   1/* auditsc.c -- System-call auditing support
   2 * Handles all system-call specific auditing features.
   3 *
   4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   5 * All Rights Reserved.
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 *
  21 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  22 *
  23 * Many of the ideas implemented here are from Stephen C. Tweedie,
  24 * especially the idea of avoiding a copy by using getname.
  25 *
  26 * The method for actual interception of syscall entry and exit (not in
  27 * this file -- see entry.S) is based on a GPL'd patch written by
  28 * okir@suse.de and Copyright 2003 SuSE Linux AG.
  29 *
  30 */
  31
  32#include <linux/init.h>
  33#include <asm/atomic.h>
  34#include <asm/types.h>
  35#include <linux/mm.h>
  36#include <linux/module.h>
  37#include <linux/mount.h>
  38#include <linux/socket.h>
  39#include <linux/audit.h>
  40#include <linux/personality.h>
  41#include <linux/time.h>
  42#include <linux/netlink.h>
  43#include <linux/kthread.h>
  44#include <linux/binfmts.h>
  45#include <asm/unistd.h>
  46
/* 0 = no checking
   1 = put_count checking
   2 = verbose put_count checking
   Level 1 and 2 add the put_count/ino_count fields to audit_context;
   level 2 also enables the consistency check in audit_free_names(). */
#define AUDIT_DEBUG 0

/* No syscall auditing will take place unless audit_enabled != 0.
 * Defined outside this file (presumably audit.c); audit_alloc() tests it
 * before any filtering is done. */
extern int audit_enabled;

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname().  It is the size of
 * audit_context.names[], so name_count never exceeds it. */
#define AUDIT_NAMES    20

/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
 * audit_context from being used for nameless inodes from
 * path_lookup. */
#define AUDIT_NAMES_RESERVED 7

/* no execve audit message should be longer than this (userspace limits) */
#define MAX_EXECVE_AUDIT_LEN 7500
  67
/* At task start time, the audit_state is set in the audit_context using
   a per-task filter.  At syscall entry, the audit_state is augmented by
   the syscall filter.

   The values run from "record nothing" to "always record".
   AUDIT_BUILD_CONTEXT is what the filters return when no rule matches
   (audit_filter_task / audit_filter_syscall), and a matching rule's
   action maps onto these as AUDIT_NEVER -> AUDIT_DISABLED,
   AUDIT_POSSIBLE -> AUDIT_BUILD_CONTEXT, AUDIT_ALWAYS ->
   AUDIT_RECORD_CONTEXT (audit_filter_rules). */
enum audit_state {
	AUDIT_DISABLED,		/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_SETUP_CONTEXT,	/* Create the per-task audit_context,
				 * but don't necessarily fill it in at
				 * syscall entry time (i.e., filter
				 * instead). */
	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,
				 * and always fill it in at syscall
				 * entry time.  This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time.  */
};
  90
/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
struct audit_names {
	const char	*name;	/* getname() buffer, released with
				 * __putname() by audit_free_names();
				 * may be NULL for a nameless inode */
	unsigned long	ino;	/* matched by AUDIT_INODE rules */
	dev_t		dev;	/* matched by AUDIT_DEVMAJOR/DEVMINOR rules */
	umode_t		mode;	/* NOTE(review): mode, uid, gid, rdev and
				 * flags are written outside this excerpt;
				 * confirm in the name-recording hooks
				 * before relying on them */
	uid_t		uid;
	gid_t		gid;
	dev_t		rdev;
	unsigned	flags;
};
 106
/* Common header of every auxiliary record chained on audit_context->aux.
 * Each concrete record below embeds it as its first member, so the
 * record is recovered from the header by a plain cast once type has
 * been checked (see audit_free_aux()). */
struct audit_aux_data {
	struct audit_aux_data	*next;	/* singly linked, NULL-terminated */
	int			type;	/* AUDIT_* record type selecting the layout */
};
 111
/* Auxiliary record carrying an IPC permission snapshot.  Nothing in
 * this excerpt fills or prints it; presumably written by an IPC control
 * hook -- confirm before relying on field meanings. */
struct audit_aux_data_ipcctl {
	struct audit_aux_data	d;	/* header, must stay first */
	struct ipc_perm		p;
	unsigned long		qbytes;
	uid_t			uid;
	gid_t			gid;
	mode_t			mode;
};
 120
/* Auxiliary record for execve.  mem is a zero-length trailing array
 * (GNU extension) and is sized at allocation time; given argc/envc it
 * presumably holds the argument and environment strings -- confirm
 * against the code that builds it. */
struct audit_aux_data_execve {
	struct audit_aux_data	d;	/* header, must stay first */
	int argc;
	int envc;
	char mem[0];
};
 127
/* Auxiliary record for socketcall: nargs entries follow the header in
 * the zero-length trailing array (GNU extension), sized at allocation. */
struct audit_aux_data_socketcall {
	struct audit_aux_data	d;	/* header, must stay first */
	int			nargs;	/* number of valid entries in args[] */
	unsigned long		args[0];
};
 133
/* Auxiliary record holding a copied socket address: len bytes follow
 * the header in the zero-length trailing array (GNU extension). */
struct audit_aux_data_sockaddr {
	struct audit_aux_data	d;	/* header, must stay first */
	int			len;	/* number of valid bytes in a[] */
	char			a[0];
};
 139
/* Auxiliary record of type AUDIT_AVC_PATH.  It owns one reference each
 * on dentry and mnt; audit_free_aux() drops them with dput()/mntput(). */
struct audit_aux_data_path {
	struct audit_aux_data	d;	/* header, must stay first */
	struct dentry		*dentry;
	struct vfsmount		*mnt;
};
 145
/* Auxiliary record of type AUDIT_FS_INODE.  watches is an hlist of
 * audit_watch_info, each holding a watch reference; audit_free_aux()
 * releases them with audit_watch_put() and frees the list nodes.  Note
 * the header member is called link here rather than d. */
struct audit_aux_data_watched {
	struct audit_aux_data	link;	/* header, must stay first */
	struct hlist_head	watches;
	unsigned long		ino;
	int			mask;
	uid_t			uid;
	gid_t			gid;
	dev_t			dev;
	dev_t			rdev;
};
 156
/* The per-task audit context.
 *
 * Allocated by audit_alloc() (zeroed except for loginuid, see
 * audit_zero_context()), detached from the task by audit_get_context()
 * and torn down by audit_free_context(), which walks the previous chain
 * and releases names[], pwd/pwdmnt and the aux list. */
struct audit_context {
	int		    in_syscall;	/* 1 if task is in a syscall */
	enum audit_state    state;
	unsigned int	    serial;	/* serial number for record */
	struct timespec	    ctime;	/* time of syscall entry */
	uid_t		    loginuid;	/* login uid (identity); survives
					 * audit_zero_context() and is
					 * inherited from current by
					 * audit_alloc() */
	int		    major;	/* syscall number; indexes the rule
					 * bitmap in audit_filter_syscall() */
	unsigned long	    argv[4];	/* syscall arguments */
	int		    return_valid; /* return code is valid */
	long		    return_code;/* syscall return code */
	int		    auditable;	/* 1 if record should be written */
	int		    name_count;	/* valid entries in names[], <= AUDIT_NAMES */
	struct audit_names  names[AUDIT_NAMES];
	struct dentry *	    pwd;	/* reference dropped by audit_free_names() */
	struct vfsmount *   pwdmnt;	/* likewise */
	struct audit_context *previous; /* For nested syscalls */
	struct audit_aux_data *aux;	/* singly linked aux records, see
					 * audit_free_aux() */

				/* Save things to print about task_struct */
				/* (snapshotted in audit_get_context()) */
	pid_t		    pid;
	uid_t		    uid, euid, suid, fsuid;
	gid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
	int		    arch;	/* matched by AUDIT_ARCH rules; set
					 * outside this excerpt */

#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};
 188
				/* Public API */
/* There are three lists of rules -- one to search at task creation
 * time, one to search at syscall entry time, and another to search at
 * syscall exit time.
 *
 * The array actually has AUDIT_NR_FILTERS (5) heads, indexed by the
 * AUDIT_FILTER_* constants; this excerpt uses AUDIT_FILTER_TASK,
 * AUDIT_FILTER_EXIT and AUDIT_FILTER_USER.  Readers walk a list under
 * rcu_read_lock(); writers (audit_add_rule / audit_del_rule) are
 * serialised by audit_netlink_sem and publish with the _rcu list ops. */
static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
	LIST_HEAD_INIT(audit_filter_list[0]),
	LIST_HEAD_INIT(audit_filter_list[1]),
	LIST_HEAD_INIT(audit_filter_list[2]),
	LIST_HEAD_INIT(audit_filter_list[3]),
	LIST_HEAD_INIT(audit_filter_list[4]),
#if AUDIT_NR_FILTERS != 5
#error Fix audit_filter_list initialiser
#endif
};
 203
/* One rule as stored on an audit_filter_list.  rule is a kernel copy
 * made by audit_copy_rule(); rcu lets audit_del_rule() defer the free
 * (audit_free_rule) until RCU readers are done. */
struct audit_entry {
	struct list_head  list;
	struct rcu_head	  rcu;
	struct audit_rule rule;
};
 209
/* pid of the audit daemon, 0 when none; audit_filter_syscall() uses it
 * to exempt the daemon's own syscalls from auditing. */
extern int audit_pid;
 211
/* Copy rule from user-space to kernel-space.  Called from
 * audit_add_rule during AUDIT_ADD.
 *
 * This is the validation point for rules that arrive over netlink:
 * action must be one of the three known values, field_count must fit
 * the fields[]/values[] arrays (it bounds the copy loop below), and the
 * list number carried in flags (everything but AUDIT_FILTER_PREPEND)
 * must index audit_filter_list[].  Returns 0 on success, -1 when the
 * rule is rejected; d is only written after s has been accepted.
 */
static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
{
	int n;
	int known_action = (s->action == AUDIT_NEVER
			    || s->action == AUDIT_POSSIBLE
			    || s->action == AUDIT_ALWAYS);

	if (!known_action)
		return -1;
	/* NOTE(review): the < 0 arm only does anything if field_count is a
	 * signed type in struct audit_rule -- confirm in linux/audit.h. */
	if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
		return -1;
	if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
		return -1;

	d->flags       = s->flags;
	d->action      = s->action;
	d->field_count = s->field_count;
	for (n = 0; n < s->field_count; n++) {
		d->fields[n] = s->fields[n];
		d->values[n] = s->values[n];
	}
	memcpy(d->mask, s->mask, AUDIT_BITMASK_SIZE * sizeof(d->mask[0]));
	return 0;
}
 237
/* Check to see if two rules are identical.  It is called from
 * audit_add_rule during AUDIT_ADD and
 * audit_del_rule during AUDIT_DEL.
 *
 * Returns 0 when flags, action, field_count, every used field/value pair
 * and the whole syscall mask agree, 1 on the first difference.  Note the
 * flags comparison includes AUDIT_FILTER_PREPEND.
 */
static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
{
	int n;

	if (a->flags != b->flags
	    || a->action != b->action
	    || a->field_count != b->field_count)
		return 1;

	for (n = 0; n < a->field_count; n++)
		if (a->fields[n] != b->fields[n]
		    || a->values[n] != b->values[n])
			return 1;

	if (memcmp(a->mask, b->mask, AUDIT_BITMASK_SIZE * sizeof(a->mask[0])))
		return 1;

	return 0;
}
 266
/* Note that audit_add_rule and audit_del_rule are called via
 * audit_receive() in audit.c, and are protected by
 * audit_netlink_sem.
 *
 * Rejects an exact duplicate with -EEXIST, a rule audit_copy_rule()
 * refuses with -EINVAL, allocation failure with -ENOMEM; otherwise the
 * kernel copy is published on list (head or tail depending on
 * AUDIT_FILTER_PREPEND) and 0 is returned.
 *
 * NOTE(review): the duplicate check compares the incoming flags as sent
 * against stored flags, from which AUDIT_FILTER_PREPEND has been
 * cleared, so a prepended copy of an already present rule is not
 * detected as a duplicate.
 */
static inline int audit_add_rule(struct audit_rule *rule,
				  struct list_head *list)
{
	struct audit_entry *cur;
	struct audit_entry *entry;

	/* Do not use the _rcu iterator here, since this is the only
	 * addition routine. */
	list_for_each_entry(cur, list, list)
		if (audit_compare_rule(rule, &cur->rule) == 0)
			return -EEXIST;

	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
	if (entry == NULL)
		return -ENOMEM;
	if (audit_copy_rule(&entry->rule, rule) != 0) {
		kfree(entry);
		return -EINVAL;
	}

	/* AUDIT_FILTER_PREPEND is consumed here: it only selects the list
	 * position, so the stored rule keeps just the list number. */
	if (!(entry->rule.flags & AUDIT_FILTER_PREPEND)) {
		list_add_tail_rcu(&entry->list, list);
	} else {
		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
		list_add_rcu(&entry->list, list);
	}

	return 0;
}
 299
/* RCU callback for an entry unlinked by audit_del_rule(): runs once
 * every reader that could still see the entry has left its read-side
 * section, so freeing it here is safe. */
static inline void audit_free_rule(struct rcu_head *head)
{
	kfree(container_of(head, struct audit_entry, rcu));
}
 305
/* Note that audit_add_rule and audit_del_rule are called via
 * audit_receive() in audit.c, and are protected by
 * audit_netlink_sem.
 *
 * Removes the first entry on list that audit_compare_rule() deems
 * identical to rule and returns 0; -ENOENT when nothing matches.  The
 * entry is unlinked immediately but freed via RCU (audit_free_rule).
 */
static inline int audit_del_rule(struct audit_rule *rule,
				 struct list_head *list)
{
	struct audit_entry *cur;

	/* Do not use the _rcu iterator here, since this is the only
	 * deletion routine. */
	list_for_each_entry(cur, list, list) {
		if (audit_compare_rule(rule, &cur->rule) != 0)
			continue;
		list_del_rcu(&cur->list);
		call_rcu(&cur->rcu, audit_free_rule);
		return 0;
	}
	return -ENOENT;		/* No matching rule */
}
 325
 326#ifdef CONFIG_NET
/* Queue one AUDIT_LIST reply per stored rule, over every filter list,
 * followed by a final payload-less reply on q.  Replies that
 * audit_make_reply() fails to build are silently skipped, so the
 * listing may be incomplete under memory pressure.  Caller must hold
 * audit_netlink_sem; the skbs are sent later by audit_send_list. */
static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
{
	struct audit_entry *entry;
	struct sk_buff *skb;
	int nr;

	/* The *_rcu iterators not needed here because we are
	   always called with audit_netlink_sem held. */
	for (nr = 0; nr < AUDIT_NR_FILTERS; nr++) {
		list_for_each_entry(entry, &audit_filter_list[nr], list) {
			skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
					       &entry->rule, sizeof(entry->rule));
			if (skb != NULL)
				skb_queue_tail(q, skb);
		}
	}

	/* Trailing reply without payload (presumably the "done" marker
	 * auditctl waits for). */
	skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
	if (skb != NULL)
		skb_queue_tail(q, skb);
}
 347
/* Handle a rule-management netlink request (AUDIT_LIST, AUDIT_ADD,
 * AUDIT_DEL).  data is interpreted as a struct audit_rule for ADD/DEL;
 * this function does not check the payload length or the sender's
 * authority, so the caller in audit.c is assumed to have done so --
 * confirm there.  uid is unused.  Successful ADD/DEL emit an
 * AUDIT_CONFIG_CHANGE record naming the requester's loginuid.
 * Returns 0 or a negative errno.
 */
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
							uid_t loginuid)
{
	struct audit_netlink_list *dest;
	struct task_struct *tsk;
	struct audit_rule *rule;
	unsigned listnr;
	int err = 0;

	switch (type) {
	case AUDIT_LIST:
		/* We can't just spew out the rules here because we might fill
		 * the available socket buffer space and deadlock waiting for
		 * auditctl to read from it... which isn't ever going to
		 * happen if we're actually running in the context of auditctl
		 * trying to _send_ the stuff */
		dest = kmalloc(sizeof(*dest), GFP_KERNEL);
		if (dest == NULL)
			return -ENOMEM;
		dest->pid = pid;
		skb_queue_head_init(&dest->q);
		audit_list_rules(pid, seq, &dest->q);

		tsk = kthread_run(audit_send_list, dest, "audit_send_list");
		if (IS_ERR(tsk)) {
			/* Thread never started, so dest is still ours. */
			skb_queue_purge(&dest->q);
			kfree(dest);
			err = PTR_ERR(tsk);
		}
		break;

	case AUDIT_ADD:
	case AUDIT_DEL:
		rule = data;
		/* The list number lives in flags; only the PREPEND bit is
		 * not part of it. */
		listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
		if (listnr >= AUDIT_NR_FILTERS)
			return -EINVAL;

		if (type == AUDIT_ADD) {
			err = audit_add_rule(rule, &audit_filter_list[listnr]);
			if (err == 0)
				audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
					  "auid=%u added an audit rule\n", loginuid);
		} else {
			err = audit_del_rule(rule, &audit_filter_list[listnr]);
			if (err == 0)
				audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
					  "auid=%u removed an audit rule\n", loginuid);
		}
		break;

	default:
		return -EINVAL;
	}

	return err;
}
 405#endif
 406
/* Test one per-name field (AUDIT_DEVMAJOR, AUDIT_DEVMINOR or
 * AUDIT_INODE) against every recorded name in ctx.  Returns 1 on the
 * first recorded name whose corresponding attribute equals value,
 * 0 when none does or the field is not one of the three. */
static int audit_names_match(struct audit_context *ctx, u32 field, u32 value)
{
	int j;

	for (j = 0; j < ctx->name_count; j++) {
		struct audit_names *nm = &ctx->names[j];
		u32 have;

		switch (field) {
		case AUDIT_DEVMAJOR:
			have = (u32)MAJOR(nm->dev);
			break;
		case AUDIT_DEVMINOR:
			have = (u32)MINOR(nm->dev);
			break;
		case AUDIT_INODE:
			have = (u32)nm->ino;
			break;
		default:
			return 0;
		}
		if (have == value)
			return 1;
	}
	return 0;
}

/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise.
 *
 * All fields of the rule must match (they are ANDed); AUDIT_NEGATE on
 * a field inverts that one test.  Fields that need the syscall context
 * never match while ctx is NULL (task-creation time), AUDIT_EXIT /
 * AUDIT_SUCCESS additionally need a valid return code, and a field this
 * kernel does not know never matches -- so an unrecognised rule fails
 * closed rather than firing.  On a match *state is set from the rule's
 * action; it is left untouched otherwise.
 */
static int audit_filter_rules(struct task_struct *tsk,
			      struct audit_rule *rule,
			      struct audit_context *ctx,
			      enum audit_state *state)
{
	int i;

	for (i = 0; i < rule->field_count; i++) {
		u32 field = rule->fields[i] & ~AUDIT_NEGATE;
		u32 value = rule->values[i];
		int matched = 0;

		switch (field) {
		case AUDIT_PID:
			matched = ((u32)tsk->pid == value);
			break;
		case AUDIT_UID:
			matched = ((u32)tsk->uid == value);
			break;
		case AUDIT_EUID:
			matched = ((u32)tsk->euid == value);
			break;
		case AUDIT_SUID:
			matched = ((u32)tsk->suid == value);
			break;
		case AUDIT_FSUID:
			matched = ((u32)tsk->fsuid == value);
			break;
		case AUDIT_GID:
			matched = ((u32)tsk->gid == value);
			break;
		case AUDIT_EGID:
			matched = ((u32)tsk->egid == value);
			break;
		case AUDIT_SGID:
			matched = ((u32)tsk->sgid == value);
			break;
		case AUDIT_FSGID:
			matched = ((u32)tsk->fsgid == value);
			break;
		case AUDIT_PERS:
			matched = ((u32)tsk->personality == value);
			break;
		case AUDIT_ARCH:
			if (ctx)
				matched = ((u32)ctx->arch == value);
			break;

		case AUDIT_EXIT:
			if (ctx && ctx->return_valid)
				matched = ((u32)ctx->return_code == value);
			break;
		case AUDIT_SUCCESS:
			if (ctx && ctx->return_valid) {
				/* value != 0 asks for success, 0 for failure */
				u32 want = value ? AUDITSC_SUCCESS : AUDITSC_FAILURE;
				matched = ((u32)ctx->return_valid == want);
			}
			break;
		case AUDIT_DEVMAJOR:
		case AUDIT_DEVMINOR:
		case AUDIT_INODE:
			if (ctx)
				matched = audit_names_match(ctx, field, value);
			break;
		case AUDIT_LOGINUID:
			if (ctx)
				matched = ((u32)ctx->loginuid == value);
			break;
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			/* field - AUDIT_ARG0 is 0..3, within argv[4] */
			if (ctx)
				matched = ((u32)ctx->argv[field - AUDIT_ARG0] == value);
			break;
		default:
			/* unknown field: never matches */
			break;
		}

		if (rule->fields[i] & AUDIT_NEGATE)
			matched = !matched;
		if (!matched)
			return 0;
	}

	switch (rule->action) {
	case AUDIT_NEVER:
		*state = AUDIT_DISABLED;
		break;
	case AUDIT_POSSIBLE:
		*state = AUDIT_BUILD_CONTEXT;
		break;
	case AUDIT_ALWAYS:
		*state = AUDIT_RECORD_CONTEXT;
		break;
	}
	return 1;
}
 525
/* At process creation time, we can determine if system-call auditing is
 * completely disabled for this task.  Since we only have the task
 * structure at this point, we can only check uid and gid.
 *
 * Walks the AUDIT_FILTER_TASK list under rcu_read_lock() with a NULL
 * context, so only task-level fields can match.  The first matching
 * rule's state wins; with no match the answer is AUDIT_BUILD_CONTEXT.
 */
static enum audit_state audit_filter_task(struct task_struct *tsk)
{
	struct audit_entry *e;
	enum audit_state   state;
	int hit = 0;

	rcu_read_lock();
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
		hit = audit_filter_rules(tsk, &e->rule, NULL, &state);
		if (hit)
			break;
	}
	rcu_read_unlock();

	return hit ? state : AUDIT_BUILD_CONTEXT;
}
 545
/* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
 * also not high enough that we already know we have to write an audit
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or  AUDIT_BUILD_CONTEXT).
 *
 * The audit daemon itself (tsk->tgid == audit_pid) is always
 * AUDIT_DISABLED, which keeps its own syscalls from feeding back into
 * the log.  Otherwise only rules whose syscall bitmap has the bit for
 * ctx->major set are evaluated; the first match decides, and no match
 * yields AUDIT_BUILD_CONTEXT.  ctx must be non-NULL when list is
 * non-empty.
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *e;
	enum audit_state state;
	int hit = 0;

	if (audit_pid && tsk->tgid == audit_pid)
		return AUDIT_DISABLED;

	rcu_read_lock();
	if (!list_empty(list)) {
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);

		list_for_each_entry_rcu(e, list, list) {
			if ((e->rule.mask[word] & bit) != bit)
				continue;
			if (audit_filter_rules(tsk, &e->rule, ctx, &state)) {
				hit = 1;
				break;
			}
		}
	}
	rcu_read_unlock();

	return hit ? state : AUDIT_BUILD_CONTEXT;
}
 577
/* Match a user-space audit message's sender credentials against one
 * rule.  Only AUDIT_PID, AUDIT_UID, AUDIT_GID and AUDIT_LOGINUID can be
 * tested here; any other field never matches, so such a rule fails
 * closed.  Fields are ANDed, AUDIT_NEGATE inverts one field.  Returns
 * 1 and sets *state from the rule's action on a match, 0 otherwise
 * (leaving *state untouched).
 */
static int audit_filter_user_rules(struct netlink_skb_parms *cb,
			      struct audit_rule *rule,
			      enum audit_state *state)
{
	int i;

	for (i = 0; i < rule->field_count; i++) {
		u32 field = rule->fields[i] & ~AUDIT_NEGATE;
		u32 value = rule->values[i];
		int matched;

		switch (field) {
		case AUDIT_PID:
			matched = (cb->creds.pid == value);
			break;
		case AUDIT_UID:
			matched = (cb->creds.uid == value);
			break;
		case AUDIT_GID:
			matched = (cb->creds.gid == value);
			break;
		case AUDIT_LOGINUID:
			matched = (cb->loginuid == value);
			break;
		default:
			matched = 0;
			break;
		}

		if (rule->fields[i] & AUDIT_NEGATE)
			matched = !matched;
		if (!matched)
			return 0;
	}

	switch (rule->action) {
	case AUDIT_NEVER:
		*state = AUDIT_DISABLED;
		break;
	case AUDIT_POSSIBLE:
		*state = AUDIT_BUILD_CONTEXT;
		break;
	case AUDIT_ALWAYS:
		*state = AUDIT_RECORD_CONTEXT;
		break;
	}
	return 1;
}
 616
/* Decide whether a user-space audit message should be logged.  Walks
 * the AUDIT_FILTER_USER list under rcu_read_lock(); the first matching
 * rule decides, and only an AUDIT_NEVER match (state AUDIT_DISABLED)
 * suppresses the message.  Returns 1 to log, 0 to drop.  type is
 * currently unused.
 */
int audit_filter_user(struct netlink_skb_parms *cb, int type)
{
	struct audit_entry *e;
	enum audit_state   state;
	int log_it = 1;	/* Audit by default */

	rcu_read_lock();
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
		if (!audit_filter_user_rules(cb, &e->rule, &state))
			continue;
		log_it = (state != AUDIT_DISABLED);
		break;
	}
	rcu_read_unlock();

	return log_it;
}
 635
/* This should be called with task_lock() held.
 *
 * Detaches the task's audit_context (tsk->audit_context becomes NULL)
 * and returns it, or NULL when the task has none.  Before handing it
 * back the syscall result is recorded, the exit-time filter list is
 * consulted if entry-time filtering did not already mark the record
 * auditable, and the task's credentials/personality are snapshotted
 * into the context.  Ownership of the context passes to the caller.
 */
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
						      int return_valid,
						      int return_code)
{
	struct audit_context *context = tsk->audit_context;
	enum audit_state exit_state;

	if (likely(context == NULL))
		return NULL;

	context->return_valid = return_valid;
	context->return_code  = return_code;

	/* Exit-list rules can see the return code, so give them a chance
	 * to upgrade an undecided record. */
	if (context->in_syscall && !context->auditable) {
		exit_state = audit_filter_syscall(tsk, context,
						  &audit_filter_list[AUDIT_FILTER_EXIT]);
		if (exit_state == AUDIT_RECORD_CONTEXT)
			context->auditable = 1;
	}

	/* Snapshot identity now; the record is written after the context
	 * has left the task. */
	context->pid	     = tsk->pid;
	context->uid	     = tsk->uid;
	context->euid	     = tsk->euid;
	context->suid	     = tsk->suid;
	context->fsuid	     = tsk->fsuid;
	context->gid	     = tsk->gid;
	context->egid	     = tsk->egid;
	context->sgid	     = tsk->sgid;
	context->fsgid	     = tsk->fsgid;
	context->personality = tsk->personality;

	tsk->audit_context = NULL;
	return context;
}
 668
/* Release what the context holds for its names[] table: every saved
 * getname() buffer (via __putname()) and the pwd dentry/vfsmount
 * references.  Leaves name_count at 0 and pwd/pwdmnt NULL.  At
 * AUDIT_DEBUG level 2 an inconsistent put/ino count is reported and
 * nothing is freed (a deliberate leak to keep the evidence). */
static inline void audit_free_names(struct audit_context *context)
{
	struct audit_names *nm;
	struct audit_names *end;

#if AUDIT_DEBUG == 2
	if (context->auditable
	    ||context->put_count + context->ino_count != context->name_count) {
		int i;

		printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d"
		       " name_count=%d put_count=%d"
		       " ino_count=%d [NOT freeing]\n",
		       __LINE__,
		       context->serial, context->major, context->in_syscall,
		       context->name_count, context->put_count,
		       context->ino_count);
		for (i = 0; i < context->name_count; i++)
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
			       context->names[i].name,
			       context->names[i].name);
		dump_stack();
		return;
	}
#endif
#if AUDIT_DEBUG
	context->put_count  = 0;
	context->ino_count  = 0;
#endif

	end = context->names + context->name_count;
	for (nm = context->names; nm < end; nm++)
		if (nm->name)
			__putname(nm->name);
	context->name_count = 0;

	if (context->pwd)
		dput(context->pwd);
	if (context->pwdmnt)
		mntput(context->pwdmnt);
	context->pwd = NULL;
	context->pwdmnt = NULL;
}
 707
/* Release the watch references and list nodes owned by one
 * AUDIT_FS_INODE record (the record itself is freed by the caller). */
static inline void audit_free_watched(struct audit_aux_data_watched *axw)
{
	struct audit_watch_info *winfo;
	struct hlist_node *pos, *tmp;

	hlist_for_each_entry_safe(winfo, pos, tmp, &axw->watches, node) {
		audit_watch_put(winfo->watch);
		hlist_del(&winfo->node);
		kfree(winfo);
	}
}

/* Free the whole aux chain of a context.  Records that own references
 * (AUDIT_AVC_PATH: dentry/mnt; AUDIT_FS_INODE: watches) drop them
 * first; every other type is just kfree()d.  Leaves context->aux NULL. */
static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *aux = context->aux;

	while (aux != NULL) {
		struct audit_aux_data *next = aux->next;

		if (aux->type == AUDIT_AVC_PATH) {
			struct audit_aux_data_path *axp = (void *)aux;

			dput(axp->dentry);
			mntput(axp->mnt);
		} else if (aux->type == AUDIT_FS_INODE) {
			audit_free_watched((void *)aux);
		}

		context->aux = next;
		kfree(aux);
		aux = next;
	}
}
 735
/* Reset a context to all-zero apart from state and loginuid: the
 * login uid is identity information that must survive re-use of the
 * context, so it is saved across the memset and restored. */
static inline void audit_zero_context(struct audit_context *context,
				      enum audit_state state)
{
	uid_t saved_loginuid = context->loginuid;

	memset(context, 0, sizeof(*context));
	context->loginuid = saved_loginuid;
	context->state	  = state;
}
 745
/* Allocate (GFP_KERNEL) and zero a context in the given state; NULL on
 * allocation failure.  The loginuid audit_zero_context() preserves is
 * whatever was in the fresh allocation, so callers must set it. */
static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *context = kmalloc(sizeof(*context), GFP_KERNEL);

	if (context != NULL)
		audit_zero_context(context, state);
	return context;
}
 755
/* Filter on the task information and allocate a per-task audit context
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
 * needed.
 *
 * Returns 0 when auditing is off, when the task filter says
 * AUDIT_DISABLED, or after a context has been attached and
 * TIF_SYSCALL_AUDIT set; -ENOMEM (also counted via audit_log_lost) when
 * the context cannot be allocated.  The new context inherits the
 * creating task's loginuid, or -1 when the creator has no context.
 */
int audit_alloc(struct task_struct *tsk)
{
	enum audit_state     state;
	struct audit_context *context;

	if (likely(!audit_enabled))
		return 0; /* Return if not auditing. */

	state = audit_filter_task(tsk);
	if (likely(state == AUDIT_DISABLED))
		return 0;

	context = audit_alloc_context(state);
	if (context == NULL) {
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}

				/* Preserve login uid */
	if (current->audit_context)
		context->loginuid = current->audit_context->loginuid;
	else
		context->loginuid = -1;

	tsk->audit_context = context;
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}
 786
/* Log that a context is being freed while it still has a previous
 * (nested) context, or while we are already past the first one.  The
 * per-context message is capped at ten; a summary follows afterwards. */
static inline void audit_warn_nested_free(struct audit_context *context,
					  int count)
{
	printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
	       " freeing multiple contexts (%d)\n",
	       context->serial, context->major,
	       context->name_count, count);
}

/* Free a context and every context chained behind it via previous,
 * releasing names, pwd and aux records for each.  context must be
 * non-NULL. */
static inline void audit_free_context(struct audit_context *context)
{
	struct audit_context *previous;
	int		     count = 0;

	do {
		previous = context->previous;
		if (previous || (count && count < 10)) {
			++count;
			audit_warn_nested_free(context, count);
		}
		audit_free_names(context);
		audit_free_aux(context);
		kfree(context);
		context = previous;
	} while (context);

	if (count >= 10)
		printk(KERN_ERR "audit: freed %d contexts\n", count);
}
 809
/* Append the task's comm= and (when it has an mm) exe= fields to @ab.
 * comm is logged via audit_log_untrustedstring because it is
 * user-controlled.  tsk == current. */
static void audit_log_task_info(struct audit_buffer *ab,
				struct task_struct *tsk)
{
	char comm[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
	struct vm_area_struct *vma;

	/* tsk == current */

	get_task_comm(comm, tsk);
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, comm);

	/* Kernel threads have no mm and therefore no exe= field. */
	if (!mm)
		return;

	down_read(&mm->mmap_sem);
	/* The first file-backed VMA flagged VM_EXECUTABLE names the
	 * executable; any later matches are ignored. */
	for (vma = mm->mmap; vma; vma = vma->vm_next) {
		if (!(vma->vm_flags & VM_EXECUTABLE) || !vma->vm_file)
			continue;
		audit_log_d_path(ab, "exe=", vma->vm_file->f_dentry,
				 vma->vm_file->f_vfsmnt);
		break;
	}
	up_read(&mm->mmap_sem);
}
 839
/*
 * to_send and len_sent accounting are very loose estimates.  We aren't
 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
 * within about 500 bytes (next page boundary)
 *
 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
 * logging that a[%d]= was going to be 16 characters long we would be wasting
 * space in every audit message.  In one 7500 byte message we can log up to
 * about 1000 min size arguments.  That comes down to about 50% waste of space
 * if we didn't do the snprintf to find out how long arg_num_len was.
 */
/* Log one execve argument, splitting it across as many AUDIT_EXECVE
 * records as needed to stay within MAX_EXECVE_AUDIT_LEN per record.
 *
 * @context:  audit context the records belong to.
 * @ab:       in/out.  When the current buffer is full it is ended and
 *            *ab is replaced by a fresh one; if that fails *ab is NULL.
 * @arg_num:  index of the argument, logged as "aN=" / "aN[i]=".
 * @len_sent: in/out running estimate of bytes already placed in *ab.
 * @p:        NUL-terminated argument string.
 *
 * Returns strlen(p), or 0 when a new buffer could not be started.
 * Note that an empty argument also returns 0; the caller cannot tell
 * the two cases apart from the return value alone (it can from *ab).
 */
static int audit_log_single_execve_arg(struct audit_context *context,
					struct audit_buffer **ab,
					int arg_num,
					size_t *len_sent,
					const char *p)
{
	char arg_num_len_buf[12];
	/* how many digits are in arg_num? 3 is the length of " a=" */
	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
	size_t len, len_left, to_send;
	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
	unsigned int i, has_cntl = 0, too_long = 0;

	/* strlen() excludes the terminating NUL, which is never sent */
	len_left = len = strlen(p);

	/* Arguments containing control characters are logged as hex so
	 * raw control bytes never reach the text of the record. */
	has_cntl = audit_string_contains_control(p, len);
	if (has_cntl)
		/*
		 * hex messages get logged as 2 bytes, so we can only
		 * send half as much in each message
		 */
		max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;

	/* too_long selects the "aN[i]=" chunked form and the aN_len= field */
	if (len > max_execve_audit_len)
		too_long = 1;

	/* walk the argument actually logging the message */
	for (i = 0; len_left > 0; i++) {
		/* signed on purpose: the size_t arithmetic below may wrap,
		 * and the wrapped value reads as negative here (see the
		 * "loose estimates" note above this function) */
		int room_left;

		if (len_left > max_execve_audit_len)
			to_send = max_execve_audit_len;
		else
			to_send = len_left;

		/* do we have space left to send this argument in this ab? */
		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
		if (has_cntl)
			room_left -= (to_send * 2);
		else
			room_left -= to_send;
		if (room_left < 0) {
			/* start a continuation record; the chunk is logged
			 * into it even if it is itself near the limit */
			*len_sent = 0;
			audit_log_end(*ab);
			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
			if (!*ab)
				return 0;
		}

		/*
		 * first record needs to say how long the original string was
		 * so we can be sure nothing was lost.
		 */
		if ((i == 0) && (too_long))
			audit_log_format(*ab, " a%d_len=%ld", arg_num,
					 has_cntl ? 2*len : len);

		/* actually log it */
		audit_log_format(*ab, " a%d", arg_num);
		if (too_long)
			audit_log_format(*ab, "[%d]", i);
		audit_log_format(*ab, "=");
		if (has_cntl)
			audit_log_hex(*ab, p, to_send);
		else
			audit_log_n_string(*ab, to_send, p);

		/* account for what was just emitted (hex costs 2 per byte) */
		p += to_send;
		len_left -= to_send;
		*len_sent += arg_num_len;
		if (has_cntl)
			*len_sent += to_send * 2;
		else
			*len_sent += to_send;
	}
	return len;
}
 929
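/* Log the argv of an execve as one or more AUDIT_EXECVE records.
 *
 * @context: audit context owning the records.
 * @ab:      in/out; the current audit buffer.  audit_log_single_execve_arg
 *           may end it and replace *ab with a fresh one, or set *ab to
 *           NULL when a new buffer cannot be started.
 * @axi:     the captured argument block; axi->mem holds the arguments as
 *           back-to-back NUL-terminated strings.
 *
 * The walk stops as soon as no buffer is available.  An empty argument
 * (length 0) does not stop it: it is skipped and the following arguments
 * are still logged, so a "" in the middle of argv cannot truncate the
 * record of what was executed.
 */
static void audit_log_execve_info(struct audit_context *context,
				  struct audit_buffer **ab,
				  struct audit_aux_data_execve *axi)
{
	int i;
	/* int, not size_t: the helper returns int, and a non-positive
	 * result must not be read back as a huge length. */
	int len;
	size_t len_sent = 0;
	const char *p = axi->mem;

	audit_log_format(*ab, "argc=%d", axi->argc);

	for (i = 0; i < axi->argc; i++) {
		len = audit_log_single_execve_arg(context, ab, i, &len_sent, p);
		/* The helper returns 0 both for an empty argument and when
		 * it failed to start a new buffer; only the latter leaves
		 * *ab NULL, so test *ab rather than the length alone. */
		if (len < 0 || !*ab)
			break;
		/* skip the NUL terminator to reach the next argument */
		p += len + 1;
	}
}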
 950
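/* Emit the records for a completed, auditable system call: the
 * AUDIT_SYSCALL header, one record per queued aux item, the AUDIT_CWD
 * record (when audit_getname captured a cwd) and one AUDIT_PATH record
 * per stored name.
 *
 * @context: the task's audit context.
 * @tsk:     the task being reported; tsk == current.
 *
 * audit_log_start() returning NULL means audit_panic() has already run.
 * For the header that aborts everything; for the other records the
 * affected one is skipped and the rest are still attempted.
 */
static void audit_log_exit(struct audit_context *context,
			   struct task_struct *tsk)
{
	int i;
	struct audit_buffer *ab;
	struct audit_aux_data *aux;
	struct audit_watch_info *winfo;
	struct hlist_node *pos;

	/* tsk == current */

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
	if (!ab)
		return;		/* audit_panic has been called */
	audit_log_format(ab, "arch=%x syscall=%d",
			 context->arch, context->major);
	if (context->personality != PER_LINUX)
		audit_log_format(ab, " per=%lx", context->personality);
	if (context->return_valid)
		audit_log_format(ab, " success=%s exit=%ld", 
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
				 context->return_code);
	audit_log_format(ab,
		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
		  " pid=%d auid=%u uid=%u gid=%u"
		  " euid=%u suid=%u fsuid=%u"
		  " egid=%u sgid=%u fsgid=%u",
		  context->argv[0],
		  context->argv[1],
		  context->argv[2],
		  context->argv[3],
		  context->name_count,
		  context->pid,
		  context->loginuid,
		  context->uid,
		  context->gid,
		  context->euid, context->suid, context->fsuid,
		  context->egid, context->sgid, context->fsgid);
	audit_log_task_info(ab, tsk);
	audit_log_end(ab);

	/* One record per aux item, typed by the item itself. */
	for (aux = context->aux; aux; aux = aux->next) {
		ab = audit_log_start(context, GFP_KERNEL, aux->type);
		if (!ab)
			continue; /* audit_panic has been called */

		switch (aux->type) {
		case AUDIT_IPC: {
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			audit_log_format(ab, 
					 " qbytes=%lx iuid=%u igid=%u mode=%x",
					 axi->qbytes, axi->uid, axi->gid, axi->mode);
			break; }

		case AUDIT_EXECVE: {
			struct audit_aux_data_execve *axi = (void *)aux;
			/* May end ab and replace it with a continuation
			 * buffer, or leave it NULL if that failed. */
			audit_log_execve_info(context, &ab, axi);
			break; }

		case AUDIT_SOCKETCALL: {
			int n;
			struct audit_aux_data_socketcall *axs = (void *)aux;
			audit_log_format(ab, "nargs=%d", axs->nargs);
			for (n=0; n<axs->nargs; n++)
				audit_log_format(ab, " a%d=%lx", n, axs->args[n]);
			break; }

		case AUDIT_SOCKADDR: {
			struct audit_aux_data_sockaddr *axs = (void *)aux;

			/* raw bytes from user space: always hex-encoded */
			audit_log_format(ab, "saddr=");
			audit_log_hex(ab, axs->a, axs->len);
			break; }

		case AUDIT_AVC_PATH: {
			struct audit_aux_data_path *axi = (void *)aux;
			audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
			break; }

		case AUDIT_FS_INODE: {
			struct audit_aux_data_watched *axi = (void *)aux;
			struct audit_buffer *sub_ab;
			audit_log_format(ab,
					 "inode=%lu inode_uid=%u inode_gid=%u"
					 " inode_dev=%02x:%02x inode_rdev=%02x:%02x",
					 axi->ino, axi->uid, axi->gid,
					 MAJOR(axi->dev), MINOR(axi->dev),
					 MAJOR(axi->rdev), MINOR(axi->rdev));
			/* one AUDIT_FS_WATCH record per watch that matched */
			hlist_for_each_entry(winfo, pos, &axi->watches, node) {
				sub_ab = audit_log_start(context, GFP_KERNEL, AUDIT_FS_WATCH);
				if (!sub_ab) {
					/* audit_panic has been called; give
					 * up on the remaining records, but
					 * close the inode record already
					 * started so its buffer is not
					 * leaked. */
					audit_log_end(ab);
					return;
				}
				audit_log_format(sub_ab, "watch_inode=%lu", axi->ino);
				audit_log_format(sub_ab, " watch=");
				audit_log_untrustedstring(sub_ab, winfo->watch->w_name);
				audit_log_format(sub_ab,
						 " filterkey=%s perm=%u perm_mask=%u",
						 winfo->watch->w_filterkey,
						 winfo->watch->w_perms, axi->mask);
				audit_log_end(sub_ab);
			}
			break; }

		default:
			break;
		}
		/* ab can be NULL here only after the AUDIT_EXECVE case
		 * failed to start a continuation buffer. */
		if (ab)
			audit_log_end(ab);
	}

	if (context->pwd && context->pwdmnt) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
		if (ab) {
			audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
			audit_log_end(ab);
		}
	}

	/* One AUDIT_PATH record per name captured by audit_getname /
	 * audit_inode.  name is user-controlled, hence untrustedstring;
	 * ino == -1 marks a name that never reached audit_inode. */
	for (i = 0; i < context->name_count; i++) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
		if (!ab)
			continue; /* audit_panic has been called */

		if (context->names[i].name) {
			audit_log_format(ab, "name=");
			audit_log_untrustedstring(ab, context->names[i].name);
		}
		audit_log_format(ab, " flags=%x", context->names[i].flags);

		if (context->names[i].ino != (unsigned long)-1)
			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
					     " ouid=%u ogid=%u rdev=%02x:%02x",
					 context->names[i].ino,
					 MAJOR(context->names[i].dev),
					 MINOR(context->names[i].dev),
					 context->names[i].mode,
					 context->names[i].uid,
					 context->names[i].gid,
					 MAJOR(context->names[i].rdev),
					 MINOR(context->names[i].rdev));
		audit_log_end(ab);
	}
}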
1089
1090/* Free a per-task audit context.  Called from copy_process and
1091 * do_exit. */
void audit_free(struct task_struct *tsk)
{
	struct audit_context *ctx = audit_get_context(tsk, 0, 0);

	if (likely(!ctx))
		return;

	/* A context still flagged in_syscall belongs to a system call that
	 * never reached audit_syscall_exit (e.g. exit_group); per the
	 * original author that only happens when called from do_exit().
	 * Write its record before the context is torn down. */
	if (ctx->in_syscall && ctx->auditable)
		audit_log_exit(ctx, tsk);

	audit_free_context(ctx);
}
1110
1111/* Fill in audit context at syscall entry.  This only happens if the
1112 * audit context was created when the task was created and the state or
1113 * filters demand the audit context be built.  If the state from the
1114 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1115 * then the record will be written at syscall exit time (otherwise, it
1116 * will only be written if another part of the kernel requests that it
1117 * be written). */
/* @tsk:   the entering task (must already own an audit context).
 * @arch:  architecture identifier recorded as arch= in the record.
 * @major: system call number.
 * @a1-@a4: the first four syscall arguments, recorded as a0..a3. */
void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
			 unsigned long a1, unsigned long a2,
			 unsigned long a3, unsigned long a4)
{
	struct audit_context *context = tsk->audit_context;
	enum audit_state     state;

	BUG_ON(!context);

	/* This happens only on certain architectures that make system
	 * calls in kernel_thread via the entry.S interface, instead of
	 * with direct calls.  (If you are porting to a new
	 * architecture, hitting this condition can indicate that you
	 * got the _exit/_leave calls backward in entry.S.)
	 *
	 * i386     no
	 * x86_64   no
	 * ppc64    yes (see arch/ppc64/kernel/misc.S)
	 *
	 * This also happens with vm86 emulation in a non-nested manner
	 * (entries without exits), so this case must be caught.
	 */
	if (context->in_syscall) {
		struct audit_context *newctx;

#if defined(__NR_vm86) && defined(__NR_vm86old)
		/* vm86 mode should only be entered once */
		if (major == __NR_vm86 || major == __NR_vm86old)
			return;
#endif
#if AUDIT_DEBUG
		printk(KERN_ERR
		       "audit(:%d) pid=%d in syscall=%d;"
		       " entering syscall=%d\n",
		       context->serial, tsk->pid, context->major, major);
#endif
		/* Push a fresh context in front of the busy one; the chain
		 * is unwound by audit_syscall_exit / audit_free_context. */
		newctx = audit_alloc_context(context->state);
		if (newctx) {
			newctx->previous   = context;
			context            = newctx;
			tsk->audit_context = newctx;
		} else  {
			/* If we can't alloc a new context, the best we
			 * can do is to leak memory (any pending putname
			 * will be lost).  The only other alternative is
			 * to abandon auditing. */
			audit_zero_context(context, context->state);
		}
	}
	BUG_ON(context->in_syscall || context->name_count);

	/* Checked only after the nesting fix-up above, so that the
	 * context invariants hold even while auditing is switched off. */
	if (!audit_enabled)
		return;

	context->arch       = arch;
	context->major      = major;
	context->argv[0]    = a1;
	context->argv[1]    = a2;
	context->argv[2]    = a3;
	context->argv[3]    = a4;

	/* The entry filter may refine the per-task state for this call. */
	state = context->state;
	if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
	if (likely(state == AUDIT_DISABLED))
		return;

	/* serial is assigned lazily by auditsc_get_stamp on first use. */
	context->serial     = 0;
	context->ctime      = CURRENT_TIME;
	context->in_syscall = 1;
	/* auditable forces the record at exit; otherwise it is only written
	 * if something else (e.g. an AVC message) stamps this context. */
	context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
}
1190
/* Tear down after system call.  If the audit context has been marked as
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
 * filtering, or because some other part of the kernel wrote an audit
 * message), then write out the syscall information.  In all cases,
 * free the names stored from getname(). */
void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
{
	struct audit_context *ctx;
	struct audit_context *outer;

	/* tsk == current */

	get_task_struct(tsk);
	task_lock(tsk);
	ctx = audit_get_context(tsk, valid, return_code);
	task_unlock(tsk);

	/* No context is legitimate here: the parent may already have
	 * called __put_task_struct. */
	if (likely(!ctx))
		goto out;

	if (ctx->in_syscall && ctx->auditable)
		audit_log_exit(ctx, tsk);

	ctx->in_syscall = 0;
	ctx->auditable  = 0;

	outer = ctx->previous;
	if (outer) {
		/* Nested entry (see audit_syscall_entry): discard this
		 * context and reinstate the one it displaced. */
		ctx->previous = NULL;
		audit_free_context(ctx);
		tsk->audit_context = outer;
	} else {
		/* Keep the context for the next call; release only the
		 * per-call names and aux data. */
		audit_free_names(ctx);
		audit_free_aux(ctx);
		tsk->audit_context = ctx;
	}
 out:
	put_task_struct(tsk);
}
1231
1232/* Add a name to the list.  Called from fs/namei.c:getname(). */
void audit_getname(const char *name)
{
	struct audit_context *ctx = current->audit_context;
	int n;

	BUG_ON(!ctx);
	/* Names are only tracked while a syscall is in progress. */
	if (!ctx->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
		       __FILE__, __LINE__, ctx->serial, name);
		dump_stack();
#endif
		return;
	}

	n = ctx->name_count;
	BUG_ON(n >= AUDIT_NAMES);
	/* ino = -1 marks "no inode yet"; audit_inode fills it in later. */
	ctx->names[n].name = name;
	ctx->names[n].ino  = (unsigned long)-1;
	ctx->name_count = n + 1;

	/* Capture the cwd once per syscall so the path can be resolved
	 * in the AUDIT_CWD record. */
	if (ctx->pwd)
		return;
	read_lock(&current->fs->lock);
	ctx->pwd    = dget(current->fs->pwd);
	ctx->pwdmnt = mntget(current->fs->pwdmnt);
	read_unlock(&current->fs->lock);
}
1258
1259/* Intercept a putname request.  Called from
1260 * include/linux/fs.h:putname().  If we have stored the name from
1261 * getname in the audit context, then we delay the putname until syscall
1262 * exit. */
void audit_putname(const char *name)
{
	struct audit_context *ctx = current->audit_context;

	BUG_ON(!ctx);
	if (ctx->in_syscall) {
		/* Inside a syscall the name stays referenced from the
		 * context until audit_free_names runs; do not free it. */
#if AUDIT_DEBUG
		++ctx->put_count;
		if (ctx->put_count > ctx->name_count) {
			printk(KERN_ERR "%s:%d(:%d): major=%d"
			       " in_syscall=%d putname(%p) name_count=%d"
			       " put_count=%d\n",
			       __FILE__, __LINE__,
			       ctx->serial, ctx->major,
			       ctx->in_syscall, name, ctx->name_count,
			       ctx->put_count);
			dump_stack();
		}
#endif
		return;
	}

	/* Outside a syscall the audit layer holds nothing; release now. */
#if AUDIT_DEBUG == 2
	printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
	       __FILE__, __LINE__, ctx->serial, name);
	if (ctx->name_count) {
		int i;
		for (i = 0; i < ctx->name_count; i++)
			printk(KERN_ERR "name[%d] = %p = %s\n", i,
			       ctx->names[i].name,
			       ctx->names[i].name);
	}
#endif
	__putname(name);
}
EXPORT_SYMBOL(audit_putname);
1299
1300/* Store the inode and device from a lookup.  Called from
1301 * fs/namei.c:path_lookup(). */
void audit_inode(const char *name, const struct inode *inode, unsigned flags)
{
	struct audit_context *ctx = current->audit_context;
	int n, idx = -1;

	if (!ctx->in_syscall)
		return;

	/* The lookup normally belongs to the most recent getname(), or
	 * the one before it; names are matched by pointer identity. */
	n = ctx->name_count;
	if (n > 0 && ctx->names[n - 1].name && ctx->names[n - 1].name == name)
		idx = n - 1;
	else if (n > 1 && ctx->names[n - 2].name
		 && ctx->names[n - 2].name == name)
		idx = n - 2;

	if (idx < 0) {
		/* FIXME: how much do we care about inodes that have no
		 * associated name? */
		if (n >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
			return;
		idx = n;
		ctx->name_count = n + 1;
		ctx->names[idx].name = NULL;
#if AUDIT_DEBUG
		++ctx->ino_count;
#endif
	}

	ctx->names[idx].flags = flags;
	ctx->names[idx].ino   = inode->i_ino;
	ctx->names[idx].dev   = inode->i_sb->s_dev;
	ctx->names[idx].mode  = inode->i_mode;
	ctx->names[idx].uid   = inode->i_uid;
	ctx->names[idx].gid   = inode->i_gid;
	ctx->names[idx].rdev  = inode->i_rdev;
}
1336
/* Hand out the timestamp and serial for a record tied to this syscall
 * context, and mark the context auditable so the syscall record itself
 * is written at exit. */
void auditsc_get_stamp(struct audit_context *ctx,
		       struct timespec *t, unsigned int *serial)
{
	/* Serials are assigned lazily: one is only consumed when a record
	 * is actually stamped from this context. */
	if (ctx->serial == 0)
		ctx->serial = audit_serial();

	t->tv_sec  = ctx->ctime.tv_sec;
	t->tv_nsec = ctx->ctime.tv_nsec;
	*serial    = ctx->serial;

	ctx->auditable = 1;
}
1347
/* Change a task's login uid, logging old and new values first.
 * Always returns 0; tasks without an audit context are left untouched. */
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
{
	struct audit_context *ctx = task->audit_context;
	struct audit_buffer *ab;

	if (!ctx)
		return 0;

	/* Record the change before applying it so the old value is kept. */
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
	if (ab) {
		audit_log_format(ab, "login pid=%d uid=%u "
			"old auid=%u new auid=%u",
			task->pid, task->uid, 
			ctx->loginuid, loginuid);
		audit_log_end(ab);
	}

	ctx->loginuid = loginuid;
	return 0;
}
1365
/* Return the login uid stored in @ctx, or -1 (unset) when there is no
 * context. */
uid_t audit_get_loginuid(struct audit_context *ctx)
{
	if (!ctx)
		return -1;
	return ctx->loginuid;
}
1370
/* Queue an AUDIT_IPC aux record describing an IPC permission change on
 * the current task's context.  Returns 0 (also when the task is not
 * audited) or -ENOMEM. */
int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_ipcctl *rec;

	if (likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_KERNEL);
	if (!rec)
		return -ENOMEM;

	rec->qbytes = qbytes;
	rec->uid    = uid;
	rec->gid    = gid;
	rec->mode   = mode;
	rec->d.type = AUDIT_IPC;

	/* Push onto the context's aux list; audit_log_exit walks it. */
	rec->d.next = ctx->aux;
	ctx->aux    = (void *)rec;
	return 0;
}
1393
/* Capture the argument area of an execve into an AUDIT_EXECVE aux record
 * on the current task's context, for logging at syscall exit.
 *
 * @bprm: the binprm being executed; bprm->p is the current offset into
 *        the argument pages and bprm->page[] the pages themselves.
 *
 * Everything from bprm->p to the end of the argument pages is copied
 * (the record stores both argc and envc, so the block presumably holds
 * argv followed by envp -- confirm against the caller).
 *
 * Returns 0 (also when auditing is off or the task has no context), or
 * -ENOMEM.
 *
 * NOTE(review): the allocation is the whole remaining argument area plus
 * the header in a single kmalloc; for a large argv this can approach
 * PAGE_SIZE * MAX_ARG_PAGES, which may exceed what kmalloc can satisfy
 * on this kernel -- worth confirming the maximum size it is expected to
 * handle.
 */
int audit_bprm(struct linux_binprm *bprm)
{
	struct audit_aux_data_execve *ax;
	struct audit_context *context = current->audit_context;
	unsigned long p, next;
	void *to;

	if (likely(!audit_enabled || !context))
		return 0;

	/* header plus every byte from bprm->p to the end of the arg pages */
	ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
				GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->argc = bprm->argc;
	ax->envc = bprm->envc;
	/* Copy page by page: the first chunk starts mid-page at bprm->p,
	 * each following one at a page boundary. */
	for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
		struct page *page = bprm->page[p / PAGE_SIZE];
		void *kaddr = kmap(page);
		next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
		memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
		to += next - p;
		kunmap(page);
	}

	ax->d.type = AUDIT_EXECVE;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}
1425
/* Queue an AUDIT_SOCKETCALL aux record holding the @nargs socketcall
 * arguments in @args.  @nargs is used unchecked for the allocation and
 * the copy, so the caller must supply the validated count for the call.
 * Returns 0 (also for unaudited tasks) or -ENOMEM. */
int audit_socketcall(int nargs, unsigned long *args)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_socketcall *rec;
	size_t argbytes;

	if (likely(!ctx))
		return 0;

	argbytes = nargs * sizeof(unsigned long);
	rec = kmalloc(sizeof(*rec) + argbytes, GFP_KERNEL);
	if (!rec)
		return -ENOMEM;

	rec->nargs = nargs;
	memcpy(rec->args, args, argbytes);
	rec->d.type = AUDIT_SOCKETCALL;

	/* Push onto the context's aux list; audit_log_exit walks it. */
	rec->d.next = ctx->aux;
	ctx->aux    = (void *)rec;
	return 0;
}
1446
/* Queue an AUDIT_SOCKADDR aux record holding a copy of the @len bytes at
 * @a.  @len is used unchecked for both the allocation and the copy, so
 * the caller must pass a validated, non-negative length.
 * Returns 0 (also for unaudited tasks) or -ENOMEM. */
int audit_sockaddr(int len, void *a)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_sockaddr *rec;

	if (likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec) + len, GFP_KERNEL);
	if (!rec)
		return -ENOMEM;

	rec->len = len;
	memcpy(rec->a, a, len);
	rec->d.type = AUDIT_SOCKADDR;

	/* Push onto the context's aux list; audit_log_exit walks it. */
	rec->d.next = ctx->aux;
	ctx->aux    = (void *)rec;
	return 0;
}
1467
/* Queue an AUDIT_AVC_PATH aux record pinning @dentry/@mnt (references
 * taken here, dropped when the aux list is freed).  GFP_ATOMIC because
 * this may be called from the AVC code path.
 * Returns 0 (also for unaudited tasks) or -ENOMEM. */
int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_aux_data_path *rec;

	if (likely(!ctx))
		return 0;

	rec = kmalloc(sizeof(*rec), GFP_ATOMIC);
	if (!rec)
		return -ENOMEM;

	rec->dentry = dget(dentry);
	rec->mnt    = mntget(mnt);
	rec->d.type = AUDIT_AVC_PATH;

	/* Push onto the context's aux list; audit_log_exit walks it. */
	rec->d.next = ctx->aux;
	ctx->aux    = (void *)rec;
	return 0;
}
1488
/* Remember who sent a terminating signal (SIGTERM/SIGHUP) to the audit
 * daemon, so the event can be attributed: the sender's pid and its login
 * uid (falling back to its uid when it has no audit context). */
void audit_signal_info(int sig, struct task_struct *t)
{
	extern pid_t audit_sig_pid;
	extern uid_t audit_sig_uid;
	struct audit_context *ctx;

	/* Only signals aimed at the audit daemon are of interest. */
	if (!audit_pid || t->tgid != audit_pid)
		return;
	if (sig != SIGTERM && sig != SIGHUP)
		return;

	ctx = current->audit_context;
	audit_sig_pid = current->pid;
	if (ctx)
		audit_sig_uid = ctx->loginuid;
	else
		audit_sig_uid = current->uid;
}
1505
1506#ifdef CONFIG_AUDITFILESYSTEM
1507extern spinlock_t auditfs_lock;
1508
1509/* This has to be here instead of in auditfs.c, because it needs to
1510   see the audit context */
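/* Attach an AUDIT_FS_INODE aux record for @inode to the current task's
 * context, listing every watch on @watches whose permission set allows
 * @mask (a zero @mask matches all watches).
 *
 * The walk over @watches holds auditfs_lock, but must drop it to
 * allocate each audit_watch_info.  A reference on the current watch is
 * held across that window; if the watch was unhashed meanwhile, the list
 * is rescanned from the head for the first watch not yet recorded and the
 * walk resumes there.
 *
 * Nothing is attached (and nothing leaks) when no watch matches.  On
 * allocation failure the partial record is discarded and audit_panic()
 * is called.
 */
void auditfs_attach_wdata(struct inode *inode, struct hlist_head *watches,
			 int mask)
{
	struct audit_context *context = current->audit_context;
	struct audit_aux_data_watched *ax;
	struct audit_watch *watch;
	struct audit_watch_info *this, *winfo;
	struct hlist_node *pos, *tmp;

	if (!context)
		return;

	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
	if (!ax)
		return;

	INIT_HLIST_HEAD(&ax->watches);

	spin_lock(&auditfs_lock);
	hlist_for_each_entry(watch, pos, watches, w_watched) {
	restart:
		/* Reference held across the unlocked allocation below;
		 * every exit from this iteration must drop it. */
		audit_watch_get(watch);
		if (mask && (watch->w_perms && !(watch->w_perms&mask))) {
			audit_watch_put(watch);
			continue;
		}
		spin_unlock(&auditfs_lock);
		winfo = kmalloc(sizeof(struct audit_watch_info), GFP_KERNEL);
		if (!winfo) {
			audit_watch_put(watch);
			goto auditfs_attach_wdata_fail;
		}
		/* this second reference is owned by winfo */
		winfo->watch = audit_watch_get(watch);
		hlist_add_head(&winfo->node, &ax->watches);
		spin_lock(&auditfs_lock);
		if (hlist_unhashed(&watch->w_watched)) {
			int seen;

			audit_watch_put(watch);
			/* Someone took it off the list while we didn't have
			 * it locked.  Rescan from the head for the first watch
			 * not already on ax->watches and resume there; the
			 * rescan reuses 'pos', so the outer loop carries on
			 * from that point. */
			hlist_for_each_entry(watch, pos, watches, w_watched) {
				seen = 0;
				hlist_for_each_entry(winfo, tmp, &ax->watches, node) {
					if (winfo->watch == watch) {
						seen = 1;
						break;
					}
				}
				if (!seen)
					goto restart;
			}
			/* Every watch that still exists has been covered. */
			break;
		}
		audit_watch_put(watch);
	}
	spin_unlock(&auditfs_lock);

	if (hlist_empty(&ax->watches))
		goto no_watches;

	/* A matching watch makes the syscall auditable unless the watch
	 * filter list explicitly disables it. */
	if (context->in_syscall && !context->auditable &&
		 AUDIT_DISABLED != audit_filter_syscall(current, context,
							&audit_filter_list[AUDIT_FILTER_WATCH]))
		context->auditable = 1;

	ax->mask = mask;
	ax->ino = inode->i_ino;
	ax->uid = inode->i_uid;
	ax->gid = inode->i_gid;
	ax->dev = inode->i_sb->s_dev;
	ax->rdev = inode->i_rdev;

	ax->link.type = AUDIT_FS_INODE;
	ax->link.next = context->aux;
	context->aux = (void *)ax;
	return;

auditfs_attach_wdata_fail:
	/* drop the per-watch references taken above, then the record */
	hlist_for_each_entry_safe(this, pos, tmp, &ax->watches, node) {
		hlist_del(&this->node);
		audit_watch_put(this->watch);
		kfree(this);
	}
	audit_panic("failed to allocate memory for fs watch record");
 no_watches:
	kfree(ax);
}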
1595
1596#endif /* CONFIG_AUDITFILESYSTEM */
1597