Merge tag 'audit-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

tjh.dev / kernel

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

Merge tag 'audit-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:
"Add some additional audit logging to capture the openat2() syscall
open_how struct info.

Previous variations of the open()/openat() syscalls allowed audit
admins to inspect the syscall args to get the information contained in
the new open_how struct used in openat2()"

* tag 'audit-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: return early if the filter rule has a lower priority
audit: add OPENAT2 record to list "how" info
audit: add support for the openat2 syscall
audit: replace magic audit syscall class numbers with macros
lsm_audit: avoid overloading the "key" audit field
audit: Convert to SPDX identifier
audit: rename struct node to struct audit_node to prevent future name collisions

Linus Torvalds 4 years ago d2fac0af cdab10bf

+184 -98

23 changed files

expand all collapse all

MAINTAINERS

arch

alpha

kernel

audit.c

ia64

kernel

audit.c

parisc

kernel

audit.c

compat_audit.c

powerpc

kernel

audit.c

compat_audit.c

s390

kernel

audit.c

compat_audit.c

sparc

kernel

audit.c

compat_audit.c

x86

ia32

audit.c

kernel

audit_64.c

open.c

include

linux

audit.h

audit_arch.h

uapi

linux

audit.h

kernel

audit.h

audit_tree.c

auditsc.c

lib

audit.c

compat_audit.c

security

lsm_audit.c

MAINTAINERS

reviewed

··· 3127 3127 T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git 3128 3128 F: include/asm-generic/audit_*.h 3129 3129 F: include/linux/audit.h 3130 3130 + F: include/linux/audit_arch.h 3130 3131 F: include/uapi/linux/audit.h 3131 3132 F: kernel/audit* 3132 3133 F: lib/*audit.c

+6 -4

arch/alpha/kernel/audit.c

reviewed

··· 37 37 { 38 38 switch(syscall) { 39 39 case __NR_open: 40 40 - return 2; 40 40 + return AUDITSC_OPEN; 41 41 case __NR_openat: 42 42 - return 3; 42 42 + return AUDITSC_OPENAT; 43 43 case __NR_execve: 44 44 - return 5; 44 44 + return AUDITSC_EXECVE; 45 45 + case __NR_openat2: 46 46 + return AUDITSC_OPENAT2; 45 47 default: 46 46 - return 0; 48 48 + return AUDITSC_NATIVE; 47 49 } 48 50 } 49 51

+6 -4

arch/ia64/kernel/audit.c

reviewed

··· 38 38 { 39 39 switch(syscall) { 40 40 case __NR_open: 41 41 - return 2; 41 41 + return AUDITSC_OPEN; 42 42 case __NR_openat: 43 43 - return 3; 43 43 + return AUDITSC_OPENAT; 44 44 case __NR_execve: 45 45 - return 5; 45 45 + return AUDITSC_EXECVE; 46 46 + case __NR_openat2: 47 47 + return AUDITSC_OPENAT2; 46 48 default: 47 47 - return 0; 49 49 + return AUDITSC_NATIVE; 48 50 } 49 51 } 50 52

+6 -4

arch/parisc/kernel/audit.c

reviewed

··· 47 47 #endif 48 48 switch (syscall) { 49 49 case __NR_open: 50 50 - return 2; 50 50 + return AUDITSC_OPEN; 51 51 case __NR_openat: 52 52 - return 3; 52 52 + return AUDITSC_OPENAT; 53 53 case __NR_execve: 54 54 - return 5; 54 54 + return AUDITSC_EXECVE; 55 55 + case __NR_openat2: 56 56 + return AUDITSC_OPENAT2; 55 57 default: 56 56 - return 0; 58 58 + return AUDITSC_NATIVE; 57 59 } 58 60 } 59 61

+7 -4

arch/parisc/kernel/compat_audit.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 + #include <linux/audit_arch.h> 2 3 #include <asm/unistd.h> 3 4 4 5 unsigned int parisc32_dir_class[] = { ··· 31 30 { 32 31 switch (syscall) { 33 32 case __NR_open: 34 34 - return 2; 33 33 + return AUDITSC_OPEN; 35 34 case __NR_openat: 36 36 - return 3; 35 35 + return AUDITSC_OPENAT; 37 36 case __NR_execve: 38 38 - return 5; 37 37 + return AUDITSC_EXECVE; 38 38 + case __NR_openat2: 39 39 + return AUDITSC_OPENAT2; 39 40 default: 40 40 - return 1; 41 41 + return AUDITSC_COMPAT; 41 42 } 42 43 }

