Commit dc9eb698 authored by Eric Paris's avatar Eric Paris

audit: stop pushing loginid, uid, sessionid as arguments

We always use current.  Stop pulling these values when the skb comes in and
pushing them around as arguments.  Just get them at the end when they are
needed.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 18900909
...@@ -202,10 +202,12 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch) ...@@ -202,10 +202,12 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
* reference to the tty audit buffer if available. * reference to the tty audit buffer if available.
* Flush the buffer or return an appropriate error code. * Flush the buffer or return an appropriate error code.
*/ */
int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid) int tty_audit_push_task(struct task_struct *tsk)
{ {
struct tty_audit_buf *buf = ERR_PTR(-EPERM); struct tty_audit_buf *buf = ERR_PTR(-EPERM);
unsigned long flags; unsigned long flags;
kuid_t loginuid = audit_get_loginuid(tsk);
u32 sessionid = audit_get_sessionid(tsk);
if (!lock_task_sighand(tsk, &flags)) if (!lock_task_sighand(tsk, &flags))
return -ESRCH; return -ESRCH;
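Review bot: The new locals at the top of tty_audit_push_task read `audit_get_loginuid(tsk)` and `audit_get_sessionid(tsk)` from the `tsk` argument, while every other hunk in this commit reads them from `current` and the only caller shown (the AUDIT_USER_TTY path in audit_receive_msg) passes `current`; if `tsk` is meant to stay a general parameter, a comment such as `/* the identity logged is that of @tsk, which need not be the caller */` above those two lines would make that intent explicit, otherwise the parameter could be dropped like the others. The kernel-doc block above this hunk is only partly visible; if it still lists `@loginuid` and `@sessionid`, those entries should go together with the parameters. The body of tty_audit_push_task continues beyond the hunk.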
......
...@@ -441,8 +441,7 @@ extern int audit_update_lsm_rules(void); ...@@ -441,8 +441,7 @@ extern int audit_update_lsm_rules(void);
extern int audit_filter_user(int type); extern int audit_filter_user(int type);
extern int audit_filter_type(int type); extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int seq, extern int audit_receive_filter(int type, int pid, int seq,
void *data, size_t datasz, kuid_t loginuid, void *data, size_t datasz);
u32 sessionid, u32 sid);
extern int audit_enabled; extern int audit_enabled;
#else /* CONFIG_AUDIT */ #else /* CONFIG_AUDIT */
static inline __printf(4, 5) static inline __printf(4, 5)
......
...@@ -517,8 +517,7 @@ extern void tty_audit_exit(void); ...@@ -517,8 +517,7 @@ extern void tty_audit_exit(void);
extern void tty_audit_fork(struct signal_struct *sig); extern void tty_audit_fork(struct signal_struct *sig);
extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
extern void tty_audit_push(struct tty_struct *tty); extern void tty_audit_push(struct tty_struct *tty);
extern int tty_audit_push_task(struct task_struct *tsk, extern int tty_audit_push_task(struct task_struct *tsk);
kuid_t loginuid, u32 sessionid);
#else #else
static inline void tty_audit_add_data(struct tty_struct *tty, static inline void tty_audit_add_data(struct tty_struct *tty,
unsigned char *data, size_t size, unsigned icanon) unsigned char *data, size_t size, unsigned icanon)
...@@ -536,8 +535,7 @@ static inline void tty_audit_fork(struct signal_struct *sig) ...@@ -536,8 +535,7 @@ static inline void tty_audit_fork(struct signal_struct *sig)
static inline void tty_audit_push(struct tty_struct *tty) static inline void tty_audit_push(struct tty_struct *tty)
{ {
} }
static inline int tty_audit_push_task(struct task_struct *tsk, static inline int tty_audit_push_task(struct task_struct *tsk)
kuid_t loginuid, u32 sessionid)
{ {
return 0; return 0;
} }
......
...@@ -265,17 +265,22 @@ void audit_log_lost(const char *message) ...@@ -265,17 +265,22 @@ void audit_log_lost(const char *message)
} }
static int audit_log_config_change(char *function_name, int new, int old, static int audit_log_config_change(char *function_name, int new, int old,
kuid_t loginuid, u32 sessionid, u32 sid,
int allow_changes) int allow_changes)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
int rc = 0; int rc = 0;
u32 sessionid = audit_get_sessionid(current);
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
u32 sid;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return rc; return rc;
audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
old, from_kuid(&init_user_ns, loginuid), sessionid); old, auid, sessionid);
security_task_getsecid(current, &sid);
if (sid) { if (sid) {
char *ctx = NULL; char *ctx = NULL;
u32 len; u32 len;
...@@ -294,9 +299,7 @@ static int audit_log_config_change(char *function_name, int new, int old, ...@@ -294,9 +299,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
return rc; return rc;
} }
static int audit_do_config_change(char *function_name, int *to_change, static int audit_do_config_change(char *function_name, int *to_change, int new)
int new, kuid_t loginuid, u32 sessionid,
u32 sid)
{ {
int allow_changes, rc = 0, old = *to_change; int allow_changes, rc = 0, old = *to_change;
...@@ -307,8 +310,7 @@ static int audit_do_config_change(char *function_name, int *to_change, ...@@ -307,8 +310,7 @@ static int audit_do_config_change(char *function_name, int *to_change,
allow_changes = 1; allow_changes = 1;
if (audit_enabled != AUDIT_OFF) { if (audit_enabled != AUDIT_OFF) {
rc = audit_log_config_change(function_name, new, old, loginuid, rc = audit_log_config_change(function_name, new, old, allow_changes);
sessionid, sid, allow_changes);
if (rc) if (rc)
allow_changes = 0; allow_changes = 0;
} }
...@@ -322,44 +324,37 @@ static int audit_do_config_change(char *function_name, int *to_change, ...@@ -322,44 +324,37 @@ static int audit_do_config_change(char *function_name, int *to_change,
return rc; return rc;
} }
static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid, static int audit_set_rate_limit(int limit)
u32 sid)
{ {
return audit_do_config_change("audit_rate_limit", &audit_rate_limit, return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
limit, loginuid, sessionid, sid);
} }
static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid, static int audit_set_backlog_limit(int limit)
u32 sid)
{ {
return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
limit, loginuid, sessionid, sid);
} }
static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid) static int audit_set_enabled(int state)
{ {
int rc; int rc;
if (state < AUDIT_OFF || state > AUDIT_LOCKED) if (state < AUDIT_OFF || state > AUDIT_LOCKED)
return -EINVAL; return -EINVAL;
rc = audit_do_config_change("audit_enabled", &audit_enabled, state, rc = audit_do_config_change("audit_enabled", &audit_enabled, state);
loginuid, sessionid, sid);
if (!rc) if (!rc)
audit_ever_enabled |= !!state; audit_ever_enabled |= !!state;
return rc; return rc;
} }
static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid) static int audit_set_failure(int state)
{ {
if (state != AUDIT_FAIL_SILENT if (state != AUDIT_FAIL_SILENT
&& state != AUDIT_FAIL_PRINTK && state != AUDIT_FAIL_PRINTK
&& state != AUDIT_FAIL_PANIC) && state != AUDIT_FAIL_PANIC)
return -EINVAL; return -EINVAL;
return audit_do_config_change("audit_failure", &audit_failure, state, return audit_do_config_change("audit_failure", &audit_failure, state);
loginuid, sessionid, sid);
} }
/* /*
...@@ -627,12 +622,15 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) ...@@ -627,12 +622,15 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err; return err;
} }
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
kuid_t auid, u32 ses, u32 sid)
{ {
int rc = 0; int rc = 0;
char *ctx = NULL; char *ctx = NULL;
u32 len; u32 len;
u32 sessionid = audit_get_sessionid(current);
uid_t uid = from_kuid(&init_user_ns, current_uid());
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
u32 sid;
if (!audit_enabled) { if (!audit_enabled) {
*ab = NULL; *ab = NULL;
...@@ -643,9 +641,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, ...@@ -643,9 +641,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
if (unlikely(!*ab)) if (unlikely(!*ab))
return rc; return rc;
audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
task_tgid_vnr(current), task_tgid_vnr(current), uid, auid, sessionid);
from_kuid(&init_user_ns, current_uid()), security_task_getsecid(current, &sid);
from_kuid(&init_user_ns, auid), ses);
if (sid) { if (sid) {
rc = security_secid_to_secctx(sid, &ctx, &len); rc = security_secid_to_secctx(sid, &ctx, &len);
if (rc) if (rc)
...@@ -661,14 +658,12 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, ...@@ -661,14 +658,12 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{ {
u32 seq, sid; u32 seq;
void *data; void *data;
struct audit_status *status_get, status_set; struct audit_status *status_get, status_set;
int err; int err;
struct audit_buffer *ab; struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type; u16 msg_type = nlh->nlmsg_type;
kuid_t loginuid; /* loginuid of sender */
u32 sessionid;
struct audit_sig_info *sig_data; struct audit_sig_info *sig_data;
char *ctx = NULL; char *ctx = NULL;
u32 len; u32 len;
...@@ -677,9 +672,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -677,9 +672,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err) if (err)
return err; return err;
loginuid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &sid);
seq = nlh->nlmsg_seq; seq = nlh->nlmsg_seq;
data = nlmsg_data(nlh); data = nlmsg_data(nlh);
...@@ -700,14 +692,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -700,14 +692,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL; return -EINVAL;
status_get = (struct audit_status *)data; status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) { if (status_get->mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(status_get->enabled, err = audit_set_enabled(status_get->enabled);
loginuid, sessionid, sid);
if (err < 0) if (err < 0)
return err; return err;
} }
if (status_get->mask & AUDIT_STATUS_FAILURE) { if (status_get->mask & AUDIT_STATUS_FAILURE) {
err = audit_set_failure(status_get->failure, err = audit_set_failure(status_get->failure);
loginuid, sessionid, sid);
if (err < 0) if (err < 0)
return err; return err;
} }
...@@ -715,22 +705,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -715,22 +705,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
int new_pid = status_get->pid; int new_pid = status_get->pid;
if (audit_enabled != AUDIT_OFF) if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid, loginuid,
sessionid, sid, 1);
audit_pid = new_pid; audit_pid = new_pid;
audit_nlk_portid = NETLINK_CB(skb).portid; audit_nlk_portid = NETLINK_CB(skb).portid;
} }
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) { if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(status_get->rate_limit, err = audit_set_rate_limit(status_get->rate_limit);
loginuid, sessionid, sid);
if (err < 0) if (err < 0)
return err; return err;
} }
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
err = audit_set_backlog_limit(status_get->backlog_limit, err = audit_set_backlog_limit(status_get->backlog_limit);
loginuid, sessionid, sid);
break; break;
case AUDIT_USER: case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
...@@ -742,14 +727,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -742,14 +727,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err == 1) { if (err == 1) {
err = 0; err = 0;
if (msg_type == AUDIT_USER_TTY) { if (msg_type == AUDIT_USER_TTY) {
err = tty_audit_push_task(current, loginuid, err = tty_audit_push_task(current);
sessionid);
if (err) if (err)
break; break;
} }
audit_log_common_recv_msg(&ab, msg_type, audit_log_common_recv_msg(&ab, msg_type);
loginuid, sessionid, sid);
if (msg_type != AUDIT_USER_TTY) if (msg_type != AUDIT_USER_TTY)
audit_log_format(ab, " msg='%.1024s'", audit_log_format(ab, " msg='%.1024s'",
(char *)data); (char *)data);
...@@ -772,26 +754,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -772,26 +754,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
return -EINVAL; return -EINVAL;
if (audit_enabled == AUDIT_LOCKED) { if (audit_enabled == AUDIT_LOCKED) {
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
loginuid, sessionid, sid); audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
audit_log_end(ab); audit_log_end(ab);
return -EPERM; return -EPERM;
} }
/* fallthrough */ /* fallthrough */
case AUDIT_LIST_RULES: case AUDIT_LIST_RULES:
err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid, err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
seq, data, nlmsg_len(nlh), seq, data, nlmsg_len(nlh));
loginuid, sessionid, sid);
break; break;
case AUDIT_TRIM: case AUDIT_TRIM:
audit_trim_trees(); audit_trim_trees();
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
loginuid, sessionid, sid);
audit_log_format(ab, " op=trim res=1"); audit_log_format(ab, " op=trim res=1");
audit_log_end(ab); audit_log_end(ab);
break; break;
...@@ -821,8 +796,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -821,8 +796,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
/* OK, here comes... */ /* OK, here comes... */
err = audit_tag_tree(old, new); err = audit_tag_tree(old, new);
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
loginuid, sessionid, sid);
audit_log_format(ab, " op=make_equiv old="); audit_log_format(ab, " op=make_equiv old=");
audit_log_untrustedstring(ab, old); audit_log_untrustedstring(ab, old);
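Review bot: audit_log_common_recv_msg and audit_log_config_change now rely on `current` being the process that sent the netlink message, an assumption the removed `kuid_t loginuid; /* loginuid of sender */` declaration in audit_receive_msg used to spell out; it holds only because audit_receive_msg runs in the sender's context, and nothing in the new helpers says so. A comment above the new locals in audit_log_common_recv_msg, e.g. `/* current is the netlink sender: audit_receive_msg() runs in its context */`, would keep that contract visible, and the same applies to the `audit_get_loginuid(current)` locals in audit_log_config_change and, in auditfilter.c, audit_log_rule_change. Both helpers have more lines beyond their hunks.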
......
...@@ -980,11 +980,12 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) ...@@ -980,11 +980,12 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
} }
/* Log rule additions and removals */ /* Log rule additions and removals */
static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid, static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
char *action, struct audit_krule *rule,
int res)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
u32 sessionid = audit_get_sessionid(current);
u32 sid;
if (!audit_enabled) if (!audit_enabled)
return; return;
...@@ -992,8 +993,8 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid, ...@@ -992,8 +993,8 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab) if (!ab)
return; return;
audit_log_format(ab, "auid=%u ses=%u", audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
from_kuid(&init_user_ns, loginuid), sessionid); security_task_getsecid(current, &sid);
if (sid) { if (sid) {
char *ctx = NULL; char *ctx = NULL;
u32 len; u32 len;
...@@ -1022,8 +1023,7 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid, ...@@ -1022,8 +1023,7 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
* @sessionid: sessionid for netlink audit message * @sessionid: sessionid for netlink audit message
* @sid: SE Linux Security ID of sender * @sid: SE Linux Security ID of sender
*/ */
int audit_receive_filter(int type, int pid, int seq, void *data, int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)
size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
{ {
struct task_struct *tsk; struct task_struct *tsk;
struct audit_netlink_list *dest; struct audit_netlink_list *dest;
...@@ -1061,9 +1061,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data, ...@@ -1061,9 +1061,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data,
return PTR_ERR(entry); return PTR_ERR(entry);
err = audit_add_rule(entry); err = audit_add_rule(entry);
audit_log_rule_change(loginuid, sessionid, sid, "add rule", audit_log_rule_change("add rule", &entry->rule, !err);
&entry->rule, !err);
if (err) if (err)
audit_free_rule(entry); audit_free_rule(entry);
break; break;
...@@ -1073,9 +1071,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data, ...@@ -1073,9 +1071,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data,
return PTR_ERR(entry); return PTR_ERR(entry);
err = audit_del_rule(entry); err = audit_del_rule(entry);
audit_log_rule_change(loginuid, sessionid, sid, "remove rule", audit_log_rule_change("remove rule", &entry->rule, !err);
&entry->rule, !err);
audit_free_rule(entry); audit_free_rule(entry);
break; break;
default: default:
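Review bot: The kernel-doc for audit_receive_filter still documents `@sessionid` and `@sid` (visible as unchanged context at the top of the `@@ -1022` hunk, and presumably `@loginuid` just above it) although the new signature `int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)` no longer takes them; those entries should be removed so the comment and kernel-doc's parameter check agree with the code. In audit_log_rule_change the rewritten call `audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);` has the comma on the wrong side of the space and should read `audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);`. The local `uid_t loginuid` there also holds an already-converted uid, whereas audit_log_config_change in audit.c names the same value `auid`; using `auid` here too would keep the two files consistent and stop the name suggesting a kuid_t.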
......