1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* auditsc.c -- System-call auditing support
3  * Handles all system-call specific auditing features.
4  *
5  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6  * Copyright 2005 Hewlett-Packard Development Company, L.P.
7  * Copyright (C) 2005, 2006 IBM Corporation
8  * All Rights Reserved.
9  *
10  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
11  *
12  * Many of the ideas implemented here are from Stephen C. Tweedie,
13  * especially the idea of avoiding a copy by using getname.
14  *
15  * The method for actual interception of syscall entry and exit (not in
16  * this file -- see entry.S) is based on a GPL'd patch written by
17  * okir@suse.de and Copyright 2003 SuSE Linux AG.
18  *
19  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
20  * 2006.
21  *
22  * The support of additional filter rules compares (>, <, >=, <=) was
23  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
24  *
25  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
26  * filesystem information.
27  *
28  * Subject and object context labeling support added by <danjones@us.ibm.com>
29  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30  */
31 
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 
34 #include <linux/init.h>
35 #include <asm/types.h>
36 #include <linux/atomic.h>
37 #include <linux/fs.h>
38 #include <linux/namei.h>
39 #include <linux/mm.h>
40 #include <linux/export.h>
41 #include <linux/slab.h>
42 #include <linux/mount.h>
43 #include <linux/socket.h>
44 #include <linux/mqueue.h>
45 #include <linux/audit.h>
46 #include <linux/personality.h>
47 #include <linux/time.h>
48 #include <linux/netlink.h>
49 #include <linux/compiler.h>
50 #include <asm/unistd.h>
51 #include <linux/security.h>
52 #include <linux/list.h>
53 #include <linux/binfmts.h>
54 #include <linux/highmem.h>
55 #include <linux/syscalls.h>
56 #include <asm/syscall.h>
57 #include <linux/capability.h>
58 #include <linux/fs_struct.h>
59 #include <linux/compat.h>
60 #include <linux/ctype.h>
61 #include <linux/string.h>
62 #include <linux/uaccess.h>
63 #include <linux/fsnotify_backend.h>
64 #include <uapi/linux/limits.h>
65 #include <uapi/linux/netfilter/nf_tables.h>
66 #include <uapi/linux/openat2.h> // struct open_how
67 #include <uapi/linux/fanotify.h>
68 
69 #include "audit.h"
70 
71 /* flags stating the success for a syscall */
72 #define AUDITSC_INVALID 0
73 #define AUDITSC_SUCCESS 1
74 #define AUDITSC_FAILURE 2
75 
76 /* no execve audit message should be longer than this (userspace limits),
77  * see the note near the top of audit_log_execve_info() about this value */
78 #define MAX_EXECVE_AUDIT_LEN 7500
79 
80 /* max length to print of cmdline/proctitle value during audit */
81 #define MAX_PROCTITLE_AUDIT_LEN 128
82 
83 /* number of audit rules */
84 int audit_n_rules;
85 
86 /* determines whether we collect data for signals sent */
87 int audit_signals;
88 
89 struct audit_aux_data {
90 	struct audit_aux_data	*next;
91 	int			type;
92 };
93 
94 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS	16
96 
97 struct audit_aux_data_pids {
98 	struct audit_aux_data	d;
99 	pid_t			target_pid[AUDIT_AUX_PIDS];
100 	kuid_t			target_auid[AUDIT_AUX_PIDS];
101 	kuid_t			target_uid[AUDIT_AUX_PIDS];
102 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
103 	u32			target_sid[AUDIT_AUX_PIDS];
104 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105 	int			pid_count;
106 };
107 
108 struct audit_aux_data_bprm_fcaps {
109 	struct audit_aux_data	d;
110 	struct audit_cap_data	fcap;
111 	unsigned int		fcap_ver;
112 	struct audit_cap_data	old_pcap;
113 	struct audit_cap_data	new_pcap;
114 };
115 
116 struct audit_tree_refs {
117 	struct audit_tree_refs *next;
118 	struct audit_chunk *c[31];
119 };
120 
121 struct audit_nfcfgop_tab {
122 	enum audit_nfcfgop	op;
123 	const char		*s;
124 };
125 
126 static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
127 	{ AUDIT_XT_OP_REGISTER,			"xt_register"		   },
128 	{ AUDIT_XT_OP_REPLACE,			"xt_replace"		   },
129 	{ AUDIT_XT_OP_UNREGISTER,		"xt_unregister"		   },
130 	{ AUDIT_NFT_OP_TABLE_REGISTER,		"nft_register_table"	   },
131 	{ AUDIT_NFT_OP_TABLE_UNREGISTER,	"nft_unregister_table"	   },
132 	{ AUDIT_NFT_OP_CHAIN_REGISTER,		"nft_register_chain"	   },
133 	{ AUDIT_NFT_OP_CHAIN_UNREGISTER,	"nft_unregister_chain"	   },
134 	{ AUDIT_NFT_OP_RULE_REGISTER,		"nft_register_rule"	   },
135 	{ AUDIT_NFT_OP_RULE_UNREGISTER,		"nft_unregister_rule"	   },
136 	{ AUDIT_NFT_OP_SET_REGISTER,		"nft_register_set"	   },
137 	{ AUDIT_NFT_OP_SET_UNREGISTER,		"nft_unregister_set"	   },
138 	{ AUDIT_NFT_OP_SETELEM_REGISTER,	"nft_register_setelem"	   },
139 	{ AUDIT_NFT_OP_SETELEM_UNREGISTER,	"nft_unregister_setelem"   },
140 	{ AUDIT_NFT_OP_GEN_REGISTER,		"nft_register_gen"	   },
141 	{ AUDIT_NFT_OP_OBJ_REGISTER,		"nft_register_obj"	   },
142 	{ AUDIT_NFT_OP_OBJ_UNREGISTER,		"nft_unregister_obj"	   },
143 	{ AUDIT_NFT_OP_OBJ_RESET,		"nft_reset_obj"		   },
144 	{ AUDIT_NFT_OP_FLOWTABLE_REGISTER,	"nft_register_flowtable"   },
145 	{ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,	"nft_unregister_flowtable" },
146 	{ AUDIT_NFT_OP_SETELEM_RESET,		"nft_reset_setelem"        },
147 	{ AUDIT_NFT_OP_RULE_RESET,		"nft_reset_rule"           },
148 	{ AUDIT_NFT_OP_INVALID,			"nft_invalid"		   },
149 };
150 
audit_match_perm(struct audit_context * ctx,int mask)151 static int audit_match_perm(struct audit_context *ctx, int mask)
152 {
153 	unsigned n;
154 
155 	if (unlikely(!ctx))
156 		return 0;
157 	n = ctx->major;
158 
159 	switch (audit_classify_syscall(ctx->arch, n)) {
160 	case AUDITSC_NATIVE:
161 		if ((mask & AUDIT_PERM_WRITE) &&
162 		     audit_match_class(AUDIT_CLASS_WRITE, n))
163 			return 1;
164 		if ((mask & AUDIT_PERM_READ) &&
165 		     audit_match_class(AUDIT_CLASS_READ, n))
166 			return 1;
167 		if ((mask & AUDIT_PERM_ATTR) &&
168 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
169 			return 1;
170 		return 0;
171 	case AUDITSC_COMPAT: /* 32bit on biarch */
172 		if ((mask & AUDIT_PERM_WRITE) &&
173 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
174 			return 1;
175 		if ((mask & AUDIT_PERM_READ) &&
176 		     audit_match_class(AUDIT_CLASS_READ_32, n))
177 			return 1;
178 		if ((mask & AUDIT_PERM_ATTR) &&
179 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180 			return 1;
181 		return 0;
182 	case AUDITSC_OPEN:
183 		return mask & ACC_MODE(ctx->argv[1]);
184 	case AUDITSC_OPENAT:
185 		return mask & ACC_MODE(ctx->argv[2]);
186 	case AUDITSC_SOCKETCALL:
187 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188 	case AUDITSC_EXECVE:
189 		return mask & AUDIT_PERM_EXEC;
190 	case AUDITSC_OPENAT2:
191 		return mask & ACC_MODE((u32)ctx->openat2.flags);
192 	default:
193 		return 0;
194 	}
195 }
196 
audit_match_filetype(struct audit_context * ctx,int val)197 static int audit_match_filetype(struct audit_context *ctx, int val)
198 {
199 	struct audit_names *n;
200 	umode_t mode = (umode_t)val;
201 
202 	if (unlikely(!ctx))
203 		return 0;
204 
205 	list_for_each_entry(n, &ctx->names_list, list) {
206 		if ((n->ino != AUDIT_INO_UNSET) &&
207 		    ((n->mode & S_IFMT) == mode))
208 			return 1;
209 	}
210 
211 	return 0;
212 }
213 
214 /*
215  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216  * ->first_trees points to its beginning, ->trees - to the current end of data.
217  * ->tree_count is the number of free entries in array pointed to by ->trees.
218  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
220  * it's going to remain 1-element for almost any setup) until we free context itself.
221  * References in it _are_ dropped - at the same time we free/drop aux stuff.
222  */
223 
audit_set_auditable(struct audit_context * ctx)224 static void audit_set_auditable(struct audit_context *ctx)
225 {
226 	if (!ctx->prio) {
227 		ctx->prio = 1;
228 		ctx->current_state = AUDIT_STATE_RECORD;
229 	}
230 }
231 
put_tree_ref(struct audit_context * ctx,struct audit_chunk * chunk)232 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233 {
234 	struct audit_tree_refs *p = ctx->trees;
235 	int left = ctx->tree_count;
236 
237 	if (likely(left)) {
238 		p->c[--left] = chunk;
239 		ctx->tree_count = left;
240 		return 1;
241 	}
242 	if (!p)
243 		return 0;
244 	p = p->next;
245 	if (p) {
246 		p->c[30] = chunk;
247 		ctx->trees = p;
248 		ctx->tree_count = 30;
249 		return 1;
250 	}
251 	return 0;
252 }
253 
grow_tree_refs(struct audit_context * ctx)254 static int grow_tree_refs(struct audit_context *ctx)
255 {
256 	struct audit_tree_refs *p = ctx->trees;
257 
258 	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259 	if (!ctx->trees) {
260 		ctx->trees = p;
261 		return 0;
262 	}
263 	if (p)
264 		p->next = ctx->trees;
265 	else
266 		ctx->first_trees = ctx->trees;
267 	ctx->tree_count = 31;
268 	return 1;
269 }
270 
unroll_tree_refs(struct audit_context * ctx,struct audit_tree_refs * p,int count)271 static void unroll_tree_refs(struct audit_context *ctx,
272 		      struct audit_tree_refs *p, int count)
273 {
274 	struct audit_tree_refs *q;
275 	int n;
276 
277 	if (!p) {
278 		/* we started with empty chain */
279 		p = ctx->first_trees;
280 		count = 31;
281 		/* if the very first allocation has failed, nothing to do */
282 		if (!p)
283 			return;
284 	}
285 	n = count;
286 	for (q = p; q != ctx->trees; q = q->next, n = 31) {
287 		while (n--) {
288 			audit_put_chunk(q->c[n]);
289 			q->c[n] = NULL;
290 		}
291 	}
292 	while (n-- > ctx->tree_count) {
293 		audit_put_chunk(q->c[n]);
294 		q->c[n] = NULL;
295 	}
296 	ctx->trees = p;
297 	ctx->tree_count = count;
298 }
299 
free_tree_refs(struct audit_context * ctx)300 static void free_tree_refs(struct audit_context *ctx)
301 {
302 	struct audit_tree_refs *p, *q;
303 
304 	for (p = ctx->first_trees; p; p = q) {
305 		q = p->next;
306 		kfree(p);
307 	}
308 }
309 
match_tree_refs(struct audit_context * ctx,struct audit_tree * tree)310 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311 {
312 	struct audit_tree_refs *p;
313 	int n;
314 
315 	if (!tree)
316 		return 0;
317 	/* full ones */
318 	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319 		for (n = 0; n < 31; n++)
320 			if (audit_tree_match(p->c[n], tree))
321 				return 1;
322 	}
323 	/* partial */
324 	if (p) {
325 		for (n = ctx->tree_count; n < 31; n++)
326 			if (audit_tree_match(p->c[n], tree))
327 				return 1;
328 	}
329 	return 0;
330 }
331 
audit_compare_uid(kuid_t uid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)332 static int audit_compare_uid(kuid_t uid,
333 			     struct audit_names *name,
334 			     struct audit_field *f,
335 			     struct audit_context *ctx)
336 {
337 	struct audit_names *n;
338 	int rc;
339 
340 	if (name) {
341 		rc = audit_uid_comparator(uid, f->op, name->uid);
342 		if (rc)
343 			return rc;
344 	}
345 
346 	if (ctx) {
347 		list_for_each_entry(n, &ctx->names_list, list) {
348 			rc = audit_uid_comparator(uid, f->op, n->uid);
349 			if (rc)
350 				return rc;
351 		}
352 	}
353 	return 0;
354 }
355 
audit_compare_gid(kgid_t gid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)356 static int audit_compare_gid(kgid_t gid,
357 			     struct audit_names *name,
358 			     struct audit_field *f,
359 			     struct audit_context *ctx)
360 {
361 	struct audit_names *n;
362 	int rc;
363 
364 	if (name) {
365 		rc = audit_gid_comparator(gid, f->op, name->gid);
366 		if (rc)
367 			return rc;
368 	}
369 
370 	if (ctx) {
371 		list_for_each_entry(n, &ctx->names_list, list) {
372 			rc = audit_gid_comparator(gid, f->op, n->gid);
373 			if (rc)
374 				return rc;
375 		}
376 	}
377 	return 0;
378 }
379 
audit_field_compare(struct task_struct * tsk,const struct cred * cred,struct audit_field * f,struct audit_context * ctx,struct audit_names * name)380 static int audit_field_compare(struct task_struct *tsk,
381 			       const struct cred *cred,
382 			       struct audit_field *f,
383 			       struct audit_context *ctx,
384 			       struct audit_names *name)
385 {
386 	switch (f->val) {
387 	/* process to file object comparisons */
388 	case AUDIT_COMPARE_UID_TO_OBJ_UID:
389 		return audit_compare_uid(cred->uid, name, f, ctx);
390 	case AUDIT_COMPARE_GID_TO_OBJ_GID:
391 		return audit_compare_gid(cred->gid, name, f, ctx);
392 	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393 		return audit_compare_uid(cred->euid, name, f, ctx);
394 	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395 		return audit_compare_gid(cred->egid, name, f, ctx);
396 	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397 		return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
398 	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399 		return audit_compare_uid(cred->suid, name, f, ctx);
400 	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401 		return audit_compare_gid(cred->sgid, name, f, ctx);
402 	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403 		return audit_compare_uid(cred->fsuid, name, f, ctx);
404 	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405 		return audit_compare_gid(cred->fsgid, name, f, ctx);
406 	/* uid comparisons */
407 	case AUDIT_COMPARE_UID_TO_AUID:
408 		return audit_uid_comparator(cred->uid, f->op,
409 					    audit_get_loginuid(tsk));
410 	case AUDIT_COMPARE_UID_TO_EUID:
411 		return audit_uid_comparator(cred->uid, f->op, cred->euid);
412 	case AUDIT_COMPARE_UID_TO_SUID:
413 		return audit_uid_comparator(cred->uid, f->op, cred->suid);
414 	case AUDIT_COMPARE_UID_TO_FSUID:
415 		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
416 	/* auid comparisons */
417 	case AUDIT_COMPARE_AUID_TO_EUID:
418 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
419 					    cred->euid);
420 	case AUDIT_COMPARE_AUID_TO_SUID:
421 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
422 					    cred->suid);
423 	case AUDIT_COMPARE_AUID_TO_FSUID:
424 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
425 					    cred->fsuid);
426 	/* euid comparisons */
427 	case AUDIT_COMPARE_EUID_TO_SUID:
428 		return audit_uid_comparator(cred->euid, f->op, cred->suid);
429 	case AUDIT_COMPARE_EUID_TO_FSUID:
430 		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
431 	/* suid comparisons */
432 	case AUDIT_COMPARE_SUID_TO_FSUID:
433 		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
434 	/* gid comparisons */
435 	case AUDIT_COMPARE_GID_TO_EGID:
436 		return audit_gid_comparator(cred->gid, f->op, cred->egid);
437 	case AUDIT_COMPARE_GID_TO_SGID:
438 		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
439 	case AUDIT_COMPARE_GID_TO_FSGID:
440 		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
441 	/* egid comparisons */
442 	case AUDIT_COMPARE_EGID_TO_SGID:
443 		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
444 	case AUDIT_COMPARE_EGID_TO_FSGID:
445 		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
446 	/* sgid comparison */
447 	case AUDIT_COMPARE_SGID_TO_FSGID:
448 		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
449 	default:
450 		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
451 		return 0;
452 	}
453 	return 0;
454 }
455 
456 /* Determine if any context name data matches a rule's watch data */
457 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
458  * otherwise.
