Merge tag 'audit-pr-20210629' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

   a per-task filter.  At syscall entry, the audit_state is augmented by

   the syscall filter. */

enum audit_state {

	AUDIT_DISABLED,		/* Do not create per-task audit_context.

	AUDIT_STATE_DISABLED,	/* Do not create per-task audit_context.

				 * No syscall-specific audit records can

				 * be generated. */

	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,

	AUDIT_STATE_BUILD,	/* Create the per-task audit_context,

				 * and fill it in at syscall

				 * entry time.  This makes a full

				 * syscall record available if some

				 * other part of the kernel decides it

				 * should be recorded. */

	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,

	AUDIT_STATE_RECORD	/* Create the per-task audit_context,

				 * always fill it in at syscall entry

				 * time, and always write out the audit

				 * record at syscall exit time.  */

	return 0;

}

#define audit_filter_inodes(t, c) AUDIT_DISABLED

#define audit_filter_inodes(t, c) AUDIT_STATE_DISABLED

#endif /* CONFIG_AUDITSYSCALL */

extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);

		tree = container_of(cursor.next, struct audit_tree, list);

		get_tree(tree);

		list_del(&cursor);

		list_add(&cursor, &tree->list);

		list_move(&cursor, &tree->list);

		mutex_unlock(&audit_filter_mutex);

		err = kern_path(tree->pathname, 0, &path);

		tree = container_of(cursor.next, struct audit_tree, list);

		get_tree(tree);

		list_del(&cursor);

		list_add(&cursor, &tree->list);

		list_move(&cursor, &tree->list);

		mutex_unlock(&audit_filter_mutex);

		err = kern_path(tree->pathname, 0, &path2);

		mutex_lock(&audit_filter_mutex);

		spin_lock(&hash_lock);

		if (!tree->goner) {

			list_del(&tree->list);

			list_add(&tree->list, &tree_list);

			list_move(&tree->list, &tree_list);

		}

		spin_unlock(&hash_lock);

		put_tree(tree);

		tree = container_of(barrier.prev, struct audit_tree, list);

		get_tree(tree);

		list_del(&tree->list);

		list_add(&tree->list, &barrier);

		list_move(&tree->list, &barrier);

		mutex_unlock(&audit_filter_mutex);

		if (!failed) {

static int audit_match_perm(struct audit_context *ctx, int mask)

{

	unsigned n;

	if (unlikely(!ctx))

		return 0;

	n = ctx->major;

{

	if (!ctx->prio) {

		ctx->prio = 1;

		ctx->current_state = AUDIT_RECORD_CONTEXT;

		ctx->current_state = AUDIT_STATE_RECORD;

	}

}

{

	struct audit_tree_refs *p = ctx->trees;

	int left = ctx->tree_count;

	if (likely(left)) {

		p->c[--left] = chunk;

		ctx->tree_count = left;

static int grow_tree_refs(struct audit_context *ctx)

{

	struct audit_tree_refs *p = ctx->trees;

	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);

	if (!ctx->trees) {

		ctx->trees = p;

{

	struct audit_tree_refs *q;

	int n;

	if (!p) {

		/* we started with empty chain */

		p = ctx->first_trees;

static void free_tree_refs(struct audit_context *ctx)

{

	struct audit_tree_refs *p, *q;

	for (p = ctx->first_trees; p; p = q) {

		q = p->next;

		kfree(p);

{

	struct audit_tree_refs *p;

	int n;

	if (!tree)

		return 0;

	/* full ones */

	}

	switch (rule->action) {

	case AUDIT_NEVER:

		*state = AUDIT_DISABLED;

		*state = AUDIT_STATE_DISABLED;

		break;

	case AUDIT_ALWAYS:

		*state = AUDIT_RECORD_CONTEXT;

		*state = AUDIT_STATE_RECORD;

		break;

	}

	return 1;

	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {

		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,

				       &state, true)) {

			if (state == AUDIT_RECORD_CONTEXT)

			if (state == AUDIT_STATE_RECORD)

				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);

			rcu_read_unlock();

			return state;

		}

	}

	rcu_read_unlock();

	return AUDIT_BUILD_CONTEXT;

	return AUDIT_STATE_BUILD;

}

static int audit_in_mask(const struct audit_krule *rule, unsigned long val)

/* At syscall exit time, this filter is called if the audit_state is

 * not low enough that auditing cannot take place, but is also not

 * high enough that we already know we have to write an audit record

 * (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).

 * (i.e., the state is AUDIT_STATE_BUILD).

 */

static void audit_filter_syscall(struct task_struct *tsk,

				 struct audit_context *ctx)

	if (!context)

		return NULL;

	context->state = state;

	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;

	context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;

	INIT_LIST_HEAD(&context->killed_trees);

	INIT_LIST_HEAD(&context->names_list);

	context->fds[0] = -1;

		return 0; /* Return if not auditing. */

	state = audit_filter_task(tsk, &key);

	if (state == AUDIT_DISABLED) {

	if (state == AUDIT_STATE_DISABLED) {

		clear_task_syscall_work(tsk, SYSCALL_AUDIT);

		return 0;

	}

	switch (context->type) {

	case AUDIT_SOCKETCALL: {

		int nargs = context->socketcall.nargs;

		audit_log_format(ab, "nargs=%d", nargs);

		for (i = 0; i < nargs; i++)

			audit_log_format(ab, " a%d=%lx", i,

		if (osid) {

			char *ctx = NULL;

			u32 len;

			if (security_secid_to_secctx(osid, &ctx, &len)) {

				audit_log_format(ab, " osid=%u", osid);

