]> bbs.cooldavid.org Git - net-next-2.6.git/blame - kernel/auditsc.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] support for context based audit filtering, part 2
[net-next-2.6.git] / kernel / auditsc.c
CommitLineData
85c8721f 1/* auditsc.c -- System-call auditing support
1da177e4
LT		 2 * Handles all system-call specific auditing features.
3 *
4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
73241ccc 5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
b63862f4 6 * Copyright (C) 2005 IBM Corporation
1da177e4
LT		 7 * All Rights Reserved.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 *
23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24 *
25 * Many of the ideas implemented here are from Stephen C. Tweedie,
26 * especially the idea of avoiding a copy by using getname.
27 *
28 * The method for actual interception of syscall entry and exit (not in
29 * this file -- see entry.S) is based on a GPL'd patch written by
30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
31 *
b63862f4
DK		 32 * The support of additional filter rules compares (>, <, >=, <=) was
33 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
34 *
73241ccc
AG		 35 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
36 * filesystem information.
8c8570fb
DK		 37 *
38 * Subject and object context labeling support added by <danjones@us.ibm.com>
39 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
1da177e4
LT		 40 */
41
42#include <linux/init.h>
1da177e4 43#include <asm/types.h>
715b49ef 44#include <asm/atomic.h>
73241ccc
AG		 45#include <asm/types.h>
46#include <linux/fs.h>
47#include <linux/namei.h>
1da177e4
LT		 48#include <linux/mm.h>
49#include <linux/module.h>
01116105 50#include <linux/mount.h>
3ec3b2fb 51#include <linux/socket.h>
1da177e4
LT		 52#include <linux/audit.h>
53#include <linux/personality.h>
54#include <linux/time.h>
5bb289b5 55#include <linux/netlink.h>
f5561964 56#include <linux/compiler.h>
1da177e4 57#include <asm/unistd.h>
8c8570fb 58#include <linux/security.h>
fe7752ba 59#include <linux/list.h>
a6c043a8 60#include <linux/tty.h>
3dc7e315 61#include <linux/selinux.h>
1da177e4 62
fe7752ba 63#include "audit.h"
1da177e4 64
fe7752ba 65extern struct list_head audit_filter_list[];
1da177e4
LT		 66
67/* No syscall auditing will take place unless audit_enabled != 0. */
68extern int audit_enabled;
69
70/* AUDIT_NAMES is the number of slots we reserve in the audit_context
71 * for saving names from getname(). */
72#define AUDIT_NAMES 20
73
74/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
75 * audit_context from being used for nameless inodes from
76 * path_lookup. */
77#define AUDIT_NAMES_RESERVED 7
78
1da177e4
LT		 79/* When fs/namei.c:getname() is called, we store the pointer in name and
80 * we don't let putname() free it (instead we free all of the saved
81 * pointers at syscall exit time).
82 *
83 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
84struct audit_names {
85 const char *name;
86 unsigned long ino;
73241ccc 87 unsigned long pino;
1da177e4
LT		 88 dev_t dev;
89 umode_t mode;
90 uid_t uid;
91 gid_t gid;
92 dev_t rdev;
8c8570fb 93 char *ctx;
1da177e4
LT		 94};
95
96struct audit_aux_data {
97 struct audit_aux_data *next;
98 int type;
99};
100
101#define AUDIT_AUX_IPCPERM 0
102
103struct audit_aux_data_ipcctl {
104 struct audit_aux_data d;
105 struct ipc_perm p;
106 unsigned long qbytes;
107 uid_t uid;
108 gid_t gid;
109 mode_t mode;
8c8570fb 110 char *ctx;
1da177e4
LT		 111};
112
3ec3b2fb
DW		 113struct audit_aux_data_socketcall {
114 struct audit_aux_data d;
115 int nargs;
116 unsigned long args[0];
117};
118
119struct audit_aux_data_sockaddr {
120 struct audit_aux_data d;
121 int len;
122 char a[0];
123};
124
01116105
SS		 125struct audit_aux_data_path {
126 struct audit_aux_data d;
127 struct dentry *dentry;
128 struct vfsmount *mnt;
129};
1da177e4
LT		 130
131/* The per-task audit context. */
132struct audit_context {
133 int in_syscall; /* 1 if task is in a syscall */
134 enum audit_state state;
135 unsigned int serial; /* serial number for record */
136 struct timespec ctime; /* time of syscall entry */
137 uid_t loginuid; /* login uid (identity) */
138 int major; /* syscall number */
139 unsigned long argv[4]; /* syscall arguments */
140 int return_valid; /* return code is valid */
2fd6f58b 141 long return_code;/* syscall return code */
1da177e4
LT		 142 int auditable; /* 1 if record should be written */
143 int name_count;
144 struct audit_names names[AUDIT_NAMES];
8f37d47c
DW		 145 struct dentry * pwd;
146 struct vfsmount * pwdmnt;
1da177e4
LT		 147 struct audit_context *previous; /* For nested syscalls */
