1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/* auditsc.c -- System-call auditing support
3
 * Handles all system-call specific auditing features.
4
 *
5
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
7
 * Copyright (C) 2005, 2006 IBM Corporation
8
 * All Rights Reserved.
9
 *
10
 * Written by Rickard E. (Rik) Faith <[email protected]>
11
 *
12
 * Many of the ideas implemented here are from Stephen C. Tweedie,
13
 * especially the idea of avoiding a copy by using getname.
14
 *
15
 * The method for actual interception of syscall entry and exit (not in
16
 * this file -- see entry.S) is based on a GPL'd patch written by
17
 * [email protected] and Copyright 2003 SuSE Linux AG.
18
 *
19
 * POSIX message queue support added by George Wilson <[email protected]>,
20
 * 2006.
21
 *
22
 * The support of additional filter rules compares (>, <, >=, <=) was
23
 * added by Dustin Kirkland <[email protected]>, 2005.
24
 *
25
 * Modified by Amy Griffis <[email protected]> to collect additional
26
 * filesystem information.
27
 *
28
 * Subject and object context labeling support added by <[email protected]>
29
 * and <[email protected]> for LSPP certification compliance.
30
 */
31

32
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33

34
#include <linux/init.h>
35
#include <asm/types.h>
36
#include <linux/atomic.h>
37
#include <linux/fs.h>
38
#include <linux/namei.h>
39
#include <linux/mm.h>
40
#include <linux/export.h>
41
#include <linux/slab.h>
42
#include <linux/mount.h>
43
#include <linux/socket.h>
44
#include <linux/mqueue.h>
45
#include <linux/audit.h>
46
#include <linux/personality.h>
47
#include <linux/time.h>
48
#include <linux/netlink.h>
49
#include <linux/compiler.h>
50
#include <asm/unistd.h>
51
#include <linux/security.h>
52
#include <linux/list.h>
53
#include <linux/binfmts.h>
54
#include <linux/highmem.h>
55
#include <linux/syscalls.h>
56
#include <asm/syscall.h>
57
#include <linux/capability.h>
58
#include <linux/fs_struct.h>
59
#include <linux/compat.h>
60
#include <linux/ctype.h>
61
#include <linux/string.h>
62
#include <linux/uaccess.h>
63
#include <linux/fsnotify_backend.h>
64
#include <uapi/linux/limits.h>
65
#include <uapi/linux/netfilter/nf_tables.h>
66
#include <uapi/linux/openat2.h> // struct open_how
67
#include <uapi/linux/fanotify.h>
68

69
#include "audit.h"
70

71
/* flags stating the success for a syscall */
72
#define AUDITSC_INVALID 0
73
#define AUDITSC_SUCCESS 1
74
#define AUDITSC_FAILURE 2
75

76
/* no execve audit message should be longer than this (userspace limits),
77
 * see the note near the top of audit_log_execve_info() about this value */
78
#define MAX_EXECVE_AUDIT_LEN 7500
79

80
/* max length to print of cmdline/proctitle value during audit */
81
#define MAX_PROCTITLE_AUDIT_LEN 128
82

83
/* number of audit rules */
84
int audit_n_rules;
85

86
/* determines whether we collect data for signals sent */
87
int audit_signals;
88

89
struct audit_aux_data {
90
	struct audit_aux_data	*next;
91
	int			type;
92
};
93

94
/* Number of target pids per aux struct. */
95
#define AUDIT_AUX_PIDS	16
96

97
struct audit_aux_data_pids {
98
	struct audit_aux_data	d;
99
	pid_t			target_pid[AUDIT_AUX_PIDS];
100
	kuid_t			target_auid[AUDIT_AUX_PIDS];
101
	kuid_t			target_uid[AUDIT_AUX_PIDS];
102
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
103
	struct lsm_prop		target_ref[AUDIT_AUX_PIDS];
104
	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105
	int			pid_count;
106
};
107

108
struct audit_aux_data_bprm_fcaps {
109
	struct audit_aux_data	d;
110
	struct audit_cap_data	fcap;
111
	unsigned int		fcap_ver;
112
	struct audit_cap_data	old_pcap;
113
	struct audit_cap_data	new_pcap;
114
};
115

116
struct audit_tree_refs {
117
	struct audit_tree_refs *next;
118
	struct audit_chunk *c[31];
119
};
120

121
struct audit_nfcfgop_tab {
122
	enum audit_nfcfgop	op;
123
	const char		*s;
124
};
125

126
static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
127
	{ AUDIT_XT_OP_REGISTER,			"xt_register"		   },
128
	{ AUDIT_XT_OP_REPLACE,			"xt_replace"		   },
129
	{ AUDIT_XT_OP_UNREGISTER,		"xt_unregister"		   },
130
	{ AUDIT_NFT_OP_TABLE_REGISTER,		"nft_register_table"	   },
131
	{ AUDIT_NFT_OP_TABLE_UNREGISTER,	"nft_unregister_table"	   },
132
	{ AUDIT_NFT_OP_CHAIN_REGISTER,		"nft_register_chain"	   },
133
	{ AUDIT_NFT_OP_CHAIN_UNREGISTER,	"nft_unregister_chain"	   },
134
	{ AUDIT_NFT_OP_RULE_REGISTER,		"nft_register_rule"	   },
135
	{ AUDIT_NFT_OP_RULE_UNREGISTER,		"nft_unregister_rule"	   },
136
	{ AUDIT_NFT_OP_SET_REGISTER,		"nft_register_set"	   },
137
	{ AUDIT_NFT_OP_SET_UNREGISTER,		"nft_unregister_set"	   },
138
	{ AUDIT_NFT_OP_SETELEM_REGISTER,	"nft_register_setelem"	   },
139
	{ AUDIT_NFT_OP_SETELEM_UNREGISTER,	"nft_unregister_setelem"   },
140
	{ AUDIT_NFT_OP_GEN_REGISTER,		"nft_register_gen"	   },
141
	{ AUDIT_NFT_OP_OBJ_REGISTER,		"nft_register_obj"	   },
142
	{ AUDIT_NFT_OP_OBJ_UNREGISTER,		"nft_unregister_obj"	   },
143
	{ AUDIT_NFT_OP_OBJ_RESET,		"nft_reset_obj"		   },
144
	{ AUDIT_NFT_OP_FLOWTABLE_REGISTER,	"nft_register_flowtable"   },
145
	{ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,	"nft_unregister_flowtable" },
146
	{ AUDIT_NFT_OP_SETELEM_RESET,		"nft_reset_setelem"        },
147
	{ AUDIT_NFT_OP_RULE_RESET,		"nft_reset_rule"           },
148
	{ AUDIT_NFT_OP_INVALID,			"nft_invalid"		   },
149
};
150

151
static int audit_match_perm(struct audit_context *ctx, int mask)
152
{
153
	unsigned n;
154

155
	if (unlikely(!ctx))
156
		return 0;
157
	n = ctx->major;
158

159
	switch (audit_classify_syscall(ctx->arch, n)) {
160
	case AUDITSC_NATIVE:
161
		if ((mask & AUDIT_PERM_WRITE) &&
162
		     audit_match_class(AUDIT_CLASS_WRITE, n))
163
			return 1;
164
		if ((mask & AUDIT_PERM_READ) &&
165
		     audit_match_class(AUDIT_CLASS_READ, n))
166
			return 1;
167
		if ((mask & AUDIT_PERM_ATTR) &&
168
		     audit_match_class(AUDIT_CLASS_CHATTR, n))
169
			return 1;
170
		return 0;
171
	case AUDITSC_COMPAT: /* 32bit on biarch */
172
		if ((mask & AUDIT_PERM_WRITE) &&
173
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
174
			return 1;
175
		if ((mask & AUDIT_PERM_READ) &&
176
		     audit_match_class(AUDIT_CLASS_READ_32, n))
177
			return 1;
178
		if ((mask & AUDIT_PERM_ATTR) &&
179
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180
			return 1;
181
		return 0;
182
	case AUDITSC_OPEN:
183
		return mask & ACC_MODE(ctx->argv[1]);
184
	case AUDITSC_OPENAT:
185
		return mask & ACC_MODE(ctx->argv[2]);
186
	case AUDITSC_SOCKETCALL:
187
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188
	case AUDITSC_EXECVE:
189
		return mask & AUDIT_PERM_EXEC;
190
	case AUDITSC_OPENAT2:
191
		return mask & ACC_MODE((u32)ctx->openat2.flags);
192
	default:
193
		return 0;
194
	}
195
}
196

197
static int audit_match_filetype(struct audit_context *ctx, int val)
198
{
199
	struct audit_names *n;
200
	umode_t mode = (umode_t)val;
201

202
	if (unlikely(!ctx))
203
		return 0;
204

205
	list_for_each_entry(n, &ctx->names_list, list) {
206
		if ((n->ino != AUDIT_INO_UNSET) &&
207
		    ((n->mode & S_IFMT) == mode))
208
			return 1;
209
	}
210

211
	return 0;
212
}
213

214
/*
215
 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216
 * ->first_trees points to its beginning, ->trees - to the current end of data.
217
 * ->tree_count is the number of free entries in array pointed to by ->trees.
218
 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219
 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
220
 * it's going to remain 1-element for almost any setup) until we free context itself.
221
 * References in it _are_ dropped - at the same time we free/drop aux stuff.
222
 */
223

224
static void audit_set_auditable(struct audit_context *ctx)
225
{
226
	if (!ctx->prio) {
227
		ctx->prio = 1;
228
		ctx->current_state = AUDIT_STATE_RECORD;
229
	}
230
}
231

232
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233
{
234
	struct audit_tree_refs *p = ctx->trees;
235
	int left = ctx->tree_count;
236

237
	if (likely(left)) {
238
		p->c[--left] = chunk;
239
		ctx->tree_count = left;
240
		return 1;
241
	}
242
	if (!p)
243
		return 0;
244
	p = p->next;
245
	if (p) {
246
		p->c[30] = chunk;
247
		ctx->trees = p;
248
		ctx->tree_count = 30;
249
		return 1;
250
	}
251
	return 0;
252
}
253

254
static int grow_tree_refs(struct audit_context *ctx)
255
{
256
	struct audit_tree_refs *p = ctx->trees;
257

258
	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259
	if (!ctx->trees) {
260
		ctx->trees = p;
261
		return 0;
262
	}
263
	if (p)
264
		p->next = ctx->trees;
265
	else
266
		ctx->first_trees = ctx->trees;
267
	ctx->tree_count = 31;
268
	return 1;
269
}
270

271
static void unroll_tree_refs(struct audit_context *ctx,
272
		      struct audit_tree_refs *p, int count)
273
{
274
	struct audit_tree_refs *q;
275
	int n;
276

277
	if (!p) {
278
		/* we started with empty chain */
279
		p = ctx->first_trees;
280
		count = 31;
281
		/* if the very first allocation has failed, nothing to do */
282
		if (!p)
283
			return;
284
	}
285
	n = count;
286
	for (q = p; q != ctx->trees; q = q->next, n = 31) {
287
		while (n--) {
288
			audit_put_chunk(q->c[n]);
289
			q->c[n] = NULL;
290
		}
291
	}
292
	while (n-- > ctx->tree_count) {
293
		audit_put_chunk(q->c[n]);
294
		q->c[n] = NULL;
295
	}
296
	ctx->trees = p;
297
	ctx->tree_count = count;
298
}
299

300
static void free_tree_refs(struct audit_context *ctx)
301
{
302
	struct audit_tree_refs *p, *q;
303

304
	for (p = ctx->first_trees; p; p = q) {
305
		q = p->next;
306
		kfree(p);
307
	}
308
}
309

310
static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311
{
312
	struct audit_tree_refs *p;
313
	int n;
314

315
	if (!tree)
316
		return 0;
317
	/* full ones */
318
	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319
		for (n = 0; n < 31; n++)
320
			if (audit_tree_match(p->c[n], tree))
321
				return 1;
322
	}
323
	/* partial */
324
	if (p) {
325
		for (n = ctx->tree_count; n < 31; n++)
326
			if (audit_tree_match(p->c[n], tree))
327
				return 1;
328
	}
329
	return 0;
330
}
331

332
static int audit_compare_uid(kuid_t uid,
333
			     struct audit_names *name,
334
			     struct audit_field *f,
335
			     struct audit_context *ctx)
336
{
337
	struct audit_names *n;
338
	int rc;
339

340
	if (name) {
341
		rc = audit_uid_comparator(uid, f->op, name->uid);
342
		if (rc)
343
			return rc;
344
	}
345

346
	if (ctx) {
347
		list_for_each_entry(n, &ctx->names_list, list) {
348
			rc = audit_uid_comparator(uid, f->op, n->uid);
349
			if (rc)
350
				return rc;
351
		}
352
	}
353
	return 0;
354
}
355

356
static int audit_compare_gid(kgid_t gid,
357
			     struct audit_names *name,
358
			     struct audit_field *f,
359
			     struct audit_context *ctx)
360
{
361
	struct audit_names *n;
362
	int rc;
363

364
	if (name) {
365
		rc = audit_gid_comparator(gid, f->op, name->gid);
366
		if (rc)
367
			return rc;
368
	}
369

370
	if (ctx) {
371
		list_for_each_entry(n, &ctx->names_list, list) {
372
			rc = audit_gid_comparator(gid, f->op, n->gid);
373
			if (rc)
374
				return rc;
375
		}
376
	}
377
	return 0;
378
}
379

380
static int audit_field_compare(struct task_struct *tsk,
381
			       const struct cred *cred,
382
			       struct audit_field *f,
383
			       struct audit_context *ctx,
384
			       struct audit_names *name)
385
{
386
	switch (f->val) {
387
	/* process to file object comparisons */
388
	case AUDIT_COMPARE_UID_TO_OBJ_UID:
389
		return audit_compare_uid(cred->uid, name, f, ctx);
390
	case AUDIT_COMPARE_GID_TO_OBJ_GID:
391
		return audit_compare_gid(cred->gid, name, f, ctx);
392
	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393
		return audit_compare_uid(cred->euid, name, f, ctx);
394
	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395
		return audit_compare_gid(cred->egid, name, f, ctx);
396
	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397
		return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
398
	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399
		return audit_compare_uid(cred->suid, name, f, ctx);
400
	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401
		return audit_compare_gid(cred->sgid, name, f, ctx);
402
	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403
		return audit_compare_uid(cred->fsuid, name, f, ctx);
404
	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405
		return audit_compare_gid(cred->fsgid, name, f, ctx);
406
	/* uid comparisons */
407
	case AUDIT_COMPARE_UID_TO_AUID:
408
		return audit_uid_comparator(cred->uid, f->op,
409
					    audit_get_loginuid(tsk));
410
	case AUDIT_COMPARE_UID_TO_EUID:
411
		return audit_uid_comparator(cred->uid, f->op, cred->euid);
412
	case AUDIT_COMPARE_UID_TO_SUID:
413
		return audit_uid_comparator(cred->uid, f->op, cred->suid);
414
	case AUDIT_COMPARE_UID_TO_FSUID:
415
		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
416
	/* auid comparisons */
417
	case AUDIT_COMPARE_AUID_TO_EUID:
418
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
419
					    cred->euid);
420
	case AUDIT_COMPARE_AUID_TO_SUID:
421
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
422
					    cred->suid);
423
	case AUDIT_COMPARE_AUID_TO_FSUID:
424
		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
425
					    cred->fsuid);
426
	/* euid comparisons */
427
	case AUDIT_COMPARE_EUID_TO_SUID:
428
		return audit_uid_comparator(cred->euid, f->op, cred->suid);
429
	case AUDIT_COMPARE_EUID_TO_FSUID:
430
		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
431
	/* suid comparisons */
432
	case AUDIT_COMPARE_SUID_TO_FSUID:
433
		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
434
	/* gid comparisons */
435
	case AUDIT_COMPARE_GID_TO_EGID:
436
		return audit_gid_comparator(cred->gid, f->op, cred->egid);
437
	case AUDIT_COMPARE_GID_TO_SGID:
438
		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
439
	case AUDIT_COMPARE_GID_TO_FSGID:
440
		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
441
	/* egid comparisons */
442
	case AUDIT_COMPARE_EGID_TO_SGID:
443
		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
444
	case AUDIT_COMPARE_EGID_TO_FSGID:
445
		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
446
	/* sgid comparison */
447
	case AUDIT_COMPARE_SGID_TO_FSGID:
448
		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
449
	default:
450
		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
451
		return 0;
452
	}
453
	return 0;
454
}
455

456
/* Determine if any context name data matches a rule's watch data */
457
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
458
 * otherwise.
459
 *
460
 * If task_creation is true, this is an explicit indication that we are
461
 * filtering a task rule at task creation time.  This and tsk == current are
462
 * the only situations where tsk->cred may be accessed without an rcu read lock.
463
 */
464
static int audit_filter_rules(struct task_struct *tsk,
465
			      struct audit_krule *rule,
466
			      struct audit_context *ctx,
467
			      struct audit_names *name,
468
			      enum audit_state *state,
469
			      bool task_creation)
470
{
471
	const struct cred *cred;
472
	int i, need_sid = 1;
473
	struct lsm_prop prop = { };
474
	unsigned int sessionid;
475

476
	if (ctx && rule->prio <= ctx->prio)
477
		return 0;
478

479
	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
480

481
	for (i = 0; i < rule->field_count; i++) {
482
		struct audit_field *f = &rule->fields[i];
483
		struct audit_names *n;
484
		int result = 0;
485
		pid_t pid;
486

487
		switch (f->type) {
488
		case AUDIT_PID:
489
			pid = task_tgid_nr(tsk);
490
			result = audit_comparator(pid, f->op, f->val);
491
			break;
492
		case AUDIT_PPID:
493
			if (ctx) {
494
				if (!ctx->ppid)
495
					ctx->ppid = task_ppid_nr(tsk);
496
				result = audit_comparator(ctx->ppid, f->op, f->val);
497
			}
498
			break;
499
		case AUDIT_EXE:
500
			result = audit_exe_compare(tsk, rule->exe);
501
			if (f->op == Audit_not_equal)
502
				result = !result;
503
			break;
504
		case AUDIT_UID:
505
			result = audit_uid_comparator(cred->uid, f->op, f->uid);
506
			break;
507
		case AUDIT_EUID:
508
			result = audit_uid_comparator(cred->euid, f->op, f->uid);
509
			break;
510
		case AUDIT_SUID:
511
			result = audit_uid_comparator(cred->suid, f->op, f->uid);
512
			break;
513
		case AUDIT_FSUID:
514
			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
515
			break;
516
		case AUDIT_GID:
517
			result = audit_gid_comparator(cred->gid, f->op, f->gid);
518
			if (f->op == Audit_equal) {
519
				if (!result)
520
					result = groups_search(cred->group_info, f->gid);
521
			} else if (f->op == Audit_not_equal) {
522
				if (result)
523
					result = !groups_search(cred->group_info, f->gid);
524
			}
525
			break;
526
		case AUDIT_EGID:
527
			result = audit_gid_comparator(cred->egid, f->op, f->gid);
528
			if (f->op == Audit_equal) {
529
				if (!result)
530
					result = groups_search(cred->group_info, f->gid);
531
			} else if (f->op == Audit_not_equal) {
532
				if (result)
533
					result = !groups_search(cred->group_info, f->gid);
534
			}
535
			break;
536
		case AUDIT_SGID:
537
			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
538
			break;
539
		case AUDIT_FSGID:
540
			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
541
			break;
542
		case AUDIT_SESSIONID:
543
			sessionid = audit_get_sessionid(tsk);
544
			result = audit_comparator(sessionid, f->op, f->val);
545
			break;
546
		case AUDIT_PERS:
547
			result = audit_comparator(tsk->personality, f->op, f->val);
548
			break;
549
		case AUDIT_ARCH:
550
			if (ctx)
551
				result = audit_comparator(ctx->arch, f->op, f->val);
552
			break;
553

554
		case AUDIT_EXIT:
555
			if (ctx && ctx->return_valid != AUDITSC_INVALID)
556
				result = audit_comparator(ctx->return_code, f->op, f->val);
557
			break;
558
		case AUDIT_SUCCESS:
559
			if (ctx && ctx->return_valid != AUDITSC_INVALID) {
560
				if (f->val)
561
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562
				else
563
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564
			}
565
			break;
566
		case AUDIT_DEVMAJOR:
567
			if (name) {
568
				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
569
				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
570
					++result;
571
			} else if (ctx) {
572
				list_for_each_entry(n, &ctx->names_list, list) {
573
					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
574
					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
575
						++result;
576
						break;
577
					}
578
				}
579
			}
580
			break;
581
		case AUDIT_DEVMINOR:
582
			if (name) {
583
				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
584
				    audit_comparator(MINOR(name->rdev), f->op, f->val))
585
					++result;
586
			} else if (ctx) {
587
				list_for_each_entry(n, &ctx->names_list, list) {
588
					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
589
					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
590
						++result;
591
						break;
592
					}
593
				}
594
			}
595
			break;
596
		case AUDIT_INODE:
597
			if (name)
598
				result = audit_comparator(name->ino, f->op, f->val);
599
			else if (ctx) {
600
				list_for_each_entry(n, &ctx->names_list, list) {
601
					if (audit_comparator(n->ino, f->op, f->val)) {
602
						++result;
603
						break;
604
					}
605
				}
606
			}
607
			break;
608
		case AUDIT_OBJ_UID:
609
			if (name) {
610
				result = audit_uid_comparator(name->uid, f->op, f->uid);
611
			} else if (ctx) {
612
				list_for_each_entry(n, &ctx->names_list, list) {
613
					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
614
						++result;
615
						break;
616
					}
617
				}
618
			}
619
			break;
620
		case AUDIT_OBJ_GID:
621
			if (name) {
622
				result = audit_gid_comparator(name->gid, f->op, f->gid);
623
			} else if (ctx) {
624
				list_for_each_entry(n, &ctx->names_list, list) {
625
					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
626
						++result;
627
						break;
628
					}
629
				}
630
			}
631
			break;
632
		case AUDIT_WATCH:
633
			if (name) {
634
				result = audit_watch_compare(rule->watch,
635
							     name->ino,
636
							     name->dev);
637
				if (f->op == Audit_not_equal)
638
					result = !result;
639
			}
640
			break;
641
		case AUDIT_DIR:
642
			if (ctx) {
643
				result = match_tree_refs(ctx, rule->tree);
644
				if (f->op == Audit_not_equal)
645
					result = !result;
646
			}
647
			break;
648
		case AUDIT_LOGINUID:
649
			result = audit_uid_comparator(audit_get_loginuid(tsk),
650
						      f->op, f->uid);
651
			break;
652
		case AUDIT_LOGINUID_SET:
653
			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
654
			break;
655
		case AUDIT_SADDR_FAM:
656
			if (ctx && ctx->sockaddr)
657
				result = audit_comparator(ctx->sockaddr->ss_family,
658
							  f->op, f->val);
659
			break;
660
		case AUDIT_SUBJ_USER:
661
		case AUDIT_SUBJ_ROLE:
662
		case AUDIT_SUBJ_TYPE:
663
		case AUDIT_SUBJ_SEN:
664
		case AUDIT_SUBJ_CLR:
665
			/* NOTE: this may return negative values indicating
666
			   a temporary error.  We simply treat this as a
667
			   match for now to avoid losing information that
668
			   may be wanted.   An error message will also be
669
			   logged upon error */
670
			if (f->lsm_rule) {
671
				if (need_sid) {
672
					/* @tsk should always be equal to
673
					 * @current with the exception of
674
					 * fork()/copy_process() in which case
675
					 * the new @tsk creds are still a dup
676
					 * of @current's creds so we can still
677
					 * use
678
					 * security_current_getlsmprop_subj()
679
					 * here even though it always refs
680
					 * @current's creds
681
					 */
682
					security_current_getlsmprop_subj(&prop);
683
					need_sid = 0;
684
				}
685
				result = security_audit_rule_match(&prop,
686
								   f->type,
687
								   f->op,
688
								   f->lsm_rule);
689
			}
690
			break;
691
		case AUDIT_OBJ_USER:
692
		case AUDIT_OBJ_ROLE:
693
		case AUDIT_OBJ_TYPE:
694
		case AUDIT_OBJ_LEV_LOW:
695
		case AUDIT_OBJ_LEV_HIGH:
696
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
697
			   also applies here */
698
			if (f->lsm_rule) {
699
				/* Find files that match */
700
				if (name) {
701
					result = security_audit_rule_match(
702
								&name->oprop,
703
								f->type,
704
								f->op,
705
								f->lsm_rule);
706
				} else if (ctx) {
707
					list_for_each_entry(n, &ctx->names_list, list) {
708
						if (security_audit_rule_match(
709
								&n->oprop,
710
								f->type,
711
								f->op,
712
								f->lsm_rule)) {
713
							++result;
714
							break;
715
						}
716
					}
717
				}
718
				/* Find ipc objects that match */
719
				if (!ctx || ctx->type != AUDIT_IPC)
720
					break;
721
				if (security_audit_rule_match(&ctx->ipc.oprop,
722
							      f->type, f->op,
723
							      f->lsm_rule))
724
					++result;
725
			}
726
			break;
727
		case AUDIT_ARG0:
728
		case AUDIT_ARG1:
729
		case AUDIT_ARG2:
730
		case AUDIT_ARG3:
731
			if (ctx)
732
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
733
			break;
734
		case AUDIT_FILTERKEY:
735
			/* ignore this field for filtering */
736
			result = 1;
737
			break;
738
		case AUDIT_PERM:
739
			result = audit_match_perm(ctx, f->val);
740
			if (f->op == Audit_not_equal)
741
				result = !result;
742
			break;
743
		case AUDIT_FILETYPE:
744
			result = audit_match_filetype(ctx, f->val);
745
			if (f->op == Audit_not_equal)
746
				result = !result;
747
			break;
748
		case AUDIT_FIELD_COMPARE:
749
			result = audit_field_compare(tsk, cred, f, ctx, name);
750
			break;
751
		}
752
		if (!result)
753
			return 0;
754
	}
755