459  *
460  * If task_creation is true, this is an explicit indication that we are
461  * filtering a task rule at task creation time.  This and tsk == current are
462  * the only situations where tsk->cred may be accessed without an rcu read lock.
463  */
audit_filter_rules(struct task_struct * tsk,struct audit_krule * rule,struct audit_context * ctx,struct audit_names * name,enum audit_state * state,bool task_creation)464 static int audit_filter_rules(struct task_struct *tsk,
465 			      struct audit_krule *rule,
466 			      struct audit_context *ctx,
467 			      struct audit_names *name,
468 			      enum audit_state *state,
469 			      bool task_creation)
470 {
471 	const struct cred *cred;
472 	int i, need_sid = 1;
473 	u32 sid;
474 	unsigned int sessionid;
475 
476 	if (ctx && rule->prio <= ctx->prio)
477 		return 0;
478 
479 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
480 
481 	for (i = 0; i < rule->field_count; i++) {
482 		struct audit_field *f = &rule->fields[i];
483 		struct audit_names *n;
484 		int result = 0;
485 		pid_t pid;
486 
487 		switch (f->type) {
488 		case AUDIT_PID:
489 			pid = task_tgid_nr(tsk);
490 			result = audit_comparator(pid, f->op, f->val);
491 			break;
492 		case AUDIT_PPID:
493 			if (ctx) {
494 				if (!ctx->ppid)
495 					ctx->ppid = task_ppid_nr(tsk);
496 				result = audit_comparator(ctx->ppid, f->op, f->val);
497 			}
498 			break;
499 		case AUDIT_EXE:
500 			result = audit_exe_compare(tsk, rule->exe);
501 			if (f->op == Audit_not_equal)
502 				result = !result;
503 			break;
504 		case AUDIT_UID:
505 			result = audit_uid_comparator(cred->uid, f->op, f->uid);
506 			break;
507 		case AUDIT_EUID:
508 			result = audit_uid_comparator(cred->euid, f->op, f->uid);
509 			break;
510 		case AUDIT_SUID:
511 			result = audit_uid_comparator(cred->suid, f->op, f->uid);
512 			break;
513 		case AUDIT_FSUID:
514 			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
515 			break;
516 		case AUDIT_GID:
517 			result = audit_gid_comparator(cred->gid, f->op, f->gid);
518 			if (f->op == Audit_equal) {
519 				if (!result)
520 					result = groups_search(cred->group_info, f->gid);
521 			} else if (f->op == Audit_not_equal) {
522 				if (result)
523 					result = !groups_search(cred->group_info, f->gid);
524 			}
525 			break;
526 		case AUDIT_EGID:
527 			result = audit_gid_comparator(cred->egid, f->op, f->gid);
528 			if (f->op == Audit_equal) {
529 				if (!result)
530 					result = groups_search(cred->group_info, f->gid);
531 			} else if (f->op == Audit_not_equal) {
532 				if (result)
533 					result = !groups_search(cred->group_info, f->gid);
534 			}
535 			break;
536 		case AUDIT_SGID:
537 			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
538 			break;
539 		case AUDIT_FSGID:
540 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
541 			break;
542 		case AUDIT_SESSIONID:
543 			sessionid = audit_get_sessionid(tsk);
544 			result = audit_comparator(sessionid, f->op, f->val);
545 			break;
546 		case AUDIT_PERS:
547 			result = audit_comparator(tsk->personality, f->op, f->val);
548 			break;
549 		case AUDIT_ARCH:
550 			if (ctx)
551 				result = audit_comparator(ctx->arch, f->op, f->val);
552 			break;
553 
554 		case AUDIT_EXIT:
555 			if (ctx && ctx->return_valid != AUDITSC_INVALID)
556 				result = audit_comparator(ctx->return_code, f->op, f->val);
557 			break;
558 		case AUDIT_SUCCESS:
559 			if (ctx && ctx->return_valid != AUDITSC_INVALID) {
560 				if (f->val)
561 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562 				else
563 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564 			}
565 			break;
566 		case AUDIT_DEVMAJOR:
567 			if (name) {
568 				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
569 				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
570 					++result;
571 			} else if (ctx) {
572 				list_for_each_entry(n, &ctx->names_list, list) {
573 					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
574 					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
575 						++result;
576 						break;
577 					}
578 				}
579 			}
580 			break;
581 		case AUDIT_DEVMINOR:
582 			if (name) {
583 				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
584 				    audit_comparator(MINOR(name->rdev), f->op, f->val))
585 					++result;
586 			} else if (ctx) {
587 				list_for_each_entry(n, &ctx->names_list, list) {
588 					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
589 					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
590 						++result;
591 						break;
592 					}
593 				}
594 			}
595 			break;
596 		case AUDIT_INODE:
597 			if (name)
598 				result = audit_comparator(name->ino, f->op, f->val);
599 			else if (ctx) {
600 				list_for_each_entry(n, &ctx->names_list, list) {
601 					if (audit_comparator(n->ino, f->op, f->val)) {
602 						++result;
603 						break;
604 					}
605 				}
606 			}
607 			break;
608 		case AUDIT_OBJ_UID:
609 			if (name) {
610 				result = audit_uid_comparator(name->uid, f->op, f->uid);
611 			} else if (ctx) {
612 				list_for_each_entry(n, &ctx->names_list, list) {
613 					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
614 						++result;
615 						break;
616 					}
617 				}
618 			}
619 			break;
620 		case AUDIT_OBJ_GID:
621 			if (name) {
622 				result = audit_gid_comparator(name->gid, f->op, f->gid);
623 			} else if (ctx) {
624 				list_for_each_entry(n, &ctx->names_list, list) {
625 					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
626 						++result;
627 						break;
628 					}
629 				}
630 			}
631 			break;
632 		case AUDIT_WATCH:
633 			if (name) {
634 				result = audit_watch_compare(rule->watch,
635 							     name->ino,
636 							     name->dev);
637 				if (f->op == Audit_not_equal)
638 					result = !result;
639 			}
640 			break;
641 		case AUDIT_DIR:
642 			if (ctx) {
643 				result = match_tree_refs(ctx, rule->tree);
644 				if (f->op == Audit_not_equal)
645 					result = !result;
646 			}
647 			break;
648 		case AUDIT_LOGINUID:
649 			result = audit_uid_comparator(audit_get_loginuid(tsk),
650 						      f->op, f->uid);
651 			break;
652 		case AUDIT_LOGINUID_SET:
653 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
654 			break;
655 		case AUDIT_SADDR_FAM:
656 			if (ctx && ctx->sockaddr)
657 				result = audit_comparator(ctx->sockaddr->ss_family,
658 							  f->op, f->val);
659 			break;
660 		case AUDIT_SUBJ_USER:
661 		case AUDIT_SUBJ_ROLE:
662 		case AUDIT_SUBJ_TYPE:
663 		case AUDIT_SUBJ_SEN:
664 		case AUDIT_SUBJ_CLR:
665 			/* NOTE: this may return negative values indicating
666 			   a temporary error.  We simply treat this as a
667 			   match for now to avoid losing information that
668 			   may be wanted.   An error message will also be
669 			   logged upon error */
670 			if (f->lsm_rule) {
671 				if (need_sid) {
672 					/* @tsk should always be equal to
673 					 * @current with the exception of
674 					 * fork()/copy_process() in which case
675 					 * the new @tsk creds are still a dup
676 					 * of @current's creds so we can still
677 					 * use security_current_getsecid_subj()
678 					 * here even though it always refs
679 					 * @current's creds
680 					 */
681 					security_current_getsecid_subj(&sid);
682 					need_sid = 0;
683 				}
684 				result = security_audit_rule_match(sid, f->type,
685 								   f->op,
686 								   f->lsm_rule);
687 			}
688 			break;
689 		case AUDIT_OBJ_USER:
690 		case AUDIT_OBJ_ROLE:
691 		case AUDIT_OBJ_TYPE:
692 		case AUDIT_OBJ_LEV_LOW:
693 		case AUDIT_OBJ_LEV_HIGH:
694 			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
695 			   also applies here */
696 			if (f->lsm_rule) {
697 				/* Find files that match */
698 				if (name) {
699 					result = security_audit_rule_match(
700 								name->osid,
701 								f->type,
702 								f->op,
703 								f->lsm_rule);
704 				} else if (ctx) {
705 					list_for_each_entry(n, &ctx->names_list, list) {
706 						if (security_audit_rule_match(
707 								n->osid,
708 								f->type,
709 								f->op,
710 								f->lsm_rule)) {
711 							++result;
712 							break;
713 						}
714 					}
715 				}
716 				/* Find ipc objects that match */
717 				if (!ctx || ctx->type != AUDIT_IPC)
718 					break;
719 				if (security_audit_rule_match(ctx->ipc.osid,
720 							      f->type, f->op,
721 							      f->lsm_rule))
722 					++result;
723 			}
724 			break;
725 		case AUDIT_ARG0:
726 		case AUDIT_ARG1:
727 		case AUDIT_ARG2:
728 		case AUDIT_ARG3:
729 			if (ctx)
730 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
731 			break;
732 		case AUDIT_FILTERKEY:
733 			/* ignore this field for filtering */
734 			result = 1;
735 			break;
736 		case AUDIT_PERM:
737 			result = audit_match_perm(ctx, f->val);
738 			if (f->op == Audit_not_equal)
739 				result = !result;
740 			break;
741 		case AUDIT_FILETYPE:
742 			result = audit_match_filetype(ctx, f->val);
743 			if (f->op == Audit_not_equal)
744 				result = !result;
745 			break;
746 		case AUDIT_FIELD_COMPARE:
747 			result = audit_field_compare(tsk, cred, f, ctx, name);
748 			break;
749 		}
750 		if (!result)
751 			return 0;
752 	}
753 
754 	if (ctx) {
755 		if (rule->filterkey) {
756 			kfree(ctx->filterkey);
757 			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
758 		}
759 		ctx->prio = rule->prio;
760 	}
761 	switch (rule->action) {
762 	case AUDIT_NEVER:
763 		*state = AUDIT_STATE_DISABLED;
764 		break;
765 	case AUDIT_ALWAYS:
766 		*state = AUDIT_STATE_RECORD;
767 		break;
768 	}
769 	return 1;
770 }
771 
772 /* At process creation time, we can determine if system-call auditing is
773  * completely disabled for this task.  Since we only have the task
774  * structure at this point, we can only check uid and gid.
