[PATCH] execve argument logging
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Al Viro
+5
-3
@@ -1026,18 +1026,20 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
|
||||
* or a space. Unescaped strings will start and end with a double quote mark.
|
||||
* Strings that are escaped are printed in hex (2 digits per char).
|
||||
*/
|
||||
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
|
||||
const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
|
||||
{
|
||||
const unsigned char *p = string;
|
||||
size_t len = strlen(string);
|
||||
|
||||
while (*p) {
|
||||
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
|
||||
audit_log_hex(ab, string, strlen(string));
|
||||
return;
|
||||
audit_log_hex(ab, string, len);
|
||||
return string + len + 1;
|
||||
}
|
||||
p++;
|
||||
}
|
||||
audit_log_format(ab, "\"%s\"", string);
|
||||
return p + 1;
|
||||
}
|
||||
|
||||
/* This is a helper-function to print the escaped d_path */
|
||||
|
||||
@@ -59,6 +59,7 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/tty.h>
|
||||
#include <linux/selinux.h>
|
||||
#include <linux/binfmts.h>
|
||||
|
||||
#include "audit.h"
|
||||
|
||||
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
|
||||
u32 osid;
|
||||
};
|
||||
|
||||
struct audit_aux_data_execve {
|
||||
struct audit_aux_data d;
|
||||
int argc;
|
||||
int envc;
|
||||
char mem[0];
|
||||
};
|
||||
|
||||
struct audit_aux_data_socketcall {
|
||||
struct audit_aux_data d;
|
||||
int nargs;
|
||||
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
|
||||
kfree(ctx);
|
||||
}
|
||||
break; }
|
||||
case AUDIT_EXECVE: {
|
||||
struct audit_aux_data_execve *axi = (void *)aux;
|
||||
int i;
|
||||
const char *p;
|
||||
for (i = 0, p = axi->mem; i < axi->argc; i++) {
|
||||
audit_log_format(ab, "a%d=", i);
|
||||
p = audit_log_untrustedstring(ab, p);
|
||||
audit_log_format(ab, "\n");
|
||||
}
|
||||
break; }
|
||||
|
||||
case AUDIT_SOCKETCALL: {
|
||||
int i;
|
||||
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode,
|
||||
return 0;
|
||||
}
|
||||
|
||||
int audit_bprm(struct linux_binprm *bprm)
|
||||
{
|
||||
struct audit_aux_data_execve *ax;
|
||||
struct audit_context *context = current->audit_context;
|
||||
unsigned long p, next;
|
||||
void *to;
|
||||
|
||||
if (likely(!audit_enabled || !context))
|
||||
return 0;
|
||||
|
||||
ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
|
||||
GFP_KERNEL);
|
||||
if (!ax)
|
||||
return -ENOMEM;
|
||||
|
||||
ax->argc = bprm->argc;
|
||||
ax->envc = bprm->envc;
|
||||
for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
|
||||
struct page *page = bprm->page[p / PAGE_SIZE];
|
||||
void *kaddr = kmap(page);
|
||||
next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
|
||||
memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
|
||||
to += next - p;
|
||||
kunmap(page);
|
||||
}
|
||||
|
||||
ax->d.type = AUDIT_EXECVE;
|
||||
ax->d.next = context->aux;
|
||||
context->aux = (void *)ax;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* audit_socketcall - record audit data for sys_socketcall
|
||||
* @nargs: number of args
|
||||
|
||||
Reference in New Issue
Block a user