Lines Matching full:context
41 * Subject and object context labeling support added by <danjones@us.ibm.com>
228 * it's going to remain 1-element for almost any setup) until we free context itself.
459 /* Determine if any context name data matches a rule's watch data */
876 static inline void audit_proctitle_free(struct audit_context *context) in audit_proctitle_free() argument
878 kfree(context->proctitle.value); in audit_proctitle_free()
879 context->proctitle.value = NULL; in audit_proctitle_free()
880 context->proctitle.len = 0; in audit_proctitle_free()
883 static inline void audit_free_module(struct audit_context *context) in audit_free_module() argument
885 if (context->type == AUDIT_KERN_MODULE) { in audit_free_module()
886 kfree(context->module.name); in audit_free_module()
887 context->module.name = NULL; in audit_free_module()
890 static inline void audit_free_names(struct audit_context *context) in audit_free_names() argument
894 list_for_each_entry_safe(n, next, &context->names_list, list) { in audit_free_names()
901 context->name_count = 0; in audit_free_names()
902 path_put(&context->pwd); in audit_free_names()
903 context->pwd.dentry = NULL; in audit_free_names()
904 context->pwd.mnt = NULL; in audit_free_names()
907 static inline void audit_free_aux(struct audit_context *context) in audit_free_aux() argument
911 while ((aux = context->aux)) { in audit_free_aux()
912 context->aux = aux->next; in audit_free_aux()
915 while ((aux = context->aux_pids)) { in audit_free_aux()
916 context->aux_pids = aux->next; in audit_free_aux()
923 struct audit_context *context; in audit_alloc_context() local
925 context = kzalloc(sizeof(*context), GFP_KERNEL); in audit_alloc_context()
926 if (!context) in audit_alloc_context()
928 context->state = state; in audit_alloc_context()
929 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; in audit_alloc_context()
930 INIT_LIST_HEAD(&context->killed_trees); in audit_alloc_context()
931 INIT_LIST_HEAD(&context->names_list); in audit_alloc_context()
932 return context; in audit_alloc_context()
936 * audit_alloc - allocate an audit context block for a task
939 * Filter on the task information and allocate a per-task audit context
946 struct audit_context *context; in audit_alloc() local
959 if (!(context = audit_alloc_context(state))) { in audit_alloc()
964 context->filterkey = key; in audit_alloc()
966 audit_set_context(tsk, context); in audit_alloc()
971 static inline void audit_free_context(struct audit_context *context) in audit_free_context() argument
973 audit_free_module(context); in audit_free_context()
974 audit_free_names(context); in audit_free_context()
975 unroll_tree_refs(context, NULL, 0); in audit_free_context()
976 free_tree_refs(context); in audit_free_context()
977 audit_free_aux(context); in audit_free_context()
978 kfree(context->filterkey); in audit_free_context()
979 kfree(context->sockaddr); in audit_free_context()
980 audit_proctitle_free(context); in audit_free_context()
981 kfree(context); in audit_free_context()
984 static int audit_log_pid_context(struct audit_context *context, pid_t pid, in audit_log_pid_context() argument
993 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); in audit_log_pid_context()
1016 static void audit_log_execve_info(struct audit_context *context, in audit_log_execve_info() argument
1053 audit_log_format(*ab, "argc=%d", context->execve.argc); in audit_log_execve_info()
1125 *ab = audit_log_start(context, in audit_log_execve_info()
1182 } while (arg < context->execve.argc); in audit_log_execve_info()
1217 static void show_special(struct audit_context *context, int *call_panic) in show_special() argument
1222 ab = audit_log_start(context, GFP_KERNEL, context->type); in show_special()
1226 switch (context->type) { in show_special()
1228 int nargs = context->socketcall.nargs; in show_special()
1232 context->socketcall.args[i]); in show_special()
1235 u32 osid = context->ipc.osid; in show_special()
1238 from_kuid(&init_user_ns, context->ipc.uid), in show_special()
1239 from_kgid(&init_user_ns, context->ipc.gid), in show_special()
1240 context->ipc.mode); in show_special()
1252 if (context->ipc.has_perm) { in show_special()
1254 ab = audit_log_start(context, GFP_KERNEL, in show_special()
1260 context->ipc.qbytes, in show_special()
1261 context->ipc.perm_uid, in show_special()
1262 context->ipc.perm_gid, in show_special()
1263 context->ipc.perm_mode); in show_special()