775  */
audit_filter_task(struct task_struct * tsk,char ** key)776 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
777 {
778 	struct audit_entry *e;
779 	enum audit_state   state;
780 
781 	rcu_read_lock();
782 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
783 		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
784 				       &state, true)) {
785 			if (state == AUDIT_STATE_RECORD)
786 				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
787 			rcu_read_unlock();
788 			return state;
789 		}
790 	}
791 	rcu_read_unlock();
792 	return AUDIT_STATE_BUILD;
793 }
794 
audit_in_mask(const struct audit_krule * rule,unsigned long val)795 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
796 {
797 	int word, bit;
798 
799 	if (val > 0xffffffff)
800 		return false;
801 
802 	word = AUDIT_WORD(val);
803 	if (word >= AUDIT_BITMASK_SIZE)
804 		return false;
805 
806 	bit = AUDIT_BIT(val);
807 
808 	return rule->mask[word] & bit;
809 }
810 
811 /**
812  * __audit_filter_op - common filter helper for operations (syscall/uring/etc)
813  * @tsk: associated task
814  * @ctx: audit context
815  * @list: audit filter list
816  * @name: audit_name (can be NULL)
817  * @op: current syscall/uring_op
818  *
819  * Run the udit filters specified in @list against @tsk using @ctx,
820  * @name, and @op, as necessary; the caller is responsible for ensuring
821  * that the call is made while the RCU read lock is held. The @name
822  * parameter can be NULL, but all others must be specified.
823  * Returns 1/true if the filter finds a match, 0/false if none are found.
824  */
__audit_filter_op(struct task_struct * tsk,struct audit_context * ctx,struct list_head * list,struct audit_names * name,unsigned long op)825 static int __audit_filter_op(struct task_struct *tsk,
826 			   struct audit_context *ctx,
827 			   struct list_head *list,
828 			   struct audit_names *name,
829 			   unsigned long op)
830 {
831 	struct audit_entry *e;
832 	enum audit_state state;
833 
834 	list_for_each_entry_rcu(e, list, list) {
835 		if (audit_in_mask(&e->rule, op) &&
836 		    audit_filter_rules(tsk, &e->rule, ctx, name,
837 				       &state, false)) {
838 			ctx->current_state = state;
839 			return 1;
840 		}
841 	}
842 	return 0;
843 }
844 
845 /**
846  * audit_filter_uring - apply filters to an io_uring operation
847  * @tsk: associated task
848  * @ctx: audit context
849  */
audit_filter_uring(struct task_struct * tsk,struct audit_context * ctx)850 static void audit_filter_uring(struct task_struct *tsk,
851 			       struct audit_context *ctx)
852 {
853 	if (auditd_test_task(tsk))
854 		return;
855 
856 	rcu_read_lock();
857 	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_URING_EXIT],
858 			NULL, ctx->uring_op);
859 	rcu_read_unlock();
860 }
861 
862 /* At syscall exit time, this filter is called if the audit_state is
863  * not low enough that auditing cannot take place, but is also not
864  * high enough that we already know we have to write an audit record
865  * (i.e., the state is AUDIT_STATE_BUILD).
866  */
audit_filter_syscall(struct task_struct * tsk,struct audit_context * ctx)867 static void audit_filter_syscall(struct task_struct *tsk,
868 				 struct audit_context *ctx)
869 {
870 	if (auditd_test_task(tsk))
871 		return;
872 
873 	rcu_read_lock();
874 	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_EXIT],
875 			NULL, ctx->major);
876 	rcu_read_unlock();
877 }
878 
879 /*
880  * Given an audit_name check the inode hash table to see if they match.
881  * Called holding the rcu read lock to protect the use of audit_inode_hash
882  */
audit_filter_inode_name(struct task_struct * tsk,struct audit_names * n,struct audit_context * ctx)883 static int audit_filter_inode_name(struct task_struct *tsk,
884 				   struct audit_names *n,
885 				   struct audit_context *ctx)
886 {
887 	int h = audit_hash_ino((u32)n->ino);
888 	struct list_head *list = &audit_inode_hash[h];
889 
890 	return __audit_filter_op(tsk, ctx, list, n, ctx->major);
891 }
892 
893 /* At syscall exit time, this filter is called if any audit_names have been
894  * collected during syscall processing.  We only check rules in sublists at hash
895  * buckets applicable to the inode numbers in audit_names.
896  * Regarding audit_state, same rules apply as for audit_filter_syscall().
897  */
audit_filter_inodes(struct task_struct * tsk,struct audit_context * ctx)898 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
899 {
900 	struct audit_names *n;
901 
902 	if (auditd_test_task(tsk))
903 		return;
904 
905 	rcu_read_lock();
906 
907 	list_for_each_entry(n, &ctx->names_list, list) {
908 		if (audit_filter_inode_name(tsk, n, ctx))
909 			break;
910 	}
911 	rcu_read_unlock();
912 }
913 
audit_proctitle_free(struct audit_context * context)914 static inline void audit_proctitle_free(struct audit_context *context)
915 {
916 	kfree(context->proctitle.value);
917 	context->proctitle.value = NULL;
918 	context->proctitle.len = 0;
919 }
920 
audit_free_module(struct audit_context * context)921 static inline void audit_free_module(struct audit_context *context)
922 {
923 	if (context->type == AUDIT_KERN_MODULE) {
924 		kfree(context->module.name);
925 		context->module.name = NULL;
926 	}
927 }
audit_free_names(struct audit_context * context)928 static inline void audit_free_names(struct audit_context *context)
929 {
930 	struct audit_names *n, *next;
931 
932 	list_for_each_entry_safe(n, next, &context->names_list, list) {
933 		list_del(&n->list);
934 		if (n->name)
935 			putname(n->name);
936 		if (n->should_free)
937 			kfree(n);
938 	}
939 	context->name_count = 0;
940 	path_put(&context->pwd);
941 	context->pwd.dentry = NULL;
942 	context->pwd.mnt = NULL;
943 }
944 
audit_free_aux(struct audit_context * context)945 static inline void audit_free_aux(struct audit_context *context)
946 {
947 	struct audit_aux_data *aux;
948 
949 	while ((aux = context->aux)) {
950 		context->aux = aux->next;
951 		kfree(aux);
952 	}
953 	context->aux = NULL;
954 	while ((aux = context->aux_pids)) {
955 		context->aux_pids = aux->next;
956 		kfree(aux);
957 	}
958 	context->aux_pids = NULL;
959 }
960 
961 /**
962  * audit_reset_context - reset a audit_context structure
963  * @ctx: the audit_context to reset
964  *
965  * All fields in the audit_context will be reset to an initial state, all
966  * references held by fields will be dropped, and private memory will be
967  * released.  When this function returns the audit_context will be suitable
968  * for reuse, so long as the passed context is not NULL or a dummy context.
969  */
audit_reset_context(struct audit_context * ctx)970 static void audit_reset_context(struct audit_context *ctx)
971 {
972 	if (!ctx)
973 		return;
974 
975 	/* if ctx is non-null, reset the "ctx->context" regardless */
976 	ctx->context = AUDIT_CTX_UNUSED;
977 	if (ctx->dummy)
978 		return;
979 
980 	/*
981 	 * NOTE: It shouldn't matter in what order we release the fields, so
982 	 *       release them in the order in which they appear in the struct;
983 	 *       this gives us some hope of quickly making sure we are
984 	 *       resetting the audit_context properly.
985 	 *
986 	 *       Other things worth mentioning:
987 	 *       - we don't reset "dummy"
988 	 *       - we don't reset "state", we do reset "current_state"
989 	 *       - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD
990 	 *       - much of this is likely overkill, but play it safe for now
991 	 *       - we really need to work on improving the audit_context struct
992 	 */
993 
994 	ctx->current_state = ctx->state;
995 	ctx->serial = 0;
996 	ctx->major = 0;
997 	ctx->uring_op = 0;
998 	ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
999 	memset(ctx->argv, 0, sizeof(ctx->argv));
1000 	ctx->return_code = 0;
1001 	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
1002 	ctx->return_valid = AUDITSC_INVALID;
1003 	audit_free_names(ctx);
1004 	if (ctx->state != AUDIT_STATE_RECORD) {
1005 		kfree(ctx->filterkey);
1006 		ctx->filterkey = NULL;
1007 	}
1008 	audit_free_aux(ctx);
1009 	kfree(ctx->sockaddr);
1010 	ctx->sockaddr = NULL;
1011 	ctx->sockaddr_len = 0;
1012 	ctx->ppid = 0;
1013 	ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
1014 	ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
1015 	ctx->personality = 0;
1016 	ctx->arch = 0;
1017 	ctx->target_pid = 0;
1018 	ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
1019 	ctx->target_sessionid = 0;
1020 	ctx->target_sid = 0;
1021 	ctx->target_comm[0] = '\0';
1022 	unroll_tree_refs(ctx, NULL, 0);
1023 	WARN_ON(!list_empty(&ctx->killed_trees));
1024 	audit_free_module(ctx);
1025 	ctx->fds[0] = -1;
1026 	ctx->type = 0; /* reset last for audit_free_*() */
1027 }
1028 
audit_alloc_context(enum audit_state state)1029 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1030 {
1031 	struct audit_context *context;
1032 
1033 	context = kzalloc(sizeof(*context), GFP_KERNEL);
1034 	if (!context)
1035 		return NULL;
1036 	context->context = AUDIT_CTX_UNUSED;
1037 	context->state = state;
1038 	context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;
1039 	INIT_LIST_HEAD(&context->killed_trees);
1040 	INIT_LIST_HEAD(&context->names_list);
1041 	context->fds[0] = -1;
1042 	context->return_valid = AUDITSC_INVALID;
1043 	return context;
1044 }
1045 
1046 /**
1047  * audit_alloc - allocate an audit context block for a task
1048  * @tsk: task
1049  *
1050  * Filter on the task information and allocate a per-task audit context
1051  * if necessary.  Doing so turns on system call auditing for the
1052  * specified task.  This is called from copy_process, so no lock is
1053  * needed.
1054  */
audit_alloc(struct task_struct * tsk)1055 int audit_alloc(struct task_struct *tsk)
1056 {
1057 	struct audit_context *context;
1058 	enum audit_state     state;
1059 	char *key = NULL;
1060 
1061 	if (likely(!audit_ever_enabled))
1062 		return 0;
1063 
1064 	state = audit_filter_task(tsk, &key);
1065 	if (state == AUDIT_STATE_DISABLED) {
1066 		clear_task_syscall_work(tsk, SYSCALL_AUDIT);
1067 		return 0;
1068 	}
1069 
1070 	context = audit_alloc_context(state);
1071 	if (!context) {
1072 		kfree(key);
1073 		audit_log_lost("out of memory in audit_alloc");
1074 		return -ENOMEM;
1075 	}
1076 	context->filterkey = key;
1077 
1078 	audit_set_context(tsk, context);
1079 	set_task_syscall_work(tsk, SYSCALL_AUDIT);
1080 	return 0;
1081 }
1082 
audit_free_context(struct audit_context * context)1083 static inline void audit_free_context(struct audit_context *context)
1084 {
1085 	/* resetting is extra work, but it is likely just noise */
1086 	audit_reset_context(context);
1087 	audit_proctitle_free(context);
1088 	free_tree_refs(context);
1089 	kfree(context->filterkey);
1090 	kfree(context);
1091 }
1092 
audit_log_pid_context(struct audit_context * context,pid_t pid,kuid_t auid,kuid_t uid,unsigned int sessionid,u32 sid,char * comm)1093 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1094 				 kuid_t auid, kuid_t uid, unsigned int sessionid,
1095 				 u32 sid, char *comm)
1096 {
1097 	struct audit_buffer *ab;
1098 	char *ctx = NULL;
1099 	u32 len;
1100 	int rc = 0;
1101 
1102 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1103 	if (!ab)
1104 		return rc;
1105 
1106 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1107 			 from_kuid(&init_user_ns, auid),
1108 			 from_kuid(&init_user_ns, uid), sessionid);
1109 	if (sid) {
1110 		if (security_secid_to_secctx(sid, &ctx, &len)) {
1111 			audit_log_format(ab, " obj=(none)");
1112 			rc = 1;
1113 		} else {
1114 			audit_log_format(ab, " obj=%s", ctx);
1115 			security_release_secctx(ctx, len);
1116 		}
1117 	}
1118 	audit_log_format(ab, " ocomm=");
1119 	audit_log_untrustedstring(ab, comm);
1120 	audit_log_end(ab);
1121 
1122 	return rc;
1123 }
1124 
audit_log_execve_info(struct audit_context * context,struct audit_buffer ** ab)1125 static void audit_log_execve_info(struct audit_context *context,
1126 				  struct audit_buffer **ab)
1127 {
1128 	long len_max;
1129 	long len_rem;
1130 	long len_full;
1131 	long len_buf;
1132 	long len_abuf = 0;
1133 	long len_tmp;
1134 	bool require_data;
1135 	bool encode;
1136 	unsigned int iter;
1137 	unsigned int arg;
1138 	char *buf_head;
1139 	char *buf;
1140 	const char __user *p = (const char __user *)current->mm->arg_start;
1141 
1142 	/* NOTE: this buffer needs to be large enough to hold all the non-arg
1143 	 *       data we put in the audit record for this argument (see the
1144 	 *       code below) ... at this point in time 96 is plenty */
1145 	char abuf[96];
1146 
1147 	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1148 	 *       current value of 7500 is not as important as the fact that it
1149 	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1150 	 *       room if we go over a little bit in the logging below */
1151 	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1152 	len_max = MAX_EXECVE_AUDIT_LEN;
1153 
1154 	/* scratch buffer to hold the userspace args */
1155 	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1156 	if (!buf_head) {
1157 		audit_panic("out of memory for argv string");
1158 		return;
1159 	}
1160 	buf = buf_head;
1161 
1162 	audit_log_format(*ab, "argc=%d", context->execve.argc);
1163 
1164 	len_rem = len_max;
1165 	len_buf = 0;
1166 	len_full = 0;
1167 	require_data = true;
1168 	encode = false;
1169 	iter = 0;
1170 	arg = 0;
1171 	do {
1172 		/* NOTE: we don't ever want to trust this value for anything
1173 		 *       serious, but the audit record format insists we
1174 		 *       provide an argument length for really long arguments,
1175 		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1176 		 *       to use strncpy_from_user() to obtain this value for
1177 		 *       recording in the log, although we don't use it
1178 		 *       anywhere here to avoid a double-fetch problem */
1179 		if (len_full == 0)
1180 			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1181 
1182 		/* read more data from userspace */
1183 		if (require_data) {
1184 			/* can we make more room in the buffer? */
1185 			if (buf != buf_head) {
1186 				memmove(buf_head, buf, len_buf);
1187 				buf = buf_head;
1188 			}
1189 
1190 			/* fetch as much as we can of the argument */
1191 			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1192 						    len_max - len_buf);
1193 			if (len_tmp == -EFAULT) {
1194 				/* unable to copy from userspace */
1195 				send_sig(SIGKILL, current, 0);
1196 				goto out;
1197 			} else if (len_tmp == (len_max - len_buf)) {
1198 				/* buffer is not large enough */
1199 				require_data = true;
1200 				/* NOTE: if we are going to span multiple
1201 				 *       buffers force the encoding so we stand
1202 				 *       a chance at a sane len_full value and
1203 				 *       consistent record encoding */
1204 				encode = true;
1205 				len_full = len_full * 2;
1206 				p += len_tmp;
1207 			} else {
1208 				require_data = false;
1209 				if (!encode)
1210 					encode = audit_string_contains_control(
1211 								buf, len_tmp);
1212 				/* try to use a trusted value for len_full */
1213 				if (len_full < len_max)
1214 					len_full = (encode ?
