Lines Matching full:context
41 * Subject and object context labeling support added by <danjones@us.ibm.com>
227 * it's going to remain 1-element for almost any setup) until we free context itself.
463 /* Determine if any context name data matches a rule's watch data */
879 static inline void audit_proctitle_free(struct audit_context *context) in audit_proctitle_free() argument
881 kfree(context->proctitle.value); in audit_proctitle_free()
882 context->proctitle.value = NULL; in audit_proctitle_free()
883 context->proctitle.len = 0; in audit_proctitle_free()
886 static inline void audit_free_module(struct audit_context *context) in audit_free_module() argument
888 if (context->type == AUDIT_KERN_MODULE) { in audit_free_module()
889 kfree(context->module.name); in audit_free_module()
890 context->module.name = NULL; in audit_free_module()
893 static inline void audit_free_names(struct audit_context *context) in audit_free_names() argument
897 list_for_each_entry_safe(n, next, &context->names_list, list) { in audit_free_names()
904 context->name_count = 0; in audit_free_names()
905 path_put(&context->pwd); in audit_free_names()
906 context->pwd.dentry = NULL; in audit_free_names()
907 context->pwd.mnt = NULL; in audit_free_names()
910 static inline void audit_free_aux(struct audit_context *context) in audit_free_aux() argument
914 while ((aux = context->aux)) { in audit_free_aux()
915 context->aux = aux->next; in audit_free_aux()
918 while ((aux = context->aux_pids)) { in audit_free_aux()
919 context->aux_pids = aux->next; in audit_free_aux()
926 struct audit_context *context; in audit_alloc_context() local
928 context = kzalloc(sizeof(*context), GFP_KERNEL); in audit_alloc_context()
929 if (!context) in audit_alloc_context()
931 context->state = state; in audit_alloc_context()
932 context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0; in audit_alloc_context()
933 INIT_LIST_HEAD(&context->killed_trees); in audit_alloc_context()
934 INIT_LIST_HEAD(&context->names_list); in audit_alloc_context()
935 context->fds[0] = -1; in audit_alloc_context()
936 context->return_valid = AUDITSC_INVALID; in audit_alloc_context()
937 return context; in audit_alloc_context()
941 * audit_alloc - allocate an audit context block for a task
944 * Filter on the task information and allocate a per-task audit context
951 struct audit_context *context; in audit_alloc() local
964 if (!(context = audit_alloc_context(state))) { in audit_alloc()
969 context->filterkey = key; in audit_alloc()
971 audit_set_context(tsk, context); in audit_alloc()
976 static inline void audit_free_context(struct audit_context *context) in audit_free_context() argument
978 audit_free_module(context); in audit_free_context()
979 audit_free_names(context); in audit_free_context()
980 unroll_tree_refs(context, NULL, 0); in audit_free_context()
981 free_tree_refs(context); in audit_free_context()
982 audit_free_aux(context); in audit_free_context()
983 kfree(context->filterkey); in audit_free_context()
984 kfree(context->sockaddr); in audit_free_context()
985 audit_proctitle_free(context); in audit_free_context()
986 kfree(context); in audit_free_context()
989 static int audit_log_pid_context(struct audit_context *context, pid_t pid, in audit_log_pid_context() argument
998 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); in audit_log_pid_context()
1021 static void audit_log_execve_info(struct audit_context *context, in audit_log_execve_info() argument
1058 audit_log_format(*ab, "argc=%d", context->execve.argc); in audit_log_execve_info()
1130 *ab = audit_log_start(context, in audit_log_execve_info()
1187 } while (arg < context->execve.argc); in audit_log_execve_info()
1222 static void show_special(struct audit_context *context, int *call_panic) in show_special() argument
1227 ab = audit_log_start(context, GFP_KERNEL, context->type); in show_special()
1231 switch (context->type) { in show_special()
1233 int nargs = context->socketcall.nargs; in show_special()
1238 context->socketcall.args[i]); in show_special()
1241 u32 osid = context->ipc.osid; in show_special()
1244 from_kuid(&init_user_ns, context->ipc.uid), in show_special()
1245 from_kgid(&init_user_ns, context->ipc.gid), in show_special()
1246 context->ipc.mode); in show_special()
1259 if (context->ipc.has_perm) { in show_special()
1261 ab = audit_log_start(context, GFP_KERNEL, in show_special()
1267 context->ipc.qbytes, in show_special()
1268 context->ipc.perm_uid, in show_special()
1269 context->ipc.perm_gid, in show_special()
1270 context->ipc.perm_mode); in show_special()
1277 context->mq_open.oflag, context->mq_open.mode, in show_special()
1278 context->mq_open.attr.mq_flags, in show_special()
1279 context->mq_open.attr.mq_maxmsg, in show_special()
1280 context->mq_open.attr.mq_msgsize, in show_special()
1281 context->mq_open.attr.mq_curmsgs); in show_special()
1287 context->mq_sendrecv.mqdes, in show_special()
1288 context->mq_sendrecv.msg_len, in show_special()
1289 context->mq_sendrecv.msg_prio, in show_special()
1290 (long long) context->mq_sendrecv.abs_timeout.tv_sec, in show_special()
1291 context->mq_sendrecv.abs_timeout.tv_nsec); in show_special()
1295 context->mq_notify.mqdes, in show_special()
1296 context->mq_notify.sigev_signo); in show_special()
1299 struct mq_attr *attr = &context->mq_getsetattr.mqstat; in show_special()
1304 context->mq_getsetattr.mqdes, in show_special()
1309 audit_log_format(ab, "pid=%d", context->capset.pid); in show_special()
1310 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable); in show_special()
1311 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted); in show_special()
1312 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective); in show_special()
1313 audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient); in show_special()
1316 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, in show_special()
1317 context->mmap.flags); in show_special()
1320 audit_log_execve_info(context, &ab); in show_special()
1324 if (context->module.name) { in show_special()
1325 audit_log_untrustedstring(ab, context->module.name); in show_special()
1349 * @context: audit_context for the task
1355 static void audit_log_name(struct audit_context *context, struct audit_names *n, in audit_log_name() argument
1360 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); in audit_log_name()
1379 if (context->pwd.dentry && context->pwd.mnt) in audit_log_name()
1380 audit_log_d_path(ab, " name=", &context->pwd); in audit_log_name()
1447 struct audit_context *context = audit_context(); in audit_log_proctitle() local
1450 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE); in audit_log_proctitle()
1457 if (!context->proctitle.value) { in audit_log_proctitle()
1472 context->proctitle.value = buf; in audit_log_proctitle()
1473 context->proctitle.len = res; in audit_log_proctitle()
1475 msg = context->proctitle.value; in audit_log_proctitle()
1476 len = context->proctitle.len; in audit_log_proctitle()
1485 struct audit_context *context = audit_context(); in audit_log_exit() local
1490 context->personality = current->personality; in audit_log_exit()
1492 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); in audit_log_exit()
1496 context->arch, context->major); in audit_log_exit()
1497 if (context->personality != PER_LINUX) in audit_log_exit()
1498 audit_log_format(ab, " per=%lx", context->personality); in audit_log_exit()
1499 if (context->return_valid != AUDITSC_INVALID) in audit_log_exit()
1501 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", in audit_log_exit()
1502 context->return_code); in audit_log_exit()
1506 context->argv[0], in audit_log_exit()
1507 context->argv[1], in audit_log_exit()
1508 context->argv[2], in audit_log_exit()
1509 context->argv[3], in audit_log_exit()
1510 context->name_count); in audit_log_exit()
1513 audit_log_key(ab, context->filterkey); in audit_log_exit()
1516 for (aux = context->aux; aux; aux = aux->next) { in audit_log_exit()
1518 ab = audit_log_start(context, GFP_KERNEL, aux->type); in audit_log_exit()
1548 if (context->type) in audit_log_exit()
1549 show_special(context, &call_panic); in audit_log_exit()
1551 if (context->fds[0] >= 0) { in audit_log_exit()
1552 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR); in audit_log_exit()
1555 context->fds[0], context->fds[1]); in audit_log_exit()
1560 if (context->sockaddr_len) { in audit_log_exit()
1561 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR); in audit_log_exit()
1564 audit_log_n_hex(ab, (void *)context->sockaddr, in audit_log_exit()
1565 context->sockaddr_len); in audit_log_exit()
1570 for (aux = context->aux_pids; aux; aux = aux->next) { in audit_log_exit()
1574 if (audit_log_pid_context(context, axs->target_pid[i], in audit_log_exit()