				*call_panic = 1;

		break;

	case AUDIT_MQ_GETSETATTR: {

		struct mq_attr *attr = &context->mq_getsetattr.mqstat;

		audit_log_format(ab,

			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "

			"mq_curmsgs=%ld ",

static inline int audit_proctitle_rtrim(char *proctitle, int len)

{

	char *end = proctitle + len - 1;

	while (end > proctitle && !isprint(*end))

		end--;

		case AUDIT_BPRM_FCAPS: {

			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;

			audit_log_format(ab, "fver=%x", axs->fcap_ver);

			audit_log_cap(ab, "fp", &axs->fcap.permitted);

			audit_log_cap(ab, "fi", &axs->fcap.inheritable);

		audit_filter_syscall(tsk, context);

		audit_filter_inodes(tsk, context);

		if (context->current_state == AUDIT_RECORD_CONTEXT)

		if (context->current_state == AUDIT_STATE_RECORD)

			audit_log_exit();

	}

 * Fill in audit context at syscall entry.  This only happens if the

 * audit context was created when the task was created and the state or

 * filters demand the audit context be built.  If the state from the

 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,

 * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,

 * then the record will be written at syscall exit time (otherwise, it

 * will only be written if another part of the kernel requests that it

 * be written).

	BUG_ON(context->in_syscall || context->name_count);

	state = context->state;

	if (state == AUDIT_DISABLED)

	if (state == AUDIT_STATE_DISABLED)

		return;

	context->dummy = !audit_n_rules;

	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {

	if (!context->dummy && state == AUDIT_STATE_BUILD) {

		context->prio = 0;

		if (auditd_test_task(current))

			return;

 * @return_code: return value of the syscall

 *

 * Tear down after system call.  If the audit context has been marked as

 * auditable (either because of the AUDIT_RECORD_CONTEXT state from

 * auditable (either because of the AUDIT_STATE_RECORD state from

 * filtering, or because some other part of the kernel wrote an audit

 * message), then write out the syscall information.  In call cases,

 * free the names stored from getname().

		audit_filter_syscall(current, context);

		audit_filter_inodes(current, context);

		if (context->current_state == AUDIT_RECORD_CONTEXT)

		if (context->current_state == AUDIT_STATE_RECORD)

			audit_log_exit();

	}

	context->in_syscall = 0;

	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;

	context->prio = context->state == AUDIT_STATE_RECORD ? ~0ULL : 0;

	audit_free_module(context);

	audit_free_names(context);

	context->sockaddr_len = 0;

	context->type = 0;

	context->fds[0] = -1;

	if (context->state != AUDIT_RECORD_CONTEXT) {

	if (context->state != AUDIT_STATE_RECORD) {

		kfree(context->filterkey);

		context->filterkey = NULL;

	}

	struct audit_tree_refs *p;

	struct audit_chunk *chunk;

	int count;

	if (likely(!inode->i_fsnotify_marks))

		return;

	context = audit_context();

	seq = read_seqbegin(&rename_lock);

	for(;;) {

		struct inode *inode = d_backing_inode(d);

		if (inode && unlikely(inode->i_fsnotify_marks)) {

			struct audit_chunk *chunk;

			chunk = audit_tree_lookup(inode);

			if (chunk) {

				if (unlikely(!put_tree_ref(context, chunk))) {

	*serial    = ctx->serial;

	if (!ctx->prio) {

		ctx->prio = 1;

		ctx->current_state = AUDIT_RECORD_CONTEXT;

		ctx->current_state = AUDIT_STATE_RECORD;

	}

	return 1;

}

void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)

{

	struct audit_context *context = audit_context();

	context->mq_getsetattr.mqdes = mqdes;

	context->mq_getsetattr.mqstat = *mqstat;

	context->type = AUDIT_MQ_GETSETATTR;

void __audit_ipc_obj(struct kern_ipc_perm *ipcp)

{

	struct audit_context *context = audit_context();

	context->ipc.uid = ipcp->uid;

	context->ipc.gid = ipcp->gid;

	context->ipc.mode = ipcp->mode;

void __audit_fd_pair(int fd1, int fd2)

{

	struct audit_context *context = audit_context();

	context->fds[0] = fd1;

	context->fds[1] = fd2;

}

	if (!context->sockaddr) {

		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);

		if (!p)

			return -ENOMEM;

		context->sockaddr = p;

void __audit_log_capset(const struct cred *new, const struct cred *old)

{

	struct audit_context *context = audit_context();

	context->capset.pid = task_tgid_nr(current);

	context->capset.cap.effective   = new->cap_effective;

	context->capset.cap.inheritable = new->cap_effective;

void __audit_mmap_fd(int fd, int flags)

{

	struct audit_context *context = audit_context();

	context->mmap.fd = fd;

	context->mmap.flags = flags;

	context->type = AUDIT_MMAP;

struct list_head *audit_killed_trees(void)

{

	struct audit_context *ctx = audit_context();

	if (likely(!ctx || !ctx->in_syscall))

		return NULL;

	return &ctx->killed_trees;

		return -EINVAL;

	ad->u.net->v6info.saddr = ip6->saddr;

	ad->u.net->v6info.daddr = ip6->daddr;

	ret = 0;

	/* IPv6 can have several extension header before the Transport header

	 * skip them */

	offset = skb_network_offset(skb);