1215 						    len_tmp * 2 : len_tmp);
1216 				p += len_tmp + 1;
1217 			}
1218 			len_buf += len_tmp;
1219 			buf_head[len_buf] = '\0';
1220 
1221 			/* length of the buffer in the audit record? */
1222 			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1223 		}
1224 
1225 		/* write as much as we can to the audit log */
1226 		if (len_buf >= 0) {
1227 			/* NOTE: some magic numbers here - basically if we
1228 			 *       can't fit a reasonable amount of data into the
1229 			 *       existing audit buffer, flush it and start with
1230 			 *       a new buffer */
1231 			if ((sizeof(abuf) + 8) > len_rem) {
1232 				len_rem = len_max;
1233 				audit_log_end(*ab);
1234 				*ab = audit_log_start(context,
1235 						      GFP_KERNEL, AUDIT_EXECVE);
1236 				if (!*ab)
1237 					goto out;
1238 			}
1239 
1240 			/* create the non-arg portion of the arg record */
1241 			len_tmp = 0;
1242 			if (require_data || (iter > 0) ||
1243 			    ((len_abuf + sizeof(abuf)) > len_rem)) {
1244 				if (iter == 0) {
1245 					len_tmp += snprintf(&abuf[len_tmp],
1246 							sizeof(abuf) - len_tmp,
1247 							" a%d_len=%lu",
1248 							arg, len_full);
1249 				}
1250 				len_tmp += snprintf(&abuf[len_tmp],
1251 						    sizeof(abuf) - len_tmp,
1252 						    " a%d[%d]=", arg, iter++);
1253 			} else
1254 				len_tmp += snprintf(&abuf[len_tmp],
1255 						    sizeof(abuf) - len_tmp,
1256 						    " a%d=", arg);
1257 			WARN_ON(len_tmp >= sizeof(abuf));
1258 			abuf[sizeof(abuf) - 1] = '\0';
1259 
1260 			/* log the arg in the audit record */
1261 			audit_log_format(*ab, "%s", abuf);
1262 			len_rem -= len_tmp;
1263 			len_tmp = len_buf;
1264 			if (encode) {
1265 				if (len_abuf > len_rem)
1266 					len_tmp = len_rem / 2; /* encoding */
1267 				audit_log_n_hex(*ab, buf, len_tmp);
1268 				len_rem -= len_tmp * 2;
1269 				len_abuf -= len_tmp * 2;
1270 			} else {
1271 				if (len_abuf > len_rem)
1272 					len_tmp = len_rem - 2; /* quotes */
1273 				audit_log_n_string(*ab, buf, len_tmp);
1274 				len_rem -= len_tmp + 2;
1275 				/* don't subtract the "2" because we still need
1276 				 * to add quotes to the remaining string */
1277 				len_abuf -= len_tmp;
1278 			}
1279 			len_buf -= len_tmp;
1280 			buf += len_tmp;
1281 		}
1282 
1283 		/* ready to move to the next argument? */
1284 		if ((len_buf == 0) && !require_data) {
1285 			arg++;
1286 			iter = 0;
1287 			len_full = 0;
1288 			require_data = true;
1289 			encode = false;
1290 		}
1291 	} while (arg < context->execve.argc);
1292 
1293 	/* NOTE: the caller handles the final audit_log_end() call */
1294 
1295 out:
1296 	kfree(buf_head);
1297 }
1298 
audit_log_cap(struct audit_buffer * ab,char * prefix,kernel_cap_t * cap)1299 static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1300 			  kernel_cap_t *cap)
1301 {
1302 	if (cap_isclear(*cap)) {
1303 		audit_log_format(ab, " %s=0", prefix);
1304 		return;
1305 	}
1306 	audit_log_format(ab, " %s=%016llx", prefix, cap->val);
1307 }
1308 
audit_log_fcaps(struct audit_buffer * ab,struct audit_names * name)1309 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1310 {
1311 	if (name->fcap_ver == -1) {
1312 		audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1313 		return;
1314 	}
1315 	audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1316 	audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1317 	audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1318 			 name->fcap.fE, name->fcap_ver,
1319 			 from_kuid(&init_user_ns, name->fcap.rootid));
1320 }
1321 
audit_log_time(struct audit_context * context,struct audit_buffer ** ab)1322 static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
1323 {
1324 	const struct audit_ntp_data *ntp = &context->time.ntp_data;
1325 	const struct timespec64 *tk = &context->time.tk_injoffset;
1326 	static const char * const ntp_name[] = {
1327 		"offset",
1328 		"freq",
1329 		"status",
1330 		"tai",
1331 		"tick",
1332 		"adjust",
1333 	};
1334 	int type;
1335 
1336 	if (context->type == AUDIT_TIME_ADJNTPVAL) {
1337 		for (type = 0; type < AUDIT_NTP_NVALS; type++) {
1338 			if (ntp->vals[type].newval != ntp->vals[type].oldval) {
1339 				if (!*ab) {
1340 					*ab = audit_log_start(context,
1341 							GFP_KERNEL,
1342 							AUDIT_TIME_ADJNTPVAL);
1343 					if (!*ab)
1344 						return;
1345 				}
1346 				audit_log_format(*ab, "op=%s old=%lli new=%lli",
1347 						 ntp_name[type],
1348 						 ntp->vals[type].oldval,
1349 						 ntp->vals[type].newval);
1350 				audit_log_end(*ab);
1351 				*ab = NULL;
1352 			}
1353 		}
1354 	}
1355 	if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
1356 		if (!*ab) {
1357 			*ab = audit_log_start(context, GFP_KERNEL,
1358 					      AUDIT_TIME_INJOFFSET);
1359 			if (!*ab)
1360 				return;
1361 		}
1362 		audit_log_format(*ab, "sec=%lli nsec=%li",
1363 				 (long long)tk->tv_sec, tk->tv_nsec);
1364 		audit_log_end(*ab);
1365 		*ab = NULL;
1366 	}
1367 }
1368 
show_special(struct audit_context * context,int * call_panic)1369 static void show_special(struct audit_context *context, int *call_panic)
1370 {
1371 	struct audit_buffer *ab;
1372 	int i;
1373 
1374 	ab = audit_log_start(context, GFP_KERNEL, context->type);
1375 	if (!ab)
1376 		return;
1377 
1378 	switch (context->type) {
1379 	case AUDIT_SOCKETCALL: {
1380 		int nargs = context->socketcall.nargs;
1381 
1382 		audit_log_format(ab, "nargs=%d", nargs);
1383 		for (i = 0; i < nargs; i++)
1384 			audit_log_format(ab, " a%d=%lx", i,
1385 				context->socketcall.args[i]);
1386 		break; }
1387 	case AUDIT_IPC: {
1388 		u32 osid = context->ipc.osid;
1389 
1390 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1391 				 from_kuid(&init_user_ns, context->ipc.uid),
1392 				 from_kgid(&init_user_ns, context->ipc.gid),
1393 				 context->ipc.mode);
1394 		if (osid) {
1395 			char *ctx = NULL;
1396 			u32 len;
1397 
1398 			if (security_secid_to_secctx(osid, &ctx, &len)) {
1399 				audit_log_format(ab, " osid=%u", osid);
1400 				*call_panic = 1;
1401 			} else {
1402 				audit_log_format(ab, " obj=%s", ctx);
1403 				security_release_secctx(ctx, len);
1404 			}
1405 		}
1406 		if (context->ipc.has_perm) {
1407 			audit_log_end(ab);
1408 			ab = audit_log_start(context, GFP_KERNEL,
1409 					     AUDIT_IPC_SET_PERM);
1410 			if (unlikely(!ab))
1411 				return;
1412 			audit_log_format(ab,
1413 				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1414 				context->ipc.qbytes,
1415 				context->ipc.perm_uid,
1416 				context->ipc.perm_gid,
1417 				context->ipc.perm_mode);
1418 		}
1419 		break; }
1420 	case AUDIT_MQ_OPEN:
1421 		audit_log_format(ab,
1422 			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1423 			"mq_msgsize=%ld mq_curmsgs=%ld",
1424 			context->mq_open.oflag, context->mq_open.mode,
1425 			context->mq_open.attr.mq_flags,
1426 			context->mq_open.attr.mq_maxmsg,
1427 			context->mq_open.attr.mq_msgsize,
1428 			context->mq_open.attr.mq_curmsgs);
1429 		break;
1430 	case AUDIT_MQ_SENDRECV:
1431 		audit_log_format(ab,
1432 			"mqdes=%d msg_len=%zd msg_prio=%u "
1433 			"abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1434 			context->mq_sendrecv.mqdes,
1435 			context->mq_sendrecv.msg_len,
1436 			context->mq_sendrecv.msg_prio,
1437 			(long long) context->mq_sendrecv.abs_timeout.tv_sec,
1438 			context->mq_sendrecv.abs_timeout.tv_nsec);
1439 		break;
1440 	case AUDIT_MQ_NOTIFY:
1441 		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1442 				context->mq_notify.mqdes,
1443 				context->mq_notify.sigev_signo);
1444 		break;
1445 	case AUDIT_MQ_GETSETATTR: {
1446 		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1447 
1448 		audit_log_format(ab,
1449 			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1450 			"mq_curmsgs=%ld ",
1451 			context->mq_getsetattr.mqdes,
1452 			attr->mq_flags, attr->mq_maxmsg,
1453 			attr->mq_msgsize, attr->mq_curmsgs);
1454 		break; }
1455 	case AUDIT_CAPSET:
1456 		audit_log_format(ab, "pid=%d", context->capset.pid);
1457 		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1458 		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1459 		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1460 		audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1461 		break;
1462 	case AUDIT_MMAP:
1463 		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1464 				 context->mmap.flags);
1465 		break;
1466 	case AUDIT_OPENAT2:
1467 		audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
1468 				 context->openat2.flags,
1469 				 context->openat2.mode,
1470 				 context->openat2.resolve);
1471 		break;
1472 	case AUDIT_EXECVE:
1473 		audit_log_execve_info(context, &ab);
1474 		break;
1475 	case AUDIT_KERN_MODULE:
1476 		audit_log_format(ab, "name=");
1477 		if (context->module.name) {
1478 			audit_log_untrustedstring(ab, context->module.name);
1479 		} else
1480 			audit_log_format(ab, "(null)");
1481 
1482 		break;
1483 	case AUDIT_TIME_ADJNTPVAL:
1484 	case AUDIT_TIME_INJOFFSET:
1485 		/* this call deviates from the rest, eating the buffer */
1486 		audit_log_time(context, &ab);
1487 		break;
1488 	}
1489 	audit_log_end(ab);
1490 }
1491 
audit_proctitle_rtrim(char * proctitle,int len)1492 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1493 {
1494 	char *end = proctitle + len - 1;
1495 
1496 	while (end > proctitle && !isprint(*end))
1497 		end--;
1498 
1499 	/* catch the case where proctitle is only 1 non-print character */
1500 	len = end - proctitle + 1;
1501 	len -= isprint(proctitle[len-1]) == 0;
1502 	return len;
1503 }
1504 
1505 /*
1506  * audit_log_name - produce AUDIT_PATH record from struct audit_names
1507  * @context: audit_context for the task
1508  * @n: audit_names structure with reportable details
1509  * @path: optional path to report instead of audit_names->name
1510  * @record_num: record number to report when handling a list of names
1511  * @call_panic: optional pointer to int that will be updated if secid fails
1512  */
audit_log_name(struct audit_context * context,struct audit_names * n,const struct path * path,int record_num,int * call_panic)1513 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1514 		    const struct path *path, int record_num, int *call_panic)
1515 {
1516 	struct audit_buffer *ab;
1517 
1518 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1519 	if (!ab)
1520 		return;
1521 
1522 	audit_log_format(ab, "item=%d", record_num);
1523 
1524 	if (path)
1525 		audit_log_d_path(ab, " name=", path);
1526 	else if (n->name) {
1527 		switch (n->name_len) {
1528 		case AUDIT_NAME_FULL:
1529 			/* log the full path */
1530 			audit_log_format(ab, " name=");
1531 			audit_log_untrustedstring(ab, n->name->name);
1532 			break;
1533 		case 0:
1534 			/* name was specified as a relative path and the
1535 			 * directory component is the cwd
1536 			 */
1537 			if (context->pwd.dentry && context->pwd.mnt)
1538 				audit_log_d_path(ab, " name=", &context->pwd);
1539 			else
1540 				audit_log_format(ab, " name=(null)");
1541 			break;
1542 		default:
1543 			/* log the name's directory component */
1544 			audit_log_format(ab, " name=");
1545 			audit_log_n_untrustedstring(ab, n->name->name,
1546 						    n->name_len);
1547 		}
1548 	} else
1549 		audit_log_format(ab, " name=(null)");
1550 
1551 	if (n->ino != AUDIT_INO_UNSET)
1552 		audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1553 				 n->ino,
1554 				 MAJOR(n->dev),
1555 				 MINOR(n->dev),
1556 				 n->mode,
1557 				 from_kuid(&init_user_ns, n->uid),
1558 				 from_kgid(&init_user_ns, n->gid),
1559 				 MAJOR(n->rdev),
1560 				 MINOR(n->rdev));
1561 	if (n->osid != 0) {
1562 		char *ctx = NULL;
1563 		u32 len;
1564 
1565 		if (security_secid_to_secctx(