1583 if (context->target_pid && in audit_log_exit()
1584 audit_log_pid_context(context, context->target_pid, in audit_log_exit()
1585 context->target_auid, context->target_uid, in audit_log_exit()
1586 context->target_sessionid, in audit_log_exit()
1587 context->target_sid, context->target_comm)) in audit_log_exit()
1590 if (context->pwd.dentry && context->pwd.mnt) { in audit_log_exit()
1591 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); in audit_log_exit()
1593 audit_log_d_path(ab, "cwd=", &context->pwd); in audit_log_exit()
1599 list_for_each_entry(n, &context->names_list, list) { in audit_log_exit()
1602 audit_log_name(context, n, NULL, i++, &call_panic); in audit_log_exit()
1608 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); in audit_log_exit()
1616 * __audit_free - free a per-task audit context
1617 * @tsk: task whose audit context block to free
1623 struct audit_context *context = tsk->audit_context; in __audit_free() local
1625 if (!context) in __audit_free()
1628 if (!list_empty(&context->killed_trees)) in __audit_free()
1629 audit_kill_trees(context); in __audit_free()
1636 if (tsk == current && !context->dummy && context->in_syscall) { in __audit_free()
1637 context->return_valid = AUDITSC_INVALID; in __audit_free()
1638 context->return_code = 0; in __audit_free()
1640 audit_filter_syscall(tsk, context); in __audit_free()
1641 audit_filter_inodes(tsk, context); in __audit_free()
1642 if (context->current_state == AUDIT_STATE_RECORD) in __audit_free()
1647 audit_free_context(context); in __audit_free()
1658 * Fill in audit context at syscall entry. This only happens if the
1659 * audit context was created when the task was created and the state or
1660 * filters demand the audit context be built. If the state from the
1669 struct audit_context *context = audit_context(); in __audit_syscall_entry() local
1672 if (!audit_enabled || !context) in __audit_syscall_entry()
1675 BUG_ON(context->in_syscall || context->name_count); in __audit_syscall_entry()
1677 state = context->state; in __audit_syscall_entry()
1681 context->dummy = !audit_n_rules; in __audit_syscall_entry()
1682 if (!context->dummy && state == AUDIT_STATE_BUILD) { in __audit_syscall_entry()
1683 context->prio = 0; in __audit_syscall_entry()
1688 context->arch = syscall_get_arch(current); in __audit_syscall_entry()
1689 context->major = major; in __audit_syscall_entry()
1690 context->argv[0] = a1; in __audit_syscall_entry()
1691 context->argv[1] = a2; in __audit_syscall_entry()
1692 context->argv[2] = a3; in __audit_syscall_entry()
1693 context->argv[3] = a4; in __audit_syscall_entry()
1694 context->serial = 0; in __audit_syscall_entry()
1695 context->in_syscall = 1; in __audit_syscall_entry()
1696 context->current_state = state; in __audit_syscall_entry()
1697 context->ppid = 0; in __audit_syscall_entry()
1698 ktime_get_coarse_real_ts64(&context->ctime); in __audit_syscall_entry()
1702 * __audit_syscall_exit - deallocate audit context after a system call
1706 * Tear down after system call. If the audit context has been marked as
1714 struct audit_context *context; in __audit_syscall_exit() local
1716 context = audit_context(); in __audit_syscall_exit()
1717 if (!context) in __audit_syscall_exit()
1720 if (!list_empty(&context->killed_trees)) in __audit_syscall_exit()
1721 audit_kill_trees(context); in __audit_syscall_exit()
1723 if (!context->dummy && context->in_syscall) { in __audit_syscall_exit()
1725 context->return_valid = AUDITSC_SUCCESS; in __audit_syscall_exit()
1727 context->return_valid = AUDITSC_FAILURE; in __audit_syscall_exit()
1743 context->return_code = -EINTR; in __audit_syscall_exit()
1745 context->return_code = return_code; in __audit_syscall_exit()
1747 audit_filter_syscall(current, context); in __audit_syscall_exit()
1748 audit_filter_inodes(current, context); in __audit_syscall_exit()
1749 if (context->current_state == AUDIT_STATE_RECORD) in __audit_syscall_exit()
1753 context->in_syscall = 0; in __audit_syscall_exit()
1754 context->prio = context->state == AUDIT_STATE_RECORD ? ~0ULL : 0; in __audit_syscall_exit()
1756 audit_free_module(context); in __audit_syscall_exit()
1757 audit_free_names(context); in __audit_syscall_exit()
1758 unroll_tree_refs(context, NULL, 0); in __audit_syscall_exit()
1759 audit_free_aux(context); in __audit_syscall_exit()
1760 context->aux = NULL; in __audit_syscall_exit()
1761 context->aux_pids = NULL; in __audit_syscall_exit()
1762 context->target_pid = 0; in __audit_syscall_exit()
1763 context->target_sid = 0; in __audit_syscall_exit()
1764 context->sockaddr_len = 0; in __audit_syscall_exit()
1765 context->type = 0; in __audit_syscall_exit()
1766 context->fds[0] = -1; in __audit_syscall_exit()
1767 if (context->state != AUDIT_STATE_RECORD) { in __audit_syscall_exit()
1768 kfree(context->filterkey); in __audit_syscall_exit()
1769 context->filterkey = NULL; in __audit_syscall_exit()
1775 struct audit_context *context; in handle_one() local
1782 context = audit_context(); in handle_one()
1783 p = context->trees; in handle_one()
1784 count = context->tree_count; in handle_one()
1790 if (likely(put_tree_ref(context, chunk))) in handle_one()
1792 if (unlikely(!grow_tree_refs(context))) { in handle_one()
1794 audit_set_auditable(context); in handle_one()
1796 unroll_tree_refs(context, p, count); in handle_one()
1799 put_tree_ref(context, chunk); in handle_one()
1804 struct audit_context *context; in handle_path() local
1811 context = audit_context(); in handle_path()
1812 p = context->trees; in handle_path()
1813 count = context->tree_count; in handle_path()
1827 if (unlikely(!put_tree_ref(context, chunk))) { in handle_path()
1842 unroll_tree_refs(context, p, count); in handle_path()
1846 if (grow_tree_refs(context)) { in handle_path()
1848 unroll_tree_refs(context, p, count); in handle_path()
1853 unroll_tree_refs(context, p, count); in handle_path()
1854 audit_set_auditable(context); in handle_path()
1860 static struct audit_names *audit_alloc_name(struct audit_context *context, in audit_alloc_name() argument
1865 if (context->name_count < AUDIT_NAMES) { in audit_alloc_name()
1866 aname = &context->preallocated_names[context->name_count]; in audit_alloc_name()
1877 list_add_tail(&aname->list, &context->names_list); in audit_alloc_name()
1879 context->name_count++; in audit_alloc_name()
1880 if (!context->pwd.dentry) in audit_alloc_name()
1881 get_fs_pwd(current->fs, &context->pwd); in audit_alloc_name()
1889 * Search the audit_names list for the current audit context. If there is an
1896 struct audit_context *context = audit_context(); in __audit_reusename() local
1899 list_for_each_entry(n, &context->names_list, list) { in __audit_reusename()
1914 * Add a name to the list of audit names for this context.
1919 struct audit_context *context = audit_context(); in __audit_getname() local
1922 if (!context->in_syscall) in __audit_getname()
1925 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN); in __audit_getname()
1986 struct audit_context *context = audit_context(); in __audit_inode() local
1994 if (!context->in_syscall) in __audit_inode()
2032 list_for_each_entry_reverse(n, &context->names_list, list) { in __audit_inode()
2059 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN); in __audit_inode()
2094 * This call updates the audit context with the child's information.
2104 struct audit_context *context = audit_context(); in __audit_inode_child() local
2112 if (!context->in_syscall) in __audit_inode_child()
2135 list_for_each_entry(n, &context->names_list, list) { in __audit_inode_child()
2152 list_for_each_entry(n, &context->names_list, list) { in __audit_inode_child()
2172 n = audit_alloc_name(context, AUDIT_TYPE_PARENT); in __audit_inode_child()
2179 found_child = audit_alloc_name(context, type); in __audit_inode_child()
2184 * directory. All names for this context are relinquished in in __audit_inode_child()
2206 * Also sets the context as auditable.
2234 struct audit_context *context = audit_context(); in __audit_mq_open() local
2237 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr)); in __audit_mq_open()
2239 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr)); in __audit_mq_open()
2241 context->mq_open.oflag = oflag; in __audit_mq_open()
2242 context->mq_open.mode = mode; in __audit_mq_open()
2244 context->type = AUDIT_MQ_OPEN; in __audit_mq_open()
2258 struct audit_context *context = audit_context(); in __audit_mq_sendrecv() local
2259 struct timespec64 *p = &context->mq_sendrecv.abs_timeout; in __audit_mq_sendrecv()
2266 context->mq_sendrecv.mqdes = mqdes; in __audit_mq_sendrecv()
2267 context->mq_sendrecv.msg_len = msg_len; in __audit_mq_sendrecv()
2268 context->mq_sendrecv.msg_prio = msg_prio; in __audit_mq_sendrecv()
2270 context->type = AUDIT_MQ_SENDRECV; in __audit_mq_sendrecv()
2282 struct audit_context *context = audit_context(); in __audit_mq_notify() local
2285 context->mq_notify.sigev_signo = notification->sigev_signo; in __audit_mq_notify()
2287 context->mq_notify.sigev_signo = 0; in __audit_mq_notify()
2289 context->mq_notify.mqdes = mqdes; in __audit_mq_notify()
2290 context->type = AUDIT_MQ_NOTIFY; in __audit_mq_notify()
2301 struct audit_context *context = audit_context(); in __audit_mq_getsetattr() local
2303 context->mq_getsetattr.mqdes = mqdes; in __audit_mq_getsetattr()
2304 context->mq_getsetattr.mqstat = *mqstat; in __audit_mq_getsetattr()
2305 context->type = AUDIT_MQ_GETSETATTR; in __audit_mq_getsetattr()
2315 struct audit_context *context = audit_context(); in __audit_ipc_obj() local
2317 context->ipc.uid = ipcp->uid; in __audit_ipc_obj()
2318 context->ipc.gid = ipcp->gid; in __audit_ipc_obj()
2319 context->ipc.mode = ipcp->mode; in __audit_ipc_obj()
2320 context->ipc.has_perm = 0; in __audit_ipc_obj()
2321 security_ipc_getsecid(ipcp, &context->ipc.osid); in __audit_ipc_obj()
2322 context->type = AUDIT_IPC; in __audit_ipc_obj()
2336 struct audit_context *context = audit_context(); in __audit_ipc_set_perm() local
2338 context->ipc.qbytes = qbytes; in __audit_ipc_set_perm()
2339 context->ipc.perm_uid = uid; in __audit_ipc_set_perm()
2340 context->ipc.perm_gid = gid; in __audit_ipc_set_perm()
2341 context->ipc.perm_mode = mode; in __audit_ipc_set_perm()
2342 context->ipc.has_perm = 1; in __audit_ipc_set_perm()
2347 struct audit_context *context = audit_context(); in __audit_bprm() local
2349 context->type = AUDIT_EXECVE; in __audit_bprm()
2350 context->execve.argc = bprm->argc; in __audit_bprm()
2362 struct audit_context *context = audit_context(); in __audit_socketcall() local
2366 context->type = AUDIT_SOCKETCALL; in __audit_socketcall()
2367 context->socketcall.nargs = nargs; in __audit_socketcall()
2368 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); in __audit_socketcall()
2380 struct audit_context *context = audit_context(); in __audit_fd_pair() local
2382 context->fds[0] = fd1; in __audit_fd_pair()
2383 context->fds[1] = fd2; in __audit_fd_pair()
2391 * Returns 0 for success or NULL context or < 0 on error.
2395 struct audit_context *context = audit_context(); in __audit_sockaddr() local
2397 if (!context->sockaddr) { in __audit_sockaddr()
2402 context->sockaddr = p; in __audit_sockaddr()
2405 context->sockaddr_len = len; in __audit_sockaddr()
2406 memcpy(context->sockaddr, a, len); in __audit_sockaddr()
2412 struct audit_context *context = audit_context(); in __audit_ptrace() local
2414 context->target_pid = task_tgid_nr(t); in __audit_ptrace()
2415 context->target_auid = audit_get_loginuid(t); in __audit_ptrace()
2416 context->target_uid = task_uid(t); in __audit_ptrace()
2417 context->target_sessionid = audit_get_sessionid(t); in __audit_ptrace()
2418 security_task_getsecid_obj(t, &context->target_sid); in __audit_ptrace()
2419 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); in __audit_ptrace()
2488 struct audit_context *context = audit_context(); in __audit_log_bprm_fcaps() local
2496 ax->d.next = context->aux; in __audit_log_bprm_fcaps()
2497 context->aux = (void *)ax; in __audit_log_bprm_fcaps()
2530 struct audit_context *context = audit_context(); in __audit_log_capset() local
2532 context->capset.pid = task_tgid_nr(current); in __audit_log_capset()
2533 context->capset.cap.effective = new->cap_effective; in __audit_log_capset()
2534 context->capset.cap.inheritable = new->cap_effective; in __audit_log_capset()
2535 context->capset.cap.permitted = new->cap_permitted; in __audit_log_capset()
2536 context->capset.cap.ambient = new->cap_ambient; in __audit_log_capset()
2537 context->type = AUDIT_CAPSET; in __audit_log_capset()
2542 struct audit_context *context = audit_context(); in __audit_mmap_fd() local
2544 context->mmap.fd = fd; in __audit_mmap_fd()
2545 context->mmap.flags = flags; in __audit_mmap_fd()
2546 context->type = AUDIT_MMAP; in __audit_mmap_fd()
2551 struct audit_context *context = audit_context(); in __audit_log_kern_module() local
2553 context->module.name = kstrdup(name, GFP_KERNEL); in __audit_log_kern_module()
2554 if (!context->module.name) in __audit_log_kern_module()
2556 context->type = AUDIT_KERN_MODULE; in __audit_log_kern_module()
2670 * and dummy context state because seccomp actions should be logged even when