Commit 120a795d authored by Al Viro's avatar Al Viro

audit mmap

Normal syscall audit doesn't catch 5th argument of syscall.  It also
doesn't catch the contents of userland structures pointed to be
syscall argument, so for both old and new mmap(2) ABI it doesn't
record the descriptor we are mapping.  For old one it also misses
flags.
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent af295132
...@@ -102,6 +102,7 @@ ...@@ -102,6 +102,7 @@
#define AUDIT_EOE 1320 /* End of multi-record event */ #define AUDIT_EOE 1320 /* End of multi-record event */
#define AUDIT_BPRM_FCAPS 1321 /* Information about fcaps increasing perms */ #define AUDIT_BPRM_FCAPS 1321 /* Information about fcaps increasing perms */
#define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */ #define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */
#define AUDIT_MMAP 1323 /* Record showing descriptor and flags in mmap */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
...@@ -478,6 +479,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, ...@@ -478,6 +479,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *new, const struct cred *new,
const struct cred *old); const struct cred *old);
extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{ {
...@@ -531,6 +533,12 @@ static inline void audit_log_capset(pid_t pid, const struct cred *new, ...@@ -531,6 +533,12 @@ static inline void audit_log_capset(pid_t pid, const struct cred *new,
__audit_log_capset(pid, new, old); __audit_log_capset(pid, new, old);
} }
static inline void audit_mmap_fd(int fd, int flags)
{
if (unlikely(!audit_dummy_context()))
__audit_mmap_fd(fd, flags);
}
extern int audit_n_rules; extern int audit_n_rules;
extern int audit_signals; extern int audit_signals;
#else #else
...@@ -564,6 +572,7 @@ extern int audit_signals; ...@@ -564,6 +572,7 @@ extern int audit_signals;
#define audit_mq_getsetattr(d,s) ((void)0) #define audit_mq_getsetattr(d,s) ((void)0)
#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; }) #define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })
#define audit_log_capset(pid, ncr, ocr) ((void)0) #define audit_log_capset(pid, ncr, ocr) ((void)0)
#define audit_mmap_fd(fd, flags) ((void)0)
#define audit_ptrace(t) ((void)0) #define audit_ptrace(t) ((void)0)
#define audit_n_rules 0 #define audit_n_rules 0
#define audit_signals 0 #define audit_signals 0
......
...@@ -241,6 +241,10 @@ struct audit_context { ...@@ -241,6 +241,10 @@ struct audit_context {
pid_t pid; pid_t pid;
struct audit_cap_data cap; struct audit_cap_data cap;
} capset; } capset;
struct {
int fd;
int flags;
} mmap;
}; };
int fds[2]; int fds[2];
...@@ -1305,6 +1309,10 @@ static void show_special(struct audit_context *context, int *call_panic) ...@@ -1305,6 +1309,10 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted); audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
audit_log_cap(ab, "cap_pe", &context->capset.cap.effective); audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
break; } break; }
case AUDIT_MMAP: {
audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
context->mmap.flags);
break; }
} }
audit_log_end(ab); audit_log_end(ab);
} }
...@@ -2476,6 +2484,14 @@ void __audit_log_capset(pid_t pid, ...@@ -2476,6 +2484,14 @@ void __audit_log_capset(pid_t pid,
context->type = AUDIT_CAPSET; context->type = AUDIT_CAPSET;
} }
void __audit_mmap_fd(int fd, int flags)
{
struct audit_context *context = current->audit_context;
context->mmap.fd = fd;
context->mmap.flags = flags;
context->type = AUDIT_MMAP;
}
/** /**
* audit_core_dumps - record information about processes that end abnormally * audit_core_dumps - record information about processes that end abnormally
* @signr: signal value * @signr: signal value
......
...@@ -28,6 +28,7 @@ ...@@ -28,6 +28,7 @@
#include <linux/rmap.h> #include <linux/rmap.h>
#include <linux/mmu_notifier.h> #include <linux/mmu_notifier.h>
#include <linux/perf_event.h> #include <linux/perf_event.h>
#include <linux/audit.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/cacheflush.h> #include <asm/cacheflush.h>
...@@ -1108,6 +1109,7 @@ SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len, ...@@ -1108,6 +1109,7 @@ SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
unsigned long retval = -EBADF; unsigned long retval = -EBADF;
if (!(flags & MAP_ANONYMOUS)) { if (!(flags & MAP_ANONYMOUS)) {
audit_mmap_fd(fd, flags);
if (unlikely(flags & MAP_HUGETLB)) if (unlikely(flags & MAP_HUGETLB))
return -EINVAL; return -EINVAL;
file = fget(fd); file = fget(fd);
......
...@@ -29,6 +29,7 @@ ...@@ -29,6 +29,7 @@
#include <linux/personality.h> #include <linux/personality.h>
#include <linux/security.h> #include <linux/security.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/audit.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/tlb.h> #include <asm/tlb.h>
...@@ -1458,6 +1459,7 @@ SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len, ...@@ -1458,6 +1459,7 @@ SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
struct file *file = NULL; struct file *file = NULL;
unsigned long retval = -EBADF; unsigned long retval = -EBADF;
audit_mmap_fd(fd, flags);
if (!(flags & MAP_ANONYMOUS)) { if (!(flags & MAP_ANONYMOUS)) {
file = fget(fd); file = fget(fd);
if (!file) if (!file)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment