Commit b8989bcc authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit

Pull audit updates from Paul Moore:
 "The audit changes for v4.11 are relatively small compared to what we
  did for v4.10, both in terms of size and impact.

   - two patches from Steve tweak the formatting for some of the audit
     records to make them more consistent with other audit records.

   - three patches from Richard record the name of a module on module
     load, fix the logging of sockaddr information when using
     socketcall() on 32-bit systems, and add the ability to reset
     audit's lost record counter.

   - my lone patch just fixes an annoying style nit that I was reminded
     about by one of Richard's patches.

  All these patches pass our test suite"

* 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit:
  audit: remove unnecessary curly braces from switch/case statements
  audit: log module name on init_module
  audit: log 32-bit socketcalls
  audit: add feature audit_lost reset
  audit: Make AUDIT_ANOM_ABEND event normalized
  audit: Make AUDIT_KERNEL event conform to the specification
parents c9341ee0 fe8e52b9
...@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, ...@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *old); const struct cred *old);
extern void __audit_log_capset(const struct cred *new, const struct cred *old); extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags); extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{ {
...@@ -387,6 +388,20 @@ static inline int audit_socketcall(int nargs, unsigned long *args) ...@@ -387,6 +388,20 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
return __audit_socketcall(nargs, args); return __audit_socketcall(nargs, args);
return 0; return 0;
} }
static inline int audit_socketcall_compat(int nargs, u32 *args)
{
unsigned long a[AUDITSC_ARGS];
int i;
if (audit_dummy_context())
return 0;
for (i = 0; i < nargs; i++)
a[i] = (unsigned long)args[i];
return __audit_socketcall(nargs, a);
}
static inline int audit_sockaddr(int len, void *addr) static inline int audit_sockaddr(int len, void *addr)
{ {
if (unlikely(!audit_dummy_context())) if (unlikely(!audit_dummy_context()))
...@@ -436,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags) ...@@ -436,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags); __audit_mmap_fd(fd, flags);
} }
static inline void audit_log_kern_module(char *name)
{
if (!audit_dummy_context())
__audit_log_kern_module(name);
}
extern int audit_n_rules; extern int audit_n_rules;
extern int audit_signals; extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */ #else /* CONFIG_AUDITSYSCALL */
...@@ -513,6 +534,12 @@ static inline int audit_socketcall(int nargs, unsigned long *args) ...@@ -513,6 +534,12 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
{ {
return 0; return 0;
} }
static inline int audit_socketcall_compat(int nargs, u32 *args)
{
return 0;
}
static inline void audit_fd_pair(int fd1, int fd2) static inline void audit_fd_pair(int fd1, int fd2)
{ } { }
static inline int audit_sockaddr(int len, void *addr) static inline int audit_sockaddr(int len, void *addr)
...@@ -541,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new, ...@@ -541,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
{ } { }
static inline void audit_mmap_fd(int fd, int flags) static inline void audit_mmap_fd(int fd, int flags)
{ } { }
static inline void audit_log_kern_module(char *name)
{
}
static inline void audit_ptrace(struct task_struct *t) static inline void audit_ptrace(struct task_struct *t)
{ } { }
#define audit_n_rules 0 #define audit_n_rules 0
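Review bot: In `audit_socketcall_compat()` the widening loop stores `a[i]` for every `i < nargs` into a stack array of `AUDITSC_ARGS` entries without first checking `nargs`, so the helper's memory safety rests entirely on its callers. The compat `socketcall` entry point shown later on this page does bound the length before calling. A shared inline helper should still enforce its own limit, because any validation inside `__audit_socketcall()` would run only after the copy. Add `if (nargs > AUDITSC_ARGS) return -EINVAL;` after the `audit_dummy_context()` test and before the loop. Separately, `audit_log_kern_module()` and `__audit_log_kern_module()` could take `const char *name`, since the implementation on this page only reads the string.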
......
...@@ -111,6 +111,7 @@ ...@@ -111,6 +111,7 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */ #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
...@@ -326,17 +327,21 @@ enum { ...@@ -326,17 +327,21 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008 #define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010 #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET)
/* deprecated: AUDIT_VERSION_* */ /* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
......
...@@ -1058,6 +1058,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -1058,6 +1058,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0) if (err < 0)
return err; return err;
} }
if (s.mask == AUDIT_STATUS_LOST) {
u32 lost = atomic_xchg(&audit_lost, 0);
audit_log_config_change("lost", 0, lost, 1);
return lost;
}
break; break;
} }
case AUDIT_GET_FEATURE: case AUDIT_GET_FEATURE:
...@@ -1349,7 +1355,9 @@ static int __init audit_init(void) ...@@ -1349,7 +1355,9 @@ static int __init audit_init(void)
panic("audit: failed to start the kauditd thread (%d)\n", err); panic("audit: failed to start the kauditd thread (%d)\n", err);
} }
audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized"); audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
"state=initialized audit_enabled=%u res=1",
audit_enabled);
return 0; return 0;
} }
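Review bot: The reset branch added to `audit_receive_msg()` ends with `return lost;`, but `lost` is a `u32` and the function returns `int`, so a counter above `INT_MAX` comes back negative and would presumably be read as an error code by the netlink caller (not visible here). Clamping the value, or reporting the old count in a reply message rather than through the return value, removes that ambiguity. The test `s.mask == AUDIT_STATUS_LOST` also fires only when no other status bit is set, so a request that combines it with other bits silently skips the reset. If that exclusivity is intended, it deserves a comment such as `/* lost reset must be requested on its own; the old count is the return value */`. The enclosing case block starts outside the hunk.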
......
...@@ -199,6 +199,9 @@ struct audit_context { ...@@ -199,6 +199,9 @@ struct audit_context {
struct { struct {
int argc; int argc;
} execve; } execve;
struct {
char *name;
} module;
}; };
int fds[2]; int fds[2];
struct audit_proctitle proctitle; struct audit_proctitle proctitle;
......
...@@ -1221,7 +1221,7 @@ static void show_special(struct audit_context *context, int *call_panic) ...@@ -1221,7 +1221,7 @@ static void show_special(struct audit_context *context, int *call_panic)
context->ipc.perm_mode); context->ipc.perm_mode);
} }
break; } break; }
case AUDIT_MQ_OPEN: { case AUDIT_MQ_OPEN:
audit_log_format(ab, audit_log_format(ab,
"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
"mq_msgsize=%ld mq_curmsgs=%ld", "mq_msgsize=%ld mq_curmsgs=%ld",
...@@ -1230,8 +1230,8 @@ static void show_special(struct audit_context *context, int *call_panic) ...@@ -1230,8 +1230,8 @@ static void show_special(struct audit_context *context, int *call_panic)
context->mq_open.attr.mq_maxmsg, context->mq_open.attr.mq_maxmsg,
context->mq_open.attr.mq_msgsize, context->mq_open.attr.mq_msgsize,
context->mq_open.attr.mq_curmsgs); context->mq_open.attr.mq_curmsgs);
break; } break;
case AUDIT_MQ_SENDRECV: { case AUDIT_MQ_SENDRECV:
audit_log_format(ab, audit_log_format(ab,
"mqdes=%d msg_len=%zd msg_prio=%u " "mqdes=%d msg_len=%zd msg_prio=%u "
"abs_timeout_sec=%ld abs_timeout_nsec=%ld", "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
...@@ -1240,12 +1240,12 @@ static void show_special(struct audit_context *context, int *call_panic) ...@@ -1240,12 +1240,12 @@ static void show_special(struct audit_context *context, int *call_panic)
context->mq_sendrecv.msg_prio, context->mq_sendrecv.msg_prio,
context->mq_sendrecv.abs_timeout.tv_sec, context->mq_sendrecv.abs_timeout.tv_sec,
context->mq_sendrecv.abs_timeout.tv_nsec); context->mq_sendrecv.abs_timeout.tv_nsec);
break; } break;
case AUDIT_MQ_NOTIFY: { case AUDIT_MQ_NOTIFY:
audit_log_format(ab, "mqdes=%d sigev_signo=%d", audit_log_format(ab, "mqdes=%d sigev_signo=%d",
context->mq_notify.mqdes, context->mq_notify.mqdes,
context->mq_notify.sigev_signo); context->mq_notify.sigev_signo);
break; } break;
case AUDIT_MQ_GETSETATTR: { case AUDIT_MQ_GETSETATTR: {
struct mq_attr *attr = &context->mq_getsetattr.mqstat; struct mq_attr *attr = &context->mq_getsetattr.mqstat;
audit_log_format(ab, audit_log_format(ab,
...@@ -1255,19 +1255,24 @@ static void show_special(struct audit_context *context, int *call_panic) ...@@ -1255,19 +1255,24 @@ static void show_special(struct audit_context *context, int *call_panic)
attr->mq_flags, attr->mq_maxmsg, attr->mq_flags, attr->mq_maxmsg,
attr->mq_msgsize, attr->mq_curmsgs); attr->mq_msgsize, attr->mq_curmsgs);
break; } break; }
case AUDIT_CAPSET: { case AUDIT_CAPSET:
audit_log_format(ab, "pid=%d", context->capset.pid); audit_log_format(ab, "pid=%d", context->capset.pid);
audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable); audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted); audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
audit_log_cap(ab, "cap_pe", &context->capset.cap.effective); audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
break; } break;
case AUDIT_MMAP: { case AUDIT_MMAP:
audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
context->mmap.flags); context->mmap.flags);
break; } break;
case AUDIT_EXECVE: { case AUDIT_EXECVE:
audit_log_execve_info(context, &ab); audit_log_execve_info(context, &ab);
break; } break;
case AUDIT_KERN_MODULE:
audit_log_format(ab, "name=");
audit_log_untrustedstring(ab, context->module.name);
kfree(context->module.name);
break;
} }
audit_log_end(ab); audit_log_end(ab);
} }
...@@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags) ...@@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP; context->type = AUDIT_MMAP;
} }
void __audit_log_kern_module(char *name)
{
struct audit_context *context = current->audit_context;
context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
strcpy(context->module.name, name);
context->type = AUDIT_KERN_MODULE;
}
static void audit_log_task(struct audit_buffer *ab) static void audit_log_task(struct audit_buffer *ab)
{ {
kuid_t auid, uid; kuid_t auid, uid;
...@@ -2411,7 +2425,7 @@ void audit_core_dumps(long signr) ...@@ -2411,7 +2425,7 @@ void audit_core_dumps(long signr)
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_task(ab); audit_log_task(ab);
audit_log_format(ab, " sig=%ld", signr); audit_log_format(ab, " sig=%ld res=1", signr);
audit_log_end(ab); audit_log_end(ab);
} }
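Review bot: `__audit_log_kern_module()` hands the result of `kmalloc()` straight to `strcpy()` with no NULL check, so an allocation failure during module load becomes a NULL pointer write in kernel context. Use `context->module.name = kstrdup(name, GFP_KERNEL);` followed by `if (!context->module.name) return;` before setting `context->type`. The buffer is released only in the `AUDIT_KERN_MODULE` case of `show_special()`, and the pointer is not cleared after `kfree()`. If a context can be torn down or reused without that record being emitted (the teardown path is not visible here), the name leaks or dangles, so the free probably belongs with the context cleanup as well. `show_special()` begins outside these hunks.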
......
...@@ -61,6 +61,7 @@ ...@@ -61,6 +61,7 @@
#include <linux/pfn.h> #include <linux/pfn.h>
#include <linux/bsearch.h> #include <linux/bsearch.h>
#include <linux/dynamic_debug.h> #include <linux/dynamic_debug.h>
#include <linux/audit.h>
#include <uapi/linux/module.h> #include <uapi/linux/module.h>
#include "module-internal.h" #include "module-internal.h"
...@@ -3608,6 +3609,8 @@ static int load_module(struct load_info *info, const char __user *uargs, ...@@ -3608,6 +3609,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
goto free_copy; goto free_copy;
} }
audit_log_kern_module(mod->name);
/* Reserve our place in the list. */ /* Reserve our place in the list. */
err = add_unformed_module(mod); err = add_unformed_module(mod);
if (err) if (err)
...@@ -3696,7 +3699,7 @@ static int load_module(struct load_info *info, const char __user *uargs, ...@@ -3696,7 +3699,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod->name, after_dashes); mod->name, after_dashes);
} }
/* Link in to syfs. */ /* Link in to sysfs. */
err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
if (err < 0) if (err < 0)
goto coming_cleanup; goto coming_cleanup;
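Review bot: The new `audit_log_kern_module(mod->name)` call in `load_module()` has no comment explaining its placement. It sits after the earlier `goto free_copy` failure path and before `add_unformed_module()`, so as far as the hunk shows, loads rejected before this point get no module name in their audit record while later failures do. If that is the intended coverage, state it at the call site, e.g. `/* Record the name now so failures from here on are still attributed to the module. */`. `load_module()` starts and ends outside the hunk.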
......
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/filter.h> #include <linux/filter.h>
#include <linux/compat.h> #include <linux/compat.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/audit.h>
#include <linux/export.h> #include <linux/export.h>
#include <net/scm.h> #include <net/scm.h>
...@@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg, ...@@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg,
COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
{ {
int ret; u32 a[AUDITSC_ARGS];
u32 a[6]; unsigned int len;
u32 a0, a1; u32 a0, a1;
int ret;
if (call < SYS_SOCKET || call > SYS_SENDMMSG) if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL; return -EINVAL;
if (copy_from_user(a, args, nas[call])) len = nas[call];
if (len > sizeof(a))
return -EINVAL;
if (copy_from_user(a, args, len))
return -EFAULT; return -EFAULT;
ret = audit_socketcall_compat(len / sizeof(a[0]), a);
if (ret)
return ret;
a0 = a[0]; a0 = a[0];
a1 = a[1]; a1 = a[1];
......