756
	if (ctx) {
757
		if (rule->filterkey) {
758
			kfree(ctx->filterkey);
759
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
760
		}
761
		ctx->prio = rule->prio;
762
	}
763
	switch (rule->action) {
764
	case AUDIT_NEVER:
765
		*state = AUDIT_STATE_DISABLED;
766
		break;
767
	case AUDIT_ALWAYS:
768
		*state = AUDIT_STATE_RECORD;
769
		break;
770
	}
771
	return 1;
772
}
773

774
/* At process creation time, we can determine if system-call auditing is
775
 * completely disabled for this task.  Since we only have the task
776
 * structure at this point, we can only check uid and gid.
777
 */
778
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
779
{
780
	struct audit_entry *e;
781
	enum audit_state   state;
782

783
	rcu_read_lock();
784
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
785
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
786
				       &state, true)) {
787
			if (state == AUDIT_STATE_RECORD)
788
				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
789
			rcu_read_unlock();
790
			return state;
791
		}
792
	}
793
	rcu_read_unlock();
794
	return AUDIT_STATE_BUILD;
795
}
796

797
static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
798
{
799
	int word, bit;
800

801
	if (val > 0xffffffff)
802
		return false;
803

804
	word = AUDIT_WORD(val);
805
	if (word >= AUDIT_BITMASK_SIZE)
806
		return false;
807

808
	bit = AUDIT_BIT(val);
809

810
	return rule->mask[word] & bit;
811
}
812

813
/**
814
 * __audit_filter_op - common filter helper for operations (syscall/uring/etc)
815
 * @tsk: associated task
816
 * @ctx: audit context
817
 * @list: audit filter list
818
 * @name: audit_name (can be NULL)
819
 * @op: current syscall/uring_op
820
 *
821
 * Run the udit filters specified in @list against @tsk using @ctx,
822
 * @name, and @op, as necessary; the caller is responsible for ensuring
823
 * that the call is made while the RCU read lock is held. The @name
824
 * parameter can be NULL, but all others must be specified.
825
 * Returns 1/true if the filter finds a match, 0/false if none are found.
826
 */
827
static int __audit_filter_op(struct task_struct *tsk,
828
			   struct audit_context *ctx,
829
			   struct list_head *list,
830
			   struct audit_names *name,
831
			   unsigned long op)
832
{
833
	struct audit_entry *e;
834
	enum audit_state state;
835

836
	list_for_each_entry_rcu(e, list, list) {
837
		if (audit_in_mask(&e->rule, op) &&
838
		    audit_filter_rules(tsk, &e->rule, ctx, name,
839
				       &state, false)) {
840
			ctx->current_state = state;
841
			return 1;
842
		}
843
	}
844
	return 0;
845
}
846

847
/**
848
 * audit_filter_uring - apply filters to an io_uring operation
849
 * @tsk: associated task
850
 * @ctx: audit context
851
 */
852
static void audit_filter_uring(struct task_struct *tsk,
853
			       struct audit_context *ctx)
854
{
855
	if (auditd_test_task(tsk))
856
		return;
857

858
	rcu_read_lock();
859
	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_URING_EXIT],
860
			NULL, ctx->uring_op);
861
	rcu_read_unlock();
862
}
863

864
/* At syscall exit time, this filter is called if the audit_state is
865
 * not low enough that auditing cannot take place, but is also not
866
 * high enough that we already know we have to write an audit record
867
 * (i.e., the state is AUDIT_STATE_BUILD).
868
 */
869
static void audit_filter_syscall(struct task_struct *tsk,
870
				 struct audit_context *ctx)
871
{
872
	if (auditd_test_task(tsk))
873
		return;
874

875
	rcu_read_lock();
876
	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_EXIT],
877
			NULL, ctx->major);
878
	rcu_read_unlock();
879
}
880

881
/*
882
 * Given an audit_name check the inode hash table to see if they match.
883
 * Called holding the rcu read lock to protect the use of audit_inode_hash
884
 */
885
static int audit_filter_inode_name(struct task_struct *tsk,
886
				   struct audit_names *n,
887
				   struct audit_context *ctx)
888
{
889
	int h = audit_hash_ino((u32)n->ino);
890
	struct list_head *list = &audit_inode_hash[h];
891

892
	return __audit_filter_op(tsk, ctx, list, n, ctx->major);
893
}
894

895
/* At syscall exit time, this filter is called if any audit_names have been
896
 * collected during syscall processing.  We only check rules in sublists at hash
897
 * buckets applicable to the inode numbers in audit_names.
898
 * Regarding audit_state, same rules apply as for audit_filter_syscall().
899
 */
900
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
901
{
902
	struct audit_names *n;
903

904
	if (auditd_test_task(tsk))
905
		return;
906

907
	rcu_read_lock();
908

909
	list_for_each_entry(n, &ctx->names_list, list) {
910
		if (audit_filter_inode_name(tsk, n, ctx))
911
			break;
912
	}
913
	rcu_read_unlock();
914
}
915

916
static inline void audit_proctitle_free(struct audit_context *context)
917
{
918
	kfree(context->proctitle.value);
919
	context->proctitle.value = NULL;
920
	context->proctitle.len = 0;
921
}
922

923
static inline void audit_free_module(struct audit_context *context)
924
{
925
	if (context->type == AUDIT_KERN_MODULE) {
926
		kfree(context->module.name);
927
		context->module.name = NULL;
928
	}
929
}
930
static inline void audit_free_names(struct audit_context *context)
931
{
932
	struct audit_names *n, *next;
933

934
	list_for_each_entry_safe(n, next, &context->names_list, list) {
935
		list_del(&n->list);
936
		if (n->name)
937
			putname(n->name);
938
		if (n->should_free)
939
			kfree(n);
940
	}
941
	context->name_count = 0;
942
	path_put(&context->pwd);
943
	context->pwd.dentry = NULL;
944
	context->pwd.mnt = NULL;
945
}
946

947
static inline void audit_free_aux(struct audit_context *context)
948
{
949
	struct audit_aux_data *aux;
950

951
	while ((aux = context->aux)) {
952
		context->aux = aux->next;
953
		kfree(aux);
954
	}
955
	context->aux = NULL;
956
	while ((aux = context->aux_pids)) {
957
		context->aux_pids = aux->next;
958
		kfree(aux);
959
	}
960
	context->aux_pids = NULL;
961
}
962

963
/**
964
 * audit_reset_context - reset a audit_context structure
965
 * @ctx: the audit_context to reset
966
 *
967
 * All fields in the audit_context will be reset to an initial state, all
968
 * references held by fields will be dropped, and private memory will be
969
 * released.  When this function returns the audit_context will be suitable
970
 * for reuse, so long as the passed context is not NULL or a dummy context.
971
 */
972
static void audit_reset_context(struct audit_context *ctx)
973
{
974
	if (!ctx)
975
		return;
976

977
	/* if ctx is non-null, reset the "ctx->context" regardless */
978
	ctx->context = AUDIT_CTX_UNUSED;
979
	if (ctx->dummy)
980
		return;
981

982
	/*
983
	 * NOTE: It shouldn't matter in what order we release the fields, so
984
	 *       release them in the order in which they appear in the struct;
985
	 *       this gives us some hope of quickly making sure we are
986
	 *       resetting the audit_context properly.
987
	 *
988
	 *       Other things worth mentioning:
989
	 *       - we don't reset "dummy"
990
	 *       - we don't reset "state", we do reset "current_state"
991
	 *       - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD
992
	 *       - much of this is likely overkill, but play it safe for now
993
	 *       - we really need to work on improving the audit_context struct
994
	 */
995

996
	ctx->current_state = ctx->state;
997
	ctx->stamp.serial = 0;
998
	ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
999
	ctx->major = 0;
1000
	ctx->uring_op = 0;
1001
	memset(ctx->argv, 0, sizeof(ctx->argv));
1002
	ctx->return_code = 0;
1003
	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
1004
	ctx->return_valid = AUDITSC_INVALID;
1005
	audit_free_names(ctx);
1006
	if (ctx->state != AUDIT_STATE_RECORD) {
1007
		kfree(ctx->filterkey);
1008
		ctx->filterkey = NULL;
1009
	}
1010
	audit_free_aux(ctx);
1011
	kfree(ctx->sockaddr);
1012
	ctx->sockaddr = NULL;
1013
	ctx->sockaddr_len = 0;
1014
	ctx->ppid = 0;
1015
	ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
1016
	ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
1017
	ctx->personality = 0;
1018
	ctx->arch = 0;
1019
	ctx->target_pid = 0;
1020
	ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
1021
	ctx->target_sessionid = 0;
1022
	lsmprop_init(&ctx->target_ref);
1023
	ctx->target_comm[0] = '\0';
1024
	unroll_tree_refs(ctx, NULL, 0);
1025
	WARN_ON(!list_empty(&ctx->killed_trees));
1026
	audit_free_module(ctx);
1027
	ctx->fds[0] = -1;
1028
	ctx->type = 0; /* reset last for audit_free_*() */
1029
}
1030

1031
static inline struct audit_context *audit_alloc_context(enum audit_state state)
1032
{
1033
	struct audit_context *context;
1034

1035
	context = kzalloc(sizeof(*context), GFP_KERNEL);
1036
	if (!context)
1037
		return NULL;
1038
	context->context = AUDIT_CTX_UNUSED;
1039
	context->state = state;
1040
	context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;
1041
	INIT_LIST_HEAD(&context->killed_trees);
1042
	INIT_LIST_HEAD(&context->names_list);
1043
	context->fds[0] = -1;
1044
	context->return_valid = AUDITSC_INVALID;
1045
	return context;
1046
}
1047

1048
/**
1049
 * audit_alloc - allocate an audit context block for a task
1050
 * @tsk: task
1051
 *
1052
 * Filter on the task information and allocate a per-task audit context
1053
 * if necessary.  Doing so turns on system call auditing for the
1054
 * specified task.  This is called from copy_process, so no lock is
1055
 * needed.
1056
 */
1057
int audit_alloc(struct task_struct *tsk)
1058
{
1059
	struct audit_context *context;
1060
	enum audit_state     state;
1061
	char *key = NULL;
1062

1063
	if (likely(!audit_ever_enabled))
1064
		return 0;
1065

1066
	state = audit_filter_task(tsk, &key);
1067
	if (state == AUDIT_STATE_DISABLED) {
1068
		clear_task_syscall_work(tsk, SYSCALL_AUDIT);
1069
		return 0;
1070
	}
1071

1072
	context = audit_alloc_context(state);
1073
	if (!context) {
1074
		kfree(key);
1075
		audit_log_lost("out of memory in audit_alloc");
1076
		return -ENOMEM;
1077
	}
1078
	context->filterkey = key;
1079

1080
	audit_set_context(tsk, context);
1081
	set_task_syscall_work(tsk, SYSCALL_AUDIT);
1082
	return 0;
1083
}
1084

1085
static inline void audit_free_context(struct audit_context *context)
1086
{
1087
	/* resetting is extra work, but it is likely just noise */
1088
	audit_reset_context(context);
1089
	audit_proctitle_free(context);
1090
	free_tree_refs(context);
1091
	kfree(context->filterkey);
1092
	kfree(context);
1093
}
1094

1095
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1096
				 kuid_t auid, kuid_t uid,
1097
				 unsigned int sessionid, struct lsm_prop *prop,
1098
				 char *comm)
1099
{
1100
	struct audit_buffer *ab;
1101
	int rc = 0;
1102

1103
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1104
	if (!ab)
1105
		return rc;
1106

1107
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1108
			 from_kuid(&init_user_ns, auid),
1109
			 from_kuid(&init_user_ns, uid), sessionid);
1110
	if (lsmprop_is_set(prop) && audit_log_obj_ctx(ab, prop))
1111
		rc = 1;
1112

1113
	audit_log_format(ab, " ocomm=");
1114
	audit_log_untrustedstring(ab, comm);
1115
	audit_log_end(ab);
1116

1117
	return rc;
1118
}
1119

1120
static void audit_log_execve_info(struct audit_context *context,
1121
				  struct audit_buffer **ab)
1122
{
1123
	long len_max;
1124
	long len_rem;
1125
	long len_full;
1126
	long len_buf;
1127
	long len_abuf = 0;
1128
	long len_tmp;
1129
	bool require_data;
1130
	bool encode;
1131
	unsigned int iter;
1132
	unsigned int arg;
1133
	char *buf_head;
1134
	char *buf;
1135
	const char __user *p = (const char __user *)current->mm->arg_start;
1136

1137
	/* NOTE: this buffer needs to be large enough to hold all the non-arg
1138
	 *       data we put in the audit record for this argument (see the
1139
	 *       code below) ... at this point in time 96 is plenty */
1140
	char abuf[96];
1141

1142
	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1143
	 *       current value of 7500 is not as important as the fact that it
1144
	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1145
	 *       room if we go over a little bit in the logging below */
1146
	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1147
	len_max = MAX_EXECVE_AUDIT_LEN;
1148

1149
	/* scratch buffer to hold the userspace args */
1150
	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1151
	if (!buf_head) {
1152
		audit_panic("out of memory for argv string");
1153
		return;
1154
	}
1155
	buf = buf_head;
1156

1157
	audit_log_format(*ab, "argc=%d", context->execve.argc);
1158

1159
	len_rem = len_max;
1160
	len_buf = 0;
1161
	len_full = 0;
1162
	require_data = true;
1163
	encode = false;
1164
	iter = 0;
1165
	arg = 0;
1166
	do {
1167
		/* NOTE: we don't ever want to trust this value for anything
1168
		 *       serious, but the audit record format insists we
1169
		 *       provide an argument length for really long arguments,
1170
		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1171
		 *       to use strncpy_from_user() to obtain this value for
1172
		 *       recording in the log, although we don't use it
1173
		 *       anywhere here to avoid a double-fetch problem */
1174
		if (len_full == 0)
1175
			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1176

1177
		/* read more data from userspace */
1178
		if (require_data) {
1179
			/* can we make more room in the buffer? */
1180
			if (buf != buf_head) {
1181
				memmove(buf_head, buf, len_buf);
1182
				buf = buf_head;
1183
			}
1184

1185
			/* fetch as much as we can of the argument */
1186
			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1187
						    len_max - len_buf);
1188
			if (len_tmp == -EFAULT) {
1189
				/* unable to copy from userspace */
1190
				send_sig(SIGKILL, current, 0);
1191
				goto out;
1192
			} else if (len_tmp == (len_max - len_buf)) {
1193
				/* buffer is not large enough */
1194
				require_data = true;
1195
				/* NOTE: if we are going to span multiple
1196
				 *       buffers force the encoding so we stand
1197
				 *       a chance at a sane len_full value and
1198
				 *       consistent record encoding */
1199
				encode = true;
1200
				len_full = len_full * 2;
1201
				p += len_tmp;
1202
			} else {
1203
				require_data = false;
1204
				if (!encode)
1205
					encode = audit_string_contains_control(
1206
								buf, len_tmp);
1207
				/* try to use a trusted value for len_full */
1208
				if (len_full < len_max)
1209
					len_full = (encode ?
1210
						    len_tmp * 2 : len_tmp);
1211
				p += len_tmp + 1;
1212
			}
1213
			len_buf += len_tmp;
1214
			buf_head[len_buf] = '\0';
1215

1216
			/* length of the buffer in the audit record? */
1217
			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1218
		}
1219

1220
		/* write as much as we can to the audit log */
1221
		if (len_buf >= 0) {
1222
			/* NOTE: some magic numbers here - basically if we
1223
			 *       can't fit a reasonable amount of data into the
1224
			 *       existing audit buffer, flush it and start with
1225
			 *       a new buffer */
1226
			if ((sizeof(abuf) + 8) > len_rem) {
1227
				len_rem = len_max;
1228
				audit_log_end(*ab);
1229
				*ab = audit_log_start(context,
1230
						      GFP_KERNEL, AUDIT_EXECVE);
1231
				if (!*ab)
1232
					goto out;
1233
			}
1234

1235
			/* create the non-arg portion of the arg record */
1236
			len_tmp = 0;
1237
			if (require_data || (iter > 0) ||
1238
			    ((len_abuf + sizeof(abuf)) > len_rem)) {
1239
				if (iter == 0) {
1240
					len_tmp += snprintf(&abuf[len_tmp],
1241
							sizeof(abuf) - len_tmp,
1242
							" a%d_len=%lu",
1243
							arg, len_full);
1244
				}
1245
				len_tmp += snprintf(&abuf[len_tmp],
1246
						    sizeof(abuf) - len_tmp,
1247
						    " a%d[%d]=", arg, iter++);
1248
			} else
1249
				len_tmp += snprintf(&abuf[len_tmp],
1250
						    sizeof(abuf) - len_tmp,
1251
						    " a%d=", arg);
1252
			WARN_ON(len_tmp >= sizeof(abuf));
1253
			abuf[sizeof(abuf) - 1] = '\0';
1254

1255
			/* log the arg in the audit record */
1256
			audit_log_format(*ab, "%s", abuf);
1257
			len_rem -= len_tmp;
1258
			len_tmp = len_buf;
1259
			if (encode) {
1260
				if (len_abuf > len_rem)
1261
					len_tmp = len_rem / 2; /* encoding */
1262
				audit_log_n_hex(*ab, buf, len_tmp);
1263
				len_rem -= len_tmp * 2;
1264
				len_abuf -= len_tmp * 2;
1265
			} else {
1266
				if (len_abuf > len_rem)
1267
					len_tmp = len_rem - 2; /* quotes */
1268
				audit_log_n_string(*ab, buf, len_tmp);
1269
				len_rem -= len_tmp + 2;
1270
				/* don't subtract the "2" because we still need
1271
				 * to add quotes to the remaining string */
1272
				len_abuf -= len_tmp;
1273
			}
1274
			len_buf -= len_tmp;
1275
			buf += len_tmp;
1276
		}
1277

1278
		/* ready to move to the next argument? */
1279
		if ((len_buf == 0) && !require_data) {
1280
			arg++;
1281
			iter = 0;
1282
			len_full = 0;
1283
			require_data = true;
1284
			encode = false;
1285
		}
1286
	} while (arg < context->execve.argc);
1287

1288
	/* NOTE: the caller handles the final audit_log_end() call */
1289

1290
out:
1291
	kfree(buf_head);
1292
}
1293

1294
static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1295
			  kernel_cap_t *cap)
1296
{
1297
	if (cap_isclear(*cap)) {
1298
		audit_log_format(ab, " %s=0", prefix);
1299
		return;
1300
	}
1301
	audit_log_format(ab, " %s=%016llx", prefix, cap->val);
1302
}
1303

1304
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1305
{
1306
	if (name->fcap_ver == -1) {
1307
		audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1308
		return;
1309
	}
1310
	audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1311
	audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1312
	audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1313
			 name->fcap.fE, name->fcap_ver,
1314
			 from_kuid(&init_user_ns, name->fcap.rootid));
1315
}
1316

1317
static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
1318
{
1319
	const struct audit_ntp_data *ntp = &context->time.ntp_data;
1320
	const struct timespec64 *tk = &context->time.tk_injoffset;
1321
	static const char * const ntp_name[] = {
1322
		"offset",
1323
		"freq",
1324
		"status",
1325
		"tai",
1326
		"tick",
1327
		"adjust",
1328
	};
1329
	int type;
1330

1331
	if (context->type == AUDIT_TIME_ADJNTPVAL) {
1332
		for (type = 0; type < AUDIT_NTP_NVALS; type++) {
1333
			if (ntp->vals[type].newval != ntp->vals[type].oldval) {
1334
				if (!*ab) {
1335
					*ab = audit_log_start(context,
1336
							GFP_KERNEL,
1337
							AUDIT_TIME_ADJNTPVAL);
1338
					if (!*ab)
1339
						return;
1340
				}
1341
				audit_log_format(*ab, "op=%s old=%lli new=%lli",
1342
						 ntp_name[type],
1343
						 ntp->vals[type].oldval,
1344
						 ntp->vals[type].newval);
1345
				audit_log_end(*ab);
1346
				*ab = NULL;
1347
			}
1348
		}
1349
	}
1350
	if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
1351
		if (!*ab) {
1352
			*ab = audit_log_start(context, GFP_KERNEL,
1353
					      AUDIT_TIME_INJOFFSET);
1354
			if (!*ab)
1355
				return;
1356
		}
1357
		audit_log_format(*ab, "sec=%lli nsec=%li",
1358
				 (long long)tk->tv_sec, tk->tv_nsec);
1359
		audit_log_end(*ab);
1360
		*ab = NULL;
1361
	}
1362
}
1363

1364
static void show_special(struct audit_context *context, int *call_panic)
1365
{
1366
	struct audit_buffer *ab;
1367
	int i;
1368

1369
	ab = audit_log_start(context, GFP_KERNEL, context->type);
1370
	if (!ab)
1371
		return;
1372

1373
	switch (context->type) {
1374
	case AUDIT_SOCKETCALL: {
1375
		int nargs = context->socketcall.nargs;
1376

1377
		audit_log_format(ab, "nargs=%d", nargs);
1378
		for (i = 0; i < nargs; i++)
1379
			audit_log_format(ab, " a%d=%lx", i,
1380
				context->socketcall.args[i]);
1381
		break; }
1382
	case AUDIT_IPC:
1383
		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1384
				 from_kuid(&init_user_ns, context->ipc.uid),
1385
				 from_kgid(&init_user_ns, context->ipc.gid),
1386
				 context->ipc.mode);
1387
		if (lsmprop_is_set(&context->ipc.oprop)) {
1388
			if (audit_log_obj_ctx(ab, &context->ipc.oprop))
1389
				*call_panic = 1;
1390
		}
1391
		if (context->ipc.has_perm) {
1392
			audit_log_end(ab);
1393
			ab = audit_log_start(context, GFP_KERNEL,
1394
					     AUDIT_IPC_SET_PERM);
1395
			if (unlikely(!ab))
1396
				return;
1397
			audit_log_format(ab,
1398
				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1399
				context->ipc.qbytes,
1400
				context->ipc.perm_uid,
1401
				context->ipc.perm_gid,
1402
				context->ipc.perm_mode);
1403
		}
1404
		break;
1405
	case AUDIT_MQ_OPEN:
1406
		audit_log_format(ab,
1407
			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1408
			"mq_msgsize=%ld mq_curmsgs=%ld",
1409
			context->mq_open.oflag, context->mq_open.mode,
1410
			context->mq_open.attr.mq_flags,
1411
			context->mq_open.attr.mq_maxmsg,
1412
			context->mq_open.attr.mq_msgsize,
1413
			context->mq_open.attr.mq_curmsgs);
1414
		break;
1415
	case AUDIT_MQ_SENDRECV:
1416
		audit_log_format(ab,
1417
			"mqdes=%d msg_len=%zd msg_prio=%u "
1418
			"abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1419
			context->mq_sendrecv.mqdes,
1420
			context->mq_sendrecv.msg_len,
1421
			context->mq_sendrecv.msg_prio,
1422
			(long long) context->mq_sendrecv.abs_timeout.tv_sec,
1423
			context->mq_sendrecv.abs_timeout.tv_nsec);
1424
		break;
1425
	case AUDIT_MQ_NOTIFY:
1426
		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1427
				context->mq_notify.mqdes,
1428
				context->mq_notify.sigev_signo);
1429
		break;
1430
	case AUDIT_MQ_GETSETATTR: {
1431
		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1432

1433
		audit_log_format(ab,
1434
			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1435
			"mq_curmsgs=%ld ",
1436
			context->mq_getsetattr.mqdes,
1437
			attr->mq_flags, attr->mq_maxmsg,
1438
			attr->mq_msgsize, attr->mq_curmsgs);
1439
		break; }
1440
	case AUDIT_CAPSET:
1441
		audit_log_format(ab, "pid=%d", context->capset.pid);
1442
		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1443
		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1444
		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1445
		audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1446
		break;
1447
	case AUDIT_MMAP:
1448
		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1449
				 context->mmap.flags);
1450
		break;
1451
	case AUDIT_OPENAT2:
1452
		audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
1453
				 context->openat2.flags,
1454
				 context->openat2.mode,
1455
				 context->openat2.resolve);
1456
		break;
1457
	case AUDIT_EXECVE:
1458
		audit_log_execve_info(context, &ab);
1459
		break;
1460
	case AUDIT_KERN_MODULE:
1461
		audit_log_format(ab, "name=");
1462
		if (context->module.name) {
1463
			audit_log_untrustedstring(ab, context->module.name);
1464
		} else
1465
			audit_log_format(ab, "(null)");
1466

1467
		break;
1468
	case AUDIT_TIME_ADJNTPVAL:
1469
	case AUDIT_TIME_INJOFFSET:
1470
		/* this call deviates from the rest, eating the buffer */
1471
		audit_log_time(context, &ab);
1472
		break;
1473
	}
1474
	audit_log_end(ab);
1475
}
1476

1477
static inline int audit_proctitle_rtrim(char *proctitle, int len)
1478
{
1479
	char *end = proctitle + len - 1;
1480

1481
	while (end > proctitle && !isprint(*end))
1482
		end--;
1483

1484
	/* catch the case where proctitle is only 1 non-print character */
1485
	len = end - proctitle + 1;
1486
	len -= isprint(proctitle[len-1]) == 0;
1487
	return len;
1488
}
1489

1490
/*
1491
 * audit_log_name - produce AUDIT_PATH record from struct audit_names
1492
 * @context: audit_context for the task
1493
 * @n: audit_names structure with reportable details
1494
 * @path: optional path to report instead of audit_names->name
1495
 * @record_num: record number to report when handling a list of names
1496
 * @call_panic: optional pointer to int that will be updated if secid fails
1497
 */
1498
static void audit_log_name(struct audit_context *context, struct audit_names *n,
1499
		    const struct path *path, int record_num, int *call_panic)
1500
{
1501
	struct audit_buffer *ab;
1502