1566 			n->osid, &ctx, &len)) {
1567 			audit_log_format(ab, " osid=%u", n->osid);
1568 			if (call_panic)
1569 				*call_panic = 2;
1570 		} else {
1571 			audit_log_format(ab, " obj=%s", ctx);
1572 			security_release_secctx(ctx, len);
1573 		}
1574 	}
1575 
1576 	/* log the audit_names record type */
1577 	switch (n->type) {
1578 	case AUDIT_TYPE_NORMAL:
1579 		audit_log_format(ab, " nametype=NORMAL");
1580 		break;
1581 	case AUDIT_TYPE_PARENT:
1582 		audit_log_format(ab, " nametype=PARENT");
1583 		break;
1584 	case AUDIT_TYPE_CHILD_DELETE:
1585 		audit_log_format(ab, " nametype=DELETE");
1586 		break;
1587 	case AUDIT_TYPE_CHILD_CREATE:
1588 		audit_log_format(ab, " nametype=CREATE");
1589 		break;
1590 	default:
1591 		audit_log_format(ab, " nametype=UNKNOWN");
1592 		break;
1593 	}
1594 
1595 	audit_log_fcaps(ab, n);
1596 	audit_log_end(ab);
1597 }
1598 
audit_log_proctitle(void)1599 static void audit_log_proctitle(void)
1600 {
1601 	int res;
1602 	char *buf;
1603 	char *msg = "(null)";
1604 	int len = strlen(msg);
1605 	struct audit_context *context = audit_context();
1606 	struct audit_buffer *ab;
1607 
1608 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1609 	if (!ab)
1610 		return;	/* audit_panic or being filtered */
1611 
1612 	audit_log_format(ab, "proctitle=");
1613 
1614 	/* Not  cached */
1615 	if (!context->proctitle.value) {
1616 		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1617 		if (!buf)
1618 			goto out;
1619 		/* Historically called this from procfs naming */
1620 		res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1621 		if (res == 0) {
1622 			kfree(buf);
1623 			goto out;
1624 		}
1625 		res = audit_proctitle_rtrim(buf, res);
1626 		if (res == 0) {
1627 			kfree(buf);
1628 			goto out;
1629 		}
1630 		context->proctitle.value = buf;
1631 		context->proctitle.len = res;
1632 	}
1633 	msg = context->proctitle.value;
1634 	len = context->proctitle.len;
1635 out:
1636 	audit_log_n_untrustedstring(ab, msg, len);
1637 	audit_log_end(ab);
1638 }
1639 
1640 /**
1641  * audit_log_uring - generate a AUDIT_URINGOP record
1642  * @ctx: the audit context
1643  */
audit_log_uring(struct audit_context * ctx)1644 static void audit_log_uring(struct audit_context *ctx)
1645 {
1646 	struct audit_buffer *ab;
1647 	const struct cred *cred;
1648 
1649 	ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);
1650 	if (!ab)
1651 		return;
1652 	cred = current_cred();
1653 	audit_log_format(ab, "uring_op=%d", ctx->uring_op);
1654 	if (ctx->return_valid != AUDITSC_INVALID)
1655 		audit_log_format(ab, " success=%s exit=%ld",
1656 				 (ctx->return_valid == AUDITSC_SUCCESS ?
1657 				  "yes" : "no"),
1658 				 ctx->return_code);
1659 	audit_log_format(ab,
1660 			 " items=%d"
1661 			 " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"
1662 			 " fsuid=%u egid=%u sgid=%u fsgid=%u",
1663 			 ctx->name_count,
1664 			 task_ppid_nr(current), task_tgid_nr(current),
1665 			 from_kuid(&init_user_ns, cred->uid),
1666 			 from_kgid(&init_user_ns, cred->gid),
1667 			 from_kuid(&init_user_ns, cred->euid),
1668 			 from_kuid(&init_user_ns, cred->suid),
1669 			 from_kuid(&init_user_ns, cred->fsuid),
1670 			 from_kgid(&init_user_ns, cred->egid),
1671 			 from_kgid(&init_user_ns, cred->sgid),
1672 			 from_kgid(&init_user_ns, cred->fsgid));
1673 	audit_log_task_context(ab);
1674 	audit_log_key(ab, ctx->filterkey);
1675 	audit_log_end(ab);
1676 }
1677 
audit_log_exit(void)1678 static void audit_log_exit(void)
1679 {
1680 	int i, call_panic = 0;
1681 	struct audit_context *context = audit_context();
1682 	struct audit_buffer *ab;
1683 	struct audit_aux_data *aux;
1684 	struct audit_names *n;
1685 
1686 	context->personality = current->personality;
1687 
1688 	switch (context->context) {
1689 	case AUDIT_CTX_SYSCALL:
1690 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1691 		if (!ab)
1692 			return;
1693 		audit_log_format(ab, "arch=%x syscall=%d",
1694 				 context->arch, context->major);
1695 		if (context->personality != PER_LINUX)
1696 			audit_log_format(ab, " per=%lx", context->personality);
1697 		if (context->return_valid != AUDITSC_INVALID)
1698 			audit_log_format(ab, " success=%s exit=%ld",
1699 					 (context->return_valid == AUDITSC_SUCCESS ?
1700 					  "yes" : "no"),
1701 					 context->return_code);
1702 		audit_log_format(ab,
1703 				 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1704 				 context->argv[0],
1705 				 context->argv[1],
1706 				 context->argv[2],
1707 				 context->argv[3],
1708 				 context->name_count);
1709 		audit_log_task_info(ab);
1710 		audit_log_key(ab, context->filterkey);
1711 		audit_log_end(ab);
1712 		break;
1713 	case AUDIT_CTX_URING:
1714 		audit_log_uring(context);
1715 		break;
1716 	default:
1717 		BUG();
1718 		break;
1719 	}
1720 
1721 	for (aux = context->aux; aux; aux = aux->next) {
1722 
1723 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1724 		if (!ab)
1725 			continue; /* audit_panic has been called */
1726 
1727 		switch (aux->type) {
1728 
1729 		case AUDIT_BPRM_FCAPS: {
1730 			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1731 
1732 			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1733 			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1734 			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1735 			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1736 			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1737 			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1738 			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1739 			audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1740 			audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1741 			audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1742 			audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1743 			audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1744 			audit_log_format(ab, " frootid=%d",
1745 					 from_kuid(&init_user_ns,
1746 						   axs->fcap.rootid));
1747 			break; }
1748 
1749 		}
1750 		audit_log_end(ab);
1751 	}
1752 
1753 	if (context->type)
1754 		show_special(context, &call_panic);
1755 
1756 	if (context->fds[0] >= 0) {
1757 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1758 		if (ab) {
1759 			audit_log_format(ab, "fd0=%d fd1=%d",
1760 					context->fds[0], context->fds[1]);
1761 			audit_log_end(ab);
1762 		}
1763 	}
1764 
1765 	if (context->sockaddr_len) {
1766 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1767 		if (ab) {
1768 			audit_log_format(ab, "saddr=");
1769 			audit_log_n_hex(ab, (void *)context->sockaddr,
1770 					context->sockaddr_len);
1771 			audit_log_end(ab);
1772 		}
1773 	}
1774 
1775 	for (aux = context->aux_pids; aux; aux = aux->next) {
1776 		struct audit_aux_data_pids *axs = (void *)aux;
1777 
1778 		for (i = 0; i < axs->pid_count; i++)
1779 			if (audit_log_pid_context(context, axs->target_pid[i],
1780 						  axs->target_auid[i],
1781 						  axs->target_uid[i],
1782 						  axs->target_sessionid[i],
1783 						  axs->target_sid[i],
1784 						  axs->target_comm[i]))
1785 				call_panic = 1;
1786 	}
1787 
1788 	if (context->target_pid &&
1789 	    audit_log_pid_context(context, context->target_pid,
1790 				  context->target_auid, context->target_uid,
1791 				  context->target_sessionid,
1792 				  context->target_sid, context->target_comm))
1793 			call_panic = 1;
1794 
1795 	if (context->pwd.dentry && context->pwd.mnt) {
1796 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1797 		if (ab) {
1798 			audit_log_d_path(ab, "cwd=", &context->pwd);
1799 			audit_log_end(ab);
1800 		}
1801 	}
1802 
1803 	i = 0;
1804 	list_for_each_entry(n, &context->names_list, list) {
1805 		if (n->hidden)
1806 			continue;
1807 		audit_log_name(context, n, NULL, i++, &call_panic);
1808 	}
1809 
1810 	if (context->context == AUDIT_CTX_SYSCALL)
1811 		audit_log_proctitle();
1812 
1813 	/* Send end of event record to help user space know we are finished */
1814 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1815 	if (ab)
1816 		audit_log_end(ab);
1817 	if (call_panic)
1818 		audit_panic("error in audit_log_exit()");
1819 }
1820 
1821 /**
1822  * __audit_free - free a per-task audit context
1823  * @tsk: task whose audit context block to free
1824  *
1825  * Called from copy_process, do_exit, and the io_uring code
1826  */
__audit_free(struct task_struct * tsk)1827 void __audit_free(struct task_struct *tsk)
1828 {
1829 	struct audit_context *context = tsk->audit_context;
1830 
1831 	if (!context)
1832 		return;
1833 
1834 	/* this may generate CONFIG_CHANGE records */
1835 	if (!list_empty(&context->killed_trees))
1836 		audit_kill_trees(context);
1837 
1838 	/* We are called either by do_exit() or the fork() error handling code;
1839 	 * in the former case tsk == current and in the latter tsk is a
1840 	 * random task_struct that doesn't have any meaningful data we
1841 	 * need to log via audit_log_exit().
1842 	 */
1843 	if (tsk == current && !context->dummy) {
1844 		context->return_valid = AUDITSC_INVALID;
1845 		context->return_code = 0;
1846 		if (context->context == AUDIT_CTX_SYSCALL) {
1847 			audit_filter_syscall(tsk, context);
1848 			audit_filter_inodes(tsk, context);
1849 			if (context->current_state == AUDIT_STATE_RECORD)
1850 				audit_log_exit();
1851 		} else if (context->context == AUDIT_CTX_URING) {
1852 			/* TODO: verify this case is real and valid */
1853 			audit_filter_uring(tsk, context);
1854 			audit_filter_inodes(tsk, context);
1855 			if (context->current_state == AUDIT_STATE_RECORD)
1856 				audit_log_uring(context);
1857 		}
1858 	}
1859 
1860 	audit_set_context(tsk, NULL);
1861 	audit_free_context(context);
1862 }
1863 
1864 /**
1865  * audit_return_fixup - fixup the return codes in the audit_context
1866  * @ctx: the audit_context
1867  * @success: true/false value to indicate if the operation succeeded or not
1868  * @code: operation return code
1869  *
1870  * We need to fixup the return code in the audit logs if the actual return
1871  * codes are later going to be fixed by the arch specific signal handlers.
1872  */
audit_return_fixup(struct audit_context * ctx,int success,long code)1873 static void audit_return_fixup(struct audit_context *ctx,
1874 			       int success, long code)
1875 {
1876 	/*
1877 	 * This is actually a test for:
1878 	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
1879 	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
1880 	 *
1881 	 * but is faster than a bunch of ||
1882 	 */
1883 	if (unlikely(code <= -ERESTARTSYS) &&
1884 	    (code >= -ERESTART_RESTARTBLOCK) &&
1885 	    (code != -ENOIOCTLCMD))
1886 		ctx->return_code = -EINTR;
1887 	else
1888 		ctx->return_code  = code;
1889 	ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);
1890 }
1891 
1892 /**
1893  * __audit_uring_entry - prepare the kernel task's audit context for io_uring
1894  * @op: the io_uring opcode
1895  *
1896  * This is similar to audit_syscall_entry() but is intended for use by io_uring
1897  * operations.  This function should only ever be called from
1898  * audit_uring_entry() as we rely on the audit context checking present in that
1899  * function.
1900  */
__audit_uring_entry(u8 op)1901 void __audit_uring_entry(u8 op)
1902 {
1903 	struct audit_context *ctx = audit_context();
1904 
1905 	if (ctx->state == AUDIT_STATE_DISABLED)
1906 		return;
1907 
1908 	/*
1909 	 * NOTE: It's possible that we can be called from the process' context
1910 	 *       before it returns to userspace, and before audit_syscall_exit()
1911 	 *       is called.  In this case there is not much to do, just record
1912 	 *       the io_uring details and return.
