audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to CONFIG_AUDIT

loginuid and sessionid (and audit_log_session_info) should be part of
CONFIG_AUDIT scope and not CONFIG_AUDITSYSCALL since it is used in
CONFIG_CHANGE, ANOM_LINK, FEATURE_CHANGE (and INTEGRITY_RULE), none of
which are otherwise dependent on AUDITSYSCALL.

Please see github issue
https://github.com/linux-audit/audit-kernel/issues/104

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: tweaked subject line for better grep'ing]
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 633a6346257346595a71843092fb79efd71c14f8..a23651ce69601b9dc7d31fd979cee362d17a3e7f 100644 (file)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1210,7 +1210,7 @@ static const struct file_operations proc_oom_score_adj_operations = {
        .llseek         = default_llseek,
 };
 
-#ifdef CONFIG_AUDITSYSCALL
+#ifdef CONFIG_AUDIT
 #define TMPBUFLEN 11
 static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
                                  size_t count, loff_t *ppos)
@@ -3002,7 +3002,7 @@ static const struct pid_entry tgid_base_stuff[] = {
        ONE("oom_score",  S_IRUGO, proc_oom_score),
        REG("oom_adj",    S_IRUGO|S_IWUSR, proc_oom_adj_operations),
        REG("oom_score_adj", S_IRUGO|S_IWUSR, proc_oom_score_adj_operations),
-#ifdef CONFIG_AUDITSYSCALL
+#ifdef CONFIG_AUDIT
        REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
        REG("sessionid",  S_IRUGO, proc_sessionid_operations),
 #endif
@@ -3390,7 +3390,7 @@ static const struct pid_entry tid_base_stuff[] = {
        ONE("oom_score", S_IRUGO, proc_oom_score),
        REG("oom_adj",   S_IRUGO|S_IWUSR, proc_oom_adj_operations),
        REG("oom_score_adj", S_IRUGO|S_IWUSR, proc_oom_score_adj_operations),
-#ifdef CONFIG_AUDITSYSCALL
+#ifdef CONFIG_AUDIT
        REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
        REG("sessionid",  S_IRUGO, proc_sessionid_operations),
 #endif

diff --git a/include/linux/audit.h b/include/linux/audit.h
index a625c29a2ea2aa3047cbb22ac919d82446d88aaa..ecb5d317d6a26cc49a5f44a181f055a30132465b 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -159,6 +159,18 @@ extern int             audit_update_lsm_rules(void);
 extern int audit_rule_change(int type, int seq, void *data, size_t datasz);
 extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
 
+extern int audit_set_loginuid(kuid_t loginuid);
+
+static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
+{
+       return tsk->loginuid;
+}
+
+static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
+{
+       return tsk->sessionid;
+}
+
 extern u32 audit_enabled;
 #else /* CONFIG_AUDIT */
 static inline __printf(4, 5)
@@ -201,6 +213,17 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
 }
 static inline void audit_log_task_info(struct audit_buffer *ab)
 { }
+
+static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
+{
+       return INVALID_UID;
+}
+
+static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
+{
+       return AUDIT_SID_UNSET;
+}
+
 #define audit_enabled AUDIT_OFF
 #endif /* CONFIG_AUDIT */
 
@@ -323,17 +346,6 @@ static inline void audit_ptrace(struct task_struct *t)
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
                              struct timespec64 *t, unsigned int *serial);
-extern int audit_set_loginuid(kuid_t loginuid);
-
-static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
-{
-       return tsk->loginuid;
-}
-
-static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
-{
-       return tsk->sessionid;
-}
 
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
@@ -519,14 +531,6 @@ static inline int auditsc_get_stamp(struct audit_context *ctx,
 {
        return 0;
 }
-static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
-{
-       return INVALID_UID;
-}
-static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
-{
-       return AUDIT_SID_UNSET;
-}
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 { }
 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,

diff --git a/include/linux/sched.h b/include/linux/sched.h
index 89541d248893e2e04b3e1849956a43b8b4c9c12d..f9788bb122c533b1c71bd448c803fe8cd8e76a39 100644 (file)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -886,7 +886,7 @@ struct task_struct {
        struct callback_head            *task_works;
 
        struct audit_context            *audit_context;
-#ifdef CONFIG_AUDITSYSCALL
+#ifdef CONFIG_AUDIT
        kuid_t                          loginuid;
        unsigned int                    sessionid;
 #endif

diff --git a/init/init_task.c b/init/init_task.c
index 5aebe3be4d7cd65ce1bed995c76b9293fea00b2d..39c3109acc1aba93bff8436719421ba3571c24b6 100644 (file)
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -121,7 +121,7 @@ struct task_struct init_task
        .thread_pid     = &init_struct_pid,
        .thread_group   = LIST_HEAD_INIT(init_task.thread_group),
        .thread_node    = LIST_HEAD_INIT(init_signals.thread_head),
-#ifdef CONFIG_AUDITSYSCALL
+#ifdef CONFIG_AUDIT
        .loginuid       = INVALID_UID,
        .sessionid      = AUDIT_SID_UNSET,
 #endif

diff --git a/kernel/audit.c b/kernel/audit.c
index c2a7662cc254e1b61bbaa12dac077c391f92ece3..2a32f304223d1aeb05ea26025edafbce36628bac 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2335,6 +2335,91 @@ void audit_log_link_denied(const char *operation)
        audit_log_end(ab);
 }
 