148 struct audit_aux_data *aux;
149
150 /* Save things to print about task_struct */
151 pid_t pid;
152 uid_t uid, euid, suid, fsuid;
153 gid_t gid, egid, sgid, fsgid;
154 unsigned long personality;
2fd6f58b 155 int arch;
1da177e4
LT		 156
157#if AUDIT_DEBUG
158 int put_count;
159 int ino_count;
160#endif
161};
162
1da177e4
LT		 163
164/* Compare a task_struct with an audit_rule. Return 1 on match, 0
165 * otherwise. */
166static int audit_filter_rules(struct task_struct *tsk,
93315ed6 167 struct audit_krule *rule,
1da177e4
LT		 168 struct audit_context *ctx,
169 enum audit_state *state)
170{
171 int i, j;
3dc7e315
DG		 172 u32 sid;
173
174 selinux_task_ctxid(tsk, &sid);
1da177e4
LT		 175
176 for (i = 0; i < rule->field_count; i++) {
93315ed6 177 struct audit_field *f = &rule->fields[i];
1da177e4
LT		 178 int result = 0;
179
93315ed6 180 switch (f->type) {
1da177e4 181 case AUDIT_PID:
93315ed6 182 result = audit_comparator(tsk->pid, f->op, f->val);
1da177e4
LT		 183 break;
184 case AUDIT_UID:
93315ed6 185 result = audit_comparator(tsk->uid, f->op, f->val);
1da177e4
LT		 186 break;
187 case AUDIT_EUID:
93315ed6 188 result = audit_comparator(tsk->euid, f->op, f->val);
1da177e4
LT		 189 break;
190 case AUDIT_SUID:
93315ed6 191 result = audit_comparator(tsk->suid, f->op, f->val);
1da177e4
LT		 192 break;
193 case AUDIT_FSUID:
93315ed6 194 result = audit_comparator(tsk->fsuid, f->op, f->val);
1da177e4
LT		 195 break;
196 case AUDIT_GID:
93315ed6 197 result = audit_comparator(tsk->gid, f->op, f->val);
1da177e4
LT		 198 break;
199 case AUDIT_EGID:
93315ed6 200 result = audit_comparator(tsk->egid, f->op, f->val);
1da177e4
LT		 201 break;
202 case AUDIT_SGID:
93315ed6 203 result = audit_comparator(tsk->sgid, f->op, f->val);
1da177e4
LT		 204 break;
205 case AUDIT_FSGID:
93315ed6 206 result = audit_comparator(tsk->fsgid, f->op, f->val);
1da177e4
LT		 207 break;
208 case AUDIT_PERS:
93315ed6 209 result = audit_comparator(tsk->personality, f->op, f->val);
1da177e4 210 break;
2fd6f58b 211 case AUDIT_ARCH:
b63862f4 212 if (ctx)
93315ed6 213 result = audit_comparator(ctx->arch, f->op, f->val);
2fd6f58b 214 break;
1da177e4
LT		 215
216 case AUDIT_EXIT:
217 if (ctx && ctx->return_valid)
93315ed6 218 result = audit_comparator(ctx->return_code, f->op, f->val);
1da177e4
LT		 219 break;
220 case AUDIT_SUCCESS:
b01f2cc1 221 if (ctx && ctx->return_valid) {
93315ed6
AG		 222 if (f->val)
223 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
b01f2cc1 224 else
93315ed6 225 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
b01f2cc1 226 }
1da177e4
LT		 227 break;
228 case AUDIT_DEVMAJOR:
229 if (ctx) {
230 for (j = 0; j < ctx->name_count; j++) {
93315ed6 231 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
1da177e4
LT		 232 ++result;
233 break;
234 }
235 }
236 }
237 break;
238 case AUDIT_DEVMINOR:
239 if (ctx) {
240 for (j = 0; j < ctx->name_count; j++) {
93315ed6 241 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
1da177e4
LT		 242 ++result;
243 break;
244 }
245 }
246 }
247 break;
248 case AUDIT_INODE:
249 if (ctx) {
250 for (j = 0; j < ctx->name_count; j++) {
93315ed6
AG		 251 if (audit_comparator(ctx->names[j].ino, f->op, f->val) ||
252 audit_comparator(ctx->names[j].pino, f->op, f->val)) {
1da177e4
LT		 253 ++result;
254 break;
255 }
256 }
257 }
258 break;
259 case AUDIT_LOGINUID:
260 result = 0;
261 if (ctx)
93315ed6 262 result = audit_comparator(ctx->loginuid, f->op, f->val);
1da177e4 263 break;
3dc7e315
DG		 264 case AUDIT_SE_USER:
265 case AUDIT_SE_ROLE:
266 case AUDIT_SE_TYPE:
267 case AUDIT_SE_SEN:
268 case AUDIT_SE_CLR:
269 /* NOTE: this may return negative values indicating
270 a temporary error. We simply treat this as a
271 match for now to avoid losing information that
272 may be wanted. An error message will also be
273 logged upon error */
274 if (f->se_rule)
275 result = selinux_audit_rule_match(sid, f->type,
276 f->op,
277 f->se_rule,
278 ctx);
279 break;
1da177e4
LT		 280 case AUDIT_ARG0:
281 case AUDIT_ARG1:
282 case AUDIT_ARG2:
283 case AUDIT_ARG3:
284 if (ctx)
93315ed6 285 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
1da177e4
LT		 286 break;
287 }
288
1da177e4
LT		 289 if (!result)
290 return 0;
291 }
292 switch (rule->action) {
293 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
294 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
295 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
296 }
297 return 1;
298}
299
300/* At process creation time, we can determine if system-call auditing is
301 * completely disabled for this task. Since we only have the task
302 * structure at this point, we can only check uid and gid.
