Commit 047ce6d3 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'audit-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:
 "In the finest of holiday of traditions, I have a number of gifts to
  share today. While most of them are re-gifts from others, unlike the
  typical re-gift, these are things you will want in and around your
  tree; I promise.

  This pull request is perhaps a bit larger than our typical PR, but
  most of it comes from Jan's rework of audit's fanotify code; a very
  welcome improvement. We ran this through our normal regression tests,
  as well as some newly created stress tests and everything looks good.

  Richard added a few patches, mostly cleaning up a few things and and
  shortening some of the audit records that we send to userspace; a
  change the userspace folks are quite happy about.

  Finally YueHaibing and I kick in a few patches to simplify things a
  bit and make the code less prone to errors.

  Lastly, I want to say thanks one more time to everyone who has
  contributed patches, testing, and code reviews for the audit subsystem
  over the past year. The project is what it is due to your help and
  contributions - thank you"

* tag 'audit-pr-20181224' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: (22 commits)
  audit: remove duplicated include from audit.c
  audit: shorten PATH cap values when zero
  audit: use current whenever possible
  audit: minimize our use of audit_log_format()
  audit: remove WATCH and TREE config options
  audit: use session_info helper
  audit: localize audit_log_session_info prototype
  audit: Use 'mark' name for fsnotify_mark variables
  audit: Replace chunk attached to mark instead of replacing mark
  audit: Simplify locking around untag_chunk()
  audit: Drop all unused chunk nodes during deletion
  audit: Guarantee forward progress of chunk untagging
  audit: Allocate fsnotify mark independently of chunk
  audit: Provide helper for dropping mark's chunk reference
  audit: Remove pointless check in insert_hash()
  audit: Factor out chunk replacement code
  audit: Make hash table insertion safe against concurrent lookups
  audit: Embed key into chunk
  audit: Fix possible tagging failures
  audit: Fix possible spurious -ENOSPC error
  ...
parents a3b5c106 d406db52
...@@ -61,20 +61,19 @@ static void tty_audit_log(const char *description, dev_t dev, ...@@ -61,20 +61,19 @@ static void tty_audit_log(const char *description, dev_t dev,
unsigned char *data, size_t size) unsigned char *data, size_t size)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
struct task_struct *tsk = current; pid_t pid = task_pid_nr(current);
pid_t pid = task_pid_nr(tsk); uid_t uid = from_kuid(&init_user_ns, task_uid(current));
uid_t uid = from_kuid(&init_user_ns, task_uid(tsk)); uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk)); unsigned int sessionid = audit_get_sessionid(current);
unsigned int sessionid = audit_get_sessionid(tsk);
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
if (ab) { if (ab) {
char name[sizeof(tsk->comm)]; char name[sizeof(current->comm)];
audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u major=%d" audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u major=%d"
" minor=%d comm=", description, pid, uid, " minor=%d comm=", description, pid, uid,
loginuid, sessionid, MAJOR(dev), MINOR(dev)); loginuid, sessionid, MAJOR(dev), MINOR(dev));
get_task_comm(name, tsk); get_task_comm(name, current);
audit_log_untrustedstring(ab, name); audit_log_untrustedstring(ab, name);
audit_log_format(ab, " data="); audit_log_format(ab, " data=");
audit_log_n_hex(ab, data, size); audit_log_n_hex(ab, data, size);
......
...@@ -115,8 +115,6 @@ extern int audit_classify_compat_syscall(int abi, unsigned syscall); ...@@ -115,8 +115,6 @@ extern int audit_classify_compat_syscall(int abi, unsigned syscall);
struct filename; struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
#define AUDIT_OFF 0 #define AUDIT_OFF 0
#define AUDIT_ON 1 #define AUDIT_ON 1
#define AUDIT_LOCKED 2 #define AUDIT_LOCKED 2
...@@ -153,8 +151,7 @@ extern void audit_log_link_denied(const char *operation); ...@@ -153,8 +151,7 @@ extern void audit_log_link_denied(const char *operation);
extern void audit_log_lost(const char *message); extern void audit_log_lost(const char *message);
extern int audit_log_task_context(struct audit_buffer *ab); extern int audit_log_task_context(struct audit_buffer *ab);
extern void audit_log_task_info(struct audit_buffer *ab, extern void audit_log_task_info(struct audit_buffer *ab);
struct task_struct *tsk);
extern int audit_update_lsm_rules(void); extern int audit_update_lsm_rules(void);
...@@ -202,8 +199,7 @@ static inline int audit_log_task_context(struct audit_buffer *ab) ...@@ -202,8 +199,7 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
{ {
return 0; return 0;
} }
static inline void audit_log_task_info(struct audit_buffer *ab, static inline void audit_log_task_info(struct audit_buffer *ab)
struct task_struct *tsk)
{ } { }
#define audit_enabled AUDIT_OFF #define audit_enabled AUDIT_OFF
#endif /* CONFIG_AUDIT */ #endif /* CONFIG_AUDIT */
......
...@@ -335,15 +335,6 @@ config HAVE_ARCH_AUDITSYSCALL ...@@ -335,15 +335,6 @@ config HAVE_ARCH_AUDITSYSCALL
config AUDITSYSCALL config AUDITSYSCALL
def_bool y def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
config AUDIT_WATCH
def_bool y
depends on AUDITSYSCALL
select FSNOTIFY
config AUDIT_TREE
def_bool y
depends on AUDITSYSCALL
select FSNOTIFY select FSNOTIFY
source "kernel/irq/Kconfig" source "kernel/irq/Kconfig"
......
...@@ -76,9 +76,7 @@ obj-$(CONFIG_IKCONFIG) += configs.o ...@@ -76,9 +76,7 @@ obj-$(CONFIG_IKCONFIG) += configs.o
obj-$(CONFIG_SMP) += stop_machine.o obj-$(CONFIG_SMP) += stop_machine.o
obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
obj-$(CONFIG_AUDIT) += audit.o auditfilter.o obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o obj-$(CONFIG_AUDITSYSCALL) += auditsc.o audit_watch.o audit_fsnotify.o audit_tree.o
obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o
obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
obj-$(CONFIG_GCOV_KERNEL) += gcov/ obj-$(CONFIG_GCOV_KERNEL) += gcov/
obj-$(CONFIG_KCOV) += kcov.o obj-$(CONFIG_KCOV) += kcov.o
obj-$(CONFIG_KPROBES) += kprobes.o obj-$(CONFIG_KPROBES) += kprobes.o
......
...@@ -60,7 +60,6 @@ ...@@ -60,7 +60,6 @@
#include <linux/mutex.h> #include <linux/mutex.h>
#include <linux/gfp.h> #include <linux/gfp.h>
#include <linux/pid.h> #include <linux/pid.h>
#include <linux/slab.h>
#include <linux/audit.h> #include <linux/audit.h>
...@@ -400,7 +399,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old, ...@@ -400,7 +399,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return rc; return rc;
audit_log_format(ab, "%s=%u old=%u", function_name, new, old); audit_log_format(ab, "%s=%u old=%u ", function_name, new, old);
audit_log_session_info(ab); audit_log_session_info(ab);
rc = audit_log_task_context(ab); rc = audit_log_task_context(ab);
if (rc) if (rc)
...@@ -1067,7 +1066,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) ...@@ -1067,7 +1066,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type); *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab)) if (unlikely(!*ab))
return; return;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid); audit_log_format(*ab, "pid=%d uid=%u ", pid, uid);
audit_log_session_info(*ab); audit_log_session_info(*ab);
audit_log_task_context(*ab); audit_log_task_context(*ab);
} }
...@@ -1096,10 +1095,11 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature ...@@ -1096,10 +1095,11 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
if (audit_enabled == AUDIT_OFF) if (audit_enabled == AUDIT_OFF)
return; return;
ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE); ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab) if (!ab)
return; return;
audit_log_task_info(ab, current); audit_log_task_info(ab);
audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
audit_feature_names[which], !!old_feature, !!new_feature, audit_feature_names[which], !!old_feature, !!new_feature,
!!old_lock, !!new_lock, res); !!old_lock, !!new_lock, res);
...@@ -2042,7 +2042,7 @@ void audit_log_session_info(struct audit_buffer *ab) ...@@ -2042,7 +2042,7 @@ void audit_log_session_info(struct audit_buffer *ab)
unsigned int sessionid = audit_get_sessionid(current); unsigned int sessionid = audit_get_sessionid(current);
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid); audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
} }
void audit_log_key(struct audit_buffer *ab, char *key) void audit_log_key(struct audit_buffer *ab, char *key)
...@@ -2058,11 +2058,13 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) ...@@ -2058,11 +2058,13 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{ {
int i; int i;
audit_log_format(ab, " %s=", prefix); if (cap_isclear(*cap)) {
CAP_FOR_EACH_U32(i) { audit_log_format(ab, " %s=0", prefix);
audit_log_format(ab, "%08x", return;
cap->cap[CAP_LAST_U32 - i]);
} }
audit_log_format(ab, " %s=", prefix);
CAP_FOR_EACH_U32(i)
audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
} }
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
...@@ -2177,22 +2179,21 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, ...@@ -2177,22 +2179,21 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
} }
/* log the audit_names record type */ /* log the audit_names record type */
audit_log_format(ab, " nametype=");
switch(n->type) { switch(n->type) {
case AUDIT_TYPE_NORMAL: case AUDIT_TYPE_NORMAL:
audit_log_format(ab, "NORMAL"); audit_log_format(ab, " nametype=NORMAL");
break; break;
case AUDIT_TYPE_PARENT: case AUDIT_TYPE_PARENT:
audit_log_format(ab, "PARENT"); audit_log_format(ab, " nametype=PARENT");
break; break;
case AUDIT_TYPE_CHILD_DELETE: case AUDIT_TYPE_CHILD_DELETE:
audit_log_format(ab, "DELETE"); audit_log_format(ab, " nametype=DELETE");
break; break;
case AUDIT_TYPE_CHILD_CREATE: case AUDIT_TYPE_CHILD_CREATE:
audit_log_format(ab, "CREATE"); audit_log_format(ab, " nametype=CREATE");
break; break;
default: default:
audit_log_format(ab, "UNKNOWN"); audit_log_format(ab, " nametype=UNKNOWN");
break; break;
} }
...@@ -2247,15 +2248,15 @@ void audit_log_d_path_exe(struct audit_buffer *ab, ...@@ -2247,15 +2248,15 @@ void audit_log_d_path_exe(struct audit_buffer *ab,
audit_log_format(ab, " exe=(null)"); audit_log_format(ab, " exe=(null)");
} }
struct tty_struct *audit_get_tty(struct task_struct *tsk) struct tty_struct *audit_get_tty(void)
{ {
struct tty_struct *tty = NULL; struct tty_struct *tty = NULL;
unsigned long flags; unsigned long flags;
spin_lock_irqsave(&tsk->sighand->siglock, flags); spin_lock_irqsave(&current->sighand->siglock, flags);
if (tsk->signal) if (current->signal)
tty = tty_kref_get(tsk->signal->tty); tty = tty_kref_get(current->signal->tty);
spin_unlock_irqrestore(&tsk->sighand->siglock, flags); spin_unlock_irqrestore(&current->sighand->siglock, flags);
return tty; return tty;
} }
...@@ -2264,25 +2265,24 @@ void audit_put_tty(struct tty_struct *tty) ...@@ -2264,25 +2265,24 @@ void audit_put_tty(struct tty_struct *tty)
tty_kref_put(tty); tty_kref_put(tty);
} }
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) void audit_log_task_info(struct audit_buffer *ab)
{ {
const struct cred *cred; const struct cred *cred;
char comm[sizeof(tsk->comm)]; char comm[sizeof(current->comm)];
struct tty_struct *tty; struct tty_struct *tty;
if (!ab) if (!ab)
return; return;
/* tsk == current */
cred = current_cred(); cred = current_cred();
tty = audit_get_tty(tsk); tty = audit_get_tty();
audit_log_format(ab, audit_log_format(ab,
" ppid=%d pid=%d auid=%u uid=%u gid=%u" " ppid=%d pid=%d auid=%u uid=%u gid=%u"
" euid=%u suid=%u fsuid=%u" " euid=%u suid=%u fsuid=%u"
" egid=%u sgid=%u fsgid=%u tty=%s ses=%u", " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
task_ppid_nr(tsk), task_ppid_nr(current),
task_tgid_nr(tsk), task_tgid_nr(current),
from_kuid(&init_user_ns, audit_get_loginuid(tsk)), from_kuid(&init_user_ns, audit_get_loginuid(current)),
from_kuid(&init_user_ns, cred->uid), from_kuid(&init_user_ns, cred->uid),
from_kgid(&init_user_ns, cred->gid), from_kgid(&init_user_ns, cred->gid),
from_kuid(&init_user_ns, cred->euid), from_kuid(&init_user_ns, cred->euid),
...@@ -2292,11 +2292,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) ...@@ -2292,11 +2292,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
from_kgid(&init_user_ns, cred->sgid), from_kgid(&init_user_ns, cred->sgid),
from_kgid(&init_user_ns, cred->fsgid), from_kgid(&init_user_ns, cred->fsgid),
tty ? tty_name(tty) : "(none)", tty ? tty_name(tty) : "(none)",
audit_get_sessionid(tsk)); audit_get_sessionid(current));
audit_put_tty(tty); audit_put_tty(tty);
audit_log_format(ab, " comm="); audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, get_task_comm(comm, tsk)); audit_log_untrustedstring(ab, get_task_comm(comm, current));
audit_log_d_path_exe(ab, tsk->mm); audit_log_d_path_exe(ab, current->mm);
audit_log_task_context(ab); audit_log_task_context(ab);
} }
EXPORT_SYMBOL(audit_log_task_info); EXPORT_SYMBOL(audit_log_task_info);
...@@ -2317,7 +2317,7 @@ void audit_log_link_denied(const char *operation) ...@@ -2317,7 +2317,7 @@ void audit_log_link_denied(const char *operation)
if (!ab) if (!ab)
return; return;
audit_log_format(ab, "op=%s", operation); audit_log_format(ab, "op=%s", operation);
audit_log_task_info(ab, current); audit_log_task_info(ab);
audit_log_format(ab, " res=0"); audit_log_format(ab, " res=0");
audit_log_end(ab); audit_log_end(ab);
} }
......