1503
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1504
	if (!ab)
1505
		return;
1506

1507
	audit_log_format(ab, "item=%d", record_num);
1508

1509
	if (path)
1510
		audit_log_d_path(ab, " name=", path);
1511
	else if (n->name) {
1512
		switch (n->name_len) {
1513
		case AUDIT_NAME_FULL:
1514
			/* log the full path */
1515
			audit_log_format(ab, " name=");
1516
			audit_log_untrustedstring(ab, n->name->name);
1517
			break;
1518
		case 0:
1519
			/* name was specified as a relative path and the
1520
			 * directory component is the cwd
1521
			 */
1522
			if (context->pwd.dentry && context->pwd.mnt)
1523
				audit_log_d_path(ab, " name=", &context->pwd);
1524
			else
1525
				audit_log_format(ab, " name=(null)");
1526
			break;
1527
		default:
1528
			/* log the name's directory component */
1529
			audit_log_format(ab, " name=");
1530
			audit_log_n_untrustedstring(ab, n->name->name,
1531
						    n->name_len);
1532
		}
1533
	} else
1534
		audit_log_format(ab, " name=(null)");
1535

1536
	if (n->ino != AUDIT_INO_UNSET)
1537
		audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1538
				 n->ino,
1539
				 MAJOR(n->dev),
1540
				 MINOR(n->dev),
1541
				 n->mode,
1542
				 from_kuid(&init_user_ns, n->uid),
1543
				 from_kgid(&init_user_ns, n->gid),
1544
				 MAJOR(n->rdev),
1545
				 MINOR(n->rdev));
1546
	if (lsmprop_is_set(&n->oprop) &&
1547
	    audit_log_obj_ctx(ab, &n->oprop))
1548
		*call_panic = 2;
1549

1550
	/* log the audit_names record type */
1551
	switch (n->type) {
1552
	case AUDIT_TYPE_NORMAL:
1553
		audit_log_format(ab, " nametype=NORMAL");
1554
		break;
1555
	case AUDIT_TYPE_PARENT:
1556
		audit_log_format(ab, " nametype=PARENT");
1557
		break;
1558
	case AUDIT_TYPE_CHILD_DELETE:
1559
		audit_log_format(ab, " nametype=DELETE");
1560
		break;
1561
	case AUDIT_TYPE_CHILD_CREATE:
1562
		audit_log_format(ab, " nametype=CREATE");
1563
		break;
1564
	default:
1565
		audit_log_format(ab, " nametype=UNKNOWN");
1566
		break;
1567
	}
1568

1569
	audit_log_fcaps(ab, n);
1570
	audit_log_end(ab);
1571
}
1572

1573
static void audit_log_proctitle(void)
1574
{
1575
	int res;
1576
	char *buf;
1577
	char *msg = "(null)";
1578
	int len = strlen(msg);
1579
	struct audit_context *context = audit_context();
1580
	struct audit_buffer *ab;
1581

1582
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1583
	if (!ab)
1584
		return;	/* audit_panic or being filtered */
1585

1586
	audit_log_format(ab, "proctitle=");
1587

1588
	/* Not  cached */
1589
	if (!context->proctitle.value) {
1590
		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1591
		if (!buf)
1592
			goto out;
1593
		/* Historically called this from procfs naming */
1594
		res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1595
		if (res == 0) {
1596
			kfree(buf);
1597
			goto out;
1598
		}
1599
		res = audit_proctitle_rtrim(buf, res);
1600
		if (res == 0) {
1601
			kfree(buf);
1602
			goto out;
1603
		}
1604
		context->proctitle.value = buf;
1605
		context->proctitle.len = res;
1606
	}
1607
	msg = context->proctitle.value;
1608
	len = context->proctitle.len;
1609
out:
1610
	audit_log_n_untrustedstring(ab, msg, len);
1611
	audit_log_end(ab);
1612
}
1613

1614
/**
1615
 * audit_log_uring - generate a AUDIT_URINGOP record
1616
 * @ctx: the audit context
1617
 */
1618
static void audit_log_uring(struct audit_context *ctx)
1619
{
1620
	struct audit_buffer *ab;
1621
	const struct cred *cred;
1622

1623
	ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);
1624
	if (!ab)
1625
		return;
1626
	cred = current_cred();
1627
	audit_log_format(ab, "uring_op=%d", ctx->uring_op);
1628
	if (ctx->return_valid != AUDITSC_INVALID)
1629
		audit_log_format(ab, " success=%s exit=%ld",
1630
				 str_yes_no(ctx->return_valid ==
1631
					    AUDITSC_SUCCESS),
1632
				 ctx->return_code);
1633
	audit_log_format(ab,
1634
			 " items=%d"
1635
			 " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"
1636
			 " fsuid=%u egid=%u sgid=%u fsgid=%u",
1637
			 ctx->name_count,
1638
			 task_ppid_nr(current), task_tgid_nr(current),
1639
			 from_kuid(&init_user_ns, cred->uid),
1640
			 from_kgid(&init_user_ns, cred->gid),
1641
			 from_kuid(&init_user_ns, cred->euid),
1642
			 from_kuid(&init_user_ns, cred->suid),
1643
			 from_kuid(&init_user_ns, cred->fsuid),
1644
			 from_kgid(&init_user_ns, cred->egid),
1645
			 from_kgid(&init_user_ns, cred->sgid),
1646
			 from_kgid(&init_user_ns, cred->fsgid));
1647
	audit_log_task_context(ab);
1648
	audit_log_key(ab, ctx->filterkey);
1649
	audit_log_end(ab);
1650
}
1651

1652
static void audit_log_exit(void)
1653
{
1654
	int i, call_panic = 0;
1655
	struct audit_context *context = audit_context();
1656
	struct audit_buffer *ab;
1657
	struct audit_aux_data *aux;
1658
	struct audit_names *n;
1659

1660
	context->personality = current->personality;
1661

1662
	switch (context->context) {
1663
	case AUDIT_CTX_SYSCALL:
1664
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1665
		if (!ab)
1666
			return;
1667
		audit_log_format(ab, "arch=%x syscall=%d",
1668
				 context->arch, context->major);
1669
		if (context->personality != PER_LINUX)
1670
			audit_log_format(ab, " per=%lx", context->personality);
1671
		if (context->return_valid != AUDITSC_INVALID)
1672
			audit_log_format(ab, " success=%s exit=%ld",
1673
					 str_yes_no(context->return_valid ==
1674
						    AUDITSC_SUCCESS),
1675
					 context->return_code);
1676
		audit_log_format(ab,
1677
				 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1678
				 context->argv[0],
1679
				 context->argv[1],
1680
				 context->argv[2],
1681
				 context->argv[3],
1682
				 context->name_count);
1683
		audit_log_task_info(ab);
1684
		audit_log_key(ab, context->filterkey);
1685
		audit_log_end(ab);
1686
		break;
1687
	case AUDIT_CTX_URING:
1688
		audit_log_uring(context);
1689
		break;
1690
	default:
1691
		BUG();
1692
		break;
1693
	}
1694

1695
	for (aux = context->aux; aux; aux = aux->next) {
1696

1697
		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1698
		if (!ab)
1699
			continue; /* audit_panic has been called */
1700

1701
		switch (aux->type) {
1702

1703
		case AUDIT_BPRM_FCAPS: {
1704
			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1705

1706
			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1707
			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1708
			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1709
			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1710
			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1711
			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1712
			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1713
			audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1714
			audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1715
			audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1716
			audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1717
			audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1718
			audit_log_format(ab, " frootid=%d",
1719
					 from_kuid(&init_user_ns,
1720
						   axs->fcap.rootid));
1721
			break; }
1722

1723
		}
1724
		audit_log_end(ab);
1725
	}
1726

1727
	if (context->type)
1728
		show_special(context, &call_panic);
1729

1730
	if (context->fds[0] >= 0) {
1731
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1732
		if (ab) {
1733
			audit_log_format(ab, "fd0=%d fd1=%d",
1734
					context->fds[0], context->fds[1]);
1735
			audit_log_end(ab);
1736
		}
1737
	}
1738

1739
	if (context->sockaddr_len) {
1740
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1741
		if (ab) {
1742
			audit_log_format(ab, "saddr=");
1743
			audit_log_n_hex(ab, (void *)context->sockaddr,
1744
					context->sockaddr_len);
1745
			audit_log_end(ab);
1746
		}
1747
	}
1748

1749
	for (aux = context->aux_pids; aux; aux = aux->next) {
1750
		struct audit_aux_data_pids *axs = (void *)aux;
1751

1752
		for (i = 0; i < axs->pid_count; i++)
1753
			if (audit_log_pid_context(context, axs->target_pid[i],
1754
						  axs->target_auid[i],
1755
						  axs->target_uid[i],
1756
						  axs->target_sessionid[i],
1757
						  &axs->target_ref[i],
1758
						  axs->target_comm[i]))
1759
				call_panic = 1;
1760
	}
1761

1762
	if (context->target_pid &&
1763
	    audit_log_pid_context(context, context->target_pid,
1764
				  context->target_auid, context->target_uid,
1765
				  context->target_sessionid,
1766
				  &context->target_ref,
1767
				  context->target_comm))
1768
		call_panic = 1;
1769

1770
	if (context->pwd.dentry && context->pwd.mnt) {
1771
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1772
		if (ab) {
1773
			audit_log_d_path(ab, "cwd=", &context->pwd);
1774
			audit_log_end(ab);
1775
		}
1776
	}
1777

1778
	i = 0;
1779
	list_for_each_entry(n, &context->names_list, list) {
1780
		if (n->hidden)
1781
			continue;
1782
		audit_log_name(context, n, NULL, i++, &call_panic);
1783
	}
1784

1785
	if (context->context == AUDIT_CTX_SYSCALL)
1786
		audit_log_proctitle();
1787

1788
	/* Send end of event record to help user space know we are finished */
1789
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1790
	if (ab)
1791
		audit_log_end(ab);
1792
	if (call_panic)
1793
		audit_panic("error in audit_log_exit()");
1794
}
1795

1796
/**
1797
 * __audit_free - free a per-task audit context
1798
 * @tsk: task whose audit context block to free
1799
 *
1800
 * Called from copy_process, do_exit, and the io_uring code
1801
 */
1802
void __audit_free(struct task_struct *tsk)
1803
{
1804
	struct audit_context *context = tsk->audit_context;
1805

1806
	if (!context)
1807
		return;
1808

1809
	/* this may generate CONFIG_CHANGE records */
1810
	if (!list_empty(&context->killed_trees))
1811
		audit_kill_trees(context);
1812

1813
	/* We are called either by do_exit() or the fork() error handling code;
1814
	 * in the former case tsk == current and in the latter tsk is a
1815
	 * random task_struct that doesn't have any meaningful data we
1816
	 * need to log via audit_log_exit().
1817
	 */
1818
	if (tsk == current && !context->dummy) {
1819
		context->return_valid = AUDITSC_INVALID;
1820
		context->return_code = 0;
1821
		if (context->context == AUDIT_CTX_SYSCALL) {
1822
			audit_filter_syscall(tsk, context);
1823
			audit_filter_inodes(tsk, context);
1824
			if (context->current_state == AUDIT_STATE_RECORD)
1825
				audit_log_exit();
1826
		} else if (context->context == AUDIT_CTX_URING) {
1827
			/* TODO: verify this case is real and valid */
1828
			audit_filter_uring(tsk, context);
1829
			audit_filter_inodes(tsk, context);
1830
			if (context->current_state == AUDIT_STATE_RECORD)
1831
				audit_log_uring(context);
1832
		}
1833
	}
1834

1835
	audit_set_context(tsk, NULL);
1836
	audit_free_context(context);
1837
}
1838

1839
/**
1840
 * audit_return_fixup - fixup the return codes in the audit_context
1841
 * @ctx: the audit_context
1842
 * @success: true/false value to indicate if the operation succeeded or not
1843
 * @code: operation return code
1844
 *
1845
 * We need to fixup the return code in the audit logs if the actual return
1846
 * codes are later going to be fixed by the arch specific signal handlers.
1847
 */
1848
static void audit_return_fixup(struct audit_context *ctx,
1849
			       int success, long code)
1850
{
1851
	/*
1852
	 * This is actually a test for:
1853
	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
1854
	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
1855
	 *
1856
	 * but is faster than a bunch of ||
1857
	 */
1858
	if (unlikely(code <= -ERESTARTSYS) &&
1859
	    (code >= -ERESTART_RESTARTBLOCK) &&
1860
	    (code != -ENOIOCTLCMD))
1861
		ctx->return_code = -EINTR;
1862
	else
1863
		ctx->return_code  = code;
1864
	ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);
1865
}
1866

1867
/**
1868
 * __audit_uring_entry - prepare the kernel task's audit context for io_uring
1869
 * @op: the io_uring opcode
1870
 *
1871
 * This is similar to audit_syscall_entry() but is intended for use by io_uring
1872
 * operations.  This function should only ever be called from
1873
 * audit_uring_entry() as we rely on the audit context checking present in that
1874
 * function.
1875
 */
1876
void __audit_uring_entry(u8 op)
1877
{
1878
	struct audit_context *ctx = audit_context();
1879

1880
	if (ctx->state == AUDIT_STATE_DISABLED)
1881
		return;
1882

1883
	/*
1884
	 * NOTE: It's possible that we can be called from the process' context
1885
	 *       before it returns to userspace, and before audit_syscall_exit()
1886
	 *       is called.  In this case there is not much to do, just record
1887
	 *       the io_uring details and return.
1888
	 */
1889
	ctx->uring_op = op;
1890
	if (ctx->context == AUDIT_CTX_SYSCALL)
1891
		return;
1892

1893
	ctx->dummy = !audit_n_rules;
1894
	if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)
1895
		ctx->prio = 0;
1896

1897
	ctx->context = AUDIT_CTX_URING;
1898
	ctx->current_state = ctx->state;
1899
	ktime_get_coarse_real_ts64(&ctx->stamp.ctime);
1900
}
1901

1902
/**
1903
 * __audit_uring_exit - wrap up the kernel task's audit context after io_uring
1904
 * @success: true/false value to indicate if the operation succeeded or not
1905
 * @code: operation return code
1906
 *
1907
 * This is similar to audit_syscall_exit() but is intended for use by io_uring
1908
 * operations.  This function should only ever be called from
1909
 * audit_uring_exit() as we rely on the audit context checking present in that
1910
 * function.
1911
 */
1912
void __audit_uring_exit(int success, long code)
1913
{
1914
	struct audit_context *ctx = audit_context();
1915

1916
	if (ctx->dummy) {
1917
		if (ctx->context != AUDIT_CTX_URING)
1918
			return;
1919
		goto out;
1920
	}
1921

1922
	audit_return_fixup(ctx, success, code);
1923
	if (ctx->context == AUDIT_CTX_SYSCALL) {
1924
		/*
1925
		 * NOTE: See the note in __audit_uring_entry() about the case
1926
		 *       where we may be called from process context before we
1927
		 *       return to userspace via audit_syscall_exit().  In this
1928
		 *       case we simply emit a URINGOP record and bail, the
1929
		 *       normal syscall exit handling will take care of
1930
		 *       everything else.
1931
		 *       It is also worth mentioning that when we are called,
1932
		 *       the current process creds may differ from the creds
1933
		 *       used during the normal syscall processing; keep that
1934
		 *       in mind if/when we move the record generation code.
1935
		 */
1936

1937
		/*
1938
		 * We need to filter on the syscall info here to decide if we
1939
		 * should emit a URINGOP record.  I know it seems odd but this
1940
		 * solves the problem where users have a filter to block *all*
1941
		 * syscall records in the "exit" filter; we want to preserve
1942
		 * the behavior here.
1943
		 */
1944
		audit_filter_syscall(current, ctx);
1945
		if (ctx->current_state != AUDIT_STATE_RECORD)
1946
			audit_filter_uring(current, ctx);
1947
		audit_filter_inodes(current, ctx);
1948
		if (ctx->current_state != AUDIT_STATE_RECORD)
1949
			return;
1950

1951
		audit_log_uring(ctx);
1952
		return;
1953
	}
1954

1955
	/* this may generate CONFIG_CHANGE records */
1956
	if (!list_empty(&ctx->killed_trees))
1957
		audit_kill_trees(ctx);
1958

1959
	/* run through both filters to ensure we set the filterkey properly */
1960
	audit_filter_uring(current, ctx);
1961
	audit_filter_inodes(current, ctx);
1962
	if (ctx->current_state != AUDIT_STATE_RECORD)
1963
		goto out;
1964
	audit_log_exit();
1965

1966
out:
1967
	audit_reset_context(ctx);
1968
}
1969

1970
/**
1971
 * __audit_syscall_entry - fill in an audit record at syscall entry
1972
 * @major: major syscall type (function)
1973
 * @a1: additional syscall register 1
1974
 * @a2: additional syscall register 2
1975
 * @a3: additional syscall register 3
1976
 * @a4: additional syscall register 4
1977
 *
1978
 * Fill in audit context at syscall entry.  This only happens if the
1979
 * audit context was created when the task was created and the state or
1980
 * filters demand the audit context be built.  If the state from the
1981
 * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,
1982
 * then the record will be written at syscall exit time (otherwise, it
1983
 * will only be written if another part of the kernel requests that it
1984
 * be written).
1985
 */
1986
void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1987
			   unsigned long a3, unsigned long a4)
1988
{
1989
	struct audit_context *context = audit_context();
1990
	enum audit_state     state;
1991

1992
	if (!audit_enabled || !context)
1993
		return;
1994

1995
	WARN_ON(context->context != AUDIT_CTX_UNUSED);
1996
	WARN_ON(context->name_count);
1997
	if (context->context != AUDIT_CTX_UNUSED || context->name_count) {
1998
		audit_panic("unrecoverable error in audit_syscall_entry()");
1999
		return;
2000
	}
2001

2002
	state = context->state;
2003
	if (state == AUDIT_STATE_DISABLED)
2004
		return;
2005

2006
	context->dummy = !audit_n_rules;
2007
	if (!context->dummy && state == AUDIT_STATE_BUILD) {
2008
		context->prio = 0;
2009
		if (auditd_test_task(current))
2010
			return;
2011
	}
2012

2013
	context->arch	    = syscall_get_arch(current);
2014
	context->major      = major;
2015
	context->argv[0]    = a1;
2016
	context->argv[1]    = a2;
2017
	context->argv[2]    = a3;
2018
	context->argv[3]    = a4;
2019
	context->context = AUDIT_CTX_SYSCALL;
2020
	context->current_state  = state;
2021
	ktime_get_coarse_real_ts64(&context->stamp.ctime);
2022
}
2023

2024
/**
2025
 * __audit_syscall_exit - deallocate audit context after a system call
2026
 * @success: success value of the syscall
2027
 * @return_code: return value of the syscall
2028
 *
2029
 * Tear down after system call.  If the audit context has been marked as
2030
 * auditable (either because of the AUDIT_STATE_RECORD state from
2031
 * filtering, or because some other part of the kernel wrote an audit
2032
 * message), then write out the syscall information.  In call cases,
2033
 * free the names stored from getname().
2034
 */
2035
void __audit_syscall_exit(int success, long return_code)
2036
{
2037
	struct audit_context *context = audit_context();
2038

2039
	if (!context || context->dummy ||
2040
	    context->context != AUDIT_CTX_SYSCALL)
2041
		goto out;
2042

2043
	/* this may generate CONFIG_CHANGE records */
2044
	if (!list_empty(&context->killed_trees))
2045
		audit_kill_trees(context);
2046

2047
	audit_return_fixup(context, success, return_code);
2048
	/* run through both filters to ensure we set the filterkey properly */
2049
	audit_filter_syscall(current, context);
2050
	audit_filter_inodes(current, context);
2051
	if (context->current_state != AUDIT_STATE_RECORD)
2052
		goto out;
2053

2054
	audit_log_exit();
2055

2056
out:
2057
	audit_reset_context(context);
2058
}
2059

2060
static inline void handle_one(const struct inode *inode)
2061
{
2062
	struct audit_context *context;
2063
	struct audit_tree_refs *p;
2064
	struct audit_chunk *chunk;
2065
	int count;
2066

2067
	if (likely(!inode->i_fsnotify_marks))
2068
		return;
2069
	context = audit_context();
2070
	p = context->trees;
2071
	count = context->tree_count;
2072
	rcu_read_lock();
2073
	chunk = audit_tree_lookup(inode);
2074
	rcu_read_unlock();
2075
	if (!chunk)
2076
		return;
2077
	if (likely(put_tree_ref(context, chunk)))
2078
		return;
2079
	if (unlikely(!grow_tree_refs(context))) {
2080
		pr_warn("out of memory, audit has lost a tree reference\n");
2081
		audit_set_auditable(context);
2082
		audit_put_chunk(chunk);
2083
		unroll_tree_refs(context, p, count);
2084
		return;
2085
	}
2086
	put_tree_ref(context, chunk);
2087
}
2088

2089
static void handle_path(const struct dentry *dentry)
2090
{
2091
	struct audit_context *context;
2092
	struct audit_tree_refs *p;
2093
	const struct dentry *d, *parent;
2094
	struct audit_chunk *drop;
2095
	unsigned long seq;
2096
	int count;
2097

2098
	context = audit_context();
2099
	p = context->trees;
2100
	count = context->tree_count;
2101
retry:
2102
	drop = NULL;
2103
	d = dentry;
2104
	rcu_read_lock();
2105
	seq = read_seqbegin(&rename_lock);
2106
	for (;;) {
2107
		struct inode *inode = d_backing_inode(d);
2108

2109
		if (inode && unlikely(inode->i_fsnotify_marks)) {
2110
			struct audit_chunk *chunk;
2111

2112
			chunk = audit_tree_lookup(inode);
2113
			if (chunk) {
2114
				if (unlikely(!put_tree_ref(context, chunk))) {
2115
					drop = chunk;
2116
					break;
2117
				}
2118
			}
2119
		}
2120
		parent = d->d_parent;
2121
		if (parent == d)
2122
			break;
2123
		d = parent;
2124
	}
2125
	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
2126
		rcu_read_unlock();
2127
		if (!drop) {
2128
			/* just a race with rename */
2129
			unroll_tree_refs(context, p, count);
2130
			goto retry;
2131
		}
2132
		audit_put_chunk(drop);
2133
		if (grow_tree_refs(context)) {
2134
			/* OK, got more space */
2135
			unroll_tree_refs(context, p, count);
2136
			goto retry;
2137
		}
2138
		/* too bad */
2139
		pr_warn("out of memory, audit has lost a tree reference\n");
2140
		unroll_tree_refs(context, p, count);
2141
		audit_set_auditable(context);
2142
		return;
2143
	}
2144
	rcu_read_unlock();
2145
}
2146

2147
static struct audit_names *audit_alloc_name(struct audit_context *context,
2148
						unsigned char type)
2149
{
2150
	struct audit_names *aname;
2151

2152
	if (context->name_count < AUDIT_NAMES) {
2153
		aname = &context->preallocated_names[context->name_count];
2154
		memset(aname, 0, sizeof(*aname));
2155
	} else {
2156
		aname = kzalloc(sizeof(*aname), GFP_NOFS);
2157
		if (!aname)
2158
			return NULL;
2159
		aname->should_free = true;
2160
	}
2161

2162
	aname->ino = AUDIT_INO_UNSET;
2163
	aname->type = type;
2164
	list_add_tail(&aname->list, &context->names_list);
2165

2166
	context->name_count++;
2167
	if (!context->pwd.dentry)
2168
		get_fs_pwd(current->fs, &context->pwd);
2169
	return aname;
2170
}
2171

2172
/**
2173
 * __audit_reusename - fill out filename with info from existing entry
2174
 * @uptr: userland ptr to pathname
2175
 *
2176
 * Search the audit_names list for the current audit context. If there is an
2177
 * existing entry with a matching "uptr" then return the filename
2178
 * associated with that audit_name. If not, return NULL.
2179
 */
2180
struct filename *
2181
__audit_reusename(const __user char *uptr)
2182
{
2183
	struct audit_context *context = audit_context();
2184
	struct audit_names *n;
2185

2186
	list_for_each_entry(n, &context->names_list, list) {
2187
		if (!n->name)
2188
			continue;
2189
		if (n->name->uptr == uptr)
2190
			return refname(n->name);
2191
	}
2192
	return NULL;
2193
}
2194

2195
/**
2196
 * __audit_getname - add a name to the list
2197
 * @name: name to add
2198
 *
2199
 * Add a name to the list of audit names for this context.
2200
 * Called from fs/namei.c:getname().
2201
 */
2202
void __audit_getname(struct filename *name)
2203
{
2204
	struct audit_context *context = audit_context();
2205
	struct audit_names *n;
2206

2207
	if (context->context == AUDIT_CTX_UNUSED)
2208
		return;
2209

2210
	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2211
	if (!n)
2212
		return;
2213

2214
	n->name = name;
2215
	n->name_len = AUDIT_NAME_FULL;
2216
	name->aname = n;
2217
	refname(name);
2218
}
2219

2220
static inline int audit_copy_fcaps(struct audit_names *name,
2221
				   const struct dentry *dentry)
2222
{
2223
	struct cpu_vfs_cap_data caps;
2224
	int rc;
2225

2226
	if (!dentry)
2227
		return 0;
2228

2229
	rc = get_vfs_caps_from_disk(&nop_mnt_idmap, dentry, &caps);
2230
	if (rc)
2231
		return rc;
2232

2233
	name->fcap.permitted = caps.permitted;
2234
	name->fcap.inheritable = caps.inheritable;
2235
	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2236
	name->fcap.rootid = caps.rootid;
2237
	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
2238
				VFS_CAP_REVISION_SHIFT;
2239

2240
	return 0;
2241
}
2242

2243
/* Copy inode data into an audit_names. */
2244
static void audit_copy_inode(struct audit_names *name,
2245
			     const struct dentry *dentry,
2246
			     struct inode *inode, unsigned int flags)
2247
{
2248
	name->ino   = inode->i_ino;
2249
	name->dev   = inode->i_sb->s_dev;
2250
	name->mode  = inode->i_mode;
2251
	name->uid   = inode->i_uid;
2252
	name->gid   = inode->i_gid;
2253
	name->rdev  = inode->i_rdev;
2254
	security_inode_getlsmprop(inode, &name->oprop);
2255
	if (flags & AUDIT_INODE_NOEVAL) {
2256
		name->fcap_ver = -1;
2257
		return;
2258
	}
2259
	audit_copy_fcaps(name, dentry);
2260
}
2261

2262
/**
2263
 * __audit_inode - store the inode and device from a lookup
2264
 * @name: name being audited
2265
 * @dentry: dentry being audited
2266
 * @flags: attributes for this particular entry
2267
 */
2268
void __audit_inode(struct filename *name, const struct dentry *dentry,
2269
		   unsigned int flags)
2270
{
2271
	struct audit_context *context = audit_context();
2272
	struct inode *inode = d_backing_inode(dentry);
2273
	struct audit_names *n;
2274
	bool parent = flags & AUDIT_INODE_PARENT;
2275
	struct audit_entry *e;
2276
	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2277
	int i;
2278

2279
	if (context->context == AUDIT_CTX_UNUSED)
2280
		return;
2281

2282
	rcu_read_lock();
2283
	list_for_each_entry_rcu(e, list, list) {
2284
		for (i = 0; i < e->rule.field_count; i++) {
2285
			struct audit_field *f = &e->rule.fields[i];
2286

2287
			if (f->type == AUDIT_FSTYPE
2288
			    && audit_comparator(inode->i_sb->s_magic,
2289
						f->op, f->val)
2290
			    && e->rule.action == AUDIT_NEVER) {
2291
				rcu_read_unlock();
2292
				return;
2293
			}
2294
		}
2295
	}
2296
	rcu_read_unlock();
2297

2298
	if (!name)
2299
		goto out_alloc;
2300

2301
	/*
2302
	 * If we have a pointer to an audit_names entry already, then we can
2303
	 * just use it directly if the type is correct.
2304
	 */
2305
	n = name->aname;
2306
	if (n) {
2307
		if (parent) {
2308
			if (n->type == AUDIT_TYPE_PARENT ||
2309
			    n->type == AUDIT_TYPE_UNKNOWN)
2310
				goto out;
2311
		} else {
2312
			if (n->type != AUDIT_TYPE_PARENT)
2313
				goto out;
2314
		}
2315
	}
2316

2317
	list_for_each_entry_reverse(n, &context->names_list, list) {
2318
		if (n->ino) {
2319
			/* valid inode number, use that for the comparison */
2320
			if (n->ino != inode->i_ino ||
2321
			    n->dev != inode->i_sb->s_dev)
2322
				continue;
2323
		} else if (n->name) {
2324
			/* inode number has not been set, check the name */
2325
			if (strcmp(n->name->name, name->name))
2326
				continue;
2327
		} else
2328
			/* no inode and no name (?!) ... this is odd ... */
2329
			continue;
2330

2331
		/* match the correct record type */
2332
		if (parent) {
2333
			if (n->type == AUDIT_TYPE_PARENT ||
2334
			    n->type == AUDIT_TYPE_UNKNOWN)
2335
				goto out;
2336
		} else {
2337
			if (n->type != AUDIT_TYPE_PARENT)
2338
				goto out;
2339
		}
2340
	}
2341

2342
out_alloc:
2343
	/* unable to find an entry with both a matching name and type */
2344
	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2345
	if (!n)
2346
		return;
2347
	if (name) {
2348
		n->name = name;
2349
		refname(name);
2350
	}
2351

2352
out:
2353
	if (parent) {
2354
		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2355
		n->type = AUDIT_TYPE_PARENT;
2356
		if (flags & AUDIT_INODE_HIDDEN)
2357
			n->hidden = true;
2358
	} else {
2359
		n->name_len = AUDIT_NAME_FULL;
2360
		n->type = AUDIT_TYPE_NORMAL;
2361
	}
2362
	handle_path(dentry);
2363
	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2364
}
2365

2366
void __audit_file(const struct file *file)
2367
{
2368
	__audit_inode(NULL, file->f_path.dentry, 0);
2369
}
2370

2371
/**
2372
 * __audit_inode_child - collect inode info for created/removed objects
2373
 * @parent: inode of dentry parent
2374
 * @dentry: dentry being audited
2375
 * @type:   AUDIT_TYPE_* value that we're looking for
2376
 *
2377
 * For syscalls that create or remove filesystem objects, audit_inode
2378
 * can only collect information for the filesystem object's parent.
2379
 * This call updates the audit context with the child's information.
2380
 * Syscalls that create a new filesystem object must be hooked after
2381
 * the object is created.  Syscalls that remove a filesystem object
2382
 * must be hooked prior, in order to capture the target inode during
2383
 * unsuccessful attempts.
2384
 */
2385
void __audit_inode_child(struct inode *parent,
2386
			 const struct dentry *dentry,
2387
			 const unsigned char type)
2388
{
2389
	struct audit_context *context = audit_context();
2390
	struct inode *inode = d_backing_inode(dentry);
2391
	const struct qstr *dname = &dentry->d_name;
2392
	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2393
	struct audit_entry *e;
2394
	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2395
	int i;
2396

2397
	if (context->context == AUDIT_CTX_UNUSED)
2398
		return;
2399

2400
	rcu_read_lock();
2401
	list_for_each_entry_rcu(e, list, list) {
2402
		for (i = 0; i < e->rule.field_count; i++) {
2403
			struct audit_field *f = &e->rule.fields[i];
2404

2405
			if (f->type == AUDIT_FSTYPE
2406
			    && audit_comparator(parent->i_sb->s_magic,
2407
						f->op, f->val)
2408
			    && e->rule.action == AUDIT_NEVER) {
2409
				rcu_read_unlock();
2410
				return;
2411
			}
2412
		}
2413
	}
2414
	rcu_read_unlock();
2415

2416
	if (inode)
2417
		handle_one(inode);
2418

2419
	/* look for a parent entry first */
2420
	list_for_each_entry(n, &context->names_list, list) {
2421
		if (!n->name ||
2422
		    (n->type != AUDIT_TYPE_PARENT &&
2423
		     n->type != AUDIT_TYPE_UNKNOWN))
2424
			continue;
2425

2426
		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2427
		    !audit_compare_dname_path(dname,
2428
					      n->name->name, n->name_len)) {
2429
			if (n->type == AUDIT_TYPE_UNKNOWN)
2430
				n->type = AUDIT_TYPE_PARENT;
2431
			found_parent = n;
2432
			break;
2433
		}
2434
	}
2435

2436
	cond_resched();
2437

2438
	/* is there a matching child entry? */
2439
	list_for_each_entry(n, &context->names_list, list) {
2440
		/* can only match entries that have a name */
2441
		if (!n->name ||
2442
		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2443
			continue;
2444

2445
		if (!strcmp(dname->name, n->name->name) ||
2446
		    !audit_compare_dname_path(dname, n->name->name,
2447
						found_parent ?
2448
						found_parent->name_len :
2449
						AUDIT_NAME_FULL)) {
2450
			if (n->type == AUDIT_TYPE_UNKNOWN)
2451
				n->type = type;
2452
			found_child = n;
2453
			break;
2454
		}
2455
	}
2456

2457
	if (!found_parent) {
2458
		/* create a new, "anonymous" parent record */
2459
		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2460
		if (!n)
2461
			return;
2462
		audit_copy_inode(n, NULL, parent, 0);
2463
	}
2464

2465
	if (!found_child) {
2466
		found_child = audit_alloc_name(context, type);
2467
		if (!found_child)
2468
			return;
2469

2470
		/* Re-use the name belonging to the slot for a matching parent
2471
		 * directory. All names for this context are relinquished in
2472
		 * audit_free_names() */
2473
		if (found_parent) {
2474
			found_child->name = found_parent->name;
2475
			found_child->name_len = AUDIT_NAME_FULL;
2476
			refname(found_child->name);
2477
		}
2478
	}
2479

2480
	if (inode)
2481
		audit_copy_inode(found_child, dentry, inode, 0);
2482
	else
2483
		found_child->ino = AUDIT_INO_UNSET;
2484
}
2485
EXPORT_SYMBOL_GPL(__audit_inode_child);
2486

2487
/**
2488
 * auditsc_get_stamp - get local copies of audit_context values
2489
 * @ctx: audit_context for the task
2490
 * @stamp: timestamp to record
2491
 *
2492
 * Also sets the context as auditable.
2493
 */
2494
int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp)
2495
{
2496
	if (ctx->context == AUDIT_CTX_UNUSED)
2497
		return 0;
2498
	if (!ctx->stamp.serial)
2499
		ctx->stamp.serial = audit_serial();
2500
	*stamp = ctx->stamp;
2501
	if (!ctx->prio) {
2502
		ctx->prio = 1;
2503
		ctx->current_state = AUDIT_STATE_RECORD;
2504
	}
2505
	return 1;
2506
}
2507

2508
/**
2509
 * __audit_mq_open - record audit data for a POSIX MQ open
2510
 * @oflag: open flag
2511
 * @mode: mode bits
2512
 * @attr: queue attributes
2513
 *
2514
 */
2515
void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2516
{
2517
	struct audit_context *context = audit_context();
2518

2519
	if (attr)
2520
		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2521
	else
2522
		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2523

2524
	context->mq_open.oflag = oflag;
2525
	context->mq_open.mode = mode;
2526

2527
	context->type = AUDIT_MQ_OPEN;
2528
}
2529

2530
/**
2531
 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2532
 * @mqdes: MQ descriptor
2533
 * @msg_len: Message length
2534
 * @msg_prio: Message priority
2535
 * @abs_timeout: Message timeout in absolute time
2536
 *
2537
 */
2538
void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2539
			const struct timespec64 *abs_timeout)
2540
{
2541
	struct audit_context *context = audit_context();
2542
	struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2543

2544
	if (abs_timeout)
2545
		memcpy(p, abs_timeout, sizeof(*p));
2546
	else
2547
		memset(p, 0, sizeof(*p));
2548

2549
	context->mq_sendrecv.mqdes = mqdes;
2550
	context->mq_sendrecv.msg_len = msg_len;
2551
	context->mq_sendrecv.msg_prio = msg_prio;
2552

2553
	context->type = AUDIT_MQ_SENDRECV;
2554
}
2555

2556
/**
2557
 * __audit_mq_notify - record audit data for a POSIX MQ notify
2558
 * @mqdes: MQ descriptor
2559
 * @notification: Notification event
2560
 *
2561
 */
2562

2563
void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2564
{
2565
	struct audit_context *context = audit_context();
2566

2567
	if (notification)
2568
		context->mq_notify.sigev_signo = notification->sigev_signo;
2569
	else
2570
		context->mq_notify.sigev_signo = 0;
2571

2572
	context->mq_notify.mqdes = mqdes;
2573
	context->type = AUDIT_MQ_NOTIFY;
2574
}
2575

2576
/**
2577
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2578
 * @mqdes: MQ descriptor
2579
 * @mqstat: MQ flags
2580
 *
2581
 */
2582
void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2583
{
2584
	struct audit_context *context = audit_context();
2585

2586
	context->mq_getsetattr.mqdes = mqdes;
2587
	context->mq_getsetattr.mqstat = *mqstat;
2588
	context->type = AUDIT_MQ_GETSETATTR;
2589
}
2590

2591
/**
2592
 * __audit_ipc_obj - record audit data for ipc object
2593
 * @ipcp: ipc permissions
2594
 *
2595
 */
2596
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2597
{
2598
	struct audit_context *context = audit_context();
2599

2600
	context->ipc.uid = ipcp->uid;
2601
	context->ipc.gid = ipcp->gid;
2602
	context->ipc.mode = ipcp->mode;
2603
	context->ipc.has_perm = 0;
2604
	security_ipc_getlsmprop(ipcp, &context->ipc.oprop);
2605
	context->type = AUDIT_IPC;
2606
}
2607

2608
/**
2609
 * __audit_ipc_set_perm - record audit data for new ipc permissions
2610
 * @qbytes: msgq bytes
2611
 * @uid: msgq user id
2612
 * @gid: msgq group id
2613
 * @mode: msgq mode (permissions)
2614
 *
2615
 * Called only after audit_ipc_obj().
2616
 */
2617
void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2618
{
2619
	struct audit_context *context = audit_context();
2620

2621
	context->ipc.qbytes = qbytes;
2622
	context->ipc.perm_uid = uid;
2623
	context->ipc.perm_gid = gid;
2624
	context->ipc.perm_mode = mode;
2625
	context->ipc.has_perm = 1;
2626
}
2627

2628
void __audit_bprm(struct linux_binprm *bprm)
2629
{
2630
	struct audit_context *context = audit_context();
2631

2632
	context->type = AUDIT_EXECVE;
2633
	context->execve.argc = bprm->argc;
2634
}
2635