303 */
304static enum audit_state audit_filter_task(struct task_struct *tsk)
305{
306 struct audit_entry *e;
307 enum audit_state state;
308
309 rcu_read_lock();
0f45aa18 310 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
1da177e4
LT		 311 if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
312 rcu_read_unlock();
313 return state;
314 }
315 }
316 rcu_read_unlock();
317 return AUDIT_BUILD_CONTEXT;
318}
319
320/* At syscall entry and exit time, this filter is called if the
321 * audit_state is not low enough that auditing cannot take place, but is
23f32d18 322 * also not high enough that we already know we have to write an audit
b0dd25a8 323 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
1da177e4
LT		 324 */
325static enum audit_state audit_filter_syscall(struct task_struct *tsk,
326 struct audit_context *ctx,
327 struct list_head *list)
328{
329 struct audit_entry *e;
c3896495 330 enum audit_state state;
1da177e4 331
351bb722 332 if (audit_pid && tsk->tgid == audit_pid)
f7056d64
DW		 333 return AUDIT_DISABLED;
334
1da177e4 335 rcu_read_lock();
c3896495 336 if (!list_empty(list)) {
b63862f4
DK		 337 int word = AUDIT_WORD(ctx->major);
338 int bit = AUDIT_BIT(ctx->major);
339
340 list_for_each_entry_rcu(e, list, list) {
341 if ((e->rule.mask[word] & bit) == bit
342 && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
343 rcu_read_unlock();
344 return state;
345 }
0f45aa18
DW		 346 }
347 }
348 rcu_read_unlock();
1da177e4 349 return AUDIT_BUILD_CONTEXT;
0f45aa18
DW		 350}
351
1da177e4
LT		 352static inline struct audit_context *audit_get_context(struct task_struct *tsk,
353 int return_valid,
354 int return_code)
355{
356 struct audit_context *context = tsk->audit_context;
357
358 if (likely(!context))
359 return NULL;
360 context->return_valid = return_valid;
361 context->return_code = return_code;
362
21af6c4f 363 if (context->in_syscall && !context->auditable) {
1da177e4 364 enum audit_state state;
0f45aa18 365 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
1da177e4
LT		 366 if (state == AUDIT_RECORD_CONTEXT)
367 context->auditable = 1;
368 }
369
370 context->pid = tsk->pid;
371 context->uid = tsk->uid;
372 context->gid = tsk->gid;
373 context->euid = tsk->euid;
374 context->suid = tsk->suid;
375 context->fsuid = tsk->fsuid;
376 context->egid = tsk->egid;
377 context->sgid = tsk->sgid;
378 context->fsgid = tsk->fsgid;
379 context->personality = tsk->personality;
380 tsk->audit_context = NULL;
381 return context;
382}
383
384static inline void audit_free_names(struct audit_context *context)
385{
386 int i;
387
388#if AUDIT_DEBUG == 2
389 if (context->auditable
390 ||context->put_count + context->ino_count != context->name_count) {
73241ccc 391 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
1da177e4
LT		 392 " name_count=%d put_count=%d"
393 " ino_count=%d [NOT freeing]\n",
73241ccc 394 __FILE__, __LINE__,
1da177e4
LT		 395 context->serial, context->major, context->in_syscall,
396 context->name_count, context->put_count,
397 context->ino_count);
8c8570fb 398 for (i = 0; i < context->name_count; i++) {
1da177e4
LT		 399 printk(KERN_ERR "names[%d] = %p = %s\n", i,
400 context->names[i].name,
73241ccc 401 context->names[i].name ?: "(null)");
8c8570fb 402 }
1da177e4
LT		 403 dump_stack();
404 return;
405 }
406#endif
407#if AUDIT_DEBUG
408 context->put_count = 0;
409 context->ino_count = 0;
410#endif
411
8c8570fb
DK		 412 for (i = 0; i < context->name_count; i++) {
413 char *p = context->names[i].ctx;
414 context->names[i].ctx = NULL;
415 kfree(p);
1da177e4
LT		 416 if (context->names[i].name)
417 __putname(context->names[i].name);
8c8570fb 418 }
1da177e4 419 context->name_count = 0;
8f37d47c
DW		 420 if (context->pwd)
421 dput(context->pwd);
422 if (context->pwdmnt)
423 mntput(context->pwdmnt);
424 context->pwd = NULL;
425 context->pwdmnt = NULL;
1da177e4
LT		 426}
427
428static inline void audit_free_aux(struct audit_context *context)
429{
430 struct audit_aux_data *aux;
431
432 while ((aux = context->aux)) {
01116105
SS		 433 if (aux->type == AUDIT_AVC_PATH) {
434 struct audit_aux_data_path *axi = (void *)aux;
435 dput(axi->dentry);
436 mntput(axi->mnt);
437 }
8c8570fb
DK		 438 if ( aux->type == AUDIT_IPC ) {
439 struct audit_aux_data_ipcctl *axi = (void *)aux;
440 if (axi->ctx)
441 kfree(axi->ctx);
442 }
443
1da177e4
LT		 444 context->aux = aux->next;
445 kfree(aux);
446 }
447}
448
449static inline void audit_zero_context(struct audit_context *context,
450 enum audit_state state)
451{
452 uid_t loginuid = context->loginuid;
453
454 memset(context, 0, sizeof(*context));
455 context->state = state;
456 context->loginuid = loginuid;
457}
458
459static inline struct audit_context *audit_alloc_context(enum audit_state state)
460{
461 struct audit_context *context;
462
463 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
464 return NULL;
465 audit_zero_context(context, state);
466 return context;
467}
468
b0dd25a8
RD		 469/**
470 * audit_alloc - allocate an audit context block for a task
471 * @tsk: task
472 *
473 * Filter on the task information and allocate a per-task audit context
1da177e4
LT		 474 * if necessary. Doing so turns on system call auditing for the
475 * specified task. This is called from copy_process, so no lock is
b0dd25a8
RD		 476 * needed.
