userns: Convert the audit loginuid to be a kuid
Always store audit loginuids in type kuid_t. Print loginuids by converting them into uids in the appropriate user namespace, and then printing the resulting uid. Modify audit_get_loginuid to return a kuid_t. Modify audit_set_loginuid to take a kuid_t. Modify /proc/<pid>/loginuid on read to convert the loginuid into the user namespace of the opener of the file. Modify /proc/<pid>/loginud on write to convert the loginuid rom the user namespace of the opener of the file. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Paris <eparis@redhat.com> Cc: Paul Moore <paul@paul-moore.com> ? Cc: David Miller <davem@davemloft.net> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
+10
-10
@@ -265,7 +265,7 @@ void audit_log_lost(const char *message)
|
||||
}
|
||||
|
||||
static int audit_log_config_change(char *function_name, int new, int old,
|
||||
uid_t loginuid, u32 sessionid, u32 sid,
|
||||
kuid_t loginuid, u32 sessionid, u32 sid,
|
||||
int allow_changes)
|
||||
{
|
||||
struct audit_buffer *ab;
|
||||
@@ -273,7 +273,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
|
||||
|
||||
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
|
||||
audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
|
||||
old, loginuid, sessionid);
|
||||
old, from_kuid(&init_user_ns, loginuid), sessionid);
|
||||
if (sid) {
|
||||
char *ctx = NULL;
|
||||
u32 len;
|
||||
@@ -293,7 +293,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
|
||||
}
|
||||
|
||||
static int audit_do_config_change(char *function_name, int *to_change,
|
||||
int new, uid_t loginuid, u32 sessionid,
|
||||
int new, kuid_t loginuid, u32 sessionid,
|
||||
u32 sid)
|
||||
{
|
||||
int allow_changes, rc = 0, old = *to_change;
|
||||
@@ -320,21 +320,21 @@ static int audit_do_config_change(char *function_name, int *to_change,
|
||||
return rc;
|
||||
}
|
||||
|
||||
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
|
||||
static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
|
||||
u32 sid)
|
||||
{
|
||||
return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
|
||||
limit, loginuid, sessionid, sid);
|
||||
}
|
||||
|
||||
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
|
||||
static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
|
||||
u32 sid)
|
||||
{
|
||||
return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
|
||||
limit, loginuid, sessionid, sid);
|
||||
}
|
||||
|
||||
static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
|
||||
static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
|
||||
{
|
||||
int rc;
|
||||
if (state < AUDIT_OFF || state > AUDIT_LOCKED)
|
||||
@@ -349,7 +349,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
|
||||
return rc;
|
||||
}
|
||||
|
||||
static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
|
||||
static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
|
||||
{
|
||||
if (state != AUDIT_FAIL_SILENT
|
||||
&& state != AUDIT_FAIL_PRINTK
|
||||
@@ -607,7 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
|
||||
}
|
||||
|
||||
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
|
||||
uid_t auid, u32 ses, u32 sid)
|
||||
kuid_t auid, u32 ses, u32 sid)
|
||||
{
|
||||
int rc = 0;
|
||||
char *ctx = NULL;
|
||||
@@ -622,7 +622,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
|
||||
audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
|
||||
task_tgid_vnr(current),
|
||||
from_kuid(&init_user_ns, current_uid()),
|
||||
auid, ses);
|
||||
from_kuid(&init_user_ns, auid), ses);
|
||||
if (sid) {
|
||||
rc = security_secid_to_secctx(sid, &ctx, &len);
|
||||
if (rc)
|
||||
@@ -644,7 +644,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||
int err;
|
||||
struct audit_buffer *ab;
|
||||
u16 msg_type = nlh->nlmsg_type;
|
||||
uid_t loginuid; /* loginuid of sender */
|
||||
kuid_t loginuid; /* loginuid of sender */
|
||||
u32 sessionid;
|
||||
struct audit_sig_info *sig_data;
|
||||
char *ctx = NULL;
|
||||
|
||||
@@ -241,7 +241,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
|
||||
struct audit_buffer *ab;
|
||||
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
|
||||
audit_log_format(ab, "auid=%u ses=%u op=",
|
||||
audit_get_loginuid(current),
|
||||
from_kuid(&init_user_ns, audit_get_loginuid(current)),
|
||||
audit_get_sessionid(current));
|
||||
