4a4cd633b5756 (David Woodhouse 2005-06-22 14:56:47 +0100 1346) if (!audit_enabled && msg_type != AUDIT_USER_AVC)
4a4cd633b5756 (David Woodhouse 2005-06-22 14:56:47 +0100 1347) return 0;
763dafc520add (Paul Moore 2020-04-20 16:24:34 -0400 1348) /* exit early if there isn't at least one character to print */
763dafc520add (Paul Moore 2020-04-20 16:24:34 -0400 1349) if (data_len < 2)
763dafc520add (Paul Moore 2020-04-20 16:24:34 -0400 1350) return -EINVAL;
4a4cd633b5756 (David Woodhouse 2005-06-22 14:56:47 +0100 1351)
86b2efbe3a390 (Richard Guy Briggs 2016-06-24 16:35:46 -0400 1352) err = audit_filter(msg_type, AUDIT_FILTER_USER);
724e4fcc8d80c (Richard Guy Briggs 2013-11-25 21:57:51 -0500 1353) if (err == 1) { /* match or error */
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1354) char *str = data;
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1355)
4a4cd633b5756 (David Woodhouse 2005-06-22 14:56:47 +0100 1356) err = 0;
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1357) if (msg_type == AUDIT_USER_TTY) {
37282a77954aa (Peter Hurley 2016-01-09 22:55:31 -0800 1358) err = tty_audit_push();
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1359) if (err)
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1360) break;
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1361) }
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1362) audit_log_user_recv_msg(&ab, msg_type);
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1363) if (msg_type != AUDIT_USER_TTY) {
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1364) /* ensure NULL termination */
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1365) str[data_len - 1] = '\0';
b50eba7e2d534 (Richard Guy Briggs 2013-09-16 18:20:42 -0400 1366) audit_log_format(ab, " msg='%.*s'",
b50eba7e2d534 (Richard Guy Briggs 2013-09-16 18:20:42 -0400 1367) AUDIT_MESSAGE_TEXT_MAX,
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1368) str);
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1369) } else {
f7616102d6f62 (Eric Paris 2013-04-11 11:25:00 -0400 1370) audit_log_format(ab, " data=");
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1371) if (data_len > 0 && str[data_len - 1] == '\0')
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1372) data_len--;
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1373) audit_log_n_untrustedstring(ab, str, data_len);
4a4cd633b5756 (David Woodhouse 2005-06-22 14:56:47 +0100 1374) }
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1375) audit_log_end(ab);
0f45aa18e65cf (David Woodhouse 2005-06-19 19:35:50 +0100 1376) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1377) break;
93315ed6dd12d (Amy Griffis 2006-02-07 12:05:27 -0500 1378) case AUDIT_ADD_RULE:
93315ed6dd12d (Amy Griffis 2006-02-07 12:05:27 -0500 1379) case AUDIT_DEL_RULE:
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1380) if (data_len < sizeof(struct audit_rule_data))
93315ed6dd12d (Amy Griffis 2006-02-07 12:05:27 -0500 1381) return -EINVAL;
1a6b9f2317f18 (Eric Paris 2008-01-07 17:09:31 -0500 1382) if (audit_enabled == AUDIT_LOCKED) {
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1383) audit_log_common_recv_msg(audit_context(), &ab,
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1384) AUDIT_CONFIG_CHANGE);
53fc7a01df51f (Richard Guy Briggs 2018-12-10 17:17:48 -0500 1385) audit_log_format(ab, " op=%s audit_enabled=%d res=0",
53fc7a01df51f (Richard Guy Briggs 2018-12-10 17:17:48 -0500 1386) msg_type == AUDIT_ADD_RULE ?
53fc7a01df51f (Richard Guy Briggs 2018-12-10 17:17:48 -0500 1387) "add_rule" : "remove_rule",
53fc7a01df51f (Richard Guy Briggs 2018-12-10 17:17:48 -0500 1388) audit_enabled);
50397bd1e4713 (Eric Paris 2008-01-07 18:14:19 -0500 1389) audit_log_end(ab);
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 1390) return -EPERM;
6a01b07fae482 (Steve Grubb 2007-01-19 14:39:55 -0500 1391) }
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1392) err = audit_rule_change(msg_type, seq, data, data_len);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1393) break;
ce0d9f0469970 (Richard Guy Briggs 2013-11-20 14:01:53 -0500 1394) case AUDIT_LIST_RULES:
6f285b19d09f7 (Eric W. Biederman 2014-02-28 19:44:55 -0800 1395) err = audit_list_rules_send(skb, seq);
ce0d9f0469970 (Richard Guy Briggs 2013-11-20 14:01:53 -0500 1396) break;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1397) case AUDIT_TRIM:
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1398) audit_trim_trees();
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1399) audit_log_common_recv_msg(audit_context(), &ab,
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1400) AUDIT_CONFIG_CHANGE);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1401) audit_log_format(ab, " op=trim res=1");
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1402) audit_log_end(ab);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1403) break;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1404) case AUDIT_MAKE_EQUIV: {
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1405) void *bufp = data;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1406) u32 sizes[2];
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1407) size_t msglen = data_len;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1408) char *old, *new;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1409)
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1410) err = -EINVAL;
7719e437fac11 (Harvey Harrison 2008-04-27 02:39:56 -0700 1411) if (msglen < 2 * sizeof(u32))
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1412) break;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1413) memcpy(sizes, bufp, 2 * sizeof(u32));
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1414) bufp += 2 * sizeof(u32);
7719e437fac11 (Harvey Harrison 2008-04-27 02:39:56 -0700 1415) msglen -= 2 * sizeof(u32);
7719e437fac11 (Harvey Harrison 2008-04-27 02:39:56 -0700 1416) old = audit_unpack_string(&bufp, &msglen, sizes[0]);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1417) if (IS_ERR(old)) {
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1418) err = PTR_ERR(old);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1419) break;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1420) }
7719e437fac11 (Harvey Harrison 2008-04-27 02:39:56 -0700 1421) new = audit_unpack_string(&bufp, &msglen, sizes[1]);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1422) if (IS_ERR(new)) {
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1423) err = PTR_ERR(new);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1424) kfree(old);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1425) break;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1426) }
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1427) /* OK, here comes... */
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1428) err = audit_tag_tree(old, new);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1429)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1430) audit_log_common_recv_msg(audit_context(), &ab,
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1431) AUDIT_CONFIG_CHANGE);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1432) audit_log_format(ab, " op=make_equiv old=");
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1433) audit_log_untrustedstring(ab, old);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1434) audit_log_format(ab, " new=");
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1435) audit_log_untrustedstring(ab, new);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1436) audit_log_format(ab, " res=%d", !err);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1437) audit_log_end(ab);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1438) kfree(old);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1439) kfree(new);
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1440) break;
74c3cbe33bc07 (Al Viro 2007-07-22 08:04:18 -0400 1441) }
c2f0c7c356dc9 (Steve Grubb 2005-05-06 12:38:39 +0100 1442) case AUDIT_SIGNAL_INFO:
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1443) len = 0;
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1444) if (audit_sig_sid) {
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1445) err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1446) if (err)
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1447) return err;
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1448) }
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1449) sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1450) if (!sig_data) {
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1451) if (audit_sig_sid)
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1452) security_release_secctx(ctx, len);
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1453) return -ENOMEM;
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1454) }
cca080d9b6220 (Eric W. Biederman 2012-02-07 16:53:48 -0800 1455) sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1456) sig_data->pid = audit_sig_pid;
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1457) if (audit_sig_sid) {
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1458) memcpy(sig_data->ctx, ctx, len);
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1459) security_release_secctx(ctx, len);
939cbf260c1ab (Eric Paris 2009-09-23 13:46:00 -0400 1460) }
6f285b19d09f7 (Eric W. Biederman 2014-02-28 19:44:55 -0800 1461) audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
6f285b19d09f7 (Eric W. Biederman 2014-02-28 19:44:55 -0800 1462) sig_data, sizeof(*sig_data) + len);
e1396065e0489 (Al Viro 2006-05-25 10:19:47 -0400 1463) kfree(sig_data);
c2f0c7c356dc9 (Steve Grubb 2005-05-06 12:38:39 +0100 1464) break;
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1465) case AUDIT_TTY_GET: {
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1466) struct audit_tty_status s;