477 */
1da177e4
LT		 478int audit_alloc(struct task_struct *tsk)
479{
480 struct audit_context *context;
481 enum audit_state state;
482
483 if (likely(!audit_enabled))
484 return 0; /* Return if not auditing. */
485
486 state = audit_filter_task(tsk);
487 if (likely(state == AUDIT_DISABLED))
488 return 0;
489
490 if (!(context = audit_alloc_context(state))) {
491 audit_log_lost("out of memory in audit_alloc");
492 return -ENOMEM;
493 }
494
495 /* Preserve login uid */
496 context->loginuid = -1;
497 if (current->audit_context)
498 context->loginuid = current->audit_context->loginuid;
499
500 tsk->audit_context = context;
501 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
502 return 0;
503}
504
505static inline void audit_free_context(struct audit_context *context)
506{
507 struct audit_context *previous;
508 int count = 0;
509
510 do {
511 previous = context->previous;
512 if (previous || (count && count < 10)) {
513 ++count;
514 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
515 " freeing multiple contexts (%d)\n",
516 context->serial, context->major,
517 context->name_count, count);
518 }
519 audit_free_names(context);
520 audit_free_aux(context);
521 kfree(context);
522 context = previous;
523 } while (context);
524 if (count >= 10)
525 printk(KERN_ERR "audit: freed %d contexts\n", count);
526}
527
e495149b 528static void audit_log_task_context(struct audit_buffer *ab)
8c8570fb
DK		 529{
530 char *ctx = NULL;
531 ssize_t len = 0;
532
533 len = security_getprocattr(current, "current", NULL, 0);
534 if (len < 0) {
535 if (len != -EINVAL)
536 goto error_path;
537 return;
538 }
539
e495149b 540 ctx = kmalloc(len, GFP_KERNEL);
7306a0b9 541 if (!ctx)
8c8570fb 542 goto error_path;
8c8570fb
DK		 543
544 len = security_getprocattr(current, "current", ctx, len);
545 if (len < 0 )
546 goto error_path;
547
548 audit_log_format(ab, " subj=%s", ctx);
7306a0b9 549 return;
8c8570fb
DK		 550
551error_path:
552 if (ctx)
553 kfree(ctx);
7306a0b9 554 audit_panic("error in audit_log_task_context");
8c8570fb
DK		 555 return;
556}
557
e495149b 558static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
219f0817 559{
45d9bb0e
AV		 560 char name[sizeof(tsk->comm)];
561 struct mm_struct *mm = tsk->mm;
219f0817
SS		 562 struct vm_area_struct *vma;
563
e495149b
AV		 564 /* tsk == current */
565
45d9bb0e 566 get_task_comm(name, tsk);
99e45eea
DW		 567 audit_log_format(ab, " comm=");
568 audit_log_untrustedstring(ab, name);
219f0817 569
e495149b
AV		 570 if (mm) {
571 down_read(&mm->mmap_sem);
572 vma = mm->mmap;
573 while (vma) {
574 if ((vma->vm_flags & VM_EXECUTABLE) &&
575 vma->vm_file) {
576 audit_log_d_path(ab, "exe=",
577 vma->vm_file->f_dentry,
578 vma->vm_file->f_vfsmnt);
579 break;
580 }
581 vma = vma->vm_next;
219f0817 582 }
e495149b 583 up_read(&mm->mmap_sem);
219f0817 584 }
e495149b 585 audit_log_task_context(ab);
219f0817
SS		 586}
587
e495149b 588static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1da177e4
LT		 589{
590 int i;
591 struct audit_buffer *ab;
7551ced3 592 struct audit_aux_data *aux;
a6c043a8 593 const char *tty;
1da177e4 594
e495149b
AV		 595 /* tsk == current */
596
597 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1da177e4
LT		 598 if (!ab)
599 return; /* audit_panic has been called */
bccf6ae0
DW		 600 audit_log_format(ab, "arch=%x syscall=%d",
601 context->arch, context->major);
1da177e4
LT		 602 if (context->personality != PER_LINUX)
603 audit_log_format(ab, " per=%lx", context->personality);
604 if (context->return_valid)
2fd6f58b
DW		 605 audit_log_format(ab, " success=%s exit=%ld",
606 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
607 context->return_code);
45d9bb0e
AV		 608 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
609 tty = tsk->signal->tty->name;
a6c043a8
SG		 610 else
611 tty = "(none)";
1da177e4
LT		 612 audit_log_format(ab,
613 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
326e9c8b
SG		 614 " pid=%d auid=%u uid=%u gid=%u"
615 " euid=%u suid=%u fsuid=%u"
a6c043a8 616 " egid=%u sgid=%u fsgid=%u tty=%s",
1da177e4
LT		 617 context->argv[0],
618 context->argv[1],
619 context->argv[2],
620 context->argv[3],
621 context->name_count,
622 context->pid,
623 context->loginuid,
624 context->uid,
625 context->gid,
626 context->euid, context->suid, context->fsuid,
a6c043a8 627 context->egid, context->sgid, context->fsgid, tty);
e495149b 628 audit_log_task_info(ab, tsk);
1da177e4 629 audit_log_end(ab);
1da177e4 630
7551ced3 631 for (aux = context->aux; aux; aux = aux->next) {
c0404993 632
e495149b 633 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1da177e4
LT		 634 if (!ab)
635 continue; /* audit_panic has been called */
636
1da177e4 637 switch (aux->type) {
c0404993 638 case AUDIT_IPC: {
1da177e4
LT		 639 struct audit_aux_data_ipcctl *axi = (void *)aux;
640 audit_log_format(ab,
8c8570fb
DK		 641 " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
642 axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
3ec3b2fb
DW		 643 break; }
644
645 case AUDIT_SOCKETCALL: {
646 int i;
647 struct audit_aux_data_socketcall *axs = (void *)aux;
648 audit_log_format(ab, "nargs=%d", axs->nargs);
649 for (i=0; i<axs->nargs; i++)
650 audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
651 break; }
652
653 case AUDIT_SOCKADDR: {
654 struct audit_aux_data_sockaddr *axs = (void *)aux;
655
656 audit_log_format(ab, "saddr=");
657 audit_log_hex(ab, axs->a, axs->len);
658 break; }
01116105
SS		 659
660 case AUDIT_AVC_PATH: {
661 struct audit_aux_data_path *axi = (void *)aux;
662 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
01116105
SS		 663 break; }
664
1da177e4
LT		 665 }
666 audit_log_end(ab);
1da177e4
LT		 667 }
668
8f37d47c 669 if (context->pwd && context->pwdmnt) {
e495149b 670 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
8f37d47c
DW		 671 if (ab) {
672 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
673 audit_log_end(ab);