audit_log_string(ab, op);
|
||||
audit_log_format(ab, " path=");
|
||||
|
||||
@@ -1109,7 +1109,7 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
|
||||
}
|
||||
|
||||
/* Log rule additions and removals */
|
||||
static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
|
||||
static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
|
||||
char *action, struct audit_krule *rule,
|
||||
int res)
|
||||
{
|
||||
@@ -1121,7 +1121,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
|
||||
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
|
||||
if (!ab)
|
||||
return;
|
||||
audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
|
||||
audit_log_format(ab, "auid=%u ses=%u",
|
||||
from_kuid(&init_user_ns, loginuid), sessionid);
|
||||
if (sid) {
|
||||
char *ctx = NULL;
|
||||
u32 len;
|
||||
@@ -1152,7 +1153,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
|
||||
* @sid: SE Linux Security ID of sender
|
||||
*/
|
||||
int audit_receive_filter(int type, int pid, int seq, void *data,
|
||||
size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
|
||||
size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
|
||||
{
|
||||
struct task_struct *tsk;
|
||||
struct audit_netlink_list *dest;
|
||||
|
||||
+11
-9
@@ -149,7 +149,7 @@ struct audit_aux_data_execve {
|
||||
struct audit_aux_data_pids {
|
||||
struct audit_aux_data d;
|
||||
pid_t target_pid[AUDIT_AUX_PIDS];
|
||||
uid_t target_auid[AUDIT_AUX_PIDS];
|
||||
kuid_t target_auid[AUDIT_AUX_PIDS];
|
||||
uid_t target_uid[AUDIT_AUX_PIDS];
|
||||
unsigned int target_sessionid[AUDIT_AUX_PIDS];
|
||||
u32 target_sid[AUDIT_AUX_PIDS];
|
||||
@@ -214,7 +214,7 @@ struct audit_context {
|
||||
int arch;
|
||||
|
||||
pid_t target_pid;
|
||||
uid_t target_auid;
|
||||
kuid_t target_auid;
|
||||
uid_t target_uid;
|
||||
unsigned int target_sessionid;
|
||||
u32 target_sid;
|
||||
@@ -1176,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
|
||||
}
|
||||
|
||||
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
|
||||
uid_t auid, uid_t uid, unsigned int sessionid,
|
||||
kuid_t auid, uid_t uid, unsigned int sessionid,
|
||||
u32 sid, char *comm)
|
||||
{
|
||||
struct audit_buffer *ab;
|
||||
@@ -1188,7 +1188,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
|
||||
if (!ab)
|
||||
return rc;
|
||||
|
||||
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
|
||||
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
|
||||
from_kuid(&init_user_ns, auid),
|
||||
uid, sessionid);
|
||||
if (security_secid_to_secctx(sid, &ctx, &len)) {
|
||||
audit_log_format(ab, " obj=(none)");
|
||||
@@ -1630,7 +1631,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
|
||||
context->name_count,
|
||||
context->ppid,
|
||||
context->pid,
|
||||
tsk->loginuid,
|
||||
from_kuid(&init_user_ns, tsk->loginuid),
|
||||
context->uid,
|
||||
context->gid,
|
||||
context->euid, context->suid, context->fsuid,
|
||||
@@ -2291,14 +2292,14 @@ static atomic_t session_id = ATOMIC_INIT(0);
|
||||
*
|
||||
* Called (set) from fs/proc/base.c::proc_loginuid_write().
|
||||
*/
|
||||
int audit_set_loginuid(uid_t loginuid)
|
||||
int audit_set_loginuid(kuid_t loginuid)
|
||||
{
|
||||
struct task_struct *task = current;
|
||||
struct audit_context *context = task->audit_context;
|
||||
unsigned int sessionid;
|
||||
|
||||
#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
|
||||
if (task->loginuid != -1)
|
||||
if (uid_valid(task->loginuid))
|
||||
return -EPERM;
|
||||
#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
|
||||
if (!capable(CAP_AUDIT_CONTROL))
|
||||
@@ -2315,7 +2316,8 @@ int audit_set_loginuid(uid_t loginuid)
|
||||
"old auid=%u new auid=%u"
|
||||
" old ses=%u new ses=%u",
|
||||
task->pid, task_uid(task),
|
||||
task->loginuid, loginuid,
|
||||
from_kuid(&init_user_ns, task->loginuid),
|
||||
from_kuid(&init_user_ns, loginuid),
|
||||
task->sessionid, sessionid);
|
||||
audit_log_end(ab);
|
||||
}
|
||||
@@ -2543,7 +2545,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
|
||||
if (audit_pid && t->tgid == audit_pid) {
|
||||
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
|
||||
audit_sig_pid = tsk->pid;
|
||||
if (tsk->loginuid != -1)
|
||||
if (uid_valid(tsk->loginuid))
|
||||
audit_sig_uid = tsk->loginuid;
|
||||
else
|
||||
audit_sig_uid = uid;
|
||||
|
||||
Reference in New Issue
Block a user