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1467) unsigned int t;
8aa14b64981ee (Eric W. Biederman 2012-09-10 23:43:14 -0700 1468)
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1469) t = READ_ONCE(current->signal->audit_tty);
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1470) s.enabled = t & AUDIT_TTY_ENABLE;
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1471) s.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
8aa14b64981ee (Eric W. Biederman 2012-09-10 23:43:14 -0700 1472)
6f285b19d09f7 (Eric W. Biederman 2014-02-28 19:44:55 -0800 1473) audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1474) break;
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1475) }
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1476) case AUDIT_TTY_SET: {
a06e56b2a11b5 (Richard Guy Briggs 2013-11-15 11:29:02 -0500 1477) struct audit_tty_status s, old;
a06e56b2a11b5 (Richard Guy Briggs 2013-11-15 11:29:02 -0500 1478) struct audit_buffer *ab;
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1479) unsigned int t;
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1480)
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1481) memset(&s, 0, sizeof(s));
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1482) /* guard against past and future API changes */
756125289285f (Paul Moore 2020-02-24 16:38:57 -0500 1483) memcpy(&s, data, min_t(size_t, sizeof(s), data_len));
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1484) /* check if new data is valid */
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1485) if ((s.enabled != 0 && s.enabled != 1) ||
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1486) (s.log_passwd != 0 && s.log_passwd != 1))
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1487) err = -EINVAL;
a06e56b2a11b5 (Richard Guy Briggs 2013-11-15 11:29:02 -0500 1488)
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1489) if (err)
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1490) t = READ_ONCE(current->signal->audit_tty);
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1491) else {
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1492) t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD);
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1493) t = xchg(¤t->signal->audit_tty, t);
0e23baccaae4f (Eric Paris 2014-01-13 21:12:34 -0500 1494) }
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1495) old.enabled = t & AUDIT_TTY_ENABLE;
2e28d38ae1d9c (Peter Hurley 2016-01-09 22:55:33 -0800 1496) old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1497)
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1498) audit_log_common_recv_msg(audit_context(), &ab,
626abcd13d4ea (Richard Guy Briggs 2019-01-18 17:42:48 -0500 1499) AUDIT_CONFIG_CHANGE);
1ce319f11ccc5 (Eric Paris 2014-01-13 21:16:59 -0500 1500) audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
1ce319f11ccc5 (Eric Paris 2014-01-13 21:16:59 -0500 1501) " old-log_passwd=%d new-log_passwd=%d res=%d",
1ce319f11ccc5 (Eric Paris 2014-01-13 21:16:59 -0500 1502) old.enabled, s.enabled, old.log_passwd,
1ce319f11ccc5 (Eric Paris 2014-01-13 21:16:59 -0500 1503) s.log_passwd, !err);
a06e56b2a11b5 (Richard Guy Briggs 2013-11-15 11:29:02 -0500 1504) audit_log_end(ab);
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1505) break;
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 1506) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1507) default:
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1508) err = -EINVAL;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1509) break;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1510) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1511)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1512) return err < 0 ? err : 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1513) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1514)
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1515) /**
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1516) * audit_receive - receive messages from a netlink control socket
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1517) * @skb: the message buffer
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1518) *
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1519) * Parse the provided skb and deal with any messages that may be present,
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1520) * malformed skbs are discarded.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1521) */
a9d1620877748 (Paul Moore 2017-05-02 10:16:05 -0400 1522) static void audit_receive(struct sk_buff *skb)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1523) {
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1524) struct nlmsghdr *nlh;
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1525) /*
9419121330259 (Hong zhi guo 2013-03-27 06:49:06 +0000 1526) * len MUST be signed for nlmsg_next to be able to dec it below 0
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1527) * if the nlmsg_len was not aligned
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1528) */
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1529) int len;
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1530) int err;
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1531)
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1532) nlh = nlmsg_hdr(skb);
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1533) len = skb->len;
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1534)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 1535) audit_ctl_lock();
9419121330259 (Hong zhi guo 2013-03-27 06:49:06 +0000 1536) while (nlmsg_ok(nlh, len)) {
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1537) err = audit_receive_msg(skb, nlh);
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1538) /* if err or if this message says it wants a response */
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1539) if (err || (nlh->nlmsg_flags & NLM_F_ACK))
2d4bc93368f5a (Johannes Berg 2017-04-12 14:34:04 +0200 1540) netlink_ack(skb, nlh, err, NULL);
ea7ae60bfe39a (Eric Paris 2009-06-11 14:31:35 -0400 1541)
2851da57036f4 (Alexandru Copot 2013-03-28 23:31:29 +0200 1542) nlh = nlmsg_next(nlh, &len);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1543) }
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 1544) audit_ctl_unlock();
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1545) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1546)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1547) /* Log information about who is connecting to the audit multicast socket */
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1548) static void audit_log_multicast(int group, const char *op, int err)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1549) {
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1550) const struct cred *cred;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1551) struct tty_struct *tty;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1552) char comm[sizeof(current->comm)];
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1553) struct audit_buffer *ab;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1554)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1555) if (!audit_enabled)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1556) return;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1557)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1558) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1559) if (!ab)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1560) return;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1561)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1562) cred = current_cred();
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1563) tty = audit_get_tty();
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1564) audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1565) task_pid_nr(current),
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1566) from_kuid(&init_user_ns, cred->uid),
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1567) from_kuid(&init_user_ns, audit_get_loginuid(current)),
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1568) tty ? tty_name(tty) : "(none)",
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1569) audit_get_sessionid(current));
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1570) audit_put_tty(tty);
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1571) audit_log_task_context(ab); /* subj= */
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1572) audit_log_format(ab, " comm=");
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1573) audit_log_untrustedstring(ab, get_task_comm(comm, current));
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1574) audit_log_d_path_exe(ab, current->mm); /* exe= */
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1575) audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1576) audit_log_end(ab);
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1577) }
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1578)
3a101b8de0d39 (Richard Guy Briggs 2014-04-22 21:31:56 -0400 1579) /* Run custom bind function on netlink socket group connect or bind requests. */
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1580) static int audit_multicast_bind(struct net *net, int group)
3a101b8de0d39 (Richard Guy Briggs 2014-04-22 21:31:56 -0400 1581) {
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1582) int err = 0;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1583)
3a101b8de0d39 (Richard Guy Briggs 2014-04-22 21:31:56 -0400 1584) if (!capable(CAP_AUDIT_READ))
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1585) err = -EPERM;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1586) audit_log_multicast(group, "connect", err);
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1587) return err;
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1588) }
3a101b8de0d39 (Richard Guy Briggs 2014-04-22 21:31:56 -0400 1589)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1590) static void audit_multicast_unbind(struct net *net, int group)
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1591) {
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1592) audit_log_multicast(group, "disconnect", 0);
3a101b8de0d39 (Richard Guy Briggs 2014-04-22 21:31:56 -0400 1593) }
3a101b8de0d39 (Richard Guy Briggs 2014-04-22 21:31:56 -0400 1594)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1595) static int __net_init audit_net_init(struct net *net)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1596) {
a31f2d17b331d (Pablo Neira Ayuso 2012-06-29 06:15:21 +0000 1597) struct netlink_kernel_cfg cfg = {
a31f2d17b331d (Pablo Neira Ayuso 2012-06-29 06:15:21 +0000 1598) .input = audit_receive,
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1599) .bind = audit_multicast_bind,
9d2161bed4e39 (Richard Guy Briggs 2020-04-22 17:37:04 -0400 1600) .unbind = audit_multicast_unbind,
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 1601) .flags = NL_CFG_F_NONROOT_RECV,
451f921639fea (Richard Guy Briggs 2014-04-22 21:31:57 -0400 1602) .groups = AUDIT_NLGRP_MAX,
a31f2d17b331d (Pablo Neira Ayuso 2012-06-29 06:15:21 +0000 1603) };
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 1604)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1605) struct audit_net *aunet = net_generic(net, audit_net_id);
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1606)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1607) aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1608) if (aunet->sk == NULL) {
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1609) audit_panic("cannot initialize netlink socket in namespace");
11ee39ebf7568 (Gao feng 2013-12-17 11:10:41 +0800 1610) return -ENOMEM;
11ee39ebf7568 (Gao feng 2013-12-17 11:10:41 +0800 1611) }
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1612) aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1613)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1614) return 0;
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1615) }
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1616)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1617) static void __net_exit audit_net_exit(struct net *net)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1618) {
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1619) struct audit_net *aunet = net_generic(net, audit_net_id);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1620)
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1621) /* NOTE: you would think that we would want to check the auditd
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1622) * connection and potentially reset it here if it lives in this
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1623) * namespace, but since the auditd connection tracking struct holds a
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1624) * reference to this namespace (see auditd_set()) we are only ever
48d0e023af979 (Paul Moore 2017-05-02 10:16:05 -0400 1625) * going to get here after that connection has been released */
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1626)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1627) netlink_kernel_release(aunet->sk);
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1628) }
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1629)
8626877b5252c (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1630) static struct pernet_operations audit_net_ops __net_initdata = {
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1631) .init = audit_net_init,
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1632) .exit = audit_net_exit,
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1633) .id = &audit_net_id,
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1634) .size = sizeof(struct audit_net),
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1635) };
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1636)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1637) /* Initialize audit support at boot time. */
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1638) static int __init audit_init(void)
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1639) {
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1640) int i;
33faba7fa7f22 (Richard Guy Briggs 2013-07-16 13:18:45 -0400 1641)
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1642) if (audit_initialized == AUDIT_DISABLED)
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1643) return 0;
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1644)
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1645) audit_buffer_cache = kmem_cache_create("audit_buffer",
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1646) sizeof(struct audit_buffer),
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1647) 0, SLAB_PANIC, NULL);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1648)
af8b824f283de (Paul Moore 2016-11-29 16:53:24 -0500 1649) skb_queue_head_init(&audit_queue);
c6480207fdf7b (Paul Moore 2016-11-29 16:53:25 -0500 1650) skb_queue_head_init(&audit_retry_queue);
af8b824f283de (Paul Moore 2016-11-29 16:53:24 -0500 1651) skb_queue_head_init(&audit_hold_queue);
3dc7e3153eddf (Darrel Goeddel 2006-03-10 18:14:06 -0600 1652)
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 1653) for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 1654) INIT_LIST_HEAD(&audit_inode_hash[i]);
f368c07d7214a (Amy Griffis 2006-04-07 16:55:56 -0400 1655)
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 1656) mutex_init(&audit_cmd_mutex.lock);
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 1657) audit_cmd_mutex.owner = NULL;
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 1658)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1659) pr_info("initializing netlink subsys (%s)\n",
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1660) audit_default ? "enabled" : "disabled");
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1661) register_pernet_subsys(&audit_net_ops);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1662)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1663) audit_initialized = AUDIT_INITIALIZED;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1664)
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1665) kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1666) if (IS_ERR(kauditd_task)) {
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1667) int err = PTR_ERR(kauditd_task);
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1668) panic("audit: failed to start the kauditd thread (%d)\n", err);
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1669) }
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1670)
7c397d01e4349 (Steve Grubb 2016-12-14 15:59:46 -0500 1671) audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
7c397d01e4349 (Steve Grubb 2016-12-14 15:59:46 -0500 1672) "state=initialized audit_enabled=%u res=1",
7c397d01e4349 (Steve Grubb 2016-12-14 15:59:46 -0500 1673) audit_enabled);
6c9255645350c (Paul Moore 2016-11-29 16:53:23 -0500 1674)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1675) return 0;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1676) }
be4104abf25c6 (Paul Moore 2017-09-01 09:44:44 -0400 1677) postcore_initcall(audit_init);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1678)
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1679) /*
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1680) * Process kernel command-line parameter at boot time.
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1681) * audit={0|off} or audit={1|on}.
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1682) */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1683) static int __init audit_enable(char *str)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1684) {
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1685) if (!strcasecmp(str, "off") || !strcmp(str, "0"))
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1686) audit_default = AUDIT_OFF;
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1687) else if (!strcasecmp(str, "on") || !strcmp(str, "1"))
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1688) audit_default = AUDIT_ON;
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1689) else {
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1690) pr_err("audit: invalid 'audit' parameter value (%s)\n", str);
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1691) audit_default = AUDIT_ON;
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1692) }
80ab4df62706b (Paul Moore 2017-09-01 09:44:51 -0400 1693)
80ab4df62706b (Paul Moore 2017-09-01 09:44:51 -0400 1694) if (audit_default == AUDIT_OFF)
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1695) audit_initialized = AUDIT_DISABLED;
5d842a5b77a58 (Paul Moore 2017-09-01 09:45:05 -0400 1696) if (audit_set_enabled(audit_default))
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1697) pr_err("audit: error setting audit state (%d)\n",
11dd2666375e1 (Greg Edwards 2018-03-05 15:05:20 -0700 1698) audit_default);
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1699)
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 1700) pr_info("%s\n", audit_default ?
d3ca0344b21f0 (Gao feng 2013-10-31 14:31:01 +0800 1701) "enabled (after initialization)" : "disabled (until reboot)");
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1702)
9b41046cd0ee0 (OGAWA Hirofumi 2006-03-31 02:30:33 -0800 1703) return 1;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1704) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1705) __setup("audit=", audit_enable);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1706)
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1707) /* Process kernel command-line parameter at boot time.