+7 -5

arch/powerpc/kernel/audit.c

reviewed

··· 47 47 #endif 48 48 switch(syscall) { 49 49 case __NR_open: 50 50 - return 2; 50 50 + return AUDITSC_OPEN; 51 51 case __NR_openat: 52 52 - return 3; 52 52 + return AUDITSC_OPENAT; 53 53 case __NR_socketcall: 54 54 - return 4; 54 54 + return AUDITSC_SOCKETCALL; 55 55 case __NR_execve: 56 56 - return 5; 56 56 + return AUDITSC_EXECVE; 57 57 + case __NR_openat2: 58 58 + return AUDITSC_OPENAT2; 57 59 default: 58 58 - return 0; 60 60 + return AUDITSC_NATIVE; 59 61 } 60 62 } 61 63

+8 -5

arch/powerpc/kernel/compat_audit.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 #undef __powerpc64__ 3 3 + #include <linux/audit_arch.h> 3 4 #include <asm/unistd.h> 4 5 5 6 unsigned ppc32_dir_class[] = { ··· 32 31 { 33 32 switch(syscall) { 34 33 case __NR_open: 35 35 - return 2; 34 34 + return AUDITSC_OPEN; 36 35 case __NR_openat: 37 37 - return 3; 36 36 + return AUDITSC_OPENAT; 38 37 case __NR_socketcall: 39 39 - return 4; 38 38 + return AUDITSC_SOCKETCALL; 40 39 case __NR_execve: 41 41 - return 5; 40 40 + return AUDITSC_EXECVE; 41 41 + case __NR_openat2: 42 42 + return AUDITSC_OPENAT2; 42 43 default: 43 43 - return 1; 44 44 + return AUDITSC_COMPAT; 44 45 } 45 46 }

+7 -5

arch/s390/kernel/audit.c

reviewed

··· 47 47 #endif 48 48 switch(syscall) { 49 49 case __NR_open: 50 50 - return 2; 50 50 + return AUDITSC_OPEN; 51 51 case __NR_openat: 52 52 - return 3; 52 52 + return AUDITSC_OPENAT; 53 53 case __NR_socketcall: 54 54 - return 4; 54 54 + return AUDITSC_SOCKETCALL; 55 55 case __NR_execve: 56 56 - return 5; 56 56 + return AUDITSC_EXECVE; 57 57 + case __NR_openat2: 58 58 + return AUDITSC_OPENAT2; 57 59 default: 58 58 - return 0; 60 60 + return AUDITSC_NATIVE; 59 61 } 60 62 } 61 63

+8 -5

arch/s390/kernel/compat_audit.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 #undef __s390x__ 3 3 + #include <linux/audit_arch.h> 3 4 #include <asm/unistd.h> 4 5 #include "audit.h" 5 6 ··· 33 32 { 34 33 switch(syscall) { 35 34 case __NR_open: 36 36 - return 2; 35 35 + return AUDITSC_OPEN; 37 36 case __NR_openat: 38 38 - return 3; 37 37 + return AUDITSC_OPENAT; 39 38 case __NR_socketcall: 40 40 - return 4; 39 39 + return AUDITSC_SOCKETCALL; 41 40 case __NR_execve: 42 42 - return 5; 41 41 + return AUDITSC_EXECVE; 42 42 + case __NR_openat2: 43 43 + return AUDITSC_OPENAT2; 43 44 default: 44 44 - return 1; 45 45 + return AUDITSC_COMPAT; 45 46 } 46 47 }

+7 -5

arch/sparc/kernel/audit.c

reviewed

··· 48 48 #endif 49 49 switch(syscall) { 50 50 case __NR_open: 51 51 - return 2; 51 51 + return AUDITSC_OPEN; 52 52 case __NR_openat: 53 53 - return 3; 53 53 + return AUDITSC_OPENAT; 54 54 case __NR_socketcall: 55 55 - return 4; 55 55 + return AUDITSC_SOCKETCALL; 56 56 case __NR_execve: 57 57 - return 5; 57 57 + return AUDITSC_EXECVE; 58 58 + case __NR_openat2: 59 59 + return AUDITSC_OPENAT2; 58 60 default: 59 59 - return 0; 61 61 + return AUDITSC_NATIVE; 60 62 } 61 63 } 62 64

+8 -5

arch/sparc/kernel/compat_audit.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 #define __32bit_syscall_numbers__ 3 3 + #include <linux/audit_arch.h> 3 4 #include <asm/unistd.h> 4 5 #include "kernel.h" 5 6 ··· 33 32 { 34 33 switch(syscall) { 35 34 case __NR_open: 36 36 - return 2; 35 35 + return AUDITSC_OPEN; 37 36 case __NR_openat: 38 38 - return 3; 37 37 + return AUDITSC_OPENAT; 39 38 case __NR_socketcall: 40 40 - return 4; 39 39 + return AUDITSC_SOCKETCALL; 41 40 case __NR_execve: 42 42 - return 5; 41 41 + return AUDITSC_EXECVE; 42 42 + case __NR_openat2: 43 43 + return AUDITSC_OPENAT2; 43 44 default: 44 44 - return 1; 45 45 + return AUDITSC_COMPAT; 45 46 } 46 47 }

+8 -5

arch/x86/ia32/audit.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 + #include <linux/audit_arch.h> 2 3 #include <asm/unistd_32.h> 3 4 #include <asm/audit.h> 4 5 ··· 32 31 { 33 32 switch (syscall) { 34 33 case __NR_open: 35 35 - return 2; 34 34 + return AUDITSC_OPEN; 36 35 case __NR_openat: 37 37 - return 3; 36 36 + return AUDITSC_OPENAT; 38 37 case __NR_socketcall: 39 39 - return 4; 38 38 + return AUDITSC_SOCKETCALL; 40 39 case __NR_execve: 41 40 case __NR_execveat: 42 42 - return 5; 41 41 + return AUDITSC_EXECVE; 42 42 + case __NR_openat2: 43 43 + return AUDITSC_OPENAT2; 43 44 default: 44 44 - return 1; 45 45 + return AUDITSC_COMPAT; 45 46 } 46 47 }

+6 -4

arch/x86/kernel/audit_64.c

reviewed

··· 47 47 #endif 48 48 switch(syscall) { 49 49 case __NR_open: 50 50 - return 2; 50 50 + return AUDITSC_OPEN; 51 51 case __NR_openat: 52 52 - return 3; 52 52 + return AUDITSC_OPENAT; 53 53 case __NR_execve: 54 54 case __NR_execveat: 55 55 - return 5; 55 55 + return AUDITSC_EXECVE; 56 56 + case __NR_openat2: 57 57 + return AUDITSC_OPENAT2; 56 58 default: 57 57 - return 0; 59 59 + return AUDITSC_NATIVE; 58 60 } 59 61 } 60 62

fs/open.c

reviewed

··· 1248 1248 if (err) 1249 1249 return err; 1250 1250 1251 1251 + audit_openat2_how(&tmp); 1252 1252 + 1251 1253 /* O_LARGEFILE is only allowed for non-O_PATH. */ 1252 1254 if (!(tmp.flags & O_PATH) && force_o_largefile()) 1253 1255 tmp.flags |= O_LARGEFILE;

+11

include/linux/audit.h

reviewed

··· 11 11 12 12 #include <linux/sched.h> 13 13 #include <linux/ptrace.h> 14 14 + #include <linux/audit_arch.h> 14 15 #include <uapi/linux/audit.h> 15 16 #include <uapi/linux/netfilter/nf_tables.h> 16 17 ··· 417 416 const struct cred *old); 418 417 extern void __audit_log_capset(const struct cred *new, const struct cred *old); 419 418 extern void __audit_mmap_fd(int fd, int flags); 419 419 + extern void __audit_openat2_how(struct open_how *how); 420 420 extern void __audit_log_kern_module(char *name); 421 421 extern void __audit_fanotify(unsigned int response); 422 422 extern void __audit_tk_injoffset(struct timespec64 offset); ··· 512 510 { 513 511 if (unlikely(!audit_dummy_context())) 514 512 __audit_mmap_fd(fd, flags); 513 513 + } 514 514 + 515 515 + static inline void audit_openat2_how(struct open_how *how) 516 516 + { 517 517 + if (unlikely(!audit_dummy_context())) 518 518 + __audit_openat2_how(how); 515 519 } 516 520 517 521 static inline void audit_log_kern_module(char *name) ··· 677 669 const struct cred *old) 678 670 { } 679 671 static inline void audit_mmap_fd(int fd, int flags) 672 672 + { } 673 673 + 674 674 + static inline void audit_openat2_how(struct open_how *how) 680 675 { } 681 676 682 677 static inline void audit_log_kern_module(char *name)

+24

include/linux/audit_arch.h

reviewed

··· 1 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 2 + /* audit_arch.h -- Arch layer specific support for audit 3 3 + * 4 4 + * Copyright 2021 Red Hat Inc., Durham, North Carolina. 5 5 + * All Rights Reserved. 6 6 + * 7 7 + * Author: Richard Guy Briggs <rgb@redhat.com> 8 8 + */ 9 9 + #ifndef _LINUX_AUDIT_ARCH_H_ 10 10 + #define _LINUX_AUDIT_ARCH_H_ 11 11 + 12 12 + enum auditsc_class_t { 13 13 + AUDITSC_NATIVE = 0, 14 14 + AUDITSC_COMPAT, 15 15 + AUDITSC_OPEN, 16 16 + AUDITSC_OPENAT, 17 17 + AUDITSC_SOCKETCALL, 18 18 + AUDITSC_EXECVE, 19 19 + AUDITSC_OPENAT2, 20 20 + 21 21 + AUDITSC_NVALS /* count */ 22 22 + }; 23 23 + 24 24 + #endif

include/uapi/linux/audit.h

reviewed

··· 119 119 #define AUDIT_BPF 1334 /* BPF subsystem */ 120 120 #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ 121 121 #define AUDIT_URINGOP 1336 /* io_uring operation */ 122 122 + #define AUDIT_OPENAT2 1337 /* Record showing openat2 how args */ 122 123 123 124 #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ 124 125 #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */

kernel/audit.h

reviewed

··· 14 14 #include <linux/skbuff.h> 15 15 #include <uapi/linux/mqueue.h> 16 16 #include <linux/tty.h> 17 17 + #include <uapi/linux/openat2.h> // struct open_how 17 18 18 19 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 19 20 * for saving names from getname(). If we get more names we will allocate ··· 194 193 int fd; 195 194 int flags; 196 195 } mmap; 196 196 + struct open_how openat2; 197 197 struct { 198 198 int argc; 199 199 } execve;

+10 -10

kernel/audit_tree.c

reviewed

··· 30 30 int count; 31 31 atomic_long_t refs; 32 32 struct rcu_head head; 33 33 - struct node { 33 33 + struct audit_node { 34 34 struct list_head list; 35 35 struct audit_tree *owner; 36 36 unsigned index; /* index; upper bit indicates 'will prune' */ ··· 269 269 270 270 /* tagging and untagging inodes with trees */ 271 271 272 272 - static struct audit_chunk *find_chunk(struct node *p) 272 272 + static struct audit_chunk *find_chunk(struct audit_node *p) 273 273 { 274 274 int index = p->index & ~(1U<<31); 275 275 p -= index; ··· 322 322 list_replace_rcu(&old->hash, &new->hash); 323 323 } 324 324 325 325 - static void remove_chunk_node(struct audit_chunk *chunk, struct node *p) 325 325 + static void remove_chunk_node(struct audit_chunk *chunk, struct audit_node *p) 326 326 { 327 327 struct audit_tree *owner = p->owner; 328 328 ··· 459 459 { 460 460 struct fsnotify_mark *mark; 461 461 struct audit_chunk *chunk, *old; 462 462 - struct node *p; 462 462 + struct audit_node *p; 463 463 int n; 464 464 465 465 mutex_lock(&audit_tree_group->mark_mutex); ··· 570 570 { 571 571 spin_lock(&hash_lock); 572 572 while (!list_empty(&victim->chunks)) { 573 573 - struct node *p; 573 573 + struct audit_node *p; 574 574 struct audit_chunk *chunk; 575 575 struct fsnotify_mark *mark; 576 576 577 577 - p = list_first_entry(&victim->chunks, struct node, list); 577 577 + p = list_first_entry(&victim->chunks, struct audit_node, list); 578 578 /* have we run out of marked? */ 579 579 if (tagged && !(p->index & (1U<<31))) 580 580 break; ··· 616 616 } 617 617 /* reorder */ 618 618 for (p = tree->chunks.next; p != &tree->chunks; p = q) { 619 619 - struct node *node = list_entry(p, struct node, list); 619 619 + struct audit_node *node = list_entry(p, struct audit_node, list); 620 620 q = p->next; 621 621 if (node->index & (1U<<31)) { 622 622 list_del_init(p); ··· 684 684 struct audit_tree *tree; 685 685 struct path path; 686 686 struct vfsmount *root_mnt; 687 687 - struct node *node; 687 687 + struct audit_node *node; 688 688 int err; 689 689 690 690 tree = container_of(cursor.next, struct audit_tree, list); ··· 840 840 drop_collected_mounts(mnt); 841 841 842 842 if (!err) { 843 843 - struct node *node; 843 843 + struct audit_node *node; 844 844 spin_lock(&hash_lock); 845 845 list_for_each_entry(node, &tree->chunks, list) 846 846 node->index &= ~(1U<<31); ··· 939 939 mutex_unlock(&audit_filter_mutex); 940 940 941 941 if (!failed) { 942 942 - struct node *node; 942 942 + struct audit_node *node; 943 943 spin_lock(&hash_lock); 944 944 list_for_each_entry(node, &tree->chunks, list) 945 945 node->index &= ~(1U<<31);

+29 -22

kernel/auditsc.c

reviewed

··· 1 1 + // SPDX-License-Identifier: GPL-2.0-or-later 1 2 /* auditsc.c -- System-call auditing support 2 3 * Handles all system-call specific auditing features. 3 4 * ··· 6 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 7 6 * Copyright (C) 2005, 2006 IBM Corporation 8 7 * All Rights Reserved. 9 9 - * 10 10 - * This program is free software; you can redistribute it and/or modify 11 11 - * it under the terms of the GNU General Public License as published by 12 12 - * the Free Software Foundation; either version 2 of the License, or 13 13 - * (at your option) any later version. 14 14 - * 15 15 - * This program is distributed in the hope that it will be useful, 16 16 - * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 17 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 18 - * GNU General Public License for more details. 19 19 - * 20 20 - * You should have received a copy of the GNU General Public License 21 21 - * along with this program; if not, write to the Free Software 22 22 - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23 8 * 24 9 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 25 10 * ··· 63 76 #include <linux/fsnotify_backend.h> 64 77 #include <uapi/linux/limits.h> 65 78 #include <uapi/linux/netfilter/nf_tables.h> 79 79 + #include <uapi/linux/openat2.h> // struct open_how 66 80 67 81 #include "audit.h" 68 82 ··· 154 166 n = ctx->major; 155 167 156 168 switch (audit_classify_syscall(ctx->arch, n)) { 157 157 - case 0: /* native */ 169 169 + case AUDITSC_NATIVE: 158 170 if ((mask & AUDIT_PERM_WRITE) && 159 171 audit_match_class(AUDIT_CLASS_WRITE, n)) 160 172 return 1; ··· 165 177 audit_match_class(AUDIT_CLASS_CHATTR, n)) 166 178 return 1; 167 179 return 0; 168 168 - case 1: /* 32bit on biarch */ 180 180 + case AUDITSC_COMPAT: /* 32bit on biarch */ 169 181 if ((mask & AUDIT_PERM_WRITE) && 170 182 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 171 183 return 1; ··· 176 188 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 177 189 return 1; 178 190 return 0; 179 179 - case 2: /* open */ 191 191 + case AUDITSC_OPEN: 180 192 return mask & ACC_MODE(ctx->argv[1]); 181 181 - case 3: /* openat */ 193 193 + case AUDITSC_OPENAT: 182 194 return mask & ACC_MODE(ctx->argv[2]); 183 183 - case 4: /* socketcall */ 195 195 + case AUDITSC_SOCKETCALL: 184 196 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 185 185 - case 5: /* execve */ 197 197 + case AUDITSC_EXECVE: 186 198 return mask & AUDIT_PERM_EXEC; 199 199 + case AUDITSC_OPENAT2: 200 200 + return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); 187 201 default: 188 202 return 0; 189 203 } ··· 470 480 u32 sid; 471 481 unsigned int sessionid; 472 482 483 483 + if (ctx && rule->prio <= ctx->prio) 484 484 + return 0; 485 485 + 473 486 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); 474 487 475 488 for (i = 0; i < rule->field_count; i++) { ··· 740 747 } 741 748 742 749 if (ctx) { 743 743 - if (rule->prio <= ctx->prio) 744 744 - return 0; 745 750 if (rule->filterkey) { 746 751 kfree(ctx->filterkey); 747 752 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); ··· 1427 1436 case AUDIT_MMAP: 1428 1437 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, 1429 1438 context->mmap.flags); 1439 1439 + break; 1440 1440 + case AUDIT_OPENAT2: 1441 1441 + audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx", 1442 1442 + context->openat2.flags, 1443 1443 + context->openat2.mode, 1444 1444 + context->openat2.resolve); 1430 1445 break; 1431 1446 case AUDIT_EXECVE: 1432 1447 audit_log_execve_info(context, &ab); ··· 2810 2813 context->mmap.fd = fd; 2811 2814 context->mmap.flags = flags; 2812 2815 context->type = AUDIT_MMAP; 2816 2816 + } 2817 2817 + 2818 2818 + void __audit_openat2_how(struct open_how *how) 2819 2819 + { 2820 2820 + struct audit_context *context = audit_context(); 2821 2821 + 2822 2822 + context->openat2.flags = how->flags; 2823 2823 + context->openat2.mode = how->mode; 2824 2824 + context->openat2.resolve = how->resolve; 2825 2825 + context->type = AUDIT_OPENAT2; 2813 2826 } 2814 2827 2815 2828 void __audit_log_kern_module(char *name)

+9 -5

lib/audit.c

reviewed

··· 45 45 switch(syscall) { 46 46 #ifdef __NR_open 47 47 case __NR_open: 48 48 - return 2; 48 48 + return AUDITSC_OPEN; 49 49 #endif 50 50 #ifdef __NR_openat 51 51 case __NR_openat: 52 52 - return 3; 52 52 + return AUDITSC_OPENAT; 53 53 #endif 54 54 #ifdef __NR_socketcall 55 55 case __NR_socketcall: 56 56 - return 4; 56 56 + return AUDITSC_SOCKETCALL; 57 57 #endif 58 58 #ifdef __NR_execveat 59 59 case __NR_execveat: 60 60 #endif 61 61 case __NR_execve: 62 62 - return 5; 62 62 + return AUDITSC_EXECVE; 63 63 + #ifdef __NR_openat2 64 64 + case __NR_openat2: 65 65 + return AUDITSC_OPENAT2; 66 66 + #endif 63 67 default: 64 64 - return 0; 68 68 + return AUDITSC_NATIVE; 65 69 } 66 70 } 67 71

+10 -5

lib/compat_audit.c

reviewed

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 #include <linux/init.h> 3 3 #include <linux/types.h> 4 4 + #include <linux/audit_arch.h> 4 5 #include <asm/unistd32.h> 5 6 6 7 unsigned compat_dir_class[] = { ··· 34 33 switch (syscall) { 35 34 #ifdef __NR_open 36 35 case __NR_open: 37 37 - return 2; 36 36 + return AUDITSC_OPEN; 38 37 #endif 39 38 #ifdef __NR_openat 40 39 case __NR_openat: 41 41 - return 3; 40 40 + return AUDITSC_OPENAT; 42 41 #endif 43 42 #ifdef __NR_socketcall 44 43 case __NR_socketcall: 45 45 - return 4; 44 44 + return AUDITSC_SOCKETCALL; 46 45 #endif 47 46 case __NR_execve: 48 48 - return 5; 47 47 + return AUDITSC_EXECVE; 48 48 + #ifdef __NR_openat2 49 49 + case __NR_openat2: 50 50 + return AUDITSC_OPENAT2; 51 51 + #endif 49 52 default: 50 50 - return 1; 53 53 + return AUDITSC_COMPAT; 51 54 } 52 55 }

+1 -1

security/lsm_audit.c

reviewed

··· 224 224 case LSM_AUDIT_DATA_NONE: 225 225 return; 226 226 case LSM_AUDIT_DATA_IPC: 227 227 - audit_log_format(ab, " key=%d ", a->u.ipc_id); 227 227 + audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id); 228 228 break; 229 229 case LSM_AUDIT_DATA_CAP: 230 230 audit_log_format(ab, " capability=%d ", a->u.cap);