	userns: Convert the audit loginuid to be a kuid
Always store audit loginuids in type kuid_t. Print loginuids by converting them into uids in the appropriate user namespace, and then printing the resulting uid. Modify audit_get_loginuid to return a kuid_t. Modify audit_set_loginuid to take a kuid_t. Modify /proc/<pid>/loginuid on read to convert the loginuid into the user namespace of the opener of the file. Modify /proc/<pid>/loginuid on write to convert the loginuid from the user namespace of the opener of the file. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Paris <eparis@redhat.com> Cc: Paul Moore <paul@paul-moore.com> ? Cc: David Miller <davem@davemloft.net> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
							parent
							
								
									ca57ec0f00
								
							
						
					
					
						commit
						e1760bd5ff
					
				
					 18 changed files with 80 additions and 66 deletions
				
			
		| 
						 | 
					@ -61,7 +61,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static void tty_audit_log(const char *description, struct task_struct *tsk,
 | 
					static void tty_audit_log(const char *description, struct task_struct *tsk,
 | 
				
			||||||
			  uid_t loginuid, unsigned sessionid, int major,
 | 
								  kuid_t loginuid, unsigned sessionid, int major,
 | 
				
			||||||
			  int minor, unsigned char *data, size_t size)
 | 
								  int minor, unsigned char *data, size_t size)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *ab;
 | 
						struct audit_buffer *ab;
 | 
				
			||||||
| 
						 | 
					@ -73,7 +73,9 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
 | 
				
			||||||
 | 
					
 | 
				
			||||||
		audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
 | 
							audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
 | 
				
			||||||
				 "major=%d minor=%d comm=", description,
 | 
									 "major=%d minor=%d comm=", description,
 | 
				
			||||||
				 tsk->pid, uid, loginuid, sessionid,
 | 
									 tsk->pid, uid,
 | 
				
			||||||
 | 
									 from_kuid(&init_user_ns, loginuid),
 | 
				
			||||||
 | 
									 sessionid,
 | 
				
			||||||
				 major, minor);
 | 
									 major, minor);
 | 
				
			||||||
		get_task_comm(name, tsk);
 | 
							get_task_comm(name, tsk);
 | 
				
			||||||
		audit_log_untrustedstring(ab, name);
 | 
							audit_log_untrustedstring(ab, name);
 | 
				
			||||||
| 
						 | 
					@ -89,7 +91,7 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
 | 
				
			||||||
 *	Generate an audit message from the contents of @buf, which is owned by
 | 
					 *	Generate an audit message from the contents of @buf, which is owned by
 | 
				
			||||||
 *	@tsk with @loginuid.  @buf->mutex must be locked.
 | 
					 *	@tsk with @loginuid.  @buf->mutex must be locked.
 | 
				
			||||||
 */
 | 
					 */
 | 
				
			||||||
static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
 | 
					static void tty_audit_buf_push(struct task_struct *tsk, kuid_t loginuid,
 | 
				
			||||||
			       unsigned int sessionid,
 | 
								       unsigned int sessionid,
 | 
				
			||||||
			       struct tty_audit_buf *buf)
 | 
								       struct tty_audit_buf *buf)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
| 
						 | 
					@ -112,7 +114,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
 | 
				
			||||||
 */
 | 
					 */
 | 
				
			||||||
static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
 | 
					static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	uid_t auid = audit_get_loginuid(current);
 | 
						kuid_t auid = audit_get_loginuid(current);
 | 
				
			||||||
	unsigned int sessionid = audit_get_sessionid(current);
 | 
						unsigned int sessionid = audit_get_sessionid(current);
 | 
				
			||||||
	tty_audit_buf_push(current, auid, sessionid, buf);
 | 
						tty_audit_buf_push(current, auid, sessionid, buf);
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
| 
						 | 
					@ -179,7 +181,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if (should_audit && audit_enabled) {
 | 
						if (should_audit && audit_enabled) {
 | 
				
			||||||
		uid_t auid;
 | 
							kuid_t auid;
 | 
				
			||||||
		unsigned int sessionid;
 | 
							unsigned int sessionid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
		auid = audit_get_loginuid(current);
 | 
							auid = audit_get_loginuid(current);
 | 
				
			||||||
| 
						 | 
					@ -199,7 +201,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 | 
				
			||||||
 * reference to the tty audit buffer if available.
 | 
					 * reference to the tty audit buffer if available.
 | 
				
			||||||
 * Flush the buffer or return an appropriate error code.
 | 
					 * Flush the buffer or return an appropriate error code.
 | 
				
			||||||
 */
 | 
					 */
 | 
				
			||||||
int tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
 | 
					int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct tty_audit_buf *buf = ERR_PTR(-EPERM);
 | 
						struct tty_audit_buf *buf = ERR_PTR(-EPERM);
 | 
				
			||||||
	unsigned long flags;
 | 
						unsigned long flags;
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1089,7 +1089,8 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
 | 
				
			||||||
	if (!task)
 | 
						if (!task)
 | 
				
			||||||
		return -ESRCH;
 | 
							return -ESRCH;
 | 
				
			||||||
	length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
 | 
						length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
 | 
				
			||||||
				audit_get_loginuid(task));
 | 
								   from_kuid(file->f_cred->user_ns,
 | 
				
			||||||
 | 
									     audit_get_loginuid(task)));
 | 
				
			||||||
	put_task_struct(task);
 | 
						put_task_struct(task);
 | 
				
			||||||
	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 | 
						return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
| 
						 | 
					@ -1101,6 +1102,7 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
 | 
				
			||||||
	char *page, *tmp;
 | 
						char *page, *tmp;
 | 
				
			||||||
	ssize_t length;
 | 
						ssize_t length;
 | 
				
			||||||
	uid_t loginuid;
 | 
						uid_t loginuid;
 | 
				
			||||||
 | 
						kuid_t kloginuid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	rcu_read_lock();
 | 
						rcu_read_lock();
 | 
				
			||||||
	if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
 | 
						if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
 | 
				
			||||||
| 
						 | 
					@ -1130,7 +1132,13 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
 | 
				
			||||||
		goto out_free_page;
 | 
							goto out_free_page;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
	length = audit_set_loginuid(loginuid);
 | 
						kloginuid = make_kuid(file->f_cred->user_ns, loginuid);
 | 
				
			||||||
 | 
						if (!uid_valid(kloginuid)) {
 | 
				
			||||||
 | 
							length = -EINVAL;
 | 
				
			||||||
 | 
							goto out_free_page;
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						length = audit_set_loginuid(kloginuid);
 | 
				
			||||||
	if (likely(length == 0))
 | 
						if (likely(length == 0))
 | 
				
			||||||
		length = count;
 | 
							length = count;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
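Review bot: The new `uid_valid(kloginuid)` check in proc_loginuid_write() turns a write of 4294967295 into -EINVAL, because make_kuid() yields INVALID_UID for (uid_t)-1 in every namespace, whereas the old code passed that value straight to audit_set_loginuid(). If writing it was a supported way to reset the loginuid to "unset" (audit_set_loginuid()'s own policy checks are only partly visible on this page), that path is now closed; handling the value before the namespace conversion keeps -EINVAL for ids that have no mapping in `file->f_cred->user_ns`. In proc_loginuid_read(), from_kuid() also returns (uid_t)-1 for an unmapped id, so a reader sees 4294967295 both for "unset" and for "not mapped in the opener's namespace", which deserves a one-line comment above the scnprintf() call. Both functions start and end outside the hunks shown.

```c
	/* … unchanged: copy and parse of the user buffer into loginuid … */
	if (loginuid == (uid_t)-1) {
		/* explicit request to unset: no namespace mapping applies */
		kloginuid = INVALID_UID;
	} else {
		kloginuid = make_kuid(file->f_cred->user_ns, loginuid);
		if (!uid_valid(kloginuid)) {
			length = -EINVAL;
			goto out_free_page;
		}
	}

	length = audit_set_loginuid(kloginuid);
```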
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -527,7 +527,7 @@ static inline void audit_ptrace(struct task_struct *t)
 | 
				
			||||||
extern unsigned int audit_serial(void);
 | 
					extern unsigned int audit_serial(void);
 | 
				
			||||||
extern int auditsc_get_stamp(struct audit_context *ctx,
 | 
					extern int auditsc_get_stamp(struct audit_context *ctx,
 | 
				
			||||||
			      struct timespec *t, unsigned int *serial);
 | 
								      struct timespec *t, unsigned int *serial);
 | 
				
			||||||
extern int  audit_set_loginuid(uid_t loginuid);
 | 
					extern int  audit_set_loginuid(kuid_t loginuid);
 | 
				
			||||||
#define audit_get_loginuid(t) ((t)->loginuid)
 | 
					#define audit_get_loginuid(t) ((t)->loginuid)
 | 
				
			||||||
#define audit_get_sessionid(t) ((t)->sessionid)
 | 
					#define audit_get_sessionid(t) ((t)->sessionid)
 | 
				
			||||||
extern void audit_log_task_context(struct audit_buffer *ab);
 | 
					extern void audit_log_task_context(struct audit_buffer *ab);
 | 
				
			||||||
| 
						 | 
					@ -639,7 +639,7 @@ extern int audit_signals;
 | 
				
			||||||
#define audit_core_dumps(i) do { ; } while (0)
 | 
					#define audit_core_dumps(i) do { ; } while (0)
 | 
				
			||||||
#define audit_seccomp(i,s,c) do { ; } while (0)
 | 
					#define audit_seccomp(i,s,c) do { ; } while (0)
 | 
				
			||||||
#define auditsc_get_stamp(c,t,s) (0)
 | 
					#define auditsc_get_stamp(c,t,s) (0)
 | 
				
			||||||
#define audit_get_loginuid(t) (-1)
 | 
					#define audit_get_loginuid(t) (INVALID_UID)
 | 
				
			||||||
#define audit_get_sessionid(t) (-1)
 | 
					#define audit_get_sessionid(t) (-1)
 | 
				
			||||||
#define audit_log_task_context(b) do { ; } while (0)
 | 
					#define audit_log_task_context(b) do { ; } while (0)
 | 
				
			||||||
#define audit_ipc_obj(i) ((void)0)
 | 
					#define audit_ipc_obj(i) ((void)0)
 | 
				
			||||||
| 
						 | 
					@ -705,7 +705,7 @@ extern int		    audit_update_lsm_rules(void);
 | 
				
			||||||
extern int audit_filter_user(void);
 | 
					extern int audit_filter_user(void);
 | 
				
			||||||
extern int audit_filter_type(int type);
 | 
					extern int audit_filter_type(int type);
 | 
				
			||||||
extern int  audit_receive_filter(int type, int pid, int seq,
 | 
					extern int  audit_receive_filter(int type, int pid, int seq,
 | 
				
			||||||
				void *data, size_t datasz, uid_t loginuid,
 | 
									void *data, size_t datasz, kuid_t loginuid,
 | 
				
			||||||
				u32 sessionid, u32 sid);
 | 
									u32 sessionid, u32 sid);
 | 
				
			||||||
extern int audit_enabled;
 | 
					extern int audit_enabled;
 | 
				
			||||||
#else
 | 
					#else
 | 
				
			||||||
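Review bot: The stub `#define audit_get_loginuid(t) (INVALID_UID)` in what looks like the audit-disabled branch discards its argument, so a call site that passes the wrong object builds cleanly in that configuration and fails only when audit is enabled. Now that the result is a kuid_t rather than a bare integer, a typed stub such as `static inline kuid_t audit_get_loginuid(struct task_struct *tsk) { return INVALID_UID; }` would give both configurations the same checking. The adjacent `audit_get_sessionid(t) (-1)` stub has the same shape. The enclosing #ifdef/#else block starts and ends outside the hunk.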
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -92,7 +92,7 @@ extern struct group_info init_groups;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#ifdef CONFIG_AUDITSYSCALL
 | 
					#ifdef CONFIG_AUDITSYSCALL
 | 
				
			||||||
#define INIT_IDS \
 | 
					#define INIT_IDS \
 | 
				
			||||||
	.loginuid = -1, \
 | 
						.loginuid = INVALID_UID, \
 | 
				
			||||||
	.sessionid = -1,
 | 
						.sessionid = -1,
 | 
				
			||||||
#else
 | 
					#else
 | 
				
			||||||
#define INIT_IDS
 | 
					#define INIT_IDS
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1426,7 +1426,7 @@ struct task_struct {
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	struct audit_context *audit_context;
 | 
						struct audit_context *audit_context;
 | 
				
			||||||
#ifdef CONFIG_AUDITSYSCALL
 | 
					#ifdef CONFIG_AUDITSYSCALL
 | 
				
			||||||
	uid_t loginuid;
 | 
						kuid_t loginuid;
 | 
				
			||||||
	unsigned int sessionid;
 | 
						unsigned int sessionid;
 | 
				
			||||||
#endif
 | 
					#endif
 | 
				
			||||||
	struct seccomp seccomp;
 | 
						struct seccomp seccomp;
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -553,7 +553,7 @@ extern void tty_audit_fork(struct signal_struct *sig);
 | 
				
			||||||
extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
 | 
					extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
 | 
				
			||||||
extern void tty_audit_push(struct tty_struct *tty);
 | 
					extern void tty_audit_push(struct tty_struct *tty);
 | 
				
			||||||
extern int tty_audit_push_task(struct task_struct *tsk,
 | 
					extern int tty_audit_push_task(struct task_struct *tsk,
 | 
				
			||||||
			       uid_t loginuid, u32 sessionid);
 | 
								       kuid_t loginuid, u32 sessionid);
 | 
				
			||||||
#else
 | 
					#else
 | 
				
			||||||
static inline void tty_audit_add_data(struct tty_struct *tty,
 | 
					static inline void tty_audit_add_data(struct tty_struct *tty,
 | 
				
			||||||
				      unsigned char *data, size_t size)
 | 
									      unsigned char *data, size_t size)
 | 
				
			||||||
| 
						 | 
					@ -572,7 +572,7 @@ static inline void tty_audit_push(struct tty_struct *tty)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
static inline int tty_audit_push_task(struct task_struct *tsk,
 | 
					static inline int tty_audit_push_task(struct task_struct *tsk,
 | 
				
			||||||
				      uid_t loginuid, u32 sessionid)
 | 
									      kuid_t loginuid, u32 sessionid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	return 0;
 | 
						return 0;
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -110,7 +110,7 @@ struct cipso_v4_doi;
 | 
				
			||||||
/* NetLabel audit information */
 | 
					/* NetLabel audit information */
 | 
				
			||||||
struct netlbl_audit {
 | 
					struct netlbl_audit {
 | 
				
			||||||
	u32 secid;
 | 
						u32 secid;
 | 
				
			||||||
	uid_t loginuid;
 | 
						kuid_t loginuid;
 | 
				
			||||||
	u32 sessionid;
 | 
						u32 sessionid;
 | 
				
			||||||
};
 | 
					};
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -662,7 +662,7 @@ struct xfrm_spi_skb_cb {
 | 
				
			||||||
/* Audit Information */
 | 
					/* Audit Information */
 | 
				
			||||||
struct xfrm_audit {
 | 
					struct xfrm_audit {
 | 
				
			||||||
	u32	secid;
 | 
						u32	secid;
 | 
				
			||||||
	uid_t	loginuid;
 | 
						kuid_t	loginuid;
 | 
				
			||||||
	u32	sessionid;
 | 
						u32	sessionid;
 | 
				
			||||||
};
 | 
					};
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -681,13 +681,14 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
 | 
				
			||||||
	return audit_buf;
 | 
						return audit_buf;
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 | 
					static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
 | 
				
			||||||
					     struct audit_buffer *audit_buf)
 | 
										     struct audit_buffer *audit_buf)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	char *secctx;
 | 
						char *secctx;
 | 
				
			||||||
	u32 secctx_len;
 | 
						u32 secctx_len;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 | 
						audit_log_format(audit_buf, " auid=%u ses=%u",
 | 
				
			||||||
 | 
								 from_kuid(&init_user_ns, auid), ses);
 | 
				
			||||||
	if (secid != 0 &&
 | 
						if (secid != 0 &&
 | 
				
			||||||
	    security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 | 
						    security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 | 
				
			||||||
		audit_log_format(audit_buf, " subj=%s", secctx);
 | 
							audit_log_format(audit_buf, " subj=%s", secctx);
 | 
				
			||||||
| 
						 | 
					@ -697,13 +698,13 @@ static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
					extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
				
			||||||
				  u32 auid, u32 ses, u32 secid);
 | 
									  kuid_t auid, u32 ses, u32 secid);
 | 
				
			||||||
extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 | 
					extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 | 
				
			||||||
				  u32 auid, u32 ses, u32 secid);
 | 
									  kuid_t auid, u32 ses, u32 secid);
 | 
				
			||||||
extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
					extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
				
			||||||
				 u32 auid, u32 ses, u32 secid);
 | 
									 kuid_t auid, u32 ses, u32 secid);
 | 
				
			||||||
extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 | 
					extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 | 
				
			||||||
				    u32 auid, u32 ses, u32 secid);
 | 
									    kuid_t auid, u32 ses, u32 secid);
 | 
				
			||||||
extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 | 
					extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 | 
				
			||||||
					     struct sk_buff *skb);
 | 
										     struct sk_buff *skb);
 | 
				
			||||||
extern void xfrm_audit_state_replay(struct xfrm_state *x,
 | 
					extern void xfrm_audit_state_replay(struct xfrm_state *x,
 | 
				
			||||||
| 
						 | 
					@ -716,22 +717,22 @@ extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 | 
				
			||||||
#else
 | 
					#else
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
					static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
				
			||||||
				  u32 auid, u32 ses, u32 secid)
 | 
									  kuid_t auid, u32 ses, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 | 
					static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 | 
				
			||||||
				  u32 auid, u32 ses, u32 secid)
 | 
									  kuid_t auid, u32 ses, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
					static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
				
			||||||
				 u32 auid, u32 ses, u32 secid)
 | 
									 kuid_t auid, u32 ses, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 | 
					static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 | 
				
			||||||
				    u32 auid, u32 ses, u32 secid)
 | 
									    kuid_t auid, u32 ses, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -265,7 +265,7 @@ void audit_log_lost(const char *message)
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_log_config_change(char *function_name, int new, int old,
 | 
					static int audit_log_config_change(char *function_name, int new, int old,
 | 
				
			||||||
				   uid_t loginuid, u32 sessionid, u32 sid,
 | 
									   kuid_t loginuid, u32 sessionid, u32 sid,
 | 
				
			||||||
				   int allow_changes)
 | 
									   int allow_changes)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *ab;
 | 
						struct audit_buffer *ab;
 | 
				
			||||||
| 
						 | 
					@ -273,7 +273,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 | 
						ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 | 
				
			||||||
	audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
 | 
						audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
 | 
				
			||||||
			 old, loginuid, sessionid);
 | 
								 old, from_kuid(&init_user_ns, loginuid), sessionid);
 | 
				
			||||||
	if (sid) {
 | 
						if (sid) {
 | 
				
			||||||
		char *ctx = NULL;
 | 
							char *ctx = NULL;
 | 
				
			||||||
		u32 len;
 | 
							u32 len;
 | 
				
			||||||
| 
						 | 
					@ -293,7 +293,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_do_config_change(char *function_name, int *to_change,
 | 
					static int audit_do_config_change(char *function_name, int *to_change,
 | 
				
			||||||
				  int new, uid_t loginuid, u32 sessionid,
 | 
									  int new, kuid_t loginuid, u32 sessionid,
 | 
				
			||||||
				  u32 sid)
 | 
									  u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	int allow_changes, rc = 0, old = *to_change;
 | 
						int allow_changes, rc = 0, old = *to_change;
 | 
				
			||||||
| 
						 | 
					@ -320,21 +320,21 @@ static int audit_do_config_change(char *function_name, int *to_change,
 | 
				
			||||||
	return rc;
 | 
						return rc;
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
 | 
					static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
 | 
				
			||||||
				u32 sid)
 | 
									u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
 | 
						return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
 | 
				
			||||||
				      limit, loginuid, sessionid, sid);
 | 
									      limit, loginuid, sessionid, sid);
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
 | 
					static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
 | 
				
			||||||
				   u32 sid)
 | 
									   u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
 | 
						return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
 | 
				
			||||||
				      limit, loginuid, sessionid, sid);
 | 
									      limit, loginuid, sessionid, sid);
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
 | 
					static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	int rc;
 | 
						int rc;
 | 
				
			||||||
	if (state < AUDIT_OFF || state > AUDIT_LOCKED)
 | 
						if (state < AUDIT_OFF || state > AUDIT_LOCKED)
 | 
				
			||||||
| 
						 | 
					@ -349,7 +349,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
 | 
				
			||||||
	return rc;
 | 
						return rc;
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
 | 
					static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	if (state != AUDIT_FAIL_SILENT
 | 
						if (state != AUDIT_FAIL_SILENT
 | 
				
			||||||
	    && state != AUDIT_FAIL_PRINTK
 | 
						    && state != AUDIT_FAIL_PRINTK
 | 
				
			||||||
| 
						 | 
					@ -607,7 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 | 
					static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 | 
				
			||||||
				     uid_t auid, u32 ses, u32 sid)
 | 
									     kuid_t auid, u32 ses, u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	int rc = 0;
 | 
						int rc = 0;
 | 
				
			||||||
	char *ctx = NULL;
 | 
						char *ctx = NULL;
 | 
				
			||||||
| 
						 | 
					@ -622,7 +622,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 | 
				
			||||||
	audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
 | 
						audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
 | 
				
			||||||
			 task_tgid_vnr(current),
 | 
								 task_tgid_vnr(current),
 | 
				
			||||||
			 from_kuid(&init_user_ns, current_uid()),
 | 
								 from_kuid(&init_user_ns, current_uid()),
 | 
				
			||||||
			 auid, ses);
 | 
								 from_kuid(&init_user_ns, auid), ses);
 | 
				
			||||||
	if (sid) {
 | 
						if (sid) {
 | 
				
			||||||
		rc = security_secid_to_secctx(sid, &ctx, &len);
 | 
							rc = security_secid_to_secctx(sid, &ctx, &len);
 | 
				
			||||||
		if (rc)
 | 
							if (rc)
 | 
				
			||||||
| 
						 | 
					@ -644,7 +644,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 | 
				
			||||||
	int			err;
 | 
						int			err;
 | 
				
			||||||
	struct audit_buffer	*ab;
 | 
						struct audit_buffer	*ab;
 | 
				
			||||||
	u16			msg_type = nlh->nlmsg_type;
 | 
						u16			msg_type = nlh->nlmsg_type;
 | 
				
			||||||
	uid_t			loginuid; /* loginuid of sender */
 | 
						kuid_t			loginuid; /* loginuid of sender */
 | 
				
			||||||
	u32			sessionid;
 | 
						u32			sessionid;
 | 
				
			||||||
	struct audit_sig_info   *sig_data;
 | 
						struct audit_sig_info   *sig_data;
 | 
				
			||||||
	char			*ctx = NULL;
 | 
						char			*ctx = NULL;
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -241,7 +241,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
 | 
				
			||||||
		struct audit_buffer *ab;
 | 
							struct audit_buffer *ab;
 | 
				
			||||||
		ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 | 
							ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 | 
				
			||||||
		audit_log_format(ab, "auid=%u ses=%u op=",
 | 
							audit_log_format(ab, "auid=%u ses=%u op=",
 | 
				
			||||||
				 audit_get_loginuid(current),
 | 
									 from_kuid(&init_user_ns, audit_get_loginuid(current)),
 | 
				
			||||||
				 audit_get_sessionid(current));
 | 
									 audit_get_sessionid(current));
 | 
				
			||||||
		audit_log_string(ab, op);
 | 
							audit_log_string(ab, op);
 | 
				
			||||||
		audit_log_format(ab, " path=");
 | 
							audit_log_format(ab, " path=");
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1109,7 +1109,7 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
/* Log rule additions and removals */
 | 
					/* Log rule additions and removals */
 | 
				
			||||||
static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
 | 
					static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
 | 
				
			||||||
				  char *action, struct audit_krule *rule,
 | 
									  char *action, struct audit_krule *rule,
 | 
				
			||||||
				  int res)
 | 
									  int res)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
| 
						 | 
					@ -1121,7 +1121,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
 | 
				
			||||||
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 | 
						ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 | 
				
			||||||
	if (!ab)
 | 
						if (!ab)
 | 
				
			||||||
		return;
 | 
							return;
 | 
				
			||||||
	audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
 | 
						audit_log_format(ab, "auid=%u ses=%u",
 | 
				
			||||||
 | 
								 from_kuid(&init_user_ns, loginuid), sessionid);
 | 
				
			||||||
	if (sid) {
 | 
						if (sid) {
 | 
				
			||||||
		char *ctx = NULL;
 | 
							char *ctx = NULL;
 | 
				
			||||||
		u32 len;
 | 
							u32 len;
 | 
				
			||||||
| 
						 | 
					@ -1152,7 +1153,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
 | 
				
			||||||
 * @sid: SE Linux Security ID of sender
 | 
					 * @sid: SE Linux Security ID of sender
 | 
				
			||||||
 */
 | 
					 */
 | 
				
			||||||
int audit_receive_filter(int type, int pid, int seq, void *data,
 | 
					int audit_receive_filter(int type, int pid, int seq, void *data,
 | 
				
			||||||
			 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
 | 
								 size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct task_struct *tsk;
 | 
						struct task_struct *tsk;
 | 
				
			||||||
	struct audit_netlink_list *dest;
 | 
						struct audit_netlink_list *dest;
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -149,7 +149,7 @@ struct audit_aux_data_execve {
 | 
				
			||||||
struct audit_aux_data_pids {
 | 
					struct audit_aux_data_pids {
 | 
				
			||||||
	struct audit_aux_data	d;
 | 
						struct audit_aux_data	d;
 | 
				
			||||||
	pid_t			target_pid[AUDIT_AUX_PIDS];
 | 
						pid_t			target_pid[AUDIT_AUX_PIDS];
 | 
				
			||||||
	uid_t			target_auid[AUDIT_AUX_PIDS];
 | 
						kuid_t			target_auid[AUDIT_AUX_PIDS];
 | 
				
			||||||
	uid_t			target_uid[AUDIT_AUX_PIDS];
 | 
						uid_t			target_uid[AUDIT_AUX_PIDS];
 | 
				
			||||||
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 | 
						unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 | 
				
			||||||
	u32			target_sid[AUDIT_AUX_PIDS];
 | 
						u32			target_sid[AUDIT_AUX_PIDS];
 | 
				
			||||||
| 
						 | 
					@ -214,7 +214,7 @@ struct audit_context {
 | 
				
			||||||
	int		    arch;
 | 
						int		    arch;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	pid_t		    target_pid;
 | 
						pid_t		    target_pid;
 | 
				
			||||||
	uid_t		    target_auid;
 | 
						kuid_t		    target_auid;
 | 
				
			||||||
	uid_t		    target_uid;
 | 
						uid_t		    target_uid;
 | 
				
			||||||
	unsigned int	    target_sessionid;
 | 
						unsigned int	    target_sessionid;
 | 
				
			||||||
	u32		    target_sid;
 | 
						u32		    target_sid;
 | 
				
			||||||
| 
						 | 
					@ -1176,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 | 
					static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 | 
				
			||||||
				 uid_t auid, uid_t uid, unsigned int sessionid,
 | 
									 kuid_t auid, uid_t uid, unsigned int sessionid,
 | 
				
			||||||
				 u32 sid, char *comm)
 | 
									 u32 sid, char *comm)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *ab;
 | 
						struct audit_buffer *ab;
 | 
				
			||||||
| 
						 | 
					@ -1188,7 +1188,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 | 
				
			||||||
	if (!ab)
 | 
						if (!ab)
 | 
				
			||||||
		return rc;
 | 
							return rc;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
 | 
						audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
 | 
				
			||||||
 | 
								 from_kuid(&init_user_ns, auid),
 | 
				
			||||||
			 uid, sessionid);
 | 
								 uid, sessionid);
 | 
				
			||||||
	if (security_secid_to_secctx(sid, &ctx, &len)) {
 | 
						if (security_secid_to_secctx(sid, &ctx, &len)) {
 | 
				
			||||||
		audit_log_format(ab, " obj=(none)");
 | 
							audit_log_format(ab, " obj=(none)");
 | 
				
			||||||
| 
						 | 
					@ -1630,7 +1631,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 | 
				
			||||||
		  context->name_count,
 | 
							  context->name_count,
 | 
				
			||||||
		  context->ppid,
 | 
							  context->ppid,
 | 
				
			||||||
		  context->pid,
 | 
							  context->pid,
 | 
				
			||||||
		  tsk->loginuid,
 | 
							  from_kuid(&init_user_ns, tsk->loginuid),
 | 
				
			||||||
		  context->uid,
 | 
							  context->uid,
 | 
				
			||||||
		  context->gid,
 | 
							  context->gid,
 | 
				
			||||||
		  context->euid, context->suid, context->fsuid,
 | 
							  context->euid, context->suid, context->fsuid,
 | 
				
			||||||
| 
						 | 
					@ -2291,14 +2292,14 @@ static atomic_t session_id = ATOMIC_INIT(0);
 | 
				
			||||||
 *
 | 
					 *
 | 
				
			||||||
 * Called (set) from fs/proc/base.c::proc_loginuid_write().
 | 
					 * Called (set) from fs/proc/base.c::proc_loginuid_write().
 | 
				
			||||||
 */
 | 
					 */
 | 
				
			||||||
int audit_set_loginuid(uid_t loginuid)
 | 
					int audit_set_loginuid(kuid_t loginuid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct task_struct *task = current;
 | 
						struct task_struct *task = current;
 | 
				
			||||||
	struct audit_context *context = task->audit_context;
 | 
						struct audit_context *context = task->audit_context;
 | 
				
			||||||
	unsigned int sessionid;
 | 
						unsigned int sessionid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
 | 
					#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
 | 
				
			||||||
	if (task->loginuid != -1)
 | 
						if (uid_valid(task->loginuid))
 | 
				
			||||||
		return -EPERM;
 | 
							return -EPERM;
 | 
				
			||||||
#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
 | 
					#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
 | 
				
			||||||
	if (!capable(CAP_AUDIT_CONTROL))
 | 
						if (!capable(CAP_AUDIT_CONTROL))
 | 
				
			||||||
| 
						 | 
					@ -2315,7 +2316,8 @@ int audit_set_loginuid(uid_t loginuid)
 | 
				
			||||||
				"old auid=%u new auid=%u"
 | 
									"old auid=%u new auid=%u"
 | 
				
			||||||
				" old ses=%u new ses=%u",
 | 
									" old ses=%u new ses=%u",
 | 
				
			||||||
				task->pid, task_uid(task),
 | 
									task->pid, task_uid(task),
 | 
				
			||||||
				task->loginuid, loginuid,
 | 
									from_kuid(&init_user_ns, task->loginuid),
 | 
				
			||||||
 | 
									from_kuid(&init_user_ns, loginuid),
 | 
				
			||||||
				task->sessionid, sessionid);
 | 
									task->sessionid, sessionid);
 | 
				
			||||||
			audit_log_end(ab);
 | 
								audit_log_end(ab);
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
| 
						 | 
					@ -2543,7 +2545,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
 | 
				
			||||||
	if (audit_pid && t->tgid == audit_pid) {
 | 
						if (audit_pid && t->tgid == audit_pid) {
 | 
				
			||||||
		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
 | 
							if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
 | 
				
			||||||
			audit_sig_pid = tsk->pid;
 | 
								audit_sig_pid = tsk->pid;
 | 
				
			||||||
			if (tsk->loginuid != -1)
 | 
								if (uid_valid(tsk->loginuid))
 | 
				
			||||||
				audit_sig_uid = tsk->loginuid;
 | 
									audit_sig_uid = tsk->loginuid;
 | 
				
			||||||
			else
 | 
								else
 | 
				
			||||||
				audit_sig_uid = uid;
 | 
									audit_sig_uid = uid;
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -4524,7 +4524,7 @@ static int __dev_set_promiscuity(struct net_device *dev, int inc)
 | 
				
			||||||
				"dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
 | 
									"dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
 | 
				
			||||||
				dev->name, (dev->flags & IFF_PROMISC),
 | 
									dev->name, (dev->flags & IFF_PROMISC),
 | 
				
			||||||
				(old_flags & IFF_PROMISC),
 | 
									(old_flags & IFF_PROMISC),
 | 
				
			||||||
				audit_get_loginuid(current),
 | 
									from_kuid(&init_user_ns, audit_get_loginuid(current)),
 | 
				
			||||||
				from_kuid(&init_user_ns, uid),
 | 
									from_kuid(&init_user_ns, uid),
 | 
				
			||||||
				from_kgid(&init_user_ns, gid),
 | 
									from_kgid(&init_user_ns, gid),
 | 
				
			||||||
				audit_get_sessionid(current));
 | 
									audit_get_sessionid(current));
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1541,7 +1541,7 @@ int __init netlbl_unlabel_defconf(void)
 | 
				
			||||||
	 * it is called is at bootup before the audit subsystem is reporting
 | 
						 * it is called is at bootup before the audit subsystem is reporting
 | 
				
			||||||
	 * messages so don't worry to much about these values. */
 | 
						 * messages so don't worry to much about these values. */
 | 
				
			||||||
	security_task_getsecid(current, &audit_info.secid);
 | 
						security_task_getsecid(current, &audit_info.secid);
 | 
				
			||||||
	audit_info.loginuid = 0;
 | 
						audit_info.loginuid = GLOBAL_ROOT_UID;
 | 
				
			||||||
	audit_info.sessionid = 0;
 | 
						audit_info.sessionid = 0;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 | 
						entry = kzalloc(sizeof(*entry), GFP_KERNEL);
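Review bot: `audit_info.loginuid = GLOBAL_ROOT_UID;` in netlbl_unlabel_defconf keeps attributing this boot-time default configuration to login uid 0. Any record it produces would read as the action of a root login session rather than of the kernel. The xfrm teardown paths elsewhere in this commit use `INVALID_UID` for their audit_info, and the same sentinel would fit here if the value is ever logged. The surrounding comment says audit is not yet reporting messages at this point, so this may be moot; if root is kept deliberately, a short comment such as `/* boot-time default, attributed to root; audit is not reporting yet */` would record that. The function body continues outside the hunk.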
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -109,7 +109,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 | 
				
			||||||
		return NULL;
 | 
							return NULL;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	audit_log_format(audit_buf, "netlabel: auid=%u ses=%u",
 | 
						audit_log_format(audit_buf, "netlabel: auid=%u ses=%u",
 | 
				
			||||||
			 audit_info->loginuid,
 | 
								 from_kuid(&init_user_ns, audit_info->loginuid),
 | 
				
			||||||
			 audit_info->sessionid);
 | 
								 audit_info->sessionid);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if (audit_info->secid != 0 &&
 | 
						if (audit_info->secid != 0 &&
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -2630,12 +2630,12 @@ static void xfrm_policy_fini(struct net *net)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	flush_work(&net->xfrm.policy_hash_work);
 | 
						flush_work(&net->xfrm.policy_hash_work);
 | 
				
			||||||
#ifdef CONFIG_XFRM_SUB_POLICY
 | 
					#ifdef CONFIG_XFRM_SUB_POLICY
 | 
				
			||||||
	audit_info.loginuid = -1;
 | 
						audit_info.loginuid = INVALID_UID;
 | 
				
			||||||
	audit_info.sessionid = -1;
 | 
						audit_info.sessionid = -1;
 | 
				
			||||||
	audit_info.secid = 0;
 | 
						audit_info.secid = 0;
 | 
				
			||||||
	xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
 | 
						xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
 | 
				
			||||||
#endif
 | 
					#endif
 | 
				
			||||||
	audit_info.loginuid = -1;
 | 
						audit_info.loginuid = INVALID_UID;
 | 
				
			||||||
	audit_info.sessionid = -1;
 | 
						audit_info.sessionid = -1;
 | 
				
			||||||
	audit_info.secid = 0;
 | 
						audit_info.secid = 0;
 | 
				
			||||||
	xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
 | 
						xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
 | 
				
			||||||
| 
						 | 
					@ -2742,7 +2742,7 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
					void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
				
			||||||
			   uid_t auid, u32 sessionid, u32 secid)
 | 
								   kuid_t auid, u32 sessionid, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *audit_buf;
 | 
						struct audit_buffer *audit_buf;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -2757,7 +2757,7 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 | 
				
			||||||
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
 | 
					EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 | 
					void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 | 
				
			||||||
			      uid_t auid, u32 sessionid, u32 secid)
 | 
								      kuid_t auid, u32 sessionid, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *audit_buf;
 | 
						struct audit_buffer *audit_buf;
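Review bot: In xfrm_policy_fini the login uid now uses the named `INVALID_UID` sentinel, while `audit_info.sessionid = -1;` on the next line stays a bare literal. The same pair appears twice in this function and once more in xfrm_state_fini. A one-line comment above each group, for example `/* no login uid or session: flush is not tied to a user login */`, would tell someone reading the audit trail that the unset auid/ses values are intentional. That reading is inferred from the function names and should be confirmed. xfrm_policy_fini starts and ends outside the hunk.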
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -2045,7 +2045,7 @@ void xfrm_state_fini(struct net *net)
 | 
				
			||||||
	unsigned int sz;
 | 
						unsigned int sz;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	flush_work(&net->xfrm.state_hash_work);
 | 
						flush_work(&net->xfrm.state_hash_work);
 | 
				
			||||||
	audit_info.loginuid = -1;
 | 
						audit_info.loginuid = INVALID_UID;
 | 
				
			||||||
	audit_info.sessionid = -1;
 | 
						audit_info.sessionid = -1;
 | 
				
			||||||
	audit_info.secid = 0;
 | 
						audit_info.secid = 0;
 | 
				
			||||||
	xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
 | 
						xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
 | 
				
			||||||
| 
						 | 
					@ -2112,7 +2112,7 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
					void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
				
			||||||
			  uid_t auid, u32 sessionid, u32 secid)
 | 
								  kuid_t auid, u32 sessionid, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *audit_buf;
 | 
						struct audit_buffer *audit_buf;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -2127,7 +2127,7 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
 | 
				
			||||||
EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
 | 
					EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 | 
					void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 | 
				
			||||||
			     uid_t auid, u32 sessionid, u32 secid)
 | 
								     kuid_t auid, u32 sessionid, u32 secid)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
	struct audit_buffer *audit_buf;
 | 
						struct audit_buffer *audit_buf;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -575,7 +575,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
 | 
				
			||||||
	struct xfrm_state *x;
 | 
						struct xfrm_state *x;
 | 
				
			||||||
	int err;
 | 
						int err;
 | 
				
			||||||
	struct km_event c;
 | 
						struct km_event c;
 | 
				
			||||||
	uid_t loginuid = audit_get_loginuid(current);
 | 
						kuid_t loginuid = audit_get_loginuid(current);
 | 
				
			||||||
	u32 sessionid = audit_get_sessionid(current);
 | 
						u32 sessionid = audit_get_sessionid(current);
 | 
				
			||||||
	u32 sid;
 | 
						u32 sid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -654,7 +654,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
 | 
				
			||||||
	int err = -ESRCH;
 | 
						int err = -ESRCH;
 | 
				
			||||||
	struct km_event c;
 | 
						struct km_event c;
 | 
				
			||||||
	struct xfrm_usersa_id *p = nlmsg_data(nlh);
 | 
						struct xfrm_usersa_id *p = nlmsg_data(nlh);
 | 
				
			||||||
	uid_t loginuid = audit_get_loginuid(current);
 | 
						kuid_t loginuid = audit_get_loginuid(current);
 | 
				
			||||||
	u32 sessionid = audit_get_sessionid(current);
 | 
						u32 sessionid = audit_get_sessionid(current);
 | 
				
			||||||
	u32 sid;
 | 
						u32 sid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1369,7 +1369,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 | 
				
			||||||
	struct km_event c;
 | 
						struct km_event c;
 | 
				
			||||||
	int err;
 | 
						int err;
 | 
				
			||||||
	int excl;
 | 
						int excl;
 | 
				
			||||||
	uid_t loginuid = audit_get_loginuid(current);
 | 
						kuid_t loginuid = audit_get_loginuid(current);
 | 
				
			||||||
	u32 sessionid = audit_get_sessionid(current);
 | 
						u32 sessionid = audit_get_sessionid(current);
 | 
				
			||||||
	u32 sid;
 | 
						u32 sid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1624,7 +1624,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 | 
				
			||||||
					    NETLINK_CB(skb).pid);
 | 
										    NETLINK_CB(skb).pid);
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
	} else {
 | 
						} else {
 | 
				
			||||||
		uid_t loginuid = audit_get_loginuid(current);
 | 
							kuid_t loginuid = audit_get_loginuid(current);
 | 
				
			||||||
		u32 sessionid = audit_get_sessionid(current);
 | 
							u32 sessionid = audit_get_sessionid(current);
 | 
				
			||||||
		u32 sid;
 | 
							u32 sid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1918,7 +1918,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	err = 0;
 | 
						err = 0;
 | 
				
			||||||
	if (up->hard) {
 | 
						if (up->hard) {
 | 
				
			||||||
		uid_t loginuid = audit_get_loginuid(current);
 | 
							kuid_t loginuid = audit_get_loginuid(current);
 | 
				
			||||||
		u32 sessionid = audit_get_sessionid(current);
 | 
							u32 sessionid = audit_get_sessionid(current);
 | 
				
			||||||
		u32 sid;
 | 
							u32 sid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1961,7 +1961,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
 | 
				
			||||||
	km_state_expired(x, ue->hard, current->pid);
 | 
						km_state_expired(x, ue->hard, current->pid);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if (ue->hard) {
 | 
						if (ue->hard) {
 | 
				
			||||||
		uid_t loginuid = audit_get_loginuid(current);
 | 
							kuid_t loginuid = audit_get_loginuid(current);
 | 
				
			||||||
		u32 sessionid = audit_get_sessionid(current);
 | 
							u32 sessionid = audit_get_sessionid(current);
 | 
				
			||||||
		u32 sid;
 | 
							u32 sid;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||