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1708) * audit_backlog_limit=<n> */
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1709) static int __init audit_backlog_limit_set(char *str)
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1710) {
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 1711) u32 audit_backlog_limit_arg;
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 1712)
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1713) pr_info("audit_backlog_limit: ");
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 1714) if (kstrtouint(str, 0, &audit_backlog_limit_arg)) {
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 1715) pr_cont("using default of %u, unable to parse %s\n",
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 1716) audit_backlog_limit, str);
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1717) return 1;
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1718) }
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 1719)
3e1d0bb6224f0 (Joe Perches 2014-01-14 10:33:13 -0800 1720) audit_backlog_limit = audit_backlog_limit_arg;
d957f7b726ccc (Joe Perches 2014-01-14 10:33:12 -0800 1721) pr_cont("%d\n", audit_backlog_limit);
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1722)
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1723) return 1;
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1724) }
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1725) __setup("audit_backlog_limit=", audit_backlog_limit_set);
f910fde7307be (Richard Guy Briggs 2013-09-17 12:34:52 -0400 1726)
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1727) static void audit_buffer_free(struct audit_buffer *ab)
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1728) {
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1729) if (!ab)
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1730) return;
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1731)
d865e573b8a4f (Markus Elfring 2016-01-13 09:18:55 -0500 1732) kfree_skb(ab->skb);
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1733) kmem_cache_free(audit_buffer_cache, ab);
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1734) }
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1735)
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1736) static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1737) gfp_t gfp_mask, int type)
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1738) {
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1739) struct audit_buffer *ab;
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1740)
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1741) ab = kmem_cache_alloc(audit_buffer_cache, gfp_mask);
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1742) if (!ab)
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1743) return NULL;
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 1744)
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 1745) ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 1746) if (!ab->skb)
c64e66c67b574 (David S. Miller 2012-06-26 21:45:21 -0700 1747) goto err;
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1748) if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1749) goto err;
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 1750)
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1751) ab->ctx = ctx;
8cc96382d9a7f (Paul Moore 2017-05-02 10:16:05 -0400 1752) ab->gfp_mask = gfp_mask;
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 1753)
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1754) return ab;
ee080e6ce93d5 (Eric Paris 2009-06-11 14:31:35 -0400 1755)
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1756) err:
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1757) audit_buffer_free(ab);
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1758) return NULL;
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 1759) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1760)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1761) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1762) * audit_serial - compute a serial number for the audit record
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1763) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1764) * Compute a serial number for the audit record. Audit records are
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1765) * written to user-space as soon as they are generated, so a complete
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1766) * audit record may be written in several pieces. The timestamp of the
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1767) * record and this serial number are used by the user-space tools to
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1768) * determine which pieces belong to the same audit record. The
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1769) * (timestamp,serial) tuple is unique for each syscall and is live from
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1770) * syscall entry to syscall exit.
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1771) *
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1772) * NOTE: Another possibility is to store the formatted records off the
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1773) * audit context (for those records that have a context), and emit them
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1774) * all at syscall exit. However, this could delay the reporting of
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1775) * significant errors until syscall exit (or never, if the system
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1776) * halts).
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1777) */
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1778) unsigned int audit_serial(void)
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1779) {
01478d7d60f65 (Richard Guy Briggs 2014-06-13 18:22:00 -0400 1780) static atomic_t serial = ATOMIC_INIT(0);
d5b454f2c40c9 (David Woodhouse 2005-07-15 12:56:03 +0100 1781)
6b3211842a115 (Yejune Deng 2020-11-30 16:35:45 +0800 1782) return atomic_inc_return(&serial);
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1783) }
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1784)
5600b892789c2 (Daniel Walker 2007-10-18 03:06:10 -0700 1785) static inline void audit_get_stamp(struct audit_context *ctx,
2115bb250f260 (Deepa Dinamani 2017-05-02 10:16:05 -0400 1786) struct timespec64 *t, unsigned int *serial)
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1787) {
48887e63d6e05 (Al Viro 2008-12-06 01:05:50 -0500 1788) if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
290e44b7dd116 (Paul Moore 2018-07-17 14:45:08 -0400 1789) ktime_get_coarse_real_ts64(t);
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1790) *serial = audit_serial();
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1791) }
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1792) }
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1793)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1794) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1795) * audit_log_start - obtain an audit buffer
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1796) * @ctx: audit_context (may be NULL)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1797) * @gfp_mask: type of allocation
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1798) * @type: audit message type
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1799) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1800) * Returns audit_buffer pointer on success or NULL on error.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1801) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1802) * Obtain an audit buffer. This routine does locking to obtain the
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1803) * audit buffer, but then no locking is required for calls to
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1804) * audit_log_*format. If the task (ctx) is a task that is currently in a
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1805) * syscall, then the syscall is marked as auditable and an audit record
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1806) * will be written at syscall exit. If there is no associated task, then
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1807) * task context (ctx) should be NULL.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1808) */
9796fdd829da6 (Al Viro 2005-10-21 03:22:03 -0400 1809) struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 1810) int type)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1811) {
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1812) struct audit_buffer *ab;
2115bb250f260 (Deepa Dinamani 2017-05-02 10:16:05 -0400 1813) struct timespec64 t;
3f649ab728cda (Kees Cook 2020-06-03 13:09:38 -0700 1814) unsigned int serial;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1815)
a3f07114e3359 (Eric Paris 2008-11-05 12:47:09 -0500 1816) if (audit_initialized != AUDIT_INITIALIZED)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1817) return NULL;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1818)
d904ac0320d3c (Richard Guy Briggs 2018-06-05 11:45:07 -0400 1819) if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCLUDE)))
c8edc80c8b8c3 (Dustin Kirkland 2005-11-03 16:12:36 +0000 1820) return NULL;
c8edc80c8b8c3 (Dustin Kirkland 2005-11-03 16:12:36 +0000 1821)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1822) /* NOTE: don't ever fail/sleep on these two conditions:
a09cfa470817a (Paul Moore 2016-11-29 16:53:26 -0500 1823) * 1. auditd generated record - since we need auditd to drain the
a09cfa470817a (Paul Moore 2016-11-29 16:53:26 -0500 1824) * queue; also, when we are checking for auditd, compare PIDs using
a09cfa470817a (Paul Moore 2016-11-29 16:53:26 -0500 1825) * task_tgid_vnr() since auditd_pid is set in audit_receive_msg()
a09cfa470817a (Paul Moore 2016-11-29 16:53:26 -0500 1826) * using a PID anchored in the caller's namespace
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1827) * 2. generator holding the audit_cmd_mutex - we don't want to block
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1828) * while holding the mutex */
ce423631ce1f2 (Paul Moore 2018-02-20 09:52:38 -0500 1829) if (!(auditd_test_task(current) || audit_ctl_owner_current())) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1830) long stime = audit_backlog_wait_time;
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1831)
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1832) while (audit_backlog_limit &&
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1833) (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1834) /* wake kauditd to try and flush the queue */
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1835) wake_up_interruptible(&kauditd_wait);
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 1836)
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1837) /* sleep if we are allowed and we haven't exhausted our
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1838) * backlog wait limit */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 1839) if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) {
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1840) long rtime = stime;
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1841)
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1842) DECLARE_WAITQUEUE(wait, current);
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1843)
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1844) add_wait_queue_exclusive(&audit_backlog_wait,
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1845) &wait);
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1846) set_current_state(TASK_UNINTERRUPTIBLE);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1847) stime = schedule_timeout(rtime);
b43870c74f3fd (Max Englander 2020-07-04 15:15:28 +0000 1848) atomic_add(rtime - stime, &audit_backlog_wait_time_actual);
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1849) remove_wait_queue(&audit_backlog_wait, &wait);
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1850) } else {
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1851) if (audit_rate_check() && printk_ratelimit())
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1852) pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1853) skb_queue_len(&audit_queue),
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1854) audit_backlog_limit);
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1855) audit_log_lost("backlog limit exceeded");
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1856) return NULL;
8ac1c8d5deba6 (Konstantin Khlebnikov 2013-09-24 15:27:42 -0700 1857) }
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 1858) }
fb19b4c6aa024 (David Woodhouse 2005-05-19 14:55:56 +0100 1859) }
fb19b4c6aa024 (David Woodhouse 2005-05-19 14:55:56 +0100 1860)
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 1861) ab = audit_buffer_alloc(ctx, gfp_mask, type);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1862) if (!ab) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1863) audit_log_lost("out of memory in audit_log_start");
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1864) return NULL;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1865) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1866)
bfb4496e7239c (David Woodhouse 2005-05-21 21:08:09 +0100 1867) audit_get_stamp(ab->ctx, &t, &serial);
6d915476e67d9 (Richard Guy Briggs 2020-09-22 08:44:50 -0400 1868) /* cancel dummy context to enable supporting records */
6d915476e67d9 (Richard Guy Briggs 2020-09-22 08:44:50 -0400 1869) if (ctx)
6d915476e67d9 (Richard Guy Briggs 2020-09-22 08:44:50 -0400 1870) ctx->dummy = 0;
2115bb250f260 (Deepa Dinamani 2017-05-02 10:16:05 -0400 1871) audit_log_format(ab, "audit(%llu.%03lu:%u): ",
2115bb250f260 (Deepa Dinamani 2017-05-02 10:16:05 -0400 1872) (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
3197542482df2 (Paul Moore 2016-11-29 16:53:25 -0500 1873)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1874) return ab;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1875) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1876)
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1877) /**
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1878) * audit_expand - expand skb in the audit buffer
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1879) * @ab: audit_buffer
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1880) * @extra: space to add at tail of the skb
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1881) *
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1882) * Returns 0 (no space) on failed expansion, or available space if
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1883) * successful.
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1884) */
e3b926b4c1499 (David Woodhouse 2005-05-10 18:56:08 +0100 1885) static inline int audit_expand(struct audit_buffer *ab, int extra)
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1886) {
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1887) struct sk_buff *skb = ab->skb;
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1888) int oldtail = skb_tailroom(skb);
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1889) int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1890) int newtail = skb_tailroom(skb);
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1891)
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1892) if (ret < 0) {
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1893) audit_log_lost("out of memory in audit_expand");
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1894) return 0;
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1895) }
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1896)
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1897) skb->truesize += newtail - oldtail;
406a1d8680014 (Herbert Xu 2008-01-28 20:47:09 -0800 1898) return newtail;
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1899) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1900)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1901) /*
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1902) * Format an audit message into the audit buffer. If there isn't enough
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1903) * room in the audit buffer, more room will be allocated and vsnprint
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1904) * will be called a second time. Currently, we assume that a printk
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1905) * can't format message larger than 1024 bytes, so we don't either.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1906) */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1907) static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1908) va_list args)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1909) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1910) int len, avail;
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1911) struct sk_buff *skb;
eecb0a7338ef6 (David Woodhouse 2005-05-10 18:58:51 +0100 1912) va_list args2;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1913)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1914) if (!ab)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1915) return;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1916)
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1917) BUG_ON(!ab->skb);
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1918) skb = ab->skb;
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1919) avail = skb_tailroom(skb);
5ac52f33b6f05 (Chris Wright 2005-05-06 15:54:53 +0100 1920) if (avail == 0) {
e3b926b4c1499 (David Woodhouse 2005-05-10 18:56:08 +0100 1921) avail = audit_expand(ab, AUDIT_BUFSIZ);
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1922) if (!avail)
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1923) goto out;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1924) }
eecb0a7338ef6 (David Woodhouse 2005-05-10 18:58:51 +0100 1925) va_copy(args2, args);
27a884dc3cb63 (Arnaldo Carvalho de Melo 2007-04-19 20:29:13 -0700 1926) len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1927) if (len >= avail) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1928) /* The printk buffer is 1024 bytes long, so if we get
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1929) * here and AUDIT_BUFSIZ is at least 1024, then we can
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1930) * log everything that printk could have logged. */
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1931) avail = audit_expand(ab,
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1932) max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1933) if (!avail)
a0e86bd425251 (Jesper Juhl 2012-01-08 22:44:29 +0100 1934) goto out_va_end;
27a884dc3cb63 (Arnaldo Carvalho de Melo 2007-04-19 20:29:13 -0700 1935) len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1936) }
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1937) if (len > 0)
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1938) skb_put(skb, len);
a0e86bd425251 (Jesper Juhl 2012-01-08 22:44:29 +0100 1939) out_va_end:
a0e86bd425251 (Jesper Juhl 2012-01-08 22:44:29 +0100 1940) va_end(args2);
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1941) out:
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 1942) return;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1943) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1944)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1945) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1946) * audit_log_format - format a message into the audit buffer.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1947) * @ab: audit_buffer
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1948) * @fmt: format string
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1949) * @...: optional parameters matching @fmt string
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1950) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1951) * All the work is done in audit_log_vformat.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1952) */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1953) void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1954) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1955) va_list args;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1956)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1957) if (!ab)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1958) return;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1959) va_start(args, fmt);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1960) audit_log_vformat(ab, fmt, args);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1961) va_end(args);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1962) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 1963)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1964) /**
196a5085592c6 (Geliang Tang 2017-08-07 21:44:24 +0800 1965) * audit_log_n_hex - convert a buffer to hex and append it to the audit skb
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1966) * @ab: the audit_buffer
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1967) * @buf: buffer to convert to hex
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1968) * @len: length of @buf to be converted
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1969) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1970) * No return value; failure to expand is silently ignored.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1971) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1972) * This function will take the passed buf and convert it into a string of
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1973) * ascii hex digits. The new string is placed onto the skb.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 1974) */
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 1975) void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1976) size_t len)
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 1977) {
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1978) int i, avail, new_len;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1979) unsigned char *ptr;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1980) struct sk_buff *skb;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1981)
8ef2d3040e5cf (Amy Griffis 2006-09-07 17:03:02 -0400 1982) if (!ab)
8ef2d3040e5cf (Amy Griffis 2006-09-07 17:03:02 -0400 1983) return;
8ef2d3040e5cf (Amy Griffis 2006-09-07 17:03:02 -0400 1984)
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1985) BUG_ON(!ab->skb);
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1986) skb = ab->skb;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1987) avail = skb_tailroom(skb);
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1988) new_len = len<<1;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1989) if (new_len >= avail) {
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1990) /* Round the buffer request up to the next multiple */
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1991) new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1992) avail = audit_expand(ab, new_len);
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1993) if (!avail)
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1994) return;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 1995) }
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 1996)
27a884dc3cb63 (Arnaldo Carvalho de Melo 2007-04-19 20:29:13 -0700 1997) ptr = skb_tail_pointer(skb);
b8dbc3241fff0 (Joe Perches 2014-01-13 23:31:27 -0800 1998) for (i = 0; i < len; i++)
b8dbc3241fff0 (Joe Perches 2014-01-13 23:31:27 -0800 1999) ptr = hex_byte_pack_upper(ptr, buf[i]);
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2000) *ptr = 0;
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2001) skb_put(skb, len << 1); /* new string is twice the old string */
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 2002) }
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 2003)
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2004) /*
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2005) * Format a string of no more than slen characters into the audit buffer,
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2006) * enclosed in quote marks.
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2007) */
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2008) void audit_log_n_string(struct audit_buffer *ab, const char *string,
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2009) size_t slen)
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2010) {
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2011) int avail, new_len;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2012) unsigned char *ptr;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2013) struct sk_buff *skb;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2014)
8ef2d3040e5cf (Amy Griffis 2006-09-07 17:03:02 -0400 2015) if (!ab)
8ef2d3040e5cf (Amy Griffis 2006-09-07 17:03:02 -0400 2016) return;
8ef2d3040e5cf (Amy Griffis 2006-09-07 17:03:02 -0400 2017)
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2018) BUG_ON(!ab->skb);
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2019) skb = ab->skb;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2020) avail = skb_tailroom(skb);
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2021) new_len = slen + 3; /* enclosing quotes + null terminator */
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2022) if (new_len > avail) {
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2023) avail = audit_expand(ab, new_len);
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2024) if (!avail)
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2025) return;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2026) }
27a884dc3cb63 (Arnaldo Carvalho de Melo 2007-04-19 20:29:13 -0700 2027) ptr = skb_tail_pointer(skb);
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2028) *ptr++ = '"';
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2029) memcpy(ptr, string, slen);
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2030) ptr += slen;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2031) *ptr++ = '"';
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2032) *ptr = 0;
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2033) skb_put(skb, slen + 2); /* don't include null terminator */
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2034) }
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2035)
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2036) /**
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2037) * audit_string_contains_control - does a string need to be logged in hex
f706d5d22c35e (Dave Jones 2008-03-28 14:15:56 -0700 2038) * @string: string to be checked
f706d5d22c35e (Dave Jones 2008-03-28 14:15:56 -0700 2039) * @len: max length of the string to check
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2040) */
9fcf836b215ca (Yaowei Bai 2015-11-04 08:23:51 -0500 2041) bool audit_string_contains_control(const char *string, size_t len)
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2042) {
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2043) const unsigned char *p;
b3897f567100d (Miloslav Trmac 2009-03-19 09:48:27 -0400 2044) for (p = string; p < (const unsigned char *)string + len; p++) {
1d6c9649e236c (Vesa-Matti J Kari 2008-07-23 00:06:13 +0300 2045) if (*p == '"' || *p < 0x21 || *p > 0x7e)
9fcf836b215ca (Yaowei Bai 2015-11-04 08:23:51 -0500 2046) return true;
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2047) }
9fcf836b215ca (Yaowei Bai 2015-11-04 08:23:51 -0500 2048) return false;
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2049) }
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2050)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2051) /**
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 2052) * audit_log_n_untrustedstring - log a string that may contain random characters
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2053) * @ab: audit_buffer
f706d5d22c35e (Dave Jones 2008-03-28 14:15:56 -0700 2054) * @len: length of string (not including trailing null)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2055) * @string: string to be logged
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2056) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2057) * This code will escape a string that is passed to it if the string
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2058) * contains a control character, unprintable character, double quote mark,
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2059) * or a space. Unescaped strings will start and end with a double quote mark.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2060) * Strings that are escaped are printed in hex (2 digits per char).
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2061) *
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2062) * The caller specifies the number of characters in the string to log, which may
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2063) * or may not be the entire string.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2064) */
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2065) void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2066) size_t len)
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 2067) {
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2068) if (audit_string_contains_control(string, len))
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2069) audit_log_n_hex(ab, string, len);
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2070) else
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2071) audit_log_n_string(ab, string, len);
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 2072) }
83c7d09173fdb (David Woodhouse 2005-04-29 15:54:44 +0100 2073)
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2074) /**
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 2075) * audit_log_untrustedstring - log a string that may contain random characters
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2076) * @ab: audit_buffer
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2077) * @string: string to be logged
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2078) *
522ed7767e800 (Miloslav Trmac 2007-07-15 23:40:56 -0700 2079) * Same as audit_log_n_untrustedstring(), except that strlen is used to
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2080) * determine string length.
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2081) */
de6bbd1d30e59 (Eric Paris 2008-01-07 14:31:58 -0500 2082) void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2083) {
b556f8ad58c6e (Eric Paris 2008-04-18 10:12:59 -0400 2084) audit_log_n_untrustedstring(ab, string, strlen(string));
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2085) }
9c937dcc71021 (Amy Griffis 2006-06-08 23:19:31 -0400 2086)
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2087) /* This is a helper-function to print the escaped d_path */
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2088) void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
66b3fad3f4c53 (Al Viro 2012-03-14 21:48:20 -0400 2089) const struct path *path)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2090) {
44707fdf5938a (Jan Blunck 2008-02-14 19:38:33 -0800 2091) char *p, *pathname;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2092)
8fc6115c2a040 (Chris Wright 2005-05-06 15:54:17 +0100 2093) if (prefix)
c158a35c8a681 (Kees Cook 2012-01-06 14:07:10 -0800 2094) audit_log_format(ab, "%s", prefix);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2095)
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2096) /* We will allow 11 spaces for ' (deleted)' to be appended */
44707fdf5938a (Jan Blunck 2008-02-14 19:38:33 -0800 2097) pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
44707fdf5938a (Jan Blunck 2008-02-14 19:38:33 -0800 2098) if (!pathname) {
f1d9b23cabc61 (Richard Guy Briggs 2020-07-13 15:51:59 -0400 2099) audit_log_format(ab, "\"<no_memory>\"");
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2100) return;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2101) }
cf28b4863f9ee (Jan Blunck 2008-02-14 19:38:44 -0800 2102) p = d_path(path, pathname, PATH_MAX+11);
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2103) if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2104) /* FIXME: can we save some information here? */
f1d9b23cabc61 (Richard Guy Briggs 2020-07-13 15:51:59 -0400 2105) audit_log_format(ab, "\"<too_long>\"");
5600b892789c2 (Daniel Walker 2007-10-18 03:06:10 -0700 2106) } else
168b7173959f8 (Steve Grubb 2005-05-19 10:24:22 +0100 2107) audit_log_untrustedstring(ab, p);
44707fdf5938a (Jan Blunck 2008-02-14 19:38:33 -0800 2108) kfree(pathname);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2109) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2110)
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 2111) void audit_log_session_info(struct audit_buffer *ab)
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 2112) {
4440e8548153e (Eric Paris 2013-11-27 17:35:17 -0500 2113) unsigned int sessionid = audit_get_sessionid(current);
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 2114) uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 2115)
a2c97da11cdb9 (Richard Guy Briggs 2018-11-16 16:30:10 -0500 2116) audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 2117) }
4d3fb709b285a (Eric Paris 2013-04-30 09:53:34 -0400 2118)
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2119) void audit_log_key(struct audit_buffer *ab, char *key)
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2120) {
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2121) audit_log_format(ab, " key=");
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2122) if (key)
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2123) audit_log_untrustedstring(ab, key);
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2124) else
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2125) audit_log_format(ab, "(null)");
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2126) }
9d9609851003e (Eric Paris 2009-06-11 14:31:37 -0400 2127)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2128) int audit_log_task_context(struct audit_buffer *ab)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2129) {
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2130) char *ctx = NULL;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2131) unsigned len;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2132) int error;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2133) u32 sid;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2134)
4ebd7651bfc89 (Paul Moore 2021-02-19 14:26:21 -0500 2135) security_task_getsecid_subj(current, &sid);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2136) if (!sid)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2137) return 0;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2138)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2139) error = security_secid_to_secctx(sid, &ctx, &len);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2140) if (error) {
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2141) if (error != -EINVAL)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2142) goto error_path;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2143) return 0;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2144) }
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2145)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2146) audit_log_format(ab, " subj=%s", ctx);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2147) security_release_secctx(ctx, len);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2148) return 0;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2149)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2150) error_path:
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2151) audit_panic("error in audit_log_task_context");
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2152) return error;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2153) }
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2154) EXPORT_SYMBOL(audit_log_task_context);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2155)