...@@ -210,6 +210,8 @@ struct audit_context { ...@@ -210,6 +210,8 @@ struct audit_context {
extern bool audit_ever_enabled; extern bool audit_ever_enabled;
extern void audit_log_session_info(struct audit_buffer *ab);
extern void audit_copy_inode(struct audit_names *name, extern void audit_copy_inode(struct audit_names *name,
const struct dentry *dentry, const struct dentry *dentry,
struct inode *inode); struct inode *inode);
...@@ -262,11 +264,11 @@ extern struct audit_entry *audit_dupe_rule(struct audit_krule *old); ...@@ -262,11 +264,11 @@ extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
extern void audit_log_d_path_exe(struct audit_buffer *ab, extern void audit_log_d_path_exe(struct audit_buffer *ab,
struct mm_struct *mm); struct mm_struct *mm);
extern struct tty_struct *audit_get_tty(struct task_struct *tsk); extern struct tty_struct *audit_get_tty(void);
extern void audit_put_tty(struct tty_struct *tty); extern void audit_put_tty(struct tty_struct *tty);
/* audit watch functions */ /* audit watch functions */
#ifdef CONFIG_AUDIT_WATCH #ifdef CONFIG_AUDITSYSCALL
extern void audit_put_watch(struct audit_watch *watch); extern void audit_put_watch(struct audit_watch *watch);
extern void audit_get_watch(struct audit_watch *watch); extern void audit_get_watch(struct audit_watch *watch);
extern int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op); extern int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op);
...@@ -299,9 +301,9 @@ extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark ...@@ -299,9 +301,9 @@ extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark
#define audit_mark_compare(m, i, d) 0 #define audit_mark_compare(m, i, d) 0
#define audit_exe_compare(t, m) (-EINVAL) #define audit_exe_compare(t, m) (-EINVAL)
#define audit_dupe_exe(n, o) (-EINVAL) #define audit_dupe_exe(n, o) (-EINVAL)
#endif /* CONFIG_AUDIT_WATCH */ #endif /* CONFIG_AUDITSYSCALL */
#ifdef CONFIG_AUDIT_TREE #ifdef CONFIG_AUDITSYSCALL
extern struct audit_chunk *audit_tree_lookup(const struct inode *inode); extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
extern void audit_put_chunk(struct audit_chunk *chunk); extern void audit_put_chunk(struct audit_chunk *chunk);
extern bool audit_tree_match(struct audit_chunk *chunk, struct audit_tree *tree); extern bool audit_tree_match(struct audit_chunk *chunk, struct audit_tree *tree);
......
...@@ -130,10 +130,8 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c ...@@ -130,10 +130,8 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_format(ab, "auid=%u ses=%u op=%s", audit_log_session_info(ab);
from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_log_format(ab, " op=%s path=", op);
audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, audit_mark->path); audit_log_untrustedstring(ab, audit_mark->path);
audit_log_key(ab, rule->filterkey); audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=1", rule->listnr); audit_log_format(ab, " list=%d res=1", rule->listnr);
......
This diff is collapsed.
...@@ -245,10 +245,8 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc ...@@ -245,10 +245,8 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (!ab) if (!ab)
return; return;
audit_log_format(ab, "auid=%u ses=%u op=%s", audit_log_session_info(ab);
from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_log_format(ab, "op=%s path=", op);
audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path); audit_log_untrustedstring(ab, w->path);
audit_log_key(ab, r->filterkey); audit_log_key(ab, r->filterkey);
audit_log_format(ab, " list=%d res=1", r->listnr); audit_log_format(ab, " list=%d res=1", r->listnr);
......
This diff is collapsed.
...@@ -336,7 +336,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, ...@@ -336,7 +336,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
audit_log_untrustedstring(ab, filename); audit_log_untrustedstring(ab, filename);
audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash); audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
audit_log_task_info(ab, current); audit_log_task_info(ab);
audit_log_end(ab); audit_log_end(ab);
iint->flags |= IMA_AUDITED; iint->flags |= IMA_AUDITED;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment