Commit e1760bd5 authored by Eric W. Biederman's avatar Eric W. Biederman

userns: Convert the audit loginuid to be a kuid

Always store audit loginuids in type kuid_t.

Print loginuids by converting them into uids in the appropriate user
namespace, and then printing the resulting uid.

Modify audit_get_loginuid to return a kuid_t.

Modify audit_set_loginuid to take a kuid_t.

Modify /proc/<pid>/loginuid on read to convert the loginuid into the
user namespace of the opener of the file.

Modify /proc/<pid>/loginuid on write to convert the loginuid
from the user namespace of the opener of the file.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <paul@paul-moore.com> ?
Cc: David Miller <davem@davemloft.net>
Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent ca57ec0f
...@@ -61,7 +61,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf) ...@@ -61,7 +61,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
} }
static void tty_audit_log(const char *description, struct task_struct *tsk, static void tty_audit_log(const char *description, struct task_struct *tsk,
uid_t loginuid, unsigned sessionid, int major, kuid_t loginuid, unsigned sessionid, int major,
int minor, unsigned char *data, size_t size) int minor, unsigned char *data, size_t size)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
...@@ -73,7 +73,9 @@ static void tty_audit_log(const char *description, struct task_struct *tsk, ...@@ -73,7 +73,9 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u " audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
"major=%d minor=%d comm=", description, "major=%d minor=%d comm=", description,
tsk->pid, uid, loginuid, sessionid, tsk->pid, uid,
from_kuid(&init_user_ns, loginuid),
sessionid,
major, minor); major, minor);
get_task_comm(name, tsk); get_task_comm(name, tsk);
audit_log_untrustedstring(ab, name); audit_log_untrustedstring(ab, name);
...@@ -89,7 +91,7 @@ static void tty_audit_log(const char *description, struct task_struct *tsk, ...@@ -89,7 +91,7 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
* Generate an audit message from the contents of @buf, which is owned by * Generate an audit message from the contents of @buf, which is owned by
* @tsk with @loginuid. @buf->mutex must be locked. * @tsk with @loginuid. @buf->mutex must be locked.
*/ */
static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid, static void tty_audit_buf_push(struct task_struct *tsk, kuid_t loginuid,
unsigned int sessionid, unsigned int sessionid,
struct tty_audit_buf *buf) struct tty_audit_buf *buf)
{ {
...@@ -112,7 +114,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid, ...@@ -112,7 +114,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
*/ */
static void tty_audit_buf_push_current(struct tty_audit_buf *buf) static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
{ {
uid_t auid = audit_get_loginuid(current); kuid_t auid = audit_get_loginuid(current);
unsigned int sessionid = audit_get_sessionid(current); unsigned int sessionid = audit_get_sessionid(current);
tty_audit_buf_push(current, auid, sessionid, buf); tty_audit_buf_push(current, auid, sessionid, buf);
} }
...@@ -179,7 +181,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch) ...@@ -179,7 +181,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
} }
if (should_audit && audit_enabled) { if (should_audit && audit_enabled) {
uid_t auid; kuid_t auid;
unsigned int sessionid; unsigned int sessionid;
auid = audit_get_loginuid(current); auid = audit_get_loginuid(current);
...@@ -199,7 +201,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch) ...@@ -199,7 +201,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
* reference to the tty audit buffer if available. * reference to the tty audit buffer if available.
* Flush the buffer or return an appropriate error code. * Flush the buffer or return an appropriate error code.
*/ */
int tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid) int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid)
{ {
struct tty_audit_buf *buf = ERR_PTR(-EPERM); struct tty_audit_buf *buf = ERR_PTR(-EPERM);
unsigned long flags; unsigned long flags;
......
...@@ -1089,7 +1089,8 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf, ...@@ -1089,7 +1089,8 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
if (!task) if (!task)
return -ESRCH; return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u", length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
audit_get_loginuid(task)); from_kuid(file->f_cred->user_ns,
audit_get_loginuid(task)));
put_task_struct(task); put_task_struct(task);
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
} }
...@@ -1101,6 +1102,7 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, ...@@ -1101,6 +1102,7 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
char *page, *tmp; char *page, *tmp;
ssize_t length; ssize_t length;
uid_t loginuid; uid_t loginuid;
kuid_t kloginuid;
rcu_read_lock(); rcu_read_lock();
if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) { if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
...@@ -1130,7 +1132,13 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, ...@@ -1130,7 +1132,13 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
goto out_free_page; goto out_free_page;
} }
length = audit_set_loginuid(loginuid); kloginuid = make_kuid(file->f_cred->user_ns, loginuid);
if (!uid_valid(kloginuid)) {
length = -EINVAL;
goto out_free_page;
}
length = audit_set_loginuid(kloginuid);
if (likely(length == 0)) if (likely(length == 0))
length = count; length = count;
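Review bot: make_kuid() on the conventional "unset" value -1 yields INVALID_UID, so the new uid_valid() check in proc_loginuid_write() now rejects a write of -1 with -EINVAL; if clearing the loginuid that way was previously a supported operation for CAP_AUDIT_CONTROL holders, this is a silent ABI change that deserves either an explicit carve-out or at least a comment above the check, e.g. `/* -1 and any uid not mapped in the writer's user namespace are rejected here */`. On the read side, from_kuid() returns (uid_t)-1 for a loginuid that is not mapped in the opener's namespace, which is indistinguishable from an unset loginuid; a one-line comment saying that this collision is deliberate would help the next reader. Both proc_loginuid_read() and proc_loginuid_write() start outside their hunks.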
......
...@@ -527,7 +527,7 @@ static inline void audit_ptrace(struct task_struct *t) ...@@ -527,7 +527,7 @@ static inline void audit_ptrace(struct task_struct *t)
extern unsigned int audit_serial(void); extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx, extern int auditsc_get_stamp(struct audit_context *ctx,
struct timespec *t, unsigned int *serial); struct timespec *t, unsigned int *serial);
extern int audit_set_loginuid(uid_t loginuid); extern int audit_set_loginuid(kuid_t loginuid);
#define audit_get_loginuid(t) ((t)->loginuid) #define audit_get_loginuid(t) ((t)->loginuid)
#define audit_get_sessionid(t) ((t)->sessionid) #define audit_get_sessionid(t) ((t)->sessionid)
extern void audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_context(struct audit_buffer *ab);
...@@ -639,7 +639,7 @@ extern int audit_signals; ...@@ -639,7 +639,7 @@ extern int audit_signals;
#define audit_core_dumps(i) do { ; } while (0) #define audit_core_dumps(i) do { ; } while (0)
#define audit_seccomp(i,s,c) do { ; } while (0) #define audit_seccomp(i,s,c) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) (0) #define auditsc_get_stamp(c,t,s) (0)
#define audit_get_loginuid(t) (-1) #define audit_get_loginuid(t) (INVALID_UID)
#define audit_get_sessionid(t) (-1) #define audit_get_sessionid(t) (-1)
#define audit_log_task_context(b) do { ; } while (0) #define audit_log_task_context(b) do { ; } while (0)
#define audit_ipc_obj(i) ((void)0) #define audit_ipc_obj(i) ((void)0)
...@@ -705,7 +705,7 @@ extern int audit_update_lsm_rules(void); ...@@ -705,7 +705,7 @@ extern int audit_update_lsm_rules(void);
extern int audit_filter_user(void); extern int audit_filter_user(void);
extern int audit_filter_type(int type); extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int seq, extern int audit_receive_filter(int type, int pid, int seq,
void *data, size_t datasz, uid_t loginuid, void *data, size_t datasz, kuid_t loginuid,
u32 sessionid, u32 sid); u32 sessionid, u32 sid);
extern int audit_enabled; extern int audit_enabled;
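Review bot: The audit_set_loginuid() and audit_receive_filter() prototypes now name kuid_t and the CONFIG_AUDITSYSCALL-off stub of audit_get_loginuid() expands to INVALID_UID, but no `#include <linux/uidgid.h>` is visible in these hunks; unless audit.h already pulls it in directly, every includer that compiled against uid_t now depends on a transitive include. The same question applies to the kuid_t parameters added in include/linux/tty.h, include/net/netlabel.h and include/net/xfrm.h in this commit. Since audit_get_loginuid() now yields a kuid_t that every caller must convert before logging, a comment above the macro such as `/* returns a kuid_t; convert with from_kuid() before printing */` would spare the next caller the raw-%u mistake.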
#else #else
......
...@@ -92,7 +92,7 @@ extern struct group_info init_groups; ...@@ -92,7 +92,7 @@ extern struct group_info init_groups;
#ifdef CONFIG_AUDITSYSCALL #ifdef CONFIG_AUDITSYSCALL
#define INIT_IDS \ #define INIT_IDS \
.loginuid = -1, \ .loginuid = INVALID_UID, \
.sessionid = -1, .sessionid = -1,
#else #else
#define INIT_IDS #define INIT_IDS
......
...@@ -1426,7 +1426,7 @@ struct task_struct { ...@@ -1426,7 +1426,7 @@ struct task_struct {
struct audit_context *audit_context; struct audit_context *audit_context;
#ifdef CONFIG_AUDITSYSCALL #ifdef CONFIG_AUDITSYSCALL
uid_t loginuid; kuid_t loginuid;
unsigned int sessionid; unsigned int sessionid;
#endif #endif
struct seccomp seccomp; struct seccomp seccomp;
......
...@@ -553,7 +553,7 @@ extern void tty_audit_fork(struct signal_struct *sig); ...@@ -553,7 +553,7 @@ extern void tty_audit_fork(struct signal_struct *sig);
extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
extern void tty_audit_push(struct tty_struct *tty); extern void tty_audit_push(struct tty_struct *tty);
extern int tty_audit_push_task(struct task_struct *tsk, extern int tty_audit_push_task(struct task_struct *tsk,
uid_t loginuid, u32 sessionid); kuid_t loginuid, u32 sessionid);
#else #else
static inline void tty_audit_add_data(struct tty_struct *tty, static inline void tty_audit_add_data(struct tty_struct *tty,
unsigned char *data, size_t size) unsigned char *data, size_t size)
...@@ -572,7 +572,7 @@ static inline void tty_audit_push(struct tty_struct *tty) ...@@ -572,7 +572,7 @@ static inline void tty_audit_push(struct tty_struct *tty)
{ {
} }
static inline int tty_audit_push_task(struct task_struct *tsk, static inline int tty_audit_push_task(struct task_struct *tsk,
uid_t loginuid, u32 sessionid) kuid_t loginuid, u32 sessionid)
{ {
return 0; return 0;
} }
......
...@@ -110,7 +110,7 @@ struct cipso_v4_doi; ...@@ -110,7 +110,7 @@ struct cipso_v4_doi;
/* NetLabel audit information */ /* NetLabel audit information */
struct netlbl_audit { struct netlbl_audit {
u32 secid; u32 secid;
uid_t loginuid; kuid_t loginuid;
u32 sessionid; u32 sessionid;
}; };
......
...@@ -662,7 +662,7 @@ struct xfrm_spi_skb_cb { ...@@ -662,7 +662,7 @@ struct xfrm_spi_skb_cb {
/* Audit Information */ /* Audit Information */
struct xfrm_audit { struct xfrm_audit {
u32 secid; u32 secid;
uid_t loginuid; kuid_t loginuid;
u32 sessionid; u32 sessionid;
}; };
...@@ -681,13 +681,14 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op) ...@@ -681,13 +681,14 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
return audit_buf; return audit_buf;
} }
static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid, static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
struct audit_buffer *audit_buf) struct audit_buffer *audit_buf)
{ {
char *secctx; char *secctx;
u32 secctx_len; u32 secctx_len;
audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); audit_log_format(audit_buf, " auid=%u ses=%u",
from_kuid(&init_user_ns, auid), ses);
if (secid != 0 && if (secid != 0 &&
security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx); audit_log_format(audit_buf, " subj=%s", secctx);
...@@ -697,13 +698,13 @@ static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid, ...@@ -697,13 +698,13 @@ static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
} }
extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
u32 auid, u32 ses, u32 secid); kuid_t auid, u32 ses, u32 secid);
extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
u32 auid, u32 ses, u32 secid); kuid_t auid, u32 ses, u32 secid);
extern void xfrm_audit_state_add(struct xfrm_state *x, int result, extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
u32 auid, u32 ses, u32 secid); kuid_t auid, u32 ses, u32 secid);
extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
u32 auid, u32 ses, u32 secid); kuid_t auid, u32 ses, u32 secid);
extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x, extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
struct sk_buff *skb); struct sk_buff *skb);
extern void xfrm_audit_state_replay(struct xfrm_state *x, extern void xfrm_audit_state_replay(struct xfrm_state *x,
...@@ -716,22 +717,22 @@ extern void xfrm_audit_state_icvfail(struct xfrm_state *x, ...@@ -716,22 +717,22 @@ extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
#else #else
static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
u32 auid, u32 ses, u32 secid) kuid_t auid, u32 ses, u32 secid)
{ {
} }
static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
u32 auid, u32 ses, u32 secid) kuid_t auid, u32 ses, u32 secid)
{ {
} }
static inline void xfrm_audit_state_add(struct xfrm_state *x, int result, static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
u32 auid, u32 ses, u32 secid) kuid_t auid, u32 ses, u32 secid)
{ {
} }
static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result, static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
u32 auid, u32 ses, u32 secid) kuid_t auid, u32 ses, u32 secid)
{ {
} }
......
...@@ -265,7 +265,7 @@ void audit_log_lost(const char *message) ...@@ -265,7 +265,7 @@ void audit_log_lost(const char *message)
} }
static int audit_log_config_change(char *function_name, int new, int old, static int audit_log_config_change(char *function_name, int new, int old,
uid_t loginuid, u32 sessionid, u32 sid, kuid_t loginuid, u32 sessionid, u32 sid,
int allow_changes) int allow_changes)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
...@@ -273,7 +273,7 @@ static int audit_log_config_change(char *function_name, int new, int old, ...@@ -273,7 +273,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
old, loginuid, sessionid); old, from_kuid(&init_user_ns, loginuid), sessionid);
if (sid) { if (sid) {
char *ctx = NULL; char *ctx = NULL;
u32 len; u32 len;
...@@ -293,7 +293,7 @@ static int audit_log_config_change(char *function_name, int new, int old, ...@@ -293,7 +293,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
} }
static int audit_do_config_change(char *function_name, int *to_change, static int audit_do_config_change(char *function_name, int *to_change,
int new, uid_t loginuid, u32 sessionid, int new, kuid_t loginuid, u32 sessionid,
u32 sid) u32 sid)
{ {
int allow_changes, rc = 0, old = *to_change; int allow_changes, rc = 0, old = *to_change;
...@@ -320,21 +320,21 @@ static int audit_do_config_change(char *function_name, int *to_change, ...@@ -320,21 +320,21 @@ static int audit_do_config_change(char *function_name, int *to_change,
return rc; return rc;
} }
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid, static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
u32 sid) u32 sid)
{ {
return audit_do_config_change("audit_rate_limit", &audit_rate_limit, return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
limit, loginuid, sessionid, sid); limit, loginuid, sessionid, sid);
} }
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid, static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
u32 sid) u32 sid)
{ {
return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
limit, loginuid, sessionid, sid); limit, loginuid, sessionid, sid);
} }
static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid) static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
{ {
int rc; int rc;
if (state < AUDIT_OFF || state > AUDIT_LOCKED) if (state < AUDIT_OFF || state > AUDIT_LOCKED)
...@@ -349,7 +349,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid) ...@@ -349,7 +349,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
return rc; return rc;
} }
static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid) static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
{ {
if (state != AUDIT_FAIL_SILENT if (state != AUDIT_FAIL_SILENT
&& state != AUDIT_FAIL_PRINTK && state != AUDIT_FAIL_PRINTK
...@@ -607,7 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) ...@@ -607,7 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
} }
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
uid_t auid, u32 ses, u32 sid) kuid_t auid, u32 ses, u32 sid)
{ {
int rc = 0; int rc = 0;
char *ctx = NULL; char *ctx = NULL;
...@@ -622,7 +622,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, ...@@ -622,7 +622,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
task_tgid_vnr(current), task_tgid_vnr(current),
from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_uid()),
auid, ses); from_kuid(&init_user_ns, auid), ses);
if (sid) { if (sid) {
rc = security_secid_to_secctx(sid, &ctx, &len); rc = security_secid_to_secctx(sid, &ctx, &len);
if (rc) if (rc)
...@@ -644,7 +644,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -644,7 +644,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
int err; int err;
struct audit_buffer *ab; struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type; u16 msg_type = nlh->nlmsg_type;
uid_t loginuid; /* loginuid of sender */ kuid_t loginuid; /* loginuid of sender */
u32 sessionid; u32 sessionid;
struct audit_sig_info *sig_data; struct audit_sig_info *sig_data;
char *ctx = NULL; char *ctx = NULL;
......
...@@ -241,7 +241,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc ...@@ -241,7 +241,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
struct audit_buffer *ab; struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, "auid=%u ses=%u op=", audit_log_format(ab, "auid=%u ses=%u op=",
audit_get_loginuid(current), from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current)); audit_get_sessionid(current));
audit_log_string(ab, op); audit_log_string(ab, op);
audit_log_format(ab, " path="); audit_log_format(ab, " path=");
......
...@@ -1109,7 +1109,7 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) ...@@ -1109,7 +1109,7 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
} }
/* Log rule additions and removals */ /* Log rule additions and removals */
static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
char *action, struct audit_krule *rule, char *action, struct audit_krule *rule,
int res) int res)
{ {
...@@ -1121,7 +1121,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, ...@@ -1121,7 +1121,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab) if (!ab)
return; return;
audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); audit_log_format(ab, "auid=%u ses=%u",
from_kuid(&init_user_ns, loginuid), sessionid);
if (sid) { if (sid) {
char *ctx = NULL; char *ctx = NULL;
u32 len; u32 len;
...@@ -1152,7 +1153,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, ...@@ -1152,7 +1153,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
* @sid: SE Linux Security ID of sender * @sid: SE Linux Security ID of sender
*/ */
int audit_receive_filter(int type, int pid, int seq, void *data, int audit_receive_filter(int type, int pid, int seq, void *data,
size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
{ {
struct task_struct *tsk; struct task_struct *tsk;
struct audit_netlink_list *dest; struct audit_netlink_list *dest;
......
...@@ -149,7 +149,7 @@ struct audit_aux_data_execve { ...@@ -149,7 +149,7 @@ struct audit_aux_data_execve {
struct audit_aux_data_pids { struct audit_aux_data_pids {
struct audit_aux_data d; struct audit_aux_data d;
pid_t target_pid[AUDIT_AUX_PIDS]; pid_t target_pid[AUDIT_AUX_PIDS];
uid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_auid[AUDIT_AUX_PIDS];
uid_t target_uid[AUDIT_AUX_PIDS]; uid_t target_uid[AUDIT_AUX_PIDS];
unsigned int target_sessionid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS];
u32 target_sid[AUDIT_AUX_PIDS]; u32 target_sid[AUDIT_AUX_PIDS];
...@@ -214,7 +214,7 @@ struct audit_context { ...@@ -214,7 +214,7 @@ struct audit_context {
int arch; int arch;
pid_t target_pid; pid_t target_pid;
uid_t target_auid; kuid_t target_auid;
uid_t target_uid; uid_t target_uid;
unsigned int target_sessionid; unsigned int target_sessionid;
u32 target_sid; u32 target_sid;
...@@ -1176,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk ...@@ -1176,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
} }
static int audit_log_pid_context(struct audit_context *context, pid_t pid, static int audit_log_pid_context(struct audit_context *context, pid_t pid,
uid_t auid, uid_t uid, unsigned int sessionid, kuid_t auid, uid_t uid, unsigned int sessionid,
u32 sid, char *comm) u32 sid, char *comm)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
...@@ -1188,7 +1188,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, ...@@ -1188,7 +1188,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
if (!ab) if (!ab)
return rc; return rc;
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
uid, sessionid); uid, sessionid);
if (security_secid_to_secctx(sid, &ctx, &len)) { if (security_secid_to_secctx(sid, &ctx, &len)) {
audit_log_format(ab, " obj=(none)"); audit_log_format(ab, " obj=(none)");
...@@ -1630,7 +1631,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts ...@@ -1630,7 +1631,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->name_count, context->name_count,
context->ppid, context->ppid,
context->pid, context->pid,
tsk->loginuid, from_kuid(&init_user_ns, tsk->loginuid),
context->uid, context->uid,
context->gid, context->gid,
context->euid, context->suid, context->fsuid, context->euid, context->suid, context->fsuid,
...@@ -2291,14 +2292,14 @@ static atomic_t session_id = ATOMIC_INIT(0); ...@@ -2291,14 +2292,14 @@ static atomic_t session_id = ATOMIC_INIT(0);
* *
* Called (set) from fs/proc/base.c::proc_loginuid_write(). * Called (set) from fs/proc/base.c::proc_loginuid_write().
*/ */
int audit_set_loginuid(uid_t loginuid) int audit_set_loginuid(kuid_t loginuid)
{ {
struct task_struct *task = current; struct task_struct *task = current;
struct audit_context *context = task->audit_context; struct audit_context *context = task->audit_context;
unsigned int sessionid; unsigned int sessionid;
#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
if (task->loginuid != -1) if (uid_valid(task->loginuid))
return -EPERM; return -EPERM;
#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
if (!capable(CAP_AUDIT_CONTROL)) if (!capable(CAP_AUDIT_CONTROL))
...@@ -2315,7 +2316,8 @@ int audit_set_loginuid(uid_t loginuid) ...@@ -2315,7 +2316,8 @@ int audit_set_loginuid(uid_t loginuid)
"old auid=%u new auid=%u" "old auid=%u new auid=%u"
" old ses=%u new ses=%u", " old ses=%u new ses=%u",
task->pid, task_uid(task), task->pid, task_uid(task),
task->loginuid, loginuid, from_kuid(&init_user_ns, task->loginuid),
from_kuid(&init_user_ns, loginuid),
task->sessionid, sessionid); task->sessionid, sessionid);
audit_log_end(ab); audit_log_end(ab);
} }
...@@ -2543,7 +2545,7 @@ int __audit_signal_info(int sig, struct task_struct *t) ...@@ -2543,7 +2545,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
if (audit_pid && t->tgid == audit_pid) { if (audit_pid && t->tgid == audit_pid) {
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
audit_sig_pid = tsk->pid; audit_sig_pid = tsk->pid;
if (tsk->loginuid != -1) if (uid_valid(tsk->loginuid))
audit_sig_uid = tsk->loginuid; audit_sig_uid = tsk->loginuid;
else else
audit_sig_uid = uid; audit_sig_uid = uid;
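Review bot: In audit_set_loginuid() the log call converts both the old and the new loginuid with from_kuid(), but the adjacent `task_uid(task)` is still passed raw to the `uid=%u` conversion; if task_uid() already returns a kuid_t in this tree (the surrounding cred conversion suggests it does), that argument needs `from_kuid(&init_user_ns, task_uid(task))` as well, otherwise a struct lands in the varargs under CONFIG_UIDGID_STRICT_TYPE_CHECKS. Separately, audit_log_pid_context() still prints the converted auid with `oauid=%d`, so an unset loginuid appears as -1 there but as 4294967295 in every other record this commit touches; changing that specifier to `%u` keeps the records consistent. In __audit_signal_info() the assignment `audit_sig_uid = tsk->loginuid` only compiles if audit_sig_uid is already a kuid_t, which the hunk does not show. All three enclosing functions start outside their hunks.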
......
...@@ -4524,7 +4524,7 @@ static int __dev_set_promiscuity(struct net_device *dev, int inc) ...@@ -4524,7 +4524,7 @@ static int __dev_set_promiscuity(struct net_device *dev, int inc)
"dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u", "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
dev->name, (dev->flags & IFF_PROMISC), dev->name, (dev->flags & IFF_PROMISC),
(old_flags & IFF_PROMISC), (old_flags & IFF_PROMISC),
audit_get_loginuid(current), from_kuid(&init_user_ns, audit_get_loginuid(current)),
from_kuid(&init_user_ns, uid), from_kuid(&init_user_ns, uid),
from_kgid(&init_user_ns, gid), from_kgid(&init_user_ns, gid),
audit_get_sessionid(current)); audit_get_sessionid(current));
......
...@@ -1541,7 +1541,7 @@ int __init netlbl_unlabel_defconf(void) ...@@ -1541,7 +1541,7 @@ int __init netlbl_unlabel_defconf(void)
* it is called is at bootup before the audit subsystem is reporting * it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */ * messages so don't worry to much about these values. */
security_task_getsecid(current, &audit_info.secid); security_task_getsecid(current, &audit_info.secid);
audit_info.loginuid = 0; audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0; audit_info.sessionid = 0;
entry = kzalloc(sizeof(*entry), GFP_KERNEL); entry = kzalloc(sizeof(*entry), GFP_KERNEL);
......
...@@ -109,7 +109,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, ...@@ -109,7 +109,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
return NULL; return NULL;
audit_log_format(audit_buf, "netlabel: auid=%u ses=%u", audit_log_format(audit_buf, "netlabel: auid=%u ses=%u",
audit_info->loginuid, from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid); audit_info->sessionid);
if (audit_info->secid != 0 && if (audit_info->secid != 0 &&
......
...@@ -2630,12 +2630,12 @@ static void xfrm_policy_fini(struct net *net) ...@@ -2630,12 +2630,12 @@ static void xfrm_policy_fini(struct net *net)
flush_work(&net->xfrm.policy_hash_work); flush_work(&net->xfrm.policy_hash_work);
#ifdef CONFIG_XFRM_SUB_POLICY #ifdef CONFIG_XFRM_SUB_POLICY
audit_info.loginuid = -1; audit_info.loginuid = INVALID_UID;
audit_info.sessionid = -1; audit_info.sessionid = -1;
audit_info.secid = 0; audit_info.secid = 0;
xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info); xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
#endif #endif
audit_info.loginuid = -1; audit_info.loginuid = INVALID_UID;
audit_info.sessionid = -1; audit_info.sessionid = -1;
audit_info.secid = 0; audit_info.secid = 0;
xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
...@@ -2742,7 +2742,7 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, ...@@ -2742,7 +2742,7 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
} }
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
uid_t auid, u32 sessionid, u32 secid) kuid_t auid, u32 sessionid, u32 secid)
{ {
struct audit_buffer *audit_buf; struct audit_buffer *audit_buf;
...@@ -2757,7 +2757,7 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, ...@@ -2757,7 +2757,7 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
uid_t auid, u32 sessionid, u32 secid) kuid_t auid, u32 sessionid, u32 secid)
{ {
struct audit_buffer *audit_buf; struct audit_buffer *audit_buf;
......
...@@ -2045,7 +2045,7 @@ void xfrm_state_fini(struct net *net) ...@@ -2045,7 +2045,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz; unsigned int sz;
flush_work(&net->xfrm.state_hash_work); flush_work(&net->xfrm.state_hash_work);
audit_info.loginuid = -1; audit_info.loginuid = INVALID_UID;
audit_info.sessionid = -1; audit_info.sessionid = -1;
audit_info.secid = 0; audit_info.secid = 0;
xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info); xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
...@@ -2112,7 +2112,7 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, ...@@ -2112,7 +2112,7 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
} }
void xfrm_audit_state_add(struct xfrm_state *x, int result, void xfrm_audit_state_add(struct xfrm_state *x, int result,
uid_t auid, u32 sessionid, u32 secid) kuid_t auid, u32 sessionid, u32 secid)
{ {
struct audit_buffer *audit_buf; struct audit_buffer *audit_buf;
...@@ -2127,7 +2127,7 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result, ...@@ -2127,7 +2127,7 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
EXPORT_SYMBOL_GPL(xfrm_audit_state_add); EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
void xfrm_audit_state_delete(struct xfrm_state *x, int result, void xfrm_audit_state_delete(struct xfrm_state *x, int result,
uid_t auid, u32 sessionid, u32 secid) kuid_t auid, u32 sessionid, u32 secid)
{ {
struct audit_buffer *audit_buf; struct audit_buffer *audit_buf;
......
...@@ -575,7 +575,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -575,7 +575,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_state *x; struct xfrm_state *x;
int err; int err;
struct km_event c; struct km_event c;
uid_t loginuid = audit_get_loginuid(current); kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current); u32 sessionid = audit_get_sessionid(current);
u32 sid; u32 sid;
...@@ -654,7 +654,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -654,7 +654,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
int err = -ESRCH; int err = -ESRCH;
struct km_event c; struct km_event c;
struct xfrm_usersa_id *p = nlmsg_data(nlh); struct xfrm_usersa_id *p = nlmsg_data(nlh);
uid_t loginuid = audit_get_loginuid(current); kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current); u32 sessionid = audit_get_sessionid(current);
u32 sid; u32 sid;
...@@ -1369,7 +1369,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1369,7 +1369,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c; struct km_event c;
int err; int err;
int excl; int excl;
uid_t loginuid = audit_get_loginuid(current); kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current); u32 sessionid = audit_get_sessionid(current);
u32 sid; u32 sid;
...@@ -1624,7 +1624,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1624,7 +1624,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
NETLINK_CB(skb).pid); NETLINK_CB(skb).pid);
} }
} else { } else {
uid_t loginuid = audit_get_loginuid(current); kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current); u32 sessionid = audit_get_sessionid(current);
u32 sid; u32 sid;
...@@ -1918,7 +1918,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1918,7 +1918,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
err = 0; err = 0;
if (up->hard) { if (up->hard) {
uid_t loginuid = audit_get_loginuid(current); kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current); u32 sessionid = audit_get_sessionid(current);
u32 sid; u32 sid;
...@@ -1961,7 +1961,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1961,7 +1961,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
km_state_expired(x, ue->hard, current->pid); km_state_expired(x, ue->hard, current->pid);
if (ue->hard) { if (ue->hard) {
uid_t loginuid = audit_get_loginuid(current); kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current); u32 sessionid = audit_get_sessionid(current);
u32 sid; u32 sid;
......