4766b199ef9e1 (Davidlohr Bueso 2015-02-22 18:20:00 -0800 2156) void audit_log_d_path_exe(struct audit_buffer *ab,
4766b199ef9e1 (Davidlohr Bueso 2015-02-22 18:20:00 -0800 2157) struct mm_struct *mm)
4766b199ef9e1 (Davidlohr Bueso 2015-02-22 18:20:00 -0800 2158) {
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2159) struct file *exe_file;
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2160)
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2161) if (!mm)
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2162) goto out_null;
4766b199ef9e1 (Davidlohr Bueso 2015-02-22 18:20:00 -0800 2163)
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2164) exe_file = get_mm_exe_file(mm);
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2165) if (!exe_file)
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2166) goto out_null;
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2167)
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2168) audit_log_d_path(ab, " exe=", &exe_file->f_path);
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2169) fput(exe_file);
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2170) return;
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2171) out_null:
5b28255278dd7 (Davidlohr Bueso 2015-02-22 18:20:09 -0800 2172) audit_log_format(ab, " exe=(null)");
4766b199ef9e1 (Davidlohr Bueso 2015-02-22 18:20:00 -0800 2173) }
4766b199ef9e1 (Davidlohr Bueso 2015-02-22 18:20:00 -0800 2174)
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2175) struct tty_struct *audit_get_tty(void)
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2176) {
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2177) struct tty_struct *tty = NULL;
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2178) unsigned long flags;
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2179)
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2180) spin_lock_irqsave(¤t->sighand->siglock, flags);
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2181) if (current->signal)
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2182) tty = tty_kref_get(current->signal->tty);
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2183) spin_unlock_irqrestore(¤t->sighand->siglock, flags);
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2184) return tty;
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2185) }
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2186)
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2187) void audit_put_tty(struct tty_struct *tty)
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2188) {
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2189) tty_kref_put(tty);
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2190) }
3f5be2da8565c (Richard Guy Briggs 2016-06-28 12:07:50 -0400 2191)
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2192) void audit_log_task_info(struct audit_buffer *ab)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2193) {
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2194) const struct cred *cred;
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2195) char comm[sizeof(current->comm)];
db0a6fb5d97af (Richard Guy Briggs 2016-04-21 14:14:01 -0400 2196) struct tty_struct *tty;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2197)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2198) if (!ab)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2199) return;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2200)
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2201) cred = current_cred();
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2202) tty = audit_get_tty();
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2203) audit_log_format(ab,
c92cdeb45eea3 (Richard Guy Briggs 2013-12-10 22:10:41 -0500 2204) " ppid=%d pid=%d auid=%u uid=%u gid=%u"
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2205) " euid=%u suid=%u fsuid=%u"
2f2ad1013322c (Richard Guy Briggs 2013-07-15 10:23:11 -0400 2206) " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2207) task_ppid_nr(current),
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2208) task_tgid_nr(current),
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2209) from_kuid(&init_user_ns, audit_get_loginuid(current)),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2210) from_kuid(&init_user_ns, cred->uid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2211) from_kgid(&init_user_ns, cred->gid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2212) from_kuid(&init_user_ns, cred->euid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2213) from_kuid(&init_user_ns, cred->suid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2214) from_kuid(&init_user_ns, cred->fsuid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2215) from_kgid(&init_user_ns, cred->egid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2216) from_kgid(&init_user_ns, cred->sgid),
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2217) from_kgid(&init_user_ns, cred->fsgid),
db0a6fb5d97af (Richard Guy Briggs 2016-04-21 14:14:01 -0400 2218) tty ? tty_name(tty) : "(none)",
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2219) audit_get_sessionid(current));
db0a6fb5d97af (Richard Guy Briggs 2016-04-21 14:14:01 -0400 2220) audit_put_tty(tty);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2221) audit_log_format(ab, " comm=");
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2222) audit_log_untrustedstring(ab, get_task_comm(comm, current));
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2223) audit_log_d_path_exe(ab, current->mm);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2224) audit_log_task_context(ab);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2225) }
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2226) EXPORT_SYMBOL(audit_log_task_info);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2227)
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2228) /**
245d73698ed7a (Kees Cook 2019-10-02 16:41:58 -0700 2229) * audit_log_path_denied - report a path restriction denial
245d73698ed7a (Kees Cook 2019-10-02 16:41:58 -0700 2230) * @type: audit message type (AUDIT_ANOM_LINK, AUDIT_ANOM_CREAT, etc)
245d73698ed7a (Kees Cook 2019-10-02 16:41:58 -0700 2231) * @operation: specific operation name
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2232) */
245d73698ed7a (Kees Cook 2019-10-02 16:41:58 -0700 2233) void audit_log_path_denied(int type, const char *operation)
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2234) {
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2235) struct audit_buffer *ab;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2236)
15564ff0a16e2 (Richard Guy Briggs 2018-02-14 11:18:21 -0500 2237) if (!audit_enabled || audit_dummy_context())
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2238) return;
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2239)
245d73698ed7a (Kees Cook 2019-10-02 16:41:58 -0700 2240) /* Generate log with subject, operation, outcome. */
245d73698ed7a (Kees Cook 2019-10-02 16:41:58 -0700 2241) ab = audit_log_start(audit_context(), GFP_KERNEL, type);
d1c7d97ad5883 (Sasha Levin 2012-10-04 19:57:31 -0400 2242) if (!ab)
45b578fe4c3ca (Richard Guy Briggs 2018-02-14 11:18:22 -0500 2243) return;
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2244) audit_log_format(ab, "op=%s", operation);
2a1fe215e7300 (Paul Moore 2018-11-26 18:40:07 -0500 2245) audit_log_task_info(ab);
b24a30a730541 (Eric Paris 2013-04-30 15:30:32 -0400 2246) audit_log_format(ab, " res=0");
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2247) audit_log_end(ab);
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2248) }
a51d9eaa41866 (Kees Cook 2012-07-25 17:29:08 -0700 2249)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2250) /* global counter which is incremented every time something logs in */
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2251) static atomic_t session_id = ATOMIC_INIT(0);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2252)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2253) static int audit_set_loginuid_perm(kuid_t loginuid)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2254) {
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2255) /* if we are unset, we don't need privs */
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2256) if (!audit_loginuid_set(current))
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2257) return 0;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2258) /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2259) if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2260) return -EPERM;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2261) /* it is set, you need permission */
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2262) if (!capable(CAP_AUDIT_CONTROL))
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2263) return -EPERM;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2264) /* reject if this is not an unset and we don't allow that */
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2265) if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2266) && uid_valid(loginuid))
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2267) return -EPERM;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2268) return 0;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2269) }
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2270)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2271) static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2272) unsigned int oldsessionid,
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2273) unsigned int sessionid, int rc)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2274) {
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2275) struct audit_buffer *ab;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2276) uid_t uid, oldloginuid, loginuid;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2277) struct tty_struct *tty;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2278)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2279) if (!audit_enabled)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2280) return;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2281)
73e65b88feb91 (Richard Guy Briggs 2019-03-19 15:23:29 -0400 2282) ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2283) if (!ab)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2284) return;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2285)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2286) uid = from_kuid(&init_user_ns, task_uid(current));
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2287) oldloginuid = from_kuid(&init_user_ns, koldloginuid);
a1b861faa6844 (Zheng Yongjun 2020-12-11 16:42:54 +0800 2288) loginuid = from_kuid(&init_user_ns, kloginuid);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2289) tty = audit_get_tty();
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2290)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2291) audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2292) audit_log_task_context(ab);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2293) audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2294) oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2295) oldsessionid, sessionid, !rc);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2296) audit_put_tty(tty);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2297) audit_log_end(ab);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2298) }
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2299)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2300) /**
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2301) * audit_set_loginuid - set current task's loginuid
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2302) * @loginuid: loginuid value
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2303) *
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2304) * Returns 0.
