
Commit e1760bd5 authored by Eric W. Biederman's avatar Eric W. Biederman

userns: Convert the audit loginuid to be a kuid



Always store audit loginuids in type kuid_t.

Print loginuids by converting them into uids in the appropriate user
namespace, and then printing the resulting uid.

Modify audit_get_loginuid to return a kuid_t.

Modify audit_set_loginuid to take a kuid_t.

Modify /proc/<pid>/loginuid on read to convert the loginuid into the
user namespace of the opener of the file.

Modify /proc/<pid>/loginuid on write to convert the loginuid
from the user namespace of the opener of the file.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <paul@paul-moore.com> ?
Cc: David Miller <davem@davemloft.net>
Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent ca57ec0f
+8 −6
@@ -61,7 +61,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
}

static void tty_audit_log(const char *description, struct task_struct *tsk,
			  uid_t loginuid, unsigned sessionid, int major,
			  kuid_t loginuid, unsigned sessionid, int major,
			  int minor, unsigned char *data, size_t size)
{
	struct audit_buffer *ab;
@@ -73,7 +73,9 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,

		audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
				 "major=%d minor=%d comm=", description,
				 tsk->pid, uid, loginuid, sessionid,
				 tsk->pid, uid,
				 from_kuid(&init_user_ns, loginuid),
				 sessionid,
				 major, minor);
		get_task_comm(name, tsk);
		audit_log_untrustedstring(ab, name);
@@ -89,7 +91,7 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
 *	Generate an audit message from the contents of @buf, which is owned by
 *	@tsk with @loginuid.  @buf->mutex must be locked.
 */
static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
static void tty_audit_buf_push(struct task_struct *tsk, kuid_t loginuid,
			       unsigned int sessionid,
			       struct tty_audit_buf *buf)
{
@@ -112,7 +114,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
 */
static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
{
	uid_t auid = audit_get_loginuid(current);
	kuid_t auid = audit_get_loginuid(current);
	unsigned int sessionid = audit_get_sessionid(current);
	tty_audit_buf_push(current, auid, sessionid, buf);
}
@@ -179,7 +181,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
	}

	if (should_audit && audit_enabled) {
		uid_t auid;
		kuid_t auid;
		unsigned int sessionid;

		auid = audit_get_loginuid(current);
@@ -199,7 +201,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 * reference to the tty audit buffer if available.
 * Flush the buffer or return an appropriate error code.
 */
int tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid)
{
	struct tty_audit_buf *buf = ERR_PTR(-EPERM);
	unsigned long flags;
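Review bot: At the audit_log_format() call in tty_audit_log the `uid=%u` argument `uid` is still passed raw while the neighbouring `auid` now goes through from_kuid(); `uid` is declared in the lines elided above the hunk, so if it is taken from the task's cred (a kuid_t since the cred conversion) it needs the same treatment, `from_kuid(&init_user_ns, task_uid(tsk))`, and with CONFIG_UIDGID_STRICT_TYPE_CHECKS off such a mismatch compiles silently. Converting via &init_user_ns is the right choice for the audit record itself, but a one-line comment would stop the next reader from "fixing" it to the task's namespace: `/* audit records always carry init_user_ns uids */`. The remaining hunks of this file only change parameter and local types; tty_audit_push_task continues past the end of the section.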
+10 −2
@@ -1089,7 +1089,8 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
	if (!task)
		return -ESRCH;
	length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
				audit_get_loginuid(task));
			   from_kuid(file->f_cred->user_ns,
				     audit_get_loginuid(task)));
	put_task_struct(task);
	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
@@ -1101,6 +1102,7 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
	char *page, *tmp;
	ssize_t length;
	uid_t loginuid;
	kuid_t kloginuid;

	rcu_read_lock();
	if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
@@ -1130,7 +1132,13 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
		goto out_free_page;

	}
	length = audit_set_loginuid(loginuid);
	kloginuid = make_kuid(file->f_cred->user_ns, loginuid);
	if (!uid_valid(kloginuid)) {
		length = -EINVAL;
		goto out_free_page;
	}

	length = audit_set_loginuid(kloginuid);
	if (likely(length == 0))
		length = count;

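Review bot: The new uid_valid() rejection in proc_loginuid_write makes it impossible to write the "unset" value: make_kuid() cannot map (uid_t)-1 in any user namespace, so a write of 4294967295 — which before this change reached audit_set_loginuid() unfiltered, gated only by whatever permission check lives inside it — now fails with -EINVAL. If resetting the loginuid that way is meant to remain possible, the sentinel should bypass the mapping and be passed through as INVALID_UID, the value INIT_IDS now initialises the field to; whether audit_set_loginuid() then accepts it is outside this view. On the read side, from_kuid() yields (uid_t)-1 both for an unset loginuid and for one that does not map into the opener's namespace, so a reader in a child namespace cannot tell the two apart; a comment there, `/* unset and unmappable both read back as -1 */`, is worth adding. The parsing of `loginuid` precedes the hunk.
```c
	/* (uid_t)-1 is the "unset" value; it never maps, so pass it through */
	if (loginuid == (uid_t)-1) {
		kloginuid = INVALID_UID;
	} else {
		kloginuid = make_kuid(file->f_cred->user_ns, loginuid);
		if (!uid_valid(kloginuid)) {
			length = -EINVAL;
			goto out_free_page;
		}
	}

	length = audit_set_loginuid(kloginuid);
```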
+3 −3
@@ -527,7 +527,7 @@ static inline void audit_ptrace(struct task_struct *t)
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
			      struct timespec *t, unsigned int *serial);
extern int  audit_set_loginuid(uid_t loginuid);
extern int  audit_set_loginuid(kuid_t loginuid);
#define audit_get_loginuid(t) ((t)->loginuid)
#define audit_get_sessionid(t) ((t)->sessionid)
extern void audit_log_task_context(struct audit_buffer *ab);
@@ -639,7 +639,7 @@ extern int audit_signals;
#define audit_core_dumps(i) do { ; } while (0)
#define audit_seccomp(i,s,c) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) (0)
#define audit_get_loginuid(t) (-1)
#define audit_get_loginuid(t) (INVALID_UID)
#define audit_get_sessionid(t) (-1)
#define audit_log_task_context(b) do { ; } while (0)
#define audit_ipc_obj(i) ((void)0)
@@ -705,7 +705,7 @@ extern int audit_update_lsm_rules(void);
extern int audit_filter_user(void);
extern int audit_filter_type(int type);
extern int  audit_receive_filter(int type, int pid, int seq,
				void *data, size_t datasz, uid_t loginuid,
				void *data, size_t datasz, kuid_t loginuid,
				u32 sessionid, u32 sid);
extern int audit_enabled;
#else
+1 −1
@@ -92,7 +92,7 @@ extern struct group_info init_groups;

#ifdef CONFIG_AUDITSYSCALL
#define INIT_IDS \
	.loginuid = -1, \
	.loginuid = INVALID_UID, \
	.sessionid = -1,
#else
#define INIT_IDS
+1 −1
@@ -1426,7 +1426,7 @@ struct task_struct {

	struct audit_context *audit_context;
#ifdef CONFIG_AUDITSYSCALL
	uid_t loginuid;
	kuid_t loginuid;
	unsigned int sessionid;
#endif
	struct seccomp seccomp;