1270 context->mq_open.oflag, context->mq_open.mode, in show_special()
1271 context->mq_open.attr.mq_flags, in show_special()
1272 context->mq_open.attr.mq_maxmsg, in show_special()
1273 context->mq_open.attr.mq_msgsize, in show_special()
1274 context->mq_open.attr.mq_curmsgs); in show_special()
1280 context->mq_sendrecv.mqdes, in show_special()
1281 context->mq_sendrecv.msg_len, in show_special()
1282 context->mq_sendrecv.msg_prio, in show_special()
1283 (long long) context->mq_sendrecv.abs_timeout.tv_sec, in show_special()
1284 context->mq_sendrecv.abs_timeout.tv_nsec); in show_special()
1288 context->mq_notify.mqdes, in show_special()
1289 context->mq_notify.sigev_signo); in show_special()
1292 struct mq_attr *attr = &context->mq_getsetattr.mqstat; in show_special()
1296 context->mq_getsetattr.mqdes, in show_special()
1301 audit_log_format(ab, "pid=%d", context->capset.pid); in show_special()
1302 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable); in show_special()
1303 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted); in show_special()
1304 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective); in show_special()
1305 audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient); in show_special()
1308 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, in show_special()
1309 context->mmap.flags); in show_special()
1312 audit_log_execve_info(context, &ab); in show_special()
1316 if (context->module.name) { in show_special()
1317 audit_log_untrustedstring(ab, context->module.name); in show_special()
1340 * @context: audit_context for the task
1346 static void audit_log_name(struct audit_context *context, struct audit_names *n, in audit_log_name() argument
1351 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); in audit_log_name()
1370 audit_log_d_path(ab, " name=", &context->pwd); in audit_log_name()
1435 struct audit_context *context = audit_context(); in audit_log_proctitle() local
1438 if (!context || context->dummy) in audit_log_proctitle()
1441 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE); in audit_log_proctitle()
1448 if (!context->proctitle.value) { in audit_log_proctitle()
1463 context->proctitle.value = buf; in audit_log_proctitle()
1464 context->proctitle.len = res; in audit_log_proctitle()
1466 msg = context->proctitle.value; in audit_log_proctitle()
1467 len = context->proctitle.len; in audit_log_proctitle()
1476 struct audit_context *context = audit_context(); in audit_log_exit() local
1481 context->personality = current->personality; in audit_log_exit()
1483 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); in audit_log_exit()
1487 context->arch, context->major); in audit_log_exit()
1488 if (context->personality != PER_LINUX) in audit_log_exit()
1489 audit_log_format(ab, " per=%lx", context->personality); in audit_log_exit()
1490 if (context->return_valid) in audit_log_exit()
1492 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", in audit_log_exit()
1493 context->return_code); in audit_log_exit()
1497 context->argv[0], in audit_log_exit()
1498 context->argv[1], in audit_log_exit()
1499 context->argv[2], in audit_log_exit()
1500 context->argv[3], in audit_log_exit()
1501 context->name_count); in audit_log_exit()
1504 audit_log_key(ab, context->filterkey); in audit_log_exit()
1507 for (aux = context->aux; aux; aux = aux->next) { in audit_log_exit()
1509 ab = audit_log_start(context, GFP_KERNEL, aux->type); in audit_log_exit()
1538 if (context->type) in audit_log_exit()
1539 show_special(context, &call_panic); in audit_log_exit()
1541 if (context->fds[0] >= 0) { in audit_log_exit()
1542 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR); in audit_log_exit()
1545 context->fds[0], context->fds[1]); in audit_log_exit()
1550 if (context->sockaddr_len) { in audit_log_exit()
1551 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR); in audit_log_exit()
1554 audit_log_n_hex(ab, (void *)context->sockaddr, in audit_log_exit()
1555 context->sockaddr_len); in audit_log_exit()
1560 for (aux = context->aux_pids; aux; aux = aux->next) { in audit_log_exit()
1564 if (audit_log_pid_context(context, axs->target_pid[i], in audit_log_exit()
1573 if (context->target_pid && in audit_log_exit()
1574 audit_log_pid_context(context, context->target_pid, in audit_log_exit()
1575 context->target_auid, context->target_uid, in audit_log_exit()
1576 context->target_sessionid, in audit_log_exit()