1913 	 */
1914 	ctx->uring_op = op;
1915 	if (ctx->context == AUDIT_CTX_SYSCALL)
1916 		return;
1917 
1918 	ctx->dummy = !audit_n_rules;
1919 	if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)
1920 		ctx->prio = 0;
1921 
1922 	ctx->context = AUDIT_CTX_URING;
1923 	ctx->current_state = ctx->state;
1924 	ktime_get_coarse_real_ts64(&ctx->ctime);
1925 }
1926 
1927 /**
1928  * __audit_uring_exit - wrap up the kernel task's audit context after io_uring
1929  * @success: true/false value to indicate if the operation succeeded or not
1930  * @code: operation return code
1931  *
1932  * This is similar to audit_syscall_exit() but is intended for use by io_uring
1933  * operations.  This function should only ever be called from
1934  * audit_uring_exit() as we rely on the audit context checking present in that
1935  * function.
1936  */
__audit_uring_exit(int success,long code)1937 void __audit_uring_exit(int success, long code)
1938 {
1939 	struct audit_context *ctx = audit_context();
1940 
1941 	if (ctx->dummy) {
1942 		if (ctx->context != AUDIT_CTX_URING)
1943 			return;
1944 		goto out;
1945 	}
1946 
1947 	audit_return_fixup(ctx, success, code);
1948 	if (ctx->context == AUDIT_CTX_SYSCALL) {
1949 		/*
1950 		 * NOTE: See the note in __audit_uring_entry() about the case
1951 		 *       where we may be called from process context before we
1952 		 *       return to userspace via audit_syscall_exit().  In this
1953 		 *       case we simply emit a URINGOP record and bail, the
1954 		 *       normal syscall exit handling will take care of
1955 		 *       everything else.
1956 		 *       It is also worth mentioning that when we are called,
1957 		 *       the current process creds may differ from the creds
1958 		 *       used during the normal syscall processing; keep that
1959 		 *       in mind if/when we move the record generation code.
1960 		 */
1961 
1962 		/*
1963 		 * We need to filter on the syscall info here to decide if we
1964 		 * should emit a URINGOP record.  I know it seems odd but this
1965 		 * solves the problem where users have a filter to block *all*
1966 		 * syscall records in the "exit" filter; we want to preserve
1967 		 * the behavior here.
1968 		 */
1969 		audit_filter_syscall(current, ctx);
1970 		if (ctx->current_state != AUDIT_STATE_RECORD)
1971 			audit_filter_uring(current, ctx);
1972 		audit_filter_inodes(current, ctx);
1973 		if (ctx->current_state != AUDIT_STATE_RECORD)
1974 			return;
1975 
1976 		audit_log_uring(ctx);
1977 		return;
1978 	}
1979 
1980 	/* this may generate CONFIG_CHANGE records */
1981 	if (!list_empty(&ctx->killed_trees))
1982 		audit_kill_trees(ctx);
1983 
1984 	/* run through both filters to ensure we set the filterkey properly */
1985 	audit_filter_uring(current, ctx);
1986 	audit_filter_inodes(current, ctx);
1987 	if (ctx->current_state != AUDIT_STATE_RECORD)
1988 		goto out;
1989 	audit_log_exit();
1990 
1991 out:
1992 	audit_reset_context(ctx);
1993 }
1994 
1995 /**
1996  * __audit_syscall_entry - fill in an audit record at syscall entry
1997  * @major: major syscall type (function)
1998  * @a1: additional syscall register 1
1999  * @a2: additional syscall register 2
2000  * @a3: additional syscall register 3
2001  * @a4: additional syscall register 4
2002  *
2003  * Fill in audit context at syscall entry.  This only happens if the
2004  * audit context was created when the task was created and the state or
2005  * filters demand the audit context be built.  If the state from the
2006  * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,
2007  * then the record will be written at syscall exit time (otherwise, it
2008  * will only be written if another part of the kernel requests that it
2009  * be written).
2010  */
__audit_syscall_entry(int major,unsigned long a1,unsigned long a2,unsigned long a3,unsigned long a4)2011 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
2012 			   unsigned long a3, unsigned long a4)
2013 {
2014 	struct audit_context *context = audit_context();
2015 	enum audit_state     state;
2016 
2017 	if (!audit_enabled || !context)
2018 		return;
2019 
2020 	WARN_ON(context->context != AUDIT_CTX_UNUSED);
2021 	WARN_ON(context->name_count);
2022 	if (context->context != AUDIT_CTX_UNUSED || context->name_count) {
2023 		audit_panic("unrecoverable error in audit_syscall_entry()");
2024 		return;
2025 	}
2026 
2027 	state = context->state;
2028 	if (state == AUDIT_STATE_DISABLED)
2029 		return;
2030 
2031 	context->dummy = !audit_n_rules;
2032 	if (!context->dummy && state == AUDIT_STATE_BUILD) {
2033 		context->prio = 0;
2034 		if (auditd_test_task(current))
2035 			return;
2036 	}
2037 
2038 	context->arch	    = syscall_get_arch(current);
2039 	context->major      = major;
2040 	context->argv[0]    = a1;
2041 	context->argv[1]    = a2;
2042 	context->argv[2]    = a3;
2043 	context->argv[3]    = a4;
2044 	context->context = AUDIT_CTX_SYSCALL;
2045 	context->current_state  = state;
2046 	ktime_get_coarse_real_ts64(&context->ctime);
2047 }
2048 
2049 /**
2050  * __audit_syscall_exit - deallocate audit context after a system call
2051  * @success: success value of the syscall
2052  * @return_code: return value of the syscall
2053  *
2054  * Tear down after system call.  If the audit context has been marked as
2055  * auditable (either because of the AUDIT_STATE_RECORD state from
2056  * filtering, or because some other part of the kernel wrote an audit
2057  * message), then write out the syscall information.  In call cases,
2058  * free the names stored from getname().
2059  */
__audit_syscall_exit(int success,long return_code)2060 void __audit_syscall_exit(int success, long return_code)
2061 {
2062 	struct audit_context *context = audit_context();
2063 
2064 	if (!context || context->dummy ||
2065 	    context->context != AUDIT_CTX_SYSCALL)
2066 		goto out;
2067 
2068 	/* this may generate CONFIG_CHANGE records */
2069 	if (!list_empty(&context->killed_trees))
2070 		audit_kill_trees(context);
2071 
2072 	audit_return_fixup(context, success, return_code);
2073 	/* run through both filters to ensure we set the filterkey properly */
2074 	audit_filter_syscall(current, context);
2075 	audit_filter_inodes(current, context);
2076 	if (context->current_state != AUDIT_STATE_RECORD)
2077 		goto out;
2078 
2079 	audit_log_exit();
2080 
2081 out:
2082 	audit_reset_context(context);
2083 }
2084 
handle_one(const struct inode * inode)2085 static inline void handle_one(const struct inode *inode)
2086 {
2087 	struct audit_context *context;
2088 	struct audit_tree_refs *p;
2089 	struct audit_chunk *chunk;
2090 	int count;
2091 
2092 	if (likely(!inode->i_fsnotify_marks))
2093 		return;
2094 	context = audit_context();
2095 	p = context->trees;
2096 	count = context->tree_count;
2097 	rcu_read_lock();
2098 	chunk = audit_tree_lookup(inode);
2099 	rcu_read_unlock();
2100 	if (!chunk)
2101 		return;
2102 	if (likely(put_tree_ref(context, chunk)))
2103 		return;
2104 	if (unlikely(!grow_tree_refs(context))) {
2105 		pr_warn("out of memory, audit has lost a tree reference\n");
2106 		audit_set_auditable(context);
2107 		audit_put_chunk(chunk);
2108 		unroll_tree_refs(context, p, count);
2109 		return;
2110 	}
2111 	put_tree_ref(context, chunk);
2112 }
2113 
handle_path(const struct dentry * dentry)2114 static void handle_path(const struct dentry *dentry)
2115 {
2116 	struct audit_context *context;
2117 	struct audit_tree_refs *p;
2118 	const struct dentry *d, *parent;
2119 	struct audit_chunk *drop;
2120 	unsigned long seq;
2121 	int count;
2122 
2123 	context = audit_context();
2124 	p = context->trees;
2125 	count = context->tree_count;
2126 retry:
2127 	drop = NULL;
2128 	d = dentry;
2129 	rcu_read_lock();
2130 	seq = read_seqbegin(&rename_lock);
2131 	for (;;) {
2132 		struct inode *inode = d_backing_inode(d);
2133 
2134 		if (inode && unlikely(inode->i_fsnotify_marks)) {
2135 			struct audit_chunk *chunk;
2136 
2137 			chunk = audit_tree_lookup(inode);
2138 			if (chunk) {
2139 				if (unlikely(!put_tree_ref(context, chunk))) {
2140 					drop = chunk;
2141 					break;
2142 				}
2143 			}
2144 		}
2145 		parent = d->d_parent;
2146 		if (parent == d)
2147 			break;
2148 		d = parent;
2149 	}
2150 	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
2151 		rcu_read_unlock();
2152 		if (!drop) {
2153 			/* just a race with rename */
2154 			unroll_tree_refs(context, p, count);
2155 			goto retry;
2156 		}
2157 		audit_put_chunk(drop);
2158 		if (grow_tree_refs(context)) {
2159 			/* OK, got more space */
2160 			unroll_tree_refs(context, p, count);
2161 			goto retry;
2162 		}
2163 		/* too bad */
2164 		pr_warn("out of memory, audit has lost a tree reference\n");
2165 		unroll_tree_refs(context, p, count);
2166 		audit_set_auditable(context);
2167 		return;
2168 	}
2169 	rcu_read_unlock();
2170 }
2171 
audit_alloc_name(struct audit_context * context,unsigned char type)2172 static struct audit_names *audit_alloc_name(struct audit_context *context,
2173 						unsigned char type)
2174 {
2175 	struct audit_names *aname;
2176 
2177 	if (context->name_count < AUDIT_NAMES) {
2178 		aname = &context->preallocated_names[context->name_count];
2179 		memset(aname, 0, sizeof(*aname));
2180 	} else {
2181 		aname = kzalloc(sizeof(*aname), GFP_NOFS);
2182 		if (!aname)
2183 			return NULL;
2184 		aname->should_free = true;
2185 	}
2186 
2187 	aname->ino = AUDIT_INO_UNSET;
2188 	aname->type = type;
2189 	list_add_tail(&aname->list, &context->names_list);
2190 
2191 	context->name_count++;
2192 	if (!context->pwd.dentry)
2193 		get_fs_pwd(current->fs, &context->pwd);
2194 	return aname;
2195 }
2196 
2197 /**
2198  * __audit_reusename - fill out filename with info from existing entry
2199  * @uptr: userland ptr to pathname
2200  *
2201  * Search the audit_names list for the current audit context. If there is an
2202  * existing entry with a matching "uptr" then return the filename
2203  * associated with that audit_name. If not, return NULL.
2204  */
2205 struct filename *
__audit_reusename(const __user char * uptr)2206 __audit_reusename(const __user char *uptr)
2207 {
2208 	struct audit_context *context = audit_context();
2209 	struct audit_names *n;
2210 
2211 	list_for_each_entry(n, &context->names_list, list) {
2212 		if (!n->name)
2213 			continue;
2214 		if (n->name->uptr == uptr) {
2215 			atomic_inc(&n->name->refcnt);
2216 			return n->name;
2217 		}
2218 	}
2219 	return NULL;
2220 }
2221 
2222 /**
2223  * __audit_getname - add a name to the list
2224  * @name: name to add
2225  *
2226  * Add a name to the list of audit names for this context.
2227  * Called from fs/namei.c:getname().
2228  */
__audit_getname(struct filename * name)2229 void __audit_getname(struct filename *name)
2230 {
2231 	struct audit_context *context = audit_context();
2232 	struct audit_names *n;
2233 
2234 	if (context->context == AUDIT_CTX_UNUSED)
2235 		return;
2236 
2237 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2238 	if (!n)
2239 		return;
2240 
2241 	n->name = name;
2242 	n->name_len = AUDIT_NAME_FULL;
2243 	name->aname = n;
2244 	atomic_inc(&name->refcnt);
2245 }
2246 
audit_copy_fcaps(struct audit_names * name,const struct dentry * dentry)2247 static inline int audit_copy_fcaps(struct audit_names *name,
2248 				   const struct dentry *dentry)
2249 {
2250 	struct cpu_vfs_cap_data caps;
2251 	int rc;
2252 
2253 	if (!dentry)
2254 		return 0;
2255 
2256 	rc = get_vfs_caps_from_disk(&nop_mnt_idmap, dentry, &caps);
2257 	if (rc)
2258 		return rc;
2259 
2260 	name->fcap.permitted = caps.permitted;
2261 	name->fcap.inheritable = caps.inheritable;
2262 	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2263 	name->fcap.rootid = caps.rootid;
2264 	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
2265 				VFS_CAP_REVISION_SHIFT;
2266 
2267 	return 0;
2268 }
2269 
2270 /* Copy inode data into an audit_names. */
audit_copy_inode(struct audit_names * name,const struct dentry * dentry,struct inode * inode,unsigned int flags)2271 static void audit_copy_inode(struct audit_names *name,
2272 			     const struct dentry *dentry,
2273 			     struct inode *inode, unsigned int flags)
2274 {
2275 	name->ino   = inode->i_ino;
2276 	name->dev   = inode->i_sb->s_dev;
2277 	name->mode  = inode->i_mode;
2278 	name->uid   = inode->i_uid;
2279 	name->gid   = inode->i_gid;
2280 	name->rdev  = inode->i_rdev;
2281 	security_inode_getsecid(inode, &name->osid);
2282 	if (flags & AUDIT_INODE_NOEVAL) {
2283 		name->fcap_ver = -1;
2284 		return;
2285 	}
2286 	audit_copy_fcaps(name, dentry);
2287 }
2288 
2289 /**
2290  * __audit_inode - store the inode and device from a lookup
2291  * @name: name being audited
2292  * @dentry: dentry being audited
2293  * @flags: attributes for this particular entry
2294  */
__audit_inode(struct filename * name,const struct dentry * dentry,unsigned int flags)2295 void __audit_inode(struct filename *name, const struct dentry *dentry,
2296 		   unsigned int flags)
2297 {
2298 	struct audit_context *context = audit_context();
2299 	struct inode *inode = d_backing_inode(dentry);
2300 	struct audit_names *n;
2301 	bool parent = flags & AUDIT_INODE_PARENT;
2302 	struct audit_entry *e;
2303 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2304 	int i;
2305 
2306 	if (context->context == AUDIT_CTX_UNUSED)
2307 		return;
2308 
2309 	rcu_read_lock();
2310 	list_for_each_entry_rcu(e, list, list) {
2311 		for (i = 0; i < e->rule.field_count; i++) {
2312 			struct audit_field *f = &e->rule.fields[i];
2313 
2314 			if (f->type == AUDIT_FSTYPE
2315 			    && audit_comparator(inode->i_sb->s_magic,
2316 						f->op, f->val)
2317 			    && e->rule.action == AUDIT_NEVER) {
2318 				rcu_read_unlock();
2319 				return;
2320 			}
2321 		}
2322 	}
2323 	rcu_read_unlock();
2324 
2325 	if (!name)
2326 		goto out_alloc;
2327 
2328 	/*
2329 	 * If we have a pointer to an audit_names entry already, then we can
2330 	 * just use it directly if the type is correct.