674 }
675 }
1da177e4 676 for (i = 0; i < context->name_count; i++) {
73241ccc
AG		 677 unsigned long ino = context->names[i].ino;
678 unsigned long pino = context->names[i].pino;
679
e495149b 680 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1da177e4
LT		 681 if (!ab)
682 continue; /* audit_panic has been called */
8f37d47c 683
1da177e4 684 audit_log_format(ab, "item=%d", i);
73241ccc
AG		 685
686 audit_log_format(ab, " name=");
687 if (context->names[i].name)
83c7d091 688 audit_log_untrustedstring(ab, context->names[i].name);
73241ccc
AG		 689 else
690 audit_log_format(ab, "(null)");
691
692 if (pino != (unsigned long)-1)
693 audit_log_format(ab, " parent=%lu", pino);
694 if (ino != (unsigned long)-1)
695 audit_log_format(ab, " inode=%lu", ino);
696 if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1))
697 audit_log_format(ab, " dev=%02x:%02x mode=%#o"
698 " ouid=%u ogid=%u rdev=%02x:%02x",
699 MAJOR(context->names[i].dev),
700 MINOR(context->names[i].dev),
701 context->names[i].mode,
702 context->names[i].uid,
703 context->names[i].gid,
704 MAJOR(context->names[i].rdev),
1da177e4 705 MINOR(context->names[i].rdev));
8c8570fb
DK		 706 if (context->names[i].ctx) {
707 audit_log_format(ab, " obj=%s",
708 context->names[i].ctx);
709 }
710
1da177e4
LT		 711 audit_log_end(ab);
712 }
713}
714
b0dd25a8
RD		 715/**
716 * audit_free - free a per-task audit context
717 * @tsk: task whose audit context block to free
718 *
fa84cb93 719 * Called from copy_process and do_exit
b0dd25a8 720 */
1da177e4
LT		 721void audit_free(struct task_struct *tsk)
722{
723 struct audit_context *context;
724
1da177e4 725 context = audit_get_context(tsk, 0, 0);
1da177e4
LT		 726 if (likely(!context))
727 return;
728
729 /* Check for system calls that do not go through the exit
f5561964
DW		 730 * function (e.g., exit_group), then free context block.
731 * We use GFP_ATOMIC here because we might be doing this
732 * in the context of the idle thread */
e495149b 733 /* that can happen only if we are called from do_exit() */
f7056d64 734 if (context->in_syscall && context->auditable)
e495149b 735 audit_log_exit(context, tsk);
1da177e4
LT		 736
737 audit_free_context(context);
738}
739
b0dd25a8
RD		 740/**
741 * audit_syscall_entry - fill in an audit record at syscall entry
742 * @tsk: task being audited
743 * @arch: architecture type
744 * @major: major syscall type (function)
745 * @a1: additional syscall register 1
746 * @a2: additional syscall register 2
747 * @a3: additional syscall register 3
748 * @a4: additional syscall register 4
749 *
750 * Fill in audit context at syscall entry. This only happens if the
1da177e4
LT		 751 * audit context was created when the task was created and the state or
752 * filters demand the audit context be built. If the state from the
753 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
754 * then the record will be written at syscall exit time (otherwise, it
755 * will only be written if another part of the kernel requests that it
b0dd25a8
RD		 756 * be written).
757 */
5411be59 758void audit_syscall_entry(int arch, int major,
1da177e4
LT		 759 unsigned long a1, unsigned long a2,
760 unsigned long a3, unsigned long a4)
761{
5411be59 762 struct task_struct *tsk = current;
1da177e4
LT		 763 struct audit_context *context = tsk->audit_context;
764 enum audit_state state;
765
766 BUG_ON(!context);
767
b0dd25a8
RD		 768 /*
769 * This happens only on certain architectures that make system
1da177e4
LT		 770 * calls in kernel_thread via the entry.S interface, instead of
771 * with direct calls. (If you are porting to a new
772 * architecture, hitting this condition can indicate that you
773 * got the _exit/_leave calls backward in entry.S.)
774 *
775 * i386 no
776 * x86_64 no
2ef9481e 777 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
1da177e4
LT		 778 *
779 * This also happens with vm86 emulation in a non-nested manner
780 * (entries without exits), so this case must be caught.
781 */
782 if (context->in_syscall) {
783 struct audit_context *newctx;
784
1da177e4
LT		 785#if AUDIT_DEBUG
786 printk(KERN_ERR
787 "audit(:%d) pid=%d in syscall=%d;"
788 " entering syscall=%d\n",
789 context->serial, tsk->pid, context->major, major);
790#endif
791 newctx = audit_alloc_context(context->state);
792 if (newctx) {
793 newctx->previous = context;
794 context = newctx;
795 tsk->audit_context = newctx;
796 } else {
797 /* If we can't alloc a new context, the best we
798 * can do is to leak memory (any pending putname
799 * will be lost). The only other alternative is
800 * to abandon auditing. */
801 audit_zero_context(context, context->state);
802 }
803 }
804 BUG_ON(context->in_syscall || context->name_count);
805
806 if (!audit_enabled)
807 return;
808
2fd6f58b 809 context->arch = arch;
1da177e4
LT		 810 context->major = major;
811 context->argv[0] = a1;
812 context->argv[1] = a2;
813 context->argv[2] = a3;
814 context->argv[3] = a4;
815
816 state = context->state;
817 if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
0f45aa18 818 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1da177e4
LT		 819 if (likely(state == AUDIT_DISABLED))
820 return;
821
ce625a80 822 context->serial = 0;
1da177e4
LT		 823 context->ctime = CURRENT_TIME;
824 context->in_syscall = 1;
825 context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
826}
827
b0dd25a8
RD		 828/**
829 * audit_syscall_exit - deallocate audit context after a system call
830 * @tsk: task being audited
831 * @valid: success/failure flag
832 * @return_code: syscall return value
833 *
834 * Tear down after system call. If the audit context has been marked as
1da177e4
LT		 835 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
836 * filtering, or because some other part of the kernel write an audit
837 * message), then write out the syscall information. In call cases,
b0dd25a8
RD		 838 * free the names stored from getname().