2636

2637
/**
2638
 * __audit_socketcall - record audit data for sys_socketcall
2639
 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2640
 * @args: args array
2641
 *
2642
 */
2643
int __audit_socketcall(int nargs, unsigned long *args)
2644
{
2645
	struct audit_context *context = audit_context();
2646

2647
	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2648
		return -EINVAL;
2649
	context->type = AUDIT_SOCKETCALL;
2650
	context->socketcall.nargs = nargs;
2651
	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2652
	return 0;
2653
}
2654

2655
/**
2656
 * __audit_fd_pair - record audit data for pipe and socketpair
2657
 * @fd1: the first file descriptor
2658
 * @fd2: the second file descriptor
2659
 *
2660
 */
2661
void __audit_fd_pair(int fd1, int fd2)
2662
{
2663
	struct audit_context *context = audit_context();
2664

2665
	context->fds[0] = fd1;
2666
	context->fds[1] = fd2;
2667
}
2668

2669
/**
2670
 * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2671
 * @len: data length in user space
2672
 * @a: data address in kernel space
2673
 *
2674
 * Returns 0 for success or NULL context or < 0 on error.
2675
 */
2676
int __audit_sockaddr(int len, void *a)
2677
{
2678
	struct audit_context *context = audit_context();
2679

2680
	if (!context->sockaddr) {
2681
		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2682

2683
		if (!p)
2684
			return -ENOMEM;
2685
		context->sockaddr = p;
2686
	}
2687

2688
	context->sockaddr_len = len;
2689
	memcpy(context->sockaddr, a, len);
2690
	return 0;
2691
}
2692

2693
void __audit_ptrace(struct task_struct *t)
2694
{
2695
	struct audit_context *context = audit_context();
2696

2697
	context->target_pid = task_tgid_nr(t);
2698
	context->target_auid = audit_get_loginuid(t);
2699
	context->target_uid = task_uid(t);
2700
	context->target_sessionid = audit_get_sessionid(t);
2701
	strscpy(context->target_comm, t->comm);
2702
	security_task_getlsmprop_obj(t, &context->target_ref);
2703
}
2704

2705
/**
2706
 * audit_signal_info_syscall - record signal info for syscalls
2707
 * @t: task being signaled
2708
 *
2709
 * If the audit subsystem is being terminated, record the task (pid)
2710
 * and uid that is doing that.
2711
 */
2712
int audit_signal_info_syscall(struct task_struct *t)
2713
{
2714
	struct audit_aux_data_pids *axp;
2715
	struct audit_context *ctx = audit_context();
2716
	kuid_t t_uid = task_uid(t);
2717

2718
	if (!audit_signals || audit_dummy_context())
2719
		return 0;
2720

2721
	/* optimize the common case by putting first signal recipient directly
2722
	 * in audit_context */
2723
	if (!ctx->target_pid) {
2724
		ctx->target_pid = task_tgid_nr(t);
2725
		ctx->target_auid = audit_get_loginuid(t);
2726
		ctx->target_uid = t_uid;
2727
		ctx->target_sessionid = audit_get_sessionid(t);
2728
		strscpy(ctx->target_comm, t->comm);
2729
		security_task_getlsmprop_obj(t, &ctx->target_ref);
2730
		return 0;
2731
	}
2732

2733
	axp = (void *)ctx->aux_pids;
2734
	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2735
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2736
		if (!axp)
2737
			return -ENOMEM;
2738

2739
		axp->d.type = AUDIT_OBJ_PID;
2740
		axp->d.next = ctx->aux_pids;
2741
		ctx->aux_pids = (void *)axp;
2742
	}
2743
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2744

2745
	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2746
	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2747
	axp->target_uid[axp->pid_count] = t_uid;
2748
	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2749
	security_task_getlsmprop_obj(t, &axp->target_ref[axp->pid_count]);
2750
	strscpy(axp->target_comm[axp->pid_count], t->comm);
2751
	axp->pid_count++;
2752

2753
	return 0;
2754
}
2755

2756
/**
2757
 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2758
 * @bprm: pointer to the bprm being processed
2759
 * @new: the proposed new credentials
2760
 * @old: the old credentials
2761
 *
2762
 * Simply check if the proc already has the caps given by the file and if not
2763
 * store the priv escalation info for later auditing at the end of the syscall
2764
 *
2765
 * -Eric
2766
 */
2767
int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2768
			   const struct cred *new, const struct cred *old)
2769
{
2770
	struct audit_aux_data_bprm_fcaps *ax;
2771
	struct audit_context *context = audit_context();
2772
	struct cpu_vfs_cap_data vcaps;
2773

2774
	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2775
	if (!ax)
2776
		return -ENOMEM;
2777

2778
	ax->d.type = AUDIT_BPRM_FCAPS;
2779
	ax->d.next = context->aux;
2780
	context->aux = (void *)ax;
2781

2782
	get_vfs_caps_from_disk(&nop_mnt_idmap,
2783
			       bprm->file->f_path.dentry, &vcaps);
2784

2785
	ax->fcap.permitted = vcaps.permitted;
2786
	ax->fcap.inheritable = vcaps.inheritable;
2787
	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2788
	ax->fcap.rootid = vcaps.rootid;
2789
	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2790

2791
	ax->old_pcap.permitted   = old->cap_permitted;
2792
	ax->old_pcap.inheritable = old->cap_inheritable;
2793
	ax->old_pcap.effective   = old->cap_effective;
2794
	ax->old_pcap.ambient     = old->cap_ambient;
2795

2796
	ax->new_pcap.permitted   = new->cap_permitted;
2797
	ax->new_pcap.inheritable = new->cap_inheritable;
2798
	ax->new_pcap.effective   = new->cap_effective;
2799
	ax->new_pcap.ambient     = new->cap_ambient;
2800
	return 0;
2801
}
2802

2803
/**
2804
 * __audit_log_capset - store information about the arguments to the capset syscall
2805
 * @new: the new credentials
2806
 * @old: the old (current) credentials
2807
 *
2808
 * Record the arguments userspace sent to sys_capset for later printing by the
2809
 * audit system if applicable
2810
 */
2811
void __audit_log_capset(const struct cred *new, const struct cred *old)
2812
{
2813
	struct audit_context *context = audit_context();
2814

2815
	context->capset.pid = task_tgid_nr(current);
2816
	context->capset.cap.effective   = new->cap_effective;
2817
	context->capset.cap.inheritable = new->cap_effective;
2818
	context->capset.cap.permitted   = new->cap_permitted;
2819
	context->capset.cap.ambient     = new->cap_ambient;
2820
	context->type = AUDIT_CAPSET;
2821
}
2822

2823
void __audit_mmap_fd(int fd, int flags)
2824
{
2825
	struct audit_context *context = audit_context();
2826

2827
	context->mmap.fd = fd;
2828
	context->mmap.flags = flags;
2829
	context->type = AUDIT_MMAP;
2830
}
2831

2832
void __audit_openat2_how(struct open_how *how)
2833
{
2834
	struct audit_context *context = audit_context();
2835

2836
	context->openat2.flags = how->flags;
2837
	context->openat2.mode = how->mode;
2838
	context->openat2.resolve = how->resolve;
2839
	context->type = AUDIT_OPENAT2;
2840
}
2841

2842
void __audit_log_kern_module(const char *name)
2843
{
2844
	struct audit_context *context = audit_context();
2845

2846
	context->module.name = kstrdup(name, GFP_KERNEL);
2847
	if (!context->module.name)
2848
		audit_log_lost("out of memory in __audit_log_kern_module");
2849
	context->type = AUDIT_KERN_MODULE;
2850
}
2851

2852
void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
2853
{
2854
	/* {subj,obj}_trust values are {0,1,2}: no,yes,unknown */
2855
	switch (friar->hdr.type) {
2856
	case FAN_RESPONSE_INFO_NONE:
2857
		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
2858
			  "resp=%u fan_type=%u fan_info=0 subj_trust=2 obj_trust=2",
2859
			  response, FAN_RESPONSE_INFO_NONE);
2860
		break;
2861
	case FAN_RESPONSE_INFO_AUDIT_RULE:
2862
		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
2863
			  "resp=%u fan_type=%u fan_info=%X subj_trust=%u obj_trust=%u",
2864
			  response, friar->hdr.type, friar->rule_number,
2865
			  friar->subj_trust, friar->obj_trust);
2866
	}
2867
}
2868

2869
void __audit_tk_injoffset(struct timespec64 offset)
2870
{
2871
	struct audit_context *context = audit_context();
2872

2873
	/* only set type if not already set by NTP */
2874
	if (!context->type)
2875
		context->type = AUDIT_TIME_INJOFFSET;
2876
	memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
2877
}
2878

2879
void __audit_ntp_log(const struct audit_ntp_data *ad)
2880
{
2881
	struct audit_context *context = audit_context();
2882
	int type;
2883

2884
	for (type = 0; type < AUDIT_NTP_NVALS; type++)
2885
		if (ad->vals[type].newval != ad->vals[type].oldval) {
2886
			/* unconditionally set type, overwriting TK */
2887
			context->type = AUDIT_TIME_ADJNTPVAL;
2888
			memcpy(&context->time.ntp_data, ad, sizeof(*ad));
2889
			break;
2890
		}
2891
}
2892

2893
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
2894
		       enum audit_nfcfgop op, gfp_t gfp)
2895
{
2896
	struct audit_buffer *ab;
2897
	char comm[sizeof(current->comm)];
2898

2899
	ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);
2900
	if (!ab)
2901
		return;
2902
	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
2903
			 name, af, nentries, audit_nfcfgs[op].s);
2904

2905
	audit_log_format(ab, " pid=%u", task_tgid_nr(current));
2906
	audit_log_task_context(ab); /* subj= */
2907
	audit_log_format(ab, " comm=");
2908
	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2909
	audit_log_end(ab);
2910
}
2911
EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
2912

2913
static void audit_log_task(struct audit_buffer *ab)
2914
{
2915
	kuid_t auid, uid;
2916
	kgid_t gid;
2917
	unsigned int sessionid;
2918
	char comm[sizeof(current->comm)];
2919

2920
	auid = audit_get_loginuid(current);
2921
	sessionid = audit_get_sessionid(current);
2922
	current_uid_gid(&uid, &gid);
2923

2924
	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2925
			 from_kuid(&init_user_ns, auid),
2926
			 from_kuid(&init_user_ns, uid),
2927
			 from_kgid(&init_user_ns, gid),
2928
			 sessionid);
2929
	audit_log_task_context(ab);
2930
	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2931
	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2932
	audit_log_d_path_exe(ab, current->mm);
2933
}
2934

2935
/**
2936
 * audit_core_dumps - record information about processes that end abnormally
2937
 * @signr: signal value
2938
 *
2939
 * If a process ends with a core dump, something fishy is going on and we
2940
 * should record the event for investigation.
2941
 */
2942
void audit_core_dumps(long signr)
2943
{
2944
	struct audit_buffer *ab;
2945

2946
	if (!audit_enabled)
2947
		return;
2948

2949
	if (signr == SIGQUIT)	/* don't care for those */
2950
		return;
2951

2952
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2953
	if (unlikely(!ab))
2954
		return;
2955
	audit_log_task(ab);
2956
	audit_log_format(ab, " sig=%ld res=1", signr);
2957
	audit_log_end(ab);
2958
}
2959

2960
/**
2961
 * audit_seccomp - record information about a seccomp action
2962
 * @syscall: syscall number
2963
 * @signr: signal value
2964
 * @code: the seccomp action
2965
 *
2966
 * Record the information associated with a seccomp action. Event filtering for
2967
 * seccomp actions that are not to be logged is done in seccomp_log().
2968
 * Therefore, this function forces auditing independent of the audit_enabled
2969
 * and dummy context state because seccomp actions should be logged even when
2970
 * audit is not in use.
2971
 */
2972
void audit_seccomp(unsigned long syscall, long signr, int code)
2973
{
2974
	struct audit_buffer *ab;
2975

2976
	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
2977
	if (unlikely(!ab))
2978
		return;
2979
	audit_log_task(ab);
2980
	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2981
			 signr, syscall_get_arch(current), syscall,
2982
			 in_compat_syscall(), KSTK_EIP(current), code);
2983
	audit_log_end(ab);
2984
}
2985

2986
void audit_seccomp_actions_logged(const char *names, const char *old_names,
2987
				  int res)
2988
{
2989
	struct audit_buffer *ab;
2990

2991
	if (!audit_enabled)
2992
		return;
2993

2994
	ab = audit_log_start(audit_context(), GFP_KERNEL,
2995
			     AUDIT_CONFIG_CHANGE);
2996
	if (unlikely(!ab))
2997
		return;
2998

2999
	audit_log_format(ab,
3000
			 "op=seccomp-logging actions=%s old-actions=%s res=%d",
3001
			 names, old_names, res);
3002
	audit_log_end(ab);
3003
}
3004

3005
struct list_head *audit_killed_trees(void)
3006
{
3007
	struct audit_context *ctx = audit_context();
3008
	if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))
3009
		return NULL;
3010
	return &ctx->killed_trees;
3011
}
3012

3013