2331 	 */
2332 	n = name->aname;
2333 	if (n) {
2334 		if (parent) {
2335 			if (n->type == AUDIT_TYPE_PARENT ||
2336 			    n->type == AUDIT_TYPE_UNKNOWN)
2337 				goto out;
2338 		} else {
2339 			if (n->type != AUDIT_TYPE_PARENT)
2340 				goto out;
2341 		}
2342 	}
2343 
2344 	list_for_each_entry_reverse(n, &context->names_list, list) {
2345 		if (n->ino) {
2346 			/* valid inode number, use that for the comparison */
2347 			if (n->ino != inode->i_ino ||
2348 			    n->dev != inode->i_sb->s_dev)
2349 				continue;
2350 		} else if (n->name) {
2351 			/* inode number has not been set, check the name */
2352 			if (strcmp(n->name->name, name->name))
2353 				continue;
2354 		} else
2355 			/* no inode and no name (?!) ... this is odd ... */
2356 			continue;
2357 
2358 		/* match the correct record type */
2359 		if (parent) {
2360 			if (n->type == AUDIT_TYPE_PARENT ||
2361 			    n->type == AUDIT_TYPE_UNKNOWN)
2362 				goto out;
2363 		} else {
2364 			if (n->type != AUDIT_TYPE_PARENT)
2365 				goto out;
2366 		}
2367 	}
2368 
2369 out_alloc:
2370 	/* unable to find an entry with both a matching name and type */
2371 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2372 	if (!n)
2373 		return;
2374 	if (name) {
2375 		n->name = name;
2376 		atomic_inc(&name->refcnt);
2377 	}
2378 
2379 out:
2380 	if (parent) {
2381 		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2382 		n->type = AUDIT_TYPE_PARENT;
2383 		if (flags & AUDIT_INODE_HIDDEN)
2384 			n->hidden = true;
2385 	} else {
2386 		n->name_len = AUDIT_NAME_FULL;
2387 		n->type = AUDIT_TYPE_NORMAL;
2388 	}
2389 	handle_path(dentry);
2390 	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2391 }
2392 
__audit_file(const struct file * file)2393 void __audit_file(const struct file *file)
2394 {
2395 	__audit_inode(NULL, file->f_path.dentry, 0);
2396 }
2397 
2398 /**
2399  * __audit_inode_child - collect inode info for created/removed objects
2400  * @parent: inode of dentry parent
2401  * @dentry: dentry being audited
2402  * @type:   AUDIT_TYPE_* value that we're looking for
2403  *
2404  * For syscalls that create or remove filesystem objects, audit_inode
2405  * can only collect information for the filesystem object's parent.
2406  * This call updates the audit context with the child's information.
2407  * Syscalls that create a new filesystem object must be hooked after
2408  * the object is created.  Syscalls that remove a filesystem object
2409  * must be hooked prior, in order to capture the target inode during
2410  * unsuccessful attempts.
2411  */
__audit_inode_child(struct inode * parent,const struct dentry * dentry,const unsigned char type)2412 void __audit_inode_child(struct inode *parent,
2413 			 const struct dentry *dentry,
2414 			 const unsigned char type)
2415 {
2416 	struct audit_context *context = audit_context();
2417 	struct inode *inode = d_backing_inode(dentry);
2418 	const struct qstr *dname = &dentry->d_name;
2419 	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2420 	struct audit_entry *e;
2421 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2422 	int i;
2423 
2424 	if (context->context == AUDIT_CTX_UNUSED)
2425 		return;
2426 
2427 	rcu_read_lock();
2428 	list_for_each_entry_rcu(e, list, list) {
2429 		for (i = 0; i < e->rule.field_count; i++) {
2430 			struct audit_field *f = &e->rule.fields[i];
2431 
2432 			if (f->type == AUDIT_FSTYPE
2433 			    && audit_comparator(parent->i_sb->s_magic,
2434 						f->op, f->val)
2435 			    && e->rule.action == AUDIT_NEVER) {
2436 				rcu_read_unlock();
2437 				return;
2438 			}
2439 		}
2440 	}
2441 	rcu_read_unlock();
2442 
2443 	if (inode)
2444 		handle_one(inode);
2445 
2446 	/* look for a parent entry first */
2447 	list_for_each_entry(n, &context->names_list, list) {
2448 		if (!n->name ||
2449 		    (n->type != AUDIT_TYPE_PARENT &&
2450 		     n->type != AUDIT_TYPE_UNKNOWN))
2451 			continue;
2452 
2453 		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2454 		    !audit_compare_dname_path(dname,
2455 					      n->name->name, n->name_len)) {
2456 			if (n->type == AUDIT_TYPE_UNKNOWN)
2457 				n->type = AUDIT_TYPE_PARENT;
2458 			found_parent = n;
2459 			break;
2460 		}
2461 	}
2462 
2463 	cond_resched();
2464 
2465 	/* is there a matching child entry? */
2466 	list_for_each_entry(n, &context->names_list, list) {
2467 		/* can only match entries that have a name */
2468 		if (!n->name ||
2469 		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2470 			continue;
2471 
2472 		if (!strcmp(dname->name, n->name->name) ||
2473 		    !audit_compare_dname_path(dname, n->name->name,
2474 						found_parent ?
2475 						found_parent->name_len :
2476 						AUDIT_NAME_FULL)) {
2477 			if (n->type == AUDIT_TYPE_UNKNOWN)
2478 				n->type = type;
2479 			found_child = n;
2480 			break;
2481 		}
2482 	}
2483 
2484 	if (!found_parent) {
2485 		/* create a new, "anonymous" parent record */
2486 		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2487 		if (!n)
2488 			return;
2489 		audit_copy_inode(n, NULL, parent, 0);
2490 	}
2491 
2492 	if (!found_child) {
2493 		found_child = audit_alloc_name(context, type);
2494 		if (!found_child)
2495 			return;
2496 
2497 		/* Re-use the name belonging to the slot for a matching parent
2498 		 * directory. All names for this context are relinquished in
2499 		 * audit_free_names() */
2500 		if (found_parent) {
2501 			found_child->name = found_parent->name;
2502 			found_child->name_len = AUDIT_NAME_FULL;
2503 			atomic_inc(&found_child->name->refcnt);
2504 		}
2505 	}
2506 
2507 	if (inode)
2508 		audit_copy_inode(found_child, dentry, inode, 0);
2509 	else
2510 		found_child->ino = AUDIT_INO_UNSET;
2511 }
2512 EXPORT_SYMBOL_GPL(__audit_inode_child);
2513 
2514 /**
2515  * auditsc_get_stamp - get local copies of audit_context values
2516  * @ctx: audit_context for the task
2517  * @t: timespec64 to store time recorded in the audit_context
2518  * @serial: serial value that is recorded in the audit_context
2519  *
2520  * Also sets the context as auditable.
2521  */
auditsc_get_stamp(struct audit_context * ctx,struct timespec64 * t,unsigned int * serial)2522 int auditsc_get_stamp(struct audit_context *ctx,
2523 		       struct timespec64 *t, unsigned int *serial)
2524 {
2525 	if (ctx->context == AUDIT_CTX_UNUSED)
2526 		return 0;
2527 	if (!ctx->serial)
2528 		ctx->serial = audit_serial();
2529 	t->tv_sec  = ctx->ctime.tv_sec;
2530 	t->tv_nsec = ctx->ctime.tv_nsec;
2531 	*serial    = ctx->serial;
2532 	if (!ctx->prio) {
2533 		ctx->prio = 1;
2534 		ctx->current_state = AUDIT_STATE_RECORD;
2535 	}
2536 	return 1;
2537 }
2538 
2539 /**
2540  * __audit_mq_open - record audit data for a POSIX MQ open
2541  * @oflag: open flag
2542  * @mode: mode bits
2543  * @attr: queue attributes
2544  *
2545  */
__audit_mq_open(int oflag,umode_t mode,struct mq_attr * attr)2546 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2547 {
2548 	struct audit_context *context = audit_context();
2549 
2550 	if (attr)
2551 		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2552 	else
2553 		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2554 
2555 	context->mq_open.oflag = oflag;
2556 	context->mq_open.mode = mode;
2557 
2558 	context->type = AUDIT_MQ_OPEN;
2559 }
2560 
2561 /**
2562  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2563  * @mqdes: MQ descriptor
2564  * @msg_len: Message length
2565  * @msg_prio: Message priority
2566  * @abs_timeout: Message timeout in absolute time
2567  *
2568  */
__audit_mq_sendrecv(mqd_t mqdes,size_t msg_len,unsigned int msg_prio,const struct timespec64 * abs_timeout)2569 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2570 			const struct timespec64 *abs_timeout)
2571 {
2572 	struct audit_context *context = audit_context();
2573 	struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2574 
2575 	if (abs_timeout)
2576 		memcpy(p, abs_timeout, sizeof(*p));
2577 	else
2578 		memset(p, 0, sizeof(*p));
2579 
2580 	context->mq_sendrecv.mqdes = mqdes;
2581 	context->mq_sendrecv.msg_len = msg_len;
2582 	context->mq_sendrecv.msg_prio = msg_prio;
2583 
2584 	context->type = AUDIT_MQ_SENDRECV;
2585 }
2586 
2587 /**
2588  * __audit_mq_notify - record audit data for a POSIX MQ notify
2589  * @mqdes: MQ descriptor
2590  * @notification: Notification event
2591  *
2592  */
2593 
__audit_mq_notify(mqd_t mqdes,const struct sigevent * notification)2594 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2595 {
2596 	struct audit_context *context = audit_context();
2597 
2598 	if (notification)
2599 		context->mq_notify.sigev_signo = notification->sigev_signo;
2600 	else
2601 		context->mq_notify.sigev_signo = 0;
2602 
2603 	context->mq_notify.mqdes = mqdes;
2604 	context->type = AUDIT_MQ_NOTIFY;
2605 }
2606 
2607 /**
2608  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2609  * @mqdes: MQ descriptor
2610  * @mqstat: MQ flags
2611  *
2612  */
__audit_mq_getsetattr(mqd_t mqdes,struct mq_attr * mqstat)2613 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2614 {
2615 	struct audit_context *context = audit_context();
2616 
2617 	context->mq_getsetattr.mqdes = mqdes;
2618 	context->mq_getsetattr.mqstat = *mqstat;
2619 	context->type = AUDIT_MQ_GETSETATTR;
2620 }
2621 
2622 /**
2623  * __audit_ipc_obj - record audit data for ipc object
2624  * @ipcp: ipc permissions
2625  *
2626  */
__audit_ipc_obj(struct kern_ipc_perm * ipcp)2627 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2628 {
2629 	struct audit_context *context = audit_context();
2630 
2631 	context->ipc.uid = ipcp->uid;
2632 	context->ipc.gid = ipcp->gid;
2633 	context->ipc.mode = ipcp->mode;
2634 	context->ipc.has_perm = 0;
2635 	security_ipc_getsecid(ipcp, &context->ipc.osid);
2636 	context->type = AUDIT_IPC;
2637 }
2638 
2639 /**
2640  * __audit_ipc_set_perm - record audit data for new ipc permissions
2641  * @qbytes: msgq bytes
2642  * @uid: msgq user id
2643  * @gid: msgq group id
2644  * @mode: msgq mode (permissions)
2645  *
2646  * Called only after audit_ipc_obj().