1577 context->target_sid, context->target_comm)) in audit_log_exit()
1580 if (context->pwd.dentry && context->pwd.mnt) { in audit_log_exit()
1581 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); in audit_log_exit()
1583 audit_log_d_path(ab, "cwd=", &context->pwd); in audit_log_exit()
1589 list_for_each_entry(n, &context->names_list, list) { in audit_log_exit()
1592 audit_log_name(context, n, NULL, i++, &call_panic); in audit_log_exit()
1598 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); in audit_log_exit()
1606 * __audit_free - free a per-task audit context
1607 * @tsk: task whose audit context block to free
1613 struct audit_context *context = tsk->audit_context; in __audit_free() local
1615 if (!context) in __audit_free()
1618 if (!list_empty(&context->killed_trees)) in __audit_free()
1619 audit_kill_trees(context); in __audit_free()
1626 if (tsk == current && !context->dummy && context->in_syscall) { in __audit_free()
1627 context->return_valid = 0; in __audit_free()
1628 context->return_code = 0; in __audit_free()
1630 audit_filter_syscall(tsk, context, in __audit_free()
1632 audit_filter_inodes(tsk, context); in __audit_free()
1633 if (context->current_state == AUDIT_RECORD_CONTEXT) in __audit_free()
1638 audit_free_context(context); in __audit_free()
1649 * Fill in audit context at syscall entry. This only happens if the
1650 * audit context was created when the task was created and the state or
1651 * filters demand the audit context be built. If the state from the
1660 struct audit_context *context = audit_context(); in __audit_syscall_entry() local
1663 if (!audit_enabled || !context) in __audit_syscall_entry()
1666 BUG_ON(context->in_syscall || context->name_count); in __audit_syscall_entry()
1668 state = context->state; in __audit_syscall_entry()
1672 context->dummy = !audit_n_rules; in __audit_syscall_entry()
1673 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) { in __audit_syscall_entry()
1674 context->prio = 0; in __audit_syscall_entry()
1679 context->arch = syscall_get_arch(current); in __audit_syscall_entry()
1680 context->major = major; in __audit_syscall_entry()
1681 context->argv[0] = a1; in __audit_syscall_entry()
1682 context->argv[1] = a2; in __audit_syscall_entry()
1683 context->argv[2] = a3; in __audit_syscall_entry()
1684 context->argv[3] = a4; in __audit_syscall_entry()
1685 context->serial = 0; in __audit_syscall_entry()
1686 context->in_syscall = 1; in __audit_syscall_entry()
1687 context->current_state = state; in __audit_syscall_entry()
1688 context->ppid = 0; in __audit_syscall_entry()
1689 ktime_get_coarse_real_ts64(&context->ctime); in __audit_syscall_entry()
1693 * __audit_syscall_exit - deallocate audit context after a system call
1697 * Tear down after system call. If the audit context has been marked as
1705 struct audit_context *context; in __audit_syscall_exit() local
1707 context = audit_context(); in __audit_syscall_exit()
1708 if (!context) in __audit_syscall_exit()
1711 if (!list_empty(&context->killed_trees)) in __audit_syscall_exit()
1712 audit_kill_trees(context); in __audit_syscall_exit()
1714 if (!context->dummy && context->in_syscall) { in __audit_syscall_exit()
1716 context->return_valid = AUDITSC_SUCCESS; in __audit_syscall_exit()
1718 context->return_valid = AUDITSC_FAILURE; in __audit_syscall_exit()
1734 context->return_code = -EINTR; in __audit_syscall_exit()
1736 context->return_code = return_code; in __audit_syscall_exit()
1738 audit_filter_syscall(current, context, in __audit_syscall_exit()
1740 audit_filter_inodes(current, context); in __audit_syscall_exit()
1741 if (context->current_state == AUDIT_RECORD_CONTEXT) in __audit_syscall_exit()
1745 context->in_syscall = 0; in __audit_syscall_exit()
1746 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; in __audit_syscall_exit()
1748 audit_free_module(context); in __audit_syscall_exit()
1749 audit_free_names(context); in __audit_syscall_exit()
1750 unroll_tree_refs(context, NULL, 0); in __audit_syscall_exit()
1751 audit_free_aux(context); in __audit_syscall_exit()
1752 context->aux = NULL; in __audit_syscall_exit()
1753 context->aux_pids = NULL; in __audit_syscall_exit()
1754 context->target_pid = 0; in __audit_syscall_exit()
1755 context->target_sid = 0; in __audit_syscall_exit()
1756 context->sockaddr_len = 0; in __audit_syscall_exit()
1757 context->type = 0; in __audit_syscall_exit()
1758 context->fds[0] = -1; in __audit_syscall_exit()
1759 if (context->state != AUDIT_RECORD_CONTEXT) { in __audit_syscall_exit()
1760 kfree(context->filterkey); in __audit_syscall_exit()
1761 context->filterkey = NULL; in __audit_syscall_exit()
1767 struct audit_context *context; in handle_one() local
1773 context = audit_context(); in handle_one()
1774 p = context->trees; in handle_one()
1775 count = context->tree_count; in handle_one()
1781 if (likely(put_tree_ref(context, chunk))) in handle_one()
1783 if (unlikely(!grow_tree_refs(context))) { in handle_one()
1785 audit_set_auditable(context); in handle_one()
1787 unroll_tree_refs(context, p, count); in handle_one()
1790 put_tree_ref(context, chunk); in handle_one()
1795 struct audit_context *context; in handle_path() local
1802 context = audit_context(); in handle_path()
1803 p = context->trees; in handle_path()
1804 count = context->tree_count; in handle_path()
1816 if (unlikely(!put_tree_ref(context, chunk))) { in handle_path()
1831 unroll_tree_refs(context, p, count); in handle_path()
1835 if (grow_tree_refs(context)) { in handle_path()
1837 unroll_tree_refs(context, p, count); in handle_path()
1842 unroll_tree_refs(context, p, count); in handle_path()
1843 audit_set_auditable(context); in handle_path()
1849 static struct audit_names *audit_alloc_name(struct audit_context *context, in audit_alloc_name() argument
1854 if (context->name_count < AUDIT_NAMES) { in audit_alloc_name()
1855 aname = &context->preallocated_names[context->name_count]; in audit_alloc_name()
1866 list_add_tail(&aname->list, &context->names_list); in audit_alloc_name()
1868 context->name_count++; in audit_alloc_name()
1876 * Search the audit_names list for the current audit context. If there is an
1883 struct audit_context *context = audit_context(); in __audit_reusename() local
1886 list_for_each_entry(n, &context->names_list, list) { in __audit_reusename()
1897 inline void _audit_getcwd(struct audit_context *context) in _audit_getcwd() argument
1899 if (!context->pwd.dentry) in _audit_getcwd()
1900 get_fs_pwd(current->fs, &context->pwd); in _audit_getcwd()
1905 struct audit_context *context = audit_context(); in __audit_getcwd() local
1907 if (context->in_syscall) in __audit_getcwd()
1908 _audit_getcwd(context); in __audit_getcwd()
1915 * Add a name to the list of audit names for this context.
1920 struct audit_context *context = audit_context(); in __audit_getname() local
1923 if (!context->in_syscall) in __audit_getname()
1926 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN); in __audit_getname()
1935 _audit_getcwd(context); in __audit_getname()
1989 struct audit_context *context = audit_context(); in __audit_inode() local
1997 if (!context->in_syscall) in __audit_inode()
2035 list_for_each_entry_reverse(n, &context->names_list, list) { in __audit_inode()
2062 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN); in __audit_inode()
2097 * This call updates the audit context with the child's information.
2107 struct audit_context *context = audit_context(); in __audit_inode_child() local
2115 if (!context->in_syscall) in __audit_inode_child()
2138 list_for_each_entry(n, &context->names_list, list) { in __audit_inode_child()
2155 list_for_each_entry(n, &context->names_list, list) { in __audit_inode_child()
2175 n = audit_alloc_name(context, AUDIT_TYPE_PARENT); in __audit_inode_child()
2182 found_child = audit_alloc_name(context, type); in __audit_inode_child()
2187 * directory. All names for this context are relinquished in in __audit_inode_child()
2209 * Also sets the context as auditable.
2237 struct audit_context *context = audit_context(); in __audit_mq_open() local
2240 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr)); in __audit_mq_open()
2242 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr)); in __audit_mq_open()
2244 context->mq_open.oflag = oflag; in __audit_mq_open()
2245 context->mq_open.mode = mode; in __audit_mq_open()
2247 context->type = AUDIT_MQ_OPEN; in __audit_mq_open()
2261 struct audit_context *context = audit_context(); in __audit_mq_sendrecv() local
2262 struct timespec64 *p = &context->mq_sendrecv.abs_timeout; in __audit_mq_sendrecv()
2269 context->mq_sendrecv.mqdes = mqdes; in __audit_mq_sendrecv()
2270 context->mq_sendrecv.msg_len = msg_len; in __audit_mq_sendrecv()
2271 context->mq_sendrecv.msg_prio = msg_prio; in __audit_mq_sendrecv()
2273 context->type = AUDIT_MQ_SENDRECV; in __audit_mq_sendrecv()
2285 struct audit_context *context = audit_context(); in __audit_mq_notify() local
2288 context->mq_notify.sigev_signo = notification->sigev_signo; in __audit_mq_notify()
2290 context->mq_notify.sigev_signo = 0; in __audit_mq_notify()
2292 context->mq_notify.mqdes = mqdes; in __audit_mq_notify()
2293 context->type = AUDIT_MQ_NOTIFY; in __audit_mq_notify()
2304 struct audit_context *context = audit_context(); in __audit_mq_getsetattr() local
2305 context->mq_getsetattr.mqdes = mqdes; in __audit_mq_getsetattr()
2306 context->mq_getsetattr.mqstat = *mqstat; in __audit_mq_getsetattr()
2307 context->type = AUDIT_MQ_GETSETATTR; in __audit_mq_getsetattr()
2317 struct audit_context *context = audit_context(); in __audit_ipc_obj() local
2318 context->ipc.uid = ipcp->uid; in __audit_ipc_obj()
2319 context->ipc.gid = ipcp->gid; in __audit_ipc_obj()
2320 context->ipc.mode = ipcp->mode; in __audit_ipc_obj()
2321 context->ipc.has_perm = 0; in __audit_ipc_obj()
2322 security_ipc_getsecid(ipcp, &context->ipc.osid); in __audit_ipc_obj()
2323 context->type = AUDIT_IPC; in __audit_ipc_obj()
2337 struct audit_context *context = audit_context(); in __audit_ipc_set_perm() local
2339 context->ipc.qbytes = qbytes; in __audit_ipc_set_perm()
2340 context->ipc.perm_uid = uid; in __audit_ipc_set_perm()
2341 context->ipc.perm_gid = gid; in __audit_ipc_set_perm()
2342 context->ipc.perm_mode = mode; in __audit_ipc_set_perm()
2343 context->ipc.has_perm = 1; in __audit_ipc_set_perm()
2348 struct audit_context *context = audit_context(); in __audit_bprm() local
2350 context->type = AUDIT_EXECVE; in __audit_bprm()
2351 context->execve.argc = bprm->argc; in __audit_bprm()
2363 struct audit_context *context = audit_context(); in __audit_socketcall() local
2367 context->type = AUDIT_SOCKETCALL; in __audit_socketcall()
2368 context->socketcall.nargs = nargs; in __audit_socketcall()
2369 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); in __audit_socketcall()
2381 struct audit_context *context = audit_context(); in __audit_fd_pair() local
2382 context->fds[0] = fd1; in __audit_fd_pair()
2383 context->fds[1] = fd2; in __audit_fd_pair()
2391 * Returns 0 for success or NULL context or < 0 on error.
2395 struct audit_context *context = audit_context(); in __audit_sockaddr() local
2397 if (!context->sockaddr) { in __audit_sockaddr()
2401 context->sockaddr = p; in __audit_sockaddr()
2404 context->sockaddr_len = len; in __audit_sockaddr()
2405 memcpy(context->sockaddr, a, len); in __audit_sockaddr()
2411 struct audit_context *context = audit_context(); in __audit_ptrace() local
2413 context->target_pid = task_tgid_nr(t); in __audit_ptrace()
2414 context->target_auid = audit_get_loginuid(t); in __audit_ptrace()
2415 context->target_uid = task_uid(t); in __audit_ptrace()
2416 context->target_sessionid = audit_get_sessionid(t); in __audit_ptrace()
2417 security_task_getsecid(t, &context->target_sid); in __audit_ptrace()
2418 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); in __audit_ptrace()
2487 struct audit_context *context = audit_context(); in __audit_log_bprm_fcaps() local
2495 ax->d.next = context->aux; in __audit_log_bprm_fcaps()
2496 context->aux = (void *)ax; in __audit_log_bprm_fcaps()
2528 struct audit_context *context = audit_context(); in __audit_log_capset() local
2529 context->capset.pid = task_tgid_nr(current); in __audit_log_capset()
2530 context->capset.cap.effective = new->cap_effective; in __audit_log_capset()
2531 context->capset.cap.inheritable = new->cap_effective; in __audit_log_capset()
2532 context->capset.cap.permitted = new->cap_permitted; in __audit_log_capset()
2533 context->capset.cap.ambient = new->cap_ambient; in __audit_log_capset()
2534 context->type = AUDIT_CAPSET; in __audit_log_capset()
2539 struct audit_context *context = audit_context(); in __audit_mmap_fd() local
2540 context->mmap.fd = fd; in __audit_mmap_fd()
2541 context->mmap.flags = flags; in __audit_mmap_fd()
2542 context->type = AUDIT_MMAP; in __audit_mmap_fd()
2547 struct audit_context *context = audit_context(); in __audit_log_kern_module() local
2549 context->module.name = kstrdup(name, GFP_KERNEL); in __audit_log_kern_module()
2550 if (!context->module.name) in __audit_log_kern_module()
2552 context->type = AUDIT_KERN_MODULE; in __audit_log_kern_module()
2666 * and dummy context state because seccomp actions should be logged even when