839 */
5411be59 840void audit_syscall_exit(int valid, long return_code)
1da177e4 841{
5411be59 842 struct task_struct *tsk = current;
1da177e4
LT		 843 struct audit_context *context;
844
2fd6f58b 845 context = audit_get_context(tsk, valid, return_code);
1da177e4 846
1da177e4 847 if (likely(!context))
97e94c45 848 return;
1da177e4 849
f7056d64 850 if (context->in_syscall && context->auditable)
e495149b 851 audit_log_exit(context, tsk);
1da177e4
LT		 852
853 context->in_syscall = 0;
854 context->auditable = 0;
2fd6f58b 855
1da177e4
LT		 856 if (context->previous) {
857 struct audit_context *new_context = context->previous;
858 context->previous = NULL;
859 audit_free_context(context);
860 tsk->audit_context = new_context;
861 } else {
862 audit_free_names(context);
863 audit_free_aux(context);
1da177e4
LT		 864 tsk->audit_context = context;
865 }
1da177e4
LT		 866}
867
b0dd25a8
RD		 868/**
869 * audit_getname - add a name to the list
870 * @name: name to add
871 *
872 * Add a name to the list of audit names for this context.
873 * Called from fs/namei.c:getname().
874 */
1da177e4
LT		 875void audit_getname(const char *name)
876{
877 struct audit_context *context = current->audit_context;
878
879 if (!context || IS_ERR(name) || !name)
880 return;
881
882 if (!context->in_syscall) {
883#if AUDIT_DEBUG == 2
884 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
885 __FILE__, __LINE__, context->serial, name);
886 dump_stack();
887#endif
888 return;
889 }
890 BUG_ON(context->name_count >= AUDIT_NAMES);
891 context->names[context->name_count].name = name;
892 context->names[context->name_count].ino = (unsigned long)-1;
893 ++context->name_count;
8f37d47c
DW		 894 if (!context->pwd) {
895 read_lock(&current->fs->lock);
896 context->pwd = dget(current->fs->pwd);
897 context->pwdmnt = mntget(current->fs->pwdmnt);
898 read_unlock(&current->fs->lock);
899 }
900
1da177e4
LT		 901}
902
b0dd25a8
RD		 903/* audit_putname - intercept a putname request
904 * @name: name to intercept and delay for putname
905 *
906 * If we have stored the name from getname in the audit context,
907 * then we delay the putname until syscall exit.
908 * Called from include/linux/fs.h:putname().
909 */
1da177e4
LT		 910void audit_putname(const char *name)
911{
912 struct audit_context *context = current->audit_context;
913
914 BUG_ON(!context);
915 if (!context->in_syscall) {
916#if AUDIT_DEBUG == 2
917 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
918 __FILE__, __LINE__, context->serial, name);
919 if (context->name_count) {
920 int i;
921 for (i = 0; i < context->name_count; i++)
922 printk(KERN_ERR "name[%d] = %p = %s\n", i,
923 context->names[i].name,
73241ccc 924 context->names[i].name ?: "(null)");
1da177e4
LT		 925 }
926#endif
927 __putname(name);
928 }
929#if AUDIT_DEBUG
930 else {
931 ++context->put_count;
932 if (context->put_count > context->name_count) {
933 printk(KERN_ERR "%s:%d(:%d): major=%d"
934 " in_syscall=%d putname(%p) name_count=%d"
935 " put_count=%d\n",
936 __FILE__, __LINE__,
937 context->serial, context->major,
938 context->in_syscall, name, context->name_count,
939 context->put_count);
940 dump_stack();
941 }
942 }
943#endif
944}
945
8c8570fb
DK		 946void audit_inode_context(int idx, const struct inode *inode)
947{
948 struct audit_context *context = current->audit_context;
7306a0b9 949 const char *suffix = security_inode_xattr_getsuffix();
8c8570fb
DK		 950 char *ctx = NULL;
951 int len = 0;
952
7306a0b9
DK		 953 if (!suffix)
954 goto ret;
8c8570fb 955
7306a0b9
DK		 956 len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
957 if (len == -EOPNOTSUPP)
958 goto ret;
8c8570fb
DK		 959 if (len < 0)
960 goto error_path;
961
962 ctx = kmalloc(len, GFP_KERNEL);
963 if (!ctx)
964 goto error_path;
965
7306a0b9 966 len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
8c8570fb
DK		 967 if (len < 0)
968 goto error_path;
969
970 kfree(context->names[idx].ctx);
971 context->names[idx].ctx = ctx;
7306a0b9 972 goto ret;
8c8570fb
DK		 973
974error_path:
975 if (ctx)
976 kfree(ctx);
977 audit_panic("error in audit_inode_context");
7306a0b9 978ret:
8c8570fb
DK		 979 return;
980}
981
982
b0dd25a8
RD		 983/**
984 * audit_inode - store the inode and device from a lookup
985 * @name: name being audited
986 * @inode: inode being audited
987 * @flags: lookup flags (as used in path_lookup())
988 *
989 * Called from fs/namei.c:path_lookup().
990 */
73241ccc 991void __audit_inode(const char *name, const struct inode *inode, unsigned flags)
1da177e4
LT		 992{
993 int idx;
994 struct audit_context *context = current->audit_context;
995
996 if (!context->in_syscall)
997 return;
998 if (context->name_count
999 && context->names[context->name_count-1].name
1000 && context->names[context->name_count-1].name == name)
1001 idx = context->name_count - 1;
1002 else if (context->name_count > 1
1003 && context->names[context->name_count-2].name
1004 && context->names[context->name_count-2].name == name)
1005 idx = context->name_count - 2;
1006 else {
1007 /* FIXME: how much do we care about inodes that have no
1008 * associated name? */
1009 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
1010 return;
1011 idx = context->name_count++;
1012 context->names[idx].name = NULL;
1013#if AUDIT_DEBUG
1014 ++context->ino_count;
1015#endif
1016 }
ae7b961b
DW		 1017 context->names[idx].dev = inode->i_sb->s_dev;
1018 context->names[idx].mode = inode->i_mode;
1019 context->names[idx].uid = inode->i_uid;
1020 context->names[idx].gid = inode->i_gid;
1021 context->names[idx].rdev = inode->i_rdev;
8c8570fb 1022 audit_inode_context(idx, inode);
73241ccc
AG		 1023 if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) &&
1024 (strcmp(name, ".") != 0)) {
1025 context->names[idx].ino = (unsigned long)-1;
1026 context->names[idx].pino = inode->i_ino;
1027 } else {
1028 context->names[idx].ino = inode->i_ino;
1029 context->names[idx].pino = (unsigned long)-1;
1030 }
1031}
1032
1033/**
1034 * audit_inode_child - collect inode info for created/removed objects
1035 * @dname: inode's dentry name
1036 * @inode: inode being audited
1037 * @pino: inode number of dentry parent
1038 *
1039 * For syscalls that create or remove filesystem objects, audit_inode
1040 * can only collect information for the filesystem object's parent.
1041 * This call updates the audit context with the child's information.
1042 * Syscalls that create a new filesystem object must be hooked after
1043 * the object is created. Syscalls that remove a filesystem object
1044 * must be hooked prior, in order to capture the target inode during
1045 * unsuccessful attempts.
1046 */
1047void __audit_inode_child(const char *dname, const struct inode *inode,
1048 unsigned long pino)
1049{
1050 int idx;
1051 struct audit_context *context = current->audit_context;
1052
1053 if (!context->in_syscall)
1054 return;
1055
1056 /* determine matching parent */
1057 if (dname)
1058 for (idx = 0; idx < context->name_count; idx++)
1059 if (context->names[idx].pino == pino) {
1060 const char *n;
1061 const char *name = context->names[idx].name;
1062 int dlen = strlen(dname);
1063 int nlen = name ? strlen(name) : 0;
1064
1065 if (nlen < dlen)
1066 continue;
1067
1068 /* disregard trailing slashes */
1069 n = name + nlen - 1;
1070 while ((*n == '/') && (n > name))
1071 n--;
1072
1073 /* find last path component */
1074 n = n - dlen + 1;
1075 if (n < name)
1076 continue;
1077 else if (n > name) {
1078 if (*--n != '/')
1079 continue;
1080 else
1081 n++;
1082 }
1083
1084 if (strncmp(n, dname, dlen) == 0)
1085 goto update_context;
1086 }
1087
1088 /* catch-all in case match not found */
1089 idx = context->name_count++;
1090 context->names[idx].name = NULL;
1091 context->names[idx].pino = pino;
1092#if AUDIT_DEBUG
1093 context->ino_count++;
1094#endif
1095
1096update_context:
1097 if (inode) {
1098 context->names[idx].ino = inode->i_ino;
1099 context->names[idx].dev = inode->i_sb->s_dev;
1100 context->names[idx].mode = inode->i_mode;
1101 context->names[idx].uid = inode->i_uid;
1102 context->names[idx].gid = inode->i_gid;
1103 context->names[idx].rdev = inode->i_rdev;
8c8570fb 1104 audit_inode_context(idx, inode);
73241ccc 1105 }
1da177e4
LT		 1106}
1107
b0dd25a8
RD		 1108/**
1109 * auditsc_get_stamp - get local copies of audit_context values
1110 * @ctx: audit_context for the task
1111 * @t: timespec to store time recorded in the audit_context
1112 * @serial: serial value that is recorded in the audit_context
1113 *
1114 * Also sets the context as auditable.
1115 */
bfb4496e
DW		 1116void auditsc_get_stamp(struct audit_context *ctx,
1117 struct timespec *t, unsigned int *serial)
1da177e4 1118{
ce625a80
DW		 1119 if (!ctx->serial)
1120 ctx->serial = audit_serial();
bfb4496e
DW		 1121 t->tv_sec = ctx->ctime.tv_sec;
1122 t->tv_nsec = ctx->ctime.tv_nsec;
1123 *serial = ctx->serial;
1124 ctx->auditable = 1;
1da177e4
LT		 1125}
1126
b0dd25a8
RD		 1127/**
1128 * audit_set_loginuid - set a task's audit_context loginuid
1129 * @task: task whose audit context is being modified
1130 * @loginuid: loginuid value
1131 *
1132 * Returns 0.
1133 *
1134 * Called (set) from fs/proc/base.c::proc_loginuid_write().
1135 */
456be6cd 1136int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1da177e4 1137{
456be6cd 1138 if (task->audit_context) {
c0404993
SG		 1139 struct audit_buffer *ab;
1140
9ad9ad38 1141 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
c0404993
SG		 1142 if (ab) {
1143 audit_log_format(ab, "login pid=%d uid=%u "
326e9c8b 1144 "old auid=%u new auid=%u",
c0404993
SG		 1145 task->pid, task->uid,
1146 task->audit_context->loginuid, loginuid);
1147 audit_log_end(ab);
1148 }
456be6cd 1149 task->audit_context->loginuid = loginuid;
1da177e4
LT		 1150 }
1151 return 0;
1152}
1153
b0dd25a8
RD		 1154/**
1155 * audit_get_loginuid - get the loginuid for an audit_context
1156 * @ctx: the audit_context
1157 *
1158 * Returns the context's loginuid or -1 if @ctx is NULL.
