audit: rework execve audit (bdf4c48a) · Commits · 戴 / test

Documentation/filesystems/proc.txt

+7 −0

Original line number	Diff line number	Diff line
		@@ -1065,6 +1065,13 @@ check the amount of free space (value is in seconds). Default settings are: 4,
		resume it if we have a value of 3 or more percent; consider information about
		the amount of free space valid for 30 seconds

		audit_argv_kb
		-------------

		The file contains a single value denoting the limit on the argv array size
		for execve (in KiB). This limit is only applied when system call auditing for
		execve is enabled, otherwise the value is ignored.

		ctrl-alt-del
		------------

fs/exec.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1154,6 +1154,7 @@ int do_execve(char * filename,
		{
		struct linux_binprm *bprm;
		struct file *file;
		unsigned long env_p;
		int retval;
		int i;

		@@ -1208,9 +1209,11 @@ int do_execve(char * filename,
		if (retval < 0)
		goto out;

		env_p = bprm->p;
		retval = copy_strings(bprm->argc, argv, bprm);
		if (retval < 0)
		goto out;
		bprm->argv_len = env_p - bprm->p;

		retval = search_binary_handler(bprm,regs);
		if (retval >= 0) {

include/linux/binfmts.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -40,6 +40,7 @@ struct linux_binprm{
		unsigned interp_flags;
		unsigned interp_data;
		unsigned long loader, exec;
		unsigned long argv_len;
		};

		#define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0

kernel/auditsc.c

+63 −21

Original line number	Diff line number	Diff line
		@@ -153,7 +153,7 @@ struct audit_aux_data_execve {
		struct audit_aux_data d;
		int argc;
		int envc;
		char mem[0];
		struct mm_struct *mm;
		};

		struct audit_aux_data_socketcall {
		@@ -831,6 +831,55 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
		return rc;
		}

		static void audit_log_execve_info(struct audit_buffer *ab,
		struct audit_aux_data_execve *axi)
		{
		int i;
		long len, ret;
		const char __user p = (const char __user )axi->mm->arg_start;
		char *buf;

		if (axi->mm != current->mm)
		return; /* execve failed, no additional info */

		for (i = 0; i < axi->argc; i++, p += len) {
		len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE);
		/*
		* We just created this mm, if we can't find the strings
		* we just copied into it something is _very_ wrong. Similar
		* for strings that are too long, we should not have created
		* any.
		*/
		if (!len \|\| len > MAX_ARG_STRLEN) {
		WARN_ON(1);
		send_sig(SIGKILL, current, 0);
		}

		buf = kmalloc(len, GFP_KERNEL);
		if (!buf) {
		audit_panic("out of memory for argv string\n");
		break;
		}

		ret = copy_from_user(buf, p, len);
		/*
		* There is no reason for this copy to be short. We just
		* copied them here, and the mm hasn't been exposed to user-
		* space yet.
		*/
		if (!ret) {
		WARN_ON(1);
		send_sig(SIGKILL, current, 0);
		}

		audit_log_format(ab, "a%d=", i);
		audit_log_untrustedstring(ab, buf);
		audit_log_format(ab, "\n");

		kfree(buf);
		}
		}

		static void audit_log_exit(struct audit_context context, struct task_struct tsk)
		{
		int i, call_panic = 0;
		@@ -971,13 +1020,7 @@ static void audit_log_exit(struct audit_context context, struct task_struct ts

		case AUDIT_EXECVE: {
		struct audit_aux_data_execve axi = (void )aux;
		int i;
		const char *p;
		for (i = 0, p = axi->mem; i < axi->argc; i++) {
		audit_log_format(ab, "a%d=", i);
		p = audit_log_untrustedstring(ab, p);
		audit_log_format(ab, "\n");
		}
		audit_log_execve_info(ab, axi);
		break; }

		case AUDIT_SOCKETCALL: {
		@@ -1821,32 +1864,31 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
		return 0;
		}

		int audit_argv_kb = 32;

		int audit_bprm(struct linux_binprm *bprm)
		{
		struct audit_aux_data_execve *ax;
		struct audit_context *context = current->audit_context;
		unsigned long p, next;
		void *to;

		if (likely(!audit_enabled \|\| !context \|\| context->dummy))
		return 0;

		ax = kmalloc(sizeof(ax) + PAGE_SIZE MAX_ARG_PAGES - bprm->p,
		GFP_KERNEL);
		/*
		* Even though the stack code doesn't limit the arg+env size any more,
		* the audit code requires that _all_ arguments be logged in a single
		* netlink skb. Hence cap it :-(
		*/
		if (bprm->argv_len > (audit_argv_kb << 10))
		return -E2BIG;

		ax = kmalloc(sizeof(*ax), GFP_KERNEL);
		if (!ax)
		return -ENOMEM;

		ax->argc = bprm->argc;
		ax->envc = bprm->envc;
		for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
		struct page *page = bprm->page[p / PAGE_SIZE];
		void *kaddr = kmap(page);
		next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
		memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
		to += next - p;
		kunmap(page);
		}

		ax->mm = bprm->mm;
		ax->d.type = AUDIT_EXECVE;
		ax->d.next = context->aux;
		context->aux = (void *)ax;

kernel/sysctl.c

+11 −0

Original line number	Diff line number	Diff line
		@@ -78,6 +78,7 @@ extern int percpu_pagelist_fraction;
		extern int compat_log;
		extern int maps_protect;
		extern int sysctl_stat_interval;
		extern int audit_argv_kb;

		/* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
		static int maxolduid = 65535;
		@@ -306,6 +307,16 @@ static ctl_table kern_table[] = {
		.mode = 0644,
		.proc_handler = &proc_dointvec,
		},
		#ifdef CONFIG_AUDITSYSCALL
		{
		.ctl_name = CTL_UNNUMBERED,
		.procname = "audit_argv_kb",
		.data = &audit_argv_kb,
		.maxlen = sizeof(int),
		.mode = 0644,
		.proc_handler = &proc_dointvec,
		},
		#endif
		{
		.ctl_name = KERN_CORE_PATTERN,
		.procname = "core_pattern",

Admin message