Commit dcdaa2f9 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'stable-4.10' of git://git.infradead.org/users/pcmoore/audit

Pull audit updates from Paul Moore:
 "After the small number of patches for v4.9, we've got a much bigger
  pile for v4.10.

  The bulk of these patches involve a rework of the audit backlog queue
  to enable us to move the netlink multicasting out of the task/thread
  that generates the audit record and into the kernel thread that emits
  the record (just like we do for the audit unicast to auditd).

  While we were playing with the backlog queue(s) we fixed a number of
  other little problems with the code, and from all the testing so far
  things look to be in much better shape now. Doing this also allowed us
  to re-enable disabling IRQs for some netns operations ("netns: avoid
  disabling irq for netns id").

  The remaining patches fix some small problems that are well documented
  in the commit descriptions, as well as adding session ID filtering
  support"

* 'stable-4.10' of git://git.infradead.org/users/pcmoore/audit:
  audit: use proper refcount locking on audit_sock
  netns: avoid disabling irq for netns id
  audit: don't ever sleep on a command record/message
  audit: handle a clean auditd shutdown with grace
  audit: wake up kauditd_thread after auditd registers
  audit: rework audit_log_start()
  audit: rework the audit queue handling
  audit: rename the queues and kauditd related functions
  audit: queue netlink multicast sends just like we do for unicast sends
  audit: fixup audit_init()
  audit: move kaudit thread start from auditd registration to kaudit init (#2)
  audit: add support for session ID user filter
  audit: fix formatting of AUDIT_CONFIG_CHANGE events
  audit: skip sessionid sentinel value when auto-incrementing
  audit: tame initialization warning len_abuf in audit_log_execve_info
  audit: less stack usage for /proc/*/loginuid
parents 683b96f4 533c7b69
...@@ -1246,7 +1246,7 @@ static const struct file_operations proc_oom_score_adj_operations = { ...@@ -1246,7 +1246,7 @@ static const struct file_operations proc_oom_score_adj_operations = {
}; };
#ifdef CONFIG_AUDITSYSCALL #ifdef CONFIG_AUDITSYSCALL
#define TMPBUFLEN 21 #define TMPBUFLEN 11
static ssize_t proc_loginuid_read(struct file * file, char __user * buf, static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
......
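Review bot: `TMPBUFLEN 11` leaves no slack, because it is exactly the ten decimal digits of a 32-bit unsigned value plus the terminating NUL. It is therefore safe only while every user of the buffer formats a 32-bit quantity with `%u` through a length-bounded call. The define carries no comment stating this, so I would add `/* 10 decimal digits of a u32 + NUL */` next to it. The body of proc_loginuid_read and any other user of TMPBUFLEN lie outside this hunk, so the formatting calls need to be checked there.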
...@@ -254,6 +254,7 @@ ...@@ -254,6 +254,7 @@
#define AUDIT_OBJ_LEV_LOW 22 #define AUDIT_OBJ_LEV_LOW 22
#define AUDIT_OBJ_LEV_HIGH 23 #define AUDIT_OBJ_LEV_HIGH 23
#define AUDIT_LOGINUID_SET 24 #define AUDIT_LOGINUID_SET 24
#define AUDIT_SESSIONID 25 /* Session ID */
/* These are ONLY useful when checking /* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */ * at syscall exit time (AUDIT_AT_EXIT). */
...@@ -330,10 +331,12 @@ enum { ...@@ -330,10 +331,12 @@ enum {
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
/* deprecated: AUDIT_VERSION_* */ /* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
......
This diff is collapsed.
...@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c ...@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_format(ab, "auid=%u ses=%u op=", audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)), from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current)); audit_get_sessionid(current), op);
audit_log_string(ab, op);
audit_log_format(ab, " path="); audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, audit_mark->path); audit_log_untrustedstring(ab, audit_mark->path);
audit_log_key(ab, rule->filterkey); audit_log_key(ab, rule->filterkey);
......
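Review bot: `op` is now written with a plain `%s` in audit_mark_log_rule_change, so it reaches the AUDIT_CONFIG_CHANGE record unquoted and unescaped, unlike `audit_mark->path` two lines later, which still goes through audit_log_untrustedstring(). That is fine only while every caller passes a fixed kernel token without spaces or quotes; anything else could introduce extra key=value fields into the record and mislead log consumers. A comment above the call such as `/* op must be a kernel-defined token: it is logged unescaped */` would pin the contract. The same applies to the `op=%s` lines in audit_watch_log_rule_change and audit_log_rule_change. The callers and the start of the function are outside the hunk.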
...@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) ...@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_format(ab, "op="); audit_log_format(ab, "op=remove_rule");
audit_log_string(ab, "remove_rule");
audit_log_format(ab, " dir="); audit_log_format(ab, " dir=");
audit_log_untrustedstring(ab, rule->tree->pathname); audit_log_untrustedstring(ab, rule->tree->pathname);
audit_log_key(ab, rule->filterkey); audit_log_key(ab, rule->filterkey);
......
...@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc ...@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_format(ab, "auid=%u ses=%u op=", audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)), from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current)); audit_get_sessionid(current), op);
audit_log_string(ab, op);
audit_log_format(ab, " path="); audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path); audit_log_untrustedstring(ab, w->path);
audit_log_key(ab, r->filterkey); audit_log_key(ab, r->filterkey);
......
...@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) ...@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
case AUDIT_EXIT: case AUDIT_EXIT:
case AUDIT_SUCCESS: case AUDIT_SUCCESS:
case AUDIT_INODE: case AUDIT_INODE:
case AUDIT_SESSIONID:
/* bit ops are only useful on syscall args */ /* bit ops are only useful on syscall args */
if (f->op == Audit_bitmask || f->op == Audit_bittest) if (f->op == Audit_bitmask || f->op == Audit_bittest)
return -EINVAL; return -EINVAL;
...@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, ...@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (!gid_valid(f->gid)) if (!gid_valid(f->gid))
goto exit_free; goto exit_free;
break; break;
case AUDIT_SESSIONID:
case AUDIT_ARCH: case AUDIT_ARCH:
entry->rule.arch_f = f; entry->rule.arch_f = f;
break; break;
...@@ -1074,8 +1076,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re ...@@ -1074,8 +1076,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
return; return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
audit_log_task_context(ab); audit_log_task_context(ab);
audit_log_format(ab, " op="); audit_log_format(ab, " op=%s", action);
audit_log_string(ab, action);
audit_log_key(ab, rule->filterkey); audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=%d", rule->listnr, res); audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
audit_log_end(ab); audit_log_end(ab);
......
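Review bot: In audit_data_to_entry the new `case AUDIT_SESSIONID:` label sits directly above `case AUDIT_ARCH:` and shares its body, so a session-ID field is stored in `entry->rule.arch_f`. Nothing visible here suggests a session-ID field should be recorded as the rule's arch field, and code that reads `arch_f` (not shown on this page) would presumably treat its value as an architecture. If the field needs no per-type setup, give the label its own `break;` ahead of `case AUDIT_ARCH:`. The switch starts and ends outside the hunk.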
...@@ -446,6 +446,7 @@ static int audit_filter_rules(struct task_struct *tsk, ...@@ -446,6 +446,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred; const struct cred *cred;
int i, need_sid = 1; int i, need_sid = 1;
u32 sid; u32 sid;
unsigned int sessionid;
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
...@@ -508,6 +509,10 @@ static int audit_filter_rules(struct task_struct *tsk, ...@@ -508,6 +509,10 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FSGID: case AUDIT_FSGID:
result = audit_gid_comparator(cred->fsgid, f->op, f->gid); result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
break; break;
case AUDIT_SESSIONID:
sessionid = audit_get_sessionid(current);
result = audit_comparator(sessionid, f->op, f->val);
break;
case AUDIT_PERS: case AUDIT_PERS:
result = audit_comparator(tsk->personality, f->op, f->val); result = audit_comparator(tsk->personality, f->op, f->val);
break; break;
...@@ -1000,7 +1005,7 @@ static void audit_log_execve_info(struct audit_context *context, ...@@ -1000,7 +1005,7 @@ static void audit_log_execve_info(struct audit_context *context,
long len_rem; long len_rem;
long len_full; long len_full;
long len_buf; long len_buf;
long len_abuf; long len_abuf = 0;
long len_tmp; long len_tmp;
bool require_data; bool require_data;
bool encode; bool encode;
...@@ -2025,8 +2030,11 @@ int audit_set_loginuid(kuid_t loginuid) ...@@ -2025,8 +2030,11 @@ int audit_set_loginuid(kuid_t loginuid)
goto out; goto out;
/* are we setting or clearing? */ /* are we setting or clearing? */
if (uid_valid(loginuid)) if (uid_valid(loginuid)) {
sessionid = (unsigned int)atomic_inc_return(&session_id); sessionid = (unsigned int)atomic_inc_return(&session_id);
if (unlikely(sessionid == (unsigned int)-1))
sessionid = (unsigned int)atomic_inc_return(&session_id);
}
task->sessionid = sessionid; task->sessionid = sessionid;
task->loginuid = loginuid; task->loginuid = loginuid;
......
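Review bot: The new AUDIT_SESSIONID case in audit_filter_rules reads `audit_get_sessionid(current)`, while the neighbouring cases evaluate the `tsk` argument (`tsk->personality`, and `cred` taken from `tsk->cred`). The `tsk == current || task_creation` condition in the same function indicates that tsk is not always current, so the rule may be matched against the caller's session rather than that of the task being filtered. I would write `sessionid = audit_get_sessionid(tsk);` unless using current is deliberate, in which case a comment should say why. The function body extends beyond the hunks shown.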
...@@ -218,16 +218,15 @@ static void rtnl_net_notifyid(struct net *net, int cmd, int id); ...@@ -218,16 +218,15 @@ static void rtnl_net_notifyid(struct net *net, int cmd, int id);
*/ */
int peernet2id_alloc(struct net *net, struct net *peer) int peernet2id_alloc(struct net *net, struct net *peer)
{ {
unsigned long flags;
bool alloc; bool alloc;
int id; int id;
if (atomic_read(&net->count) == 0) if (atomic_read(&net->count) == 0)
return NETNSA_NSID_NOT_ASSIGNED; return NETNSA_NSID_NOT_ASSIGNED;
spin_lock_irqsave(&net->nsid_lock, flags); spin_lock_bh(&net->nsid_lock);
alloc = atomic_read(&peer->count) == 0 ? false : true; alloc = atomic_read(&peer->count) == 0 ? false : true;
id = __peernet2id_alloc(net, peer, &alloc); id = __peernet2id_alloc(net, peer, &alloc);
spin_unlock_irqrestore(&net->nsid_lock, flags); spin_unlock_bh(&net->nsid_lock);
if (alloc && id >= 0) if (alloc && id >= 0)
rtnl_net_notifyid(net, RTM_NEWNSID, id); rtnl_net_notifyid(net, RTM_NEWNSID, id);
return id; return id;
...@@ -236,12 +235,11 @@ int peernet2id_alloc(struct net *net, struct net *peer) ...@@ -236,12 +235,11 @@ int peernet2id_alloc(struct net *net, struct net *peer)
/* This function returns, if assigned, the id of a peer netns. */ /* This function returns, if assigned, the id of a peer netns. */
int peernet2id(struct net *net, struct net *peer) int peernet2id(struct net *net, struct net *peer)
{ {
unsigned long flags;
int id; int id;
spin_lock_irqsave(&net->nsid_lock, flags); spin_lock_bh(&net->nsid_lock);
id = __peernet2id(net, peer); id = __peernet2id(net, peer);
spin_unlock_irqrestore(&net->nsid_lock, flags); spin_unlock_bh(&net->nsid_lock);
return id; return id;
} }
EXPORT_SYMBOL(peernet2id); EXPORT_SYMBOL(peernet2id);
...@@ -256,18 +254,17 @@ bool peernet_has_id(struct net *net, struct net *peer) ...@@ -256,18 +254,17 @@ bool peernet_has_id(struct net *net, struct net *peer)
struct net *get_net_ns_by_id(struct net *net, int id) struct net *get_net_ns_by_id(struct net *net, int id)
{ {
unsigned long flags;
struct net *peer; struct net *peer;
if (id < 0) if (id < 0)
return NULL; return NULL;
rcu_read_lock(); rcu_read_lock();
spin_lock_irqsave(&net->nsid_lock, flags); spin_lock_bh(&net->nsid_lock);
peer = idr_find(&net->netns_ids, id); peer = idr_find(&net->netns_ids, id);
if (peer) if (peer)
get_net(peer); get_net(peer);
spin_unlock_irqrestore(&net->nsid_lock, flags); spin_unlock_bh(&net->nsid_lock);
rcu_read_unlock(); rcu_read_unlock();
return peer; return peer;
...@@ -437,17 +434,17 @@ static void cleanup_net(struct work_struct *work) ...@@ -437,17 +434,17 @@ static void cleanup_net(struct work_struct *work)
for_each_net(tmp) { for_each_net(tmp) {
int id; int id;
spin_lock_irq(&tmp->nsid_lock); spin_lock_bh(&tmp->nsid_lock);
id = __peernet2id(tmp, net); id = __peernet2id(tmp, net);
if (id >= 0) if (id >= 0)
idr_remove(&tmp->netns_ids, id); idr_remove(&tmp->netns_ids, id);
spin_unlock_irq(&tmp->nsid_lock); spin_unlock_bh(&tmp->nsid_lock);
if (id >= 0) if (id >= 0)
rtnl_net_notifyid(tmp, RTM_DELNSID, id); rtnl_net_notifyid(tmp, RTM_DELNSID, id);
} }
spin_lock_irq(&net->nsid_lock); spin_lock_bh(&net->nsid_lock);
idr_destroy(&net->netns_ids); idr_destroy(&net->netns_ids);
spin_unlock_irq(&net->nsid_lock); spin_unlock_bh(&net->nsid_lock);
} }
rtnl_unlock(); rtnl_unlock();
...@@ -576,7 +573,6 @@ static int rtnl_net_newid(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -576,7 +573,6 @@ static int rtnl_net_newid(struct sk_buff *skb, struct nlmsghdr *nlh)
{ {
struct net *net = sock_net(skb->sk); struct net *net = sock_net(skb->sk);
struct nlattr *tb[NETNSA_MAX + 1]; struct nlattr *tb[NETNSA_MAX + 1];
unsigned long flags;
struct net *peer; struct net *peer;
int nsid, err; int nsid, err;
...@@ -597,15 +593,15 @@ static int rtnl_net_newid(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -597,15 +593,15 @@ static int rtnl_net_newid(struct sk_buff *skb, struct nlmsghdr *nlh)
if (IS_ERR(peer)) if (IS_ERR(peer))
return PTR_ERR(peer); return PTR_ERR(peer);
spin_lock_irqsave(&net->nsid_lock, flags); spin_lock_bh(&net->nsid_lock);
if (__peernet2id(net, peer) >= 0) { if (__peernet2id(net, peer) >= 0) {
spin_unlock_irqrestore(&net->nsid_lock, flags); spin_unlock_bh(&net->nsid_lock);
err = -EEXIST; err = -EEXIST;
goto out; goto out;
} }
err = alloc_netid(net, peer, nsid); err = alloc_netid(net, peer, nsid);
spin_unlock_irqrestore(&net->nsid_lock, flags); spin_unlock_bh(&net->nsid_lock);
if (err >= 0) { if (err >= 0) {
rtnl_net_notifyid(net, RTM_NEWNSID, err); rtnl_net_notifyid(net, RTM_NEWNSID, err);
err = 0; err = 0;
...@@ -727,11 +723,10 @@ static int rtnl_net_dumpid(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -727,11 +723,10 @@ static int rtnl_net_dumpid(struct sk_buff *skb, struct netlink_callback *cb)
.idx = 0, .idx = 0,
.s_idx = cb->args[0], .s_idx = cb->args[0],
}; };
unsigned long flags;
spin_lock_irqsave(&net->nsid_lock, flags); spin_lock_bh(&net->nsid_lock);
idr_for_each(&net->netns_ids, rtnl_net_dumpid_one, &net_cb); idr_for_each(&net->netns_ids, rtnl_net_dumpid_one, &net_cb);
spin_unlock_irqrestore(&net->nsid_lock, flags); spin_unlock_bh(&net->nsid_lock);
cb->args[0] = net_cb.idx; cb->args[0] = net_cb.idx;
return skb->len; return skb->len;
......
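Review bot: Replacing `spin_lock_irqsave()`/`spin_lock_irq()` with `spin_lock_bh()` on `nsid_lock` is safe only if no path takes the lock from hard-IRQ context or with interrupts disabled, and none of these hunks records that assumption. peernet2id is exported (`EXPORT_SYMBOL(peernet2id)`), so callers outside this file inherit the new context requirement. I would add a comment above peernet2id_alloc and peernet2id such as `/* takes nsid_lock with spin_lock_bh(): call only from process or softirq context with IRQs enabled */`. The callers are not visible on this page and would need to be audited against that rule.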