1159 */
1da177e4
LT		 1160uid_t audit_get_loginuid(struct audit_context *ctx)
1161{
1162 return ctx ? ctx->loginuid : -1;
1163}
1164
8c8570fb
DK		 1165static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
1166{
1167 struct audit_context *context = current->audit_context;
1168 char *ctx = NULL;
1169 int len = 0;
1170
1171 if (likely(!context))
1172 return NULL;
1173
1174 len = security_ipc_getsecurity(ipcp, NULL, 0);
1175 if (len == -EOPNOTSUPP)
1176 goto ret;
1177 if (len < 0)
1178 goto error_path;
1179
1180 ctx = kmalloc(len, GFP_ATOMIC);
1181 if (!ctx)
1182 goto error_path;
1183
1184 len = security_ipc_getsecurity(ipcp, ctx, len);
1185 if (len < 0)
1186 goto error_path;
1187
1188 return ctx;
1189
1190error_path:
1191 kfree(ctx);
1192 audit_panic("error in audit_ipc_context");
1193ret:
1194 return NULL;
1195}
1196
b0dd25a8
RD		 1197/**
1198 * audit_ipc_perms - record audit data for ipc
1199 * @qbytes: msgq bytes
1200 * @uid: msgq user id
1201 * @gid: msgq group id
1202 * @mode: msgq mode (permissions)
1203 *
1204 * Returns 0 for success or NULL context or < 0 on error.
1205 */
8c8570fb 1206int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
1da177e4
LT		 1207{
1208 struct audit_aux_data_ipcctl *ax;
1209 struct audit_context *context = current->audit_context;
1210
1211 if (likely(!context))
1212 return 0;
1213
8c8570fb 1214 ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1da177e4
LT		 1215 if (!ax)
1216 return -ENOMEM;
1217
1218 ax->qbytes = qbytes;
1219 ax->uid = uid;
1220 ax->gid = gid;
1221 ax->mode = mode;
8c8570fb 1222 ax->ctx = audit_ipc_context(ipcp);
1da177e4 1223
c0404993 1224 ax->d.type = AUDIT_IPC;
1da177e4
LT		 1225 ax->d.next = context->aux;
1226 context->aux = (void *)ax;
1227 return 0;
1228}
c2f0c7c3 1229
b0dd25a8
RD		 1230/**
1231 * audit_socketcall - record audit data for sys_socketcall
1232 * @nargs: number of args
1233 * @args: args array
1234 *
1235 * Returns 0 for success or NULL context or < 0 on error.
1236 */
3ec3b2fb
DW		 1237int audit_socketcall(int nargs, unsigned long *args)
1238{
1239 struct audit_aux_data_socketcall *ax;
1240 struct audit_context *context = current->audit_context;
1241
1242 if (likely(!context))
1243 return 0;
1244
1245 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
1246 if (!ax)
1247 return -ENOMEM;
1248
1249 ax->nargs = nargs;
1250 memcpy(ax->args, args, nargs * sizeof(unsigned long));
1251
1252 ax->d.type = AUDIT_SOCKETCALL;
1253 ax->d.next = context->aux;
1254 context->aux = (void *)ax;
1255 return 0;
1256}
1257
b0dd25a8
RD		 1258/**
1259 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
1260 * @len: data length in user space
1261 * @a: data address in kernel space
1262 *
1263 * Returns 0 for success or NULL context or < 0 on error.
1264 */
3ec3b2fb
DW		 1265int audit_sockaddr(int len, void *a)
1266{
1267 struct audit_aux_data_sockaddr *ax;
1268 struct audit_context *context = current->audit_context;
1269
1270 if (likely(!context))
1271 return 0;
1272
1273 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
1274 if (!ax)
1275 return -ENOMEM;
1276
1277 ax->len = len;
1278 memcpy(ax->a, a, len);
1279
1280 ax->d.type = AUDIT_SOCKADDR;
1281 ax->d.next = context->aux;
1282 context->aux = (void *)ax;
1283 return 0;
1284}
1285
b0dd25a8
RD		 1286/**
1287 * audit_avc_path - record the granting or denial of permissions
1288 * @dentry: dentry to record
1289 * @mnt: mnt to record
1290 *
1291 * Returns 0 for success or NULL context or < 0 on error.
1292 *
1293 * Called from security/selinux/avc.c::avc_audit()
1294 */
01116105
SS		 1295int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1296{
1297 struct audit_aux_data_path *ax;
1298 struct audit_context *context = current->audit_context;
1299
1300 if (likely(!context))
1301 return 0;
1302
1303 ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1304 if (!ax)
1305 return -ENOMEM;
1306
1307 ax->dentry = dget(dentry);
1308 ax->mnt = mntget(mnt);
1309
1310 ax->d.type = AUDIT_AVC_PATH;
1311 ax->d.next = context->aux;
1312 context->aux = (void *)ax;
1313 return 0;
1314}
1315
b0dd25a8
RD		 1316/**
1317 * audit_signal_info - record signal info for shutting down audit subsystem
1318 * @sig: signal value
1319 * @t: task being signaled
1320 *
1321 * If the audit subsystem is being terminated, record the task (pid)
1322 * and uid that is doing that.
1323 */
c2f0c7c3
SG		 1324void audit_signal_info(int sig, struct task_struct *t)
1325{
1326 extern pid_t audit_sig_pid;
1327 extern uid_t audit_sig_uid;
c2f0c7c3 1328
582edda5 1329 if (unlikely(audit_pid && t->tgid == audit_pid)) {
c2f0c7c3
SG		 1330 if (sig == SIGTERM || sig == SIGHUP) {
1331 struct audit_context *ctx = current->audit_context;
1332 audit_sig_pid = current->pid;
1333 if (ctx)
1334 audit_sig_uid = ctx->loginuid;
1335 else
1336 audit_sig_uid = current->uid;
1337 }
1338 }
1339}
Clone of davem's net-next-2.6 tree