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2305) *
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2306) * Called (set) from fs/proc/base.c::proc_loginuid_write().
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2307) */
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2308) int audit_set_loginuid(kuid_t loginuid)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2309) {
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2310) unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2311) kuid_t oldloginuid;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2312) int rc;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2313)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2314) oldloginuid = audit_get_loginuid(current);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2315) oldsessionid = audit_get_sessionid(current);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2316)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2317) rc = audit_set_loginuid_perm(loginuid);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2318) if (rc)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2319) goto out;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2320)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2321) /* are we setting or clearing? */
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2322) if (uid_valid(loginuid)) {
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2323) sessionid = (unsigned int)atomic_inc_return(&session_id);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2324) if (unlikely(sessionid == AUDIT_SID_UNSET))
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2325) sessionid = (unsigned int)atomic_inc_return(&session_id);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2326) }
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2327)
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2328) current->sessionid = sessionid;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2329) current->loginuid = loginuid;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2330) out:
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2331) audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2332) return rc;
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2333) }
4b7d248b3a1de (Richard Guy Briggs 2019-01-22 17:06:39 -0500 2334)
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2335) /**
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2336) * audit_signal_info - record signal info for shutting down audit subsystem
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2337) * @sig: signal value
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2338) * @t: task being signaled
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2339) *
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2340) * If the audit subsystem is being terminated, record the task (pid)
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2341) * and uid that is doing that.
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2342) */
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2343) int audit_signal_info(int sig, struct task_struct *t)
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2344) {
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2345) kuid_t uid = current_uid(), auid;
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2346)
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2347) if (auditd_test_task(t) &&
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2348) (sig == SIGTERM || sig == SIGHUP ||
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2349) sig == SIGUSR1 || sig == SIGUSR2)) {
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2350) audit_sig_pid = task_tgid_nr(current);
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2351) auid = audit_get_loginuid(current);
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2352) if (uid_valid(auid))
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2353) audit_sig_uid = auid;
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2354) else
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2355) audit_sig_uid = uid;
4ebd7651bfc89 (Paul Moore 2021-02-19 14:26:21 -0500 2356) security_task_getsecid_subj(current, &audit_sig_sid);
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2357) }
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2358)
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2359) return audit_signal_info_syscall(t);
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2360) }
b48345aafb203 (Richard Guy Briggs 2019-05-10 12:21:49 -0400 2361)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2362) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2363) * audit_log_end - end one audit record
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2364) * @ab: the audit_buffer
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2365) *
4aa83872d3468 (Paul Moore 2016-11-29 16:53:24 -0500 2366) * We can not do a netlink send inside an irq context because it blocks (last
4aa83872d3468 (Paul Moore 2016-11-29 16:53:24 -0500 2367) * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
c1de44631eb53 (Davidlohr Bueso 2021-01-14 16:12:01 -0800 2368) * queue and a kthread is scheduled to remove them from the queue outside the
4aa83872d3468 (Paul Moore 2016-11-29 16:53:24 -0500 2369) * irq context. May be called in any context.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2370) */
b7d1125817c9a (David Woodhouse 2005-05-19 10:56:58 +0100 2371) void audit_log_end(struct audit_buffer *ab)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2372) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2373) struct sk_buff *skb;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2374) struct nlmsghdr *nlh;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2375)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2376) if (!ab)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2377) return;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2378)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2379) if (audit_rate_check()) {
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2380) skb = ab->skb;
f3d357b092956 (Eric Paris 2008-04-18 10:02:28 -0400 2381) ab->skb = NULL;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2382)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2383) /* setup the netlink header, see the comments in
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2384) * kauditd_send_multicast_skb() for length quirks */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2385) nlh = nlmsg_hdr(skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2386) nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2387)
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2388) /* queue the netlink packet and poke the kauditd thread */
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2389) skb_queue_tail(&audit_queue, skb);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2390) wake_up_interruptible(&kauditd_wait);
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2391) } else
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2392) audit_log_lost("rate limit exceeded");
5b52330bbfe63 (Paul Moore 2017-03-21 11:26:35 -0400 2393)
16e1904e694d4 (Chris Wright 2005-05-06 15:53:34 +0100 2394) audit_buffer_free(ab);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2395) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2396)
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2397) /**
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2398) * audit_log - Log an audit record
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2399) * @ctx: audit context
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2400) * @gfp_mask: type of allocation
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2401) * @type: audit message type
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2402) * @fmt: format string to use
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2403) * @...: variable parameters matching the format string
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2404) *
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2405) * This is a convenience function that calls audit_log_start,
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2406) * audit_log_vformat, and audit_log_end. It may be called
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2407) * in any context.
b0dd25a8263dd (Randy Dunlap 2005-09-13 12:47:11 -0700 2408) */
5600b892789c2 (Daniel Walker 2007-10-18 03:06:10 -0700 2409) void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 2410) const char *fmt, ...)
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2411) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2412) struct audit_buffer *ab;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2413) va_list args;
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2414)
9ad9ad385be27 (David Woodhouse 2005-06-22 15:04:33 +0100 2415) ab = audit_log_start(ctx, gfp_mask, type);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2416) if (ab) {
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2417) va_start(args, fmt);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2418) audit_log_vformat(ab, fmt, args);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2419) va_end(args);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2420) audit_log_end(ab);
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2421) }
^1da177e4c3f4 (Linus Torvalds 2005-04-16 15:20:36 -0700 2422) }
bf45da97a45f6 (lorenzo@gnu.org 2006-03-09 00:33:47 +0100 2423)
bf45da97a45f6 (lorenzo@gnu.org 2006-03-09 00:33:47 +0100 2424) EXPORT_SYMBOL(audit_log_start);
bf45da97a45f6 (lorenzo@gnu.org 2006-03-09 00:33:47 +0100 2425) EXPORT_SYMBOL(audit_log_end);
bf45da97a45f6 (lorenzo@gnu.org 2006-03-09 00:33:47 +0100 2426) EXPORT_SYMBOL(audit_log_format);
bf45da97a45f6 (lorenzo@gnu.org 2006-03-09 00:33:47 +0100 2427) EXPORT_SYMBOL(audit_log);