2647  */
__audit_ipc_set_perm(unsigned long qbytes,uid_t uid,gid_t gid,umode_t mode)2648 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2649 {
2650 	struct audit_context *context = audit_context();
2651 
2652 	context->ipc.qbytes = qbytes;
2653 	context->ipc.perm_uid = uid;
2654 	context->ipc.perm_gid = gid;
2655 	context->ipc.perm_mode = mode;
2656 	context->ipc.has_perm = 1;
2657 }
2658 
__audit_bprm(struct linux_binprm * bprm)2659 void __audit_bprm(struct linux_binprm *bprm)
2660 {
2661 	struct audit_context *context = audit_context();
2662 
2663 	context->type = AUDIT_EXECVE;
2664 	context->execve.argc = bprm->argc;
2665 }
2666 
2667 
2668 /**
2669  * __audit_socketcall - record audit data for sys_socketcall
2670  * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2671  * @args: args array
2672  *
2673  */
__audit_socketcall(int nargs,unsigned long * args)2674 int __audit_socketcall(int nargs, unsigned long *args)
2675 {
2676 	struct audit_context *context = audit_context();
2677 
2678 	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2679 		return -EINVAL;
2680 	context->type = AUDIT_SOCKETCALL;
2681 	context->socketcall.nargs = nargs;
2682 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2683 	return 0;
2684 }
2685 
2686 /**
2687  * __audit_fd_pair - record audit data for pipe and socketpair
2688  * @fd1: the first file descriptor
2689  * @fd2: the second file descriptor
2690  *
2691  */
__audit_fd_pair(int fd1,int fd2)2692 void __audit_fd_pair(int fd1, int fd2)
2693 {
2694 	struct audit_context *context = audit_context();
2695 
2696 	context->fds[0] = fd1;
2697 	context->fds[1] = fd2;
2698 }
2699 
2700 /**
2701  * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2702  * @len: data length in user space
2703  * @a: data address in kernel space
2704  *
2705  * Returns 0 for success or NULL context or < 0 on error.
2706  */
__audit_sockaddr(int len,void * a)2707 int __audit_sockaddr(int len, void *a)
2708 {
2709 	struct audit_context *context = audit_context();
2710 
2711 	if (!context->sockaddr) {
2712 		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2713 
2714 		if (!p)
2715 			return -ENOMEM;
2716 		context->sockaddr = p;
2717 	}
2718 
2719 	context->sockaddr_len = len;
2720 	memcpy(context->sockaddr, a, len);
2721 	return 0;
2722 }
2723 
__audit_ptrace(struct task_struct * t)2724 void __audit_ptrace(struct task_struct *t)
2725 {
2726 	struct audit_context *context = audit_context();
2727 
2728 	context->target_pid = task_tgid_nr(t);
2729 	context->target_auid = audit_get_loginuid(t);
2730 	context->target_uid = task_uid(t);
2731 	context->target_sessionid = audit_get_sessionid(t);
2732 	security_task_getsecid_obj(t, &context->target_sid);
2733 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2734 }
2735 
2736 /**
2737  * audit_signal_info_syscall - record signal info for syscalls
2738  * @t: task being signaled
2739  *
2740  * If the audit subsystem is being terminated, record the task (pid)
2741  * and uid that is doing that.
2742  */
audit_signal_info_syscall(struct task_struct * t)2743 int audit_signal_info_syscall(struct task_struct *t)
2744 {
2745 	struct audit_aux_data_pids *axp;
2746 	struct audit_context *ctx = audit_context();
2747 	kuid_t t_uid = task_uid(t);
2748 
2749 	if (!audit_signals || audit_dummy_context())
2750 		return 0;
2751 
2752 	/* optimize the common case by putting first signal recipient directly
2753 	 * in audit_context */
2754 	if (!ctx->target_pid) {
2755 		ctx->target_pid = task_tgid_nr(t);
2756 		ctx->target_auid = audit_get_loginuid(t);
2757 		ctx->target_uid = t_uid;
2758 		ctx->target_sessionid = audit_get_sessionid(t);
2759 		security_task_getsecid_obj(t, &ctx->target_sid);
2760 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2761 		return 0;
2762 	}
2763 
2764 	axp = (void *)ctx->aux_pids;
2765 	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2766 		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2767 		if (!axp)
2768 			return -ENOMEM;
2769 
2770 		axp->d.type = AUDIT_OBJ_PID;
2771 		axp->d.next = ctx->aux_pids;
2772 		ctx->aux_pids = (void *)axp;
2773 	}
2774 	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2775 
2776 	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2777 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2778 	axp->target_uid[axp->pid_count] = t_uid;
2779 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2780 	security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]);
2781 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2782 	axp->pid_count++;
2783 
2784 	return 0;
2785 }
2786 
2787 /**
2788  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2789  * @bprm: pointer to the bprm being processed
2790  * @new: the proposed new credentials
2791  * @old: the old credentials
2792  *
2793  * Simply check if the proc already has the caps given by the file and if not
2794  * store the priv escalation info for later auditing at the end of the syscall
2795  *
2796  * -Eric
2797  */
__audit_log_bprm_fcaps(struct linux_binprm * bprm,const struct cred * new,const struct cred * old)2798 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2799 			   const struct cred *new, const struct cred *old)
2800 {
2801 	struct audit_aux_data_bprm_fcaps *ax;
2802 	struct audit_context *context = audit_context();
2803 	struct cpu_vfs_cap_data vcaps;
2804 
2805 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2806 	if (!ax)
2807 		return -ENOMEM;
2808 
2809 	ax->d.type = AUDIT_BPRM_FCAPS;
2810 	ax->d.next = context->aux;
2811 	context->aux = (void *)ax;
2812 
2813 	get_vfs_caps_from_disk(&nop_mnt_idmap,
2814 			       bprm->file->f_path.dentry, &vcaps);
2815 
2816 	ax->fcap.permitted = vcaps.permitted;
2817 	ax->fcap.inheritable = vcaps.inheritable;
2818 	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2819 	ax->fcap.rootid = vcaps.rootid;
2820 	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2821 
2822 	ax->old_pcap.permitted   = old->cap_permitted;
2823 	ax->old_pcap.inheritable = old->cap_inheritable;
2824 	ax->old_pcap.effective   = old->cap_effective;
2825 	ax->old_pcap.ambient     = old->cap_ambient;
2826 
2827 	ax->new_pcap.permitted   = new->cap_permitted;
2828 	ax->new_pcap.inheritable = new->cap_inheritable;
2829 	ax->new_pcap.effective   = new->cap_effective;
2830 	ax->new_pcap.ambient     = new->cap_ambient;
2831 	return 0;
2832 }
2833 
2834 /**
2835  * __audit_log_capset - store information about the arguments to the capset syscall
2836  * @new: the new credentials
2837  * @old: the old (current) credentials
2838  *
2839  * Record the arguments userspace sent to sys_capset for later printing by the
2840  * audit system if applicable
2841  */
__audit_log_capset(const struct cred * new,const struct cred * old)2842 void __audit_log_capset(const struct cred *new, const struct cred *old)
2843 {
2844 	struct audit_context *context = audit_context();
2845 
2846 	context->capset.pid = task_tgid_nr(current);
2847 	context->capset.cap.effective   = new->cap_effective;
2848 	context->capset.cap.inheritable = new->cap_effective;
2849 	context->capset.cap.permitted   = new->cap_permitted;
2850 	context->capset.cap.ambient     = new->cap_ambient;
2851 	context->type = AUDIT_CAPSET;
2852 }
2853 
__audit_mmap_fd(int fd,int flags)2854 void __audit_mmap_fd(int fd, int flags)
2855 {
2856 	struct audit_context *context = audit_context();
2857 
2858 	context->mmap.fd = fd;
2859 	context->mmap.flags = flags;
2860 	context->type = AUDIT_MMAP;
2861 }
2862 
__audit_openat2_how(struct open_how * how)2863 void __audit_openat2_how(struct open_how *how)
2864 {
2865 	struct audit_context *context = audit_context();
2866 
2867 	context->openat2.flags = how->flags;
2868 	context->openat2.mode = how->mode;
2869 	context->openat2.resolve = how->resolve;
2870 	context->type = AUDIT_OPENAT2;
2871 }
2872 
__audit_log_kern_module(char * name)2873 void __audit_log_kern_module(char *name)
2874 {
2875 	struct audit_context *context = audit_context();
2876 
2877 	context->module.name = kstrdup(name, GFP_KERNEL);
2878 	if (!context->module.name)
2879 		audit_log_lost("out of memory in __audit_log_kern_module");
2880 	context->type = AUDIT_KERN_MODULE;
2881 }
2882 
__audit_fanotify(u32 response,struct fanotify_response_info_audit_rule * friar)2883 void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
2884 {
2885 	/* {subj,obj}_trust values are {0,1,2}: no,yes,unknown */
2886 	switch (friar->hdr.type) {
2887 	case FAN_RESPONSE_INFO_NONE:
2888 		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
2889 			  "resp=%u fan_type=%u fan_info=0 subj_trust=2 obj_trust=2",
2890 			  response, FAN_RESPONSE_INFO_NONE);
2891 		break;
2892 	case FAN_RESPONSE_INFO_AUDIT_RULE:
2893 		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
2894 			  "resp=%u fan_type=%u fan_info=%X subj_trust=%u obj_trust=%u",
2895 			  response, friar->hdr.type, friar->rule_number,
2896 			  friar->subj_trust, friar->obj_trust);
2897 	}
2898 }
2899 
__audit_tk_injoffset(struct timespec64 offset)2900 void __audit_tk_injoffset(struct timespec64 offset)
2901 {
2902 	struct audit_context *context = audit_context();
2903 
2904 	/* only set type if not already set by NTP */
2905 	if (!context->type)
2906 		context->type = AUDIT_TIME_INJOFFSET;
2907 	memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
2908 }
2909 
__audit_ntp_log(const struct audit_ntp_data * ad)2910 void __audit_ntp_log(const struct audit_ntp_data *ad)
2911 {
2912 	struct audit_context *context = audit_context();
2913 	int type;
2914 
2915 	for (type = 0; type < AUDIT_NTP_NVALS; type++)
2916 		if (ad->vals[type].newval != ad->vals[type].oldval) {
2917 			/* unconditionally set type, overwriting TK */
2918 			context->type = AUDIT_TIME_ADJNTPVAL;
2919 			memcpy(&context->time.ntp_data, ad, sizeof(*ad));
2920 			break;
2921 		}
2922 }
2923 
__audit_log_nfcfg(const char * name,u8 af,unsigned int nentries,enum audit_nfcfgop op,gfp_t gfp)2924 void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
2925 		       enum audit_nfcfgop op, gfp_t gfp)
2926 {
2927 	struct audit_buffer *ab;
2928 	char comm[sizeof(current->comm)];
2929 
2930 	ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);
2931 	if (!ab)
2932 		return;
2933 	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
2934 			 name, af, nentries, audit_nfcfgs[op].s);
2935 
2936 	audit_log_format(ab, " pid=%u", task_pid_nr(current));
2937 	audit_log_task_context(ab); /* subj= */
2938 	audit_log_format(ab, " comm=");
2939 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2940 	audit_log_end(ab);
2941 }
2942 EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
2943 
audit_log_task(struct audit_buffer * ab)2944 static void audit_log_task(struct audit_buffer *ab)
2945 {
2946 	kuid_t auid, uid;
2947 	kgid_t gid;
2948 	unsigned int sessionid;
2949 	char comm[sizeof(current->comm)];
2950 
2951 	auid = audit_get_loginuid(current);
2952 	sessionid = audit_get_sessionid(current);
2953 	current_uid_gid(&uid, &gid);
2954 
2955 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2956 			 from_kuid(&init_user_ns, auid),
2957 			 from_kuid(&init_user_ns, uid),
2958 			 from_kgid(&init_user_ns, gid),
2959 			 sessionid);
2960 	audit_log_task_context(ab);
2961 	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2962 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2963 	audit_log_d_path_exe(ab, current->mm);
2964 }
2965 
2966 /**
2967  * audit_core_dumps - record information about processes that end abnormally
2968  * @signr: signal value
2969  *
2970  * If a process ends with a core dump, something fishy is going on and we
2971  * should record the event for investigation.
2972  */
audit_core_dumps(long signr)2973 void audit_core_dumps(long signr)
2974 {
2975 	struct audit_buffer *ab;
2976 
2977 	if (!audit_enabled)
2978 		return;
2979 
2980 	if (signr == SIGQUIT)	/* don't care for those */
2981 		return;
2982 
2983 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2984 	if (unlikely(!ab))
2985 		return;
2986 	audit_log_task(ab);
2987 	audit_log_format(ab, " sig=%ld res=1", signr);
2988 	audit_log_end(ab);
2989 }
2990 
2991 /**
2992  * audit_seccomp - record information about a seccomp action
2993  * @syscall: syscall number
2994  * @signr: signal value
2995  * @code: the seccomp action
2996  *
2997  * Record the information associated with a seccomp action. Event filtering for
2998  * seccomp actions that are not to be logged is done in seccomp_log().
2999  * Therefore, this function forces auditing independent of the audit_enabled
3000  * and dummy context state because seccomp actions should be logged even when
3001  * audit is not in use.
3002  */
audit_seccomp(unsigned long syscall,long signr,int code)3003 void audit_seccomp(unsigned long syscall, long signr, int code)
3004 {
3005 	struct audit_buffer *ab;
3006 
3007 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
3008 	if (unlikely(!ab))
3009 		return;
3010 	audit_log_task(ab);
3011 	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
3012 			 signr, syscall_get_arch(current), syscall,
3013 			 in_compat_syscall(), KSTK_EIP(current), code);
3014 	audit_log_end(ab);
3015 }
3016 
audit_seccomp_actions_logged(const char * names,const char * old_names,int res)3017 void audit_seccomp_actions_logged(const char *names, const char *old_names,
3018 				  int res)
3019 {
3020 	struct audit_buffer *ab;
3021 
3022 	if (!audit_enabled)
3023 		return;
3024 
3025 	ab = audit_log_start(audit_context(), GFP_KERNEL,
3026 			     AUDIT_CONFIG_CHANGE);
3027 	if (unlikely(!ab))
3028 		return;
3029 
3030 	audit_log_format(ab,
3031 			 "op=seccomp-logging actions=%s old-actions=%s res=%d",
3032 			 names, old_names, res);
3033 	audit_log_end(ab);
3034 }
3035 
audit_killed_trees(void)3036 struct list_head *audit_killed_trees(void)
3037 {
3038 	struct audit_context *ctx = audit_context();
3039 	if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))
3040 		return NULL;
3041 	return &ctx->killed_trees;
3042 }
3043