+/* global counter which is incremented every time something logs in */
+static atomic_t session_id = ATOMIC_INIT(0);
+
+static int audit_set_loginuid_perm(kuid_t loginuid)
+{
+       /* if we are unset, we don't need privs */
+       if (!audit_loginuid_set(current))
+               return 0;
+       /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
+       if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
+               return -EPERM;
+       /* it is set, you need permission */
+       if (!capable(CAP_AUDIT_CONTROL))
+               return -EPERM;
+       /* reject if this is not an unset and we don't allow that */
+       if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID)
+                                && uid_valid(loginuid))
+               return -EPERM;
+       return 0;
+}
+
+static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
+                                  unsigned int oldsessionid,
+                                  unsigned int sessionid, int rc)
+{
+       struct audit_buffer *ab;
+       uid_t uid, oldloginuid, loginuid;
+       struct tty_struct *tty;
+
+       if (!audit_enabled)
+               return;
+
+       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+       if (!ab)
+               return;
+
+       uid = from_kuid(&init_user_ns, task_uid(current));
+       oldloginuid = from_kuid(&init_user_ns, koldloginuid);
+       loginuid = from_kuid(&init_user_ns, kloginuid),
+       tty = audit_get_tty();
+
+       audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
+       audit_log_task_context(ab);
+       audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
+                        oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
+                        oldsessionid, sessionid, !rc);
+       audit_put_tty(tty);
+       audit_log_end(ab);
+}
+
+/**
+ * audit_set_loginuid - set current task's loginuid
+ * @loginuid: loginuid value
+ *
+ * Returns 0.
+ *
+ * Called (set) from fs/proc/base.c::proc_loginuid_write().
+ */
+int audit_set_loginuid(kuid_t loginuid)
+{
+       unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
+       kuid_t oldloginuid;
+       int rc;
+
+       oldloginuid = audit_get_loginuid(current);
+       oldsessionid = audit_get_sessionid(current);
+
+       rc = audit_set_loginuid_perm(loginuid);
+       if (rc)
+               goto out;
+
+       /* are we setting or clearing? */
+       if (uid_valid(loginuid)) {
+               sessionid = (unsigned int)atomic_inc_return(&session_id);
+               if (unlikely(sessionid == AUDIT_SID_UNSET))
+                       sessionid = (unsigned int)atomic_inc_return(&session_id);
+       }
+
+       current->sessionid = sessionid;
+       current->loginuid = loginuid;
+out:
+       audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
+       return rc;
+}
+
 /**
  * audit_log_end - end one audit record
  * @ab: the audit_buffer

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b585ceb2f7a2c68d0bc4187f8c16cd0492f15f0b..572d247957fb41a2b7157f6cfdec6efcf79f9f7f 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1983,90 +1983,6 @@ int auditsc_get_stamp(struct audit_context *ctx,
        return 1;
 }
 
-/* global counter which is incremented every time something logs in */
-static atomic_t session_id = ATOMIC_INIT(0);
-
-static int audit_set_loginuid_perm(kuid_t loginuid)
-{
-       /* if we are unset, we don't need privs */
-       if (!audit_loginuid_set(current))
-               return 0;
-       /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
-       if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
-               return -EPERM;
-       /* it is set, you need permission */
-       if (!capable(CAP_AUDIT_CONTROL))
-               return -EPERM;
-       /* reject if this is not an unset and we don't allow that */
-       if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
-               return -EPERM;
-       return 0;
-}
-
-static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
-                                  unsigned int oldsessionid, unsigned int sessionid,
-                                  int rc)
-{
-       struct audit_buffer *ab;
-       uid_t uid, oldloginuid, loginuid;
-       struct tty_struct *tty;
-
-       if (!audit_enabled)
-               return;
-
-       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
-       if (!ab)
-               return;
-
-       uid = from_kuid(&init_user_ns, task_uid(current));
-       oldloginuid = from_kuid(&init_user_ns, koldloginuid);
-       loginuid = from_kuid(&init_user_ns, kloginuid),
-       tty = audit_get_tty();
-
-       audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
-       audit_log_task_context(ab);
-       audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
-                        oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
-                        oldsessionid, sessionid, !rc);
-       audit_put_tty(tty);
-       audit_log_end(ab);
-}
-
-/**
- * audit_set_loginuid - set current task's audit_context loginuid
- * @loginuid: loginuid value
- *
- * Returns 0.
- *
- * Called (set) from fs/proc/base.c::proc_loginuid_write().
- */
-int audit_set_loginuid(kuid_t loginuid)
-{
-       unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
-       kuid_t oldloginuid;
-       int rc;
-
-       oldloginuid = audit_get_loginuid(current);
-       oldsessionid = audit_get_sessionid(current);
-
-       rc = audit_set_loginuid_perm(loginuid);
-       if (rc)
-               goto out;
-
-       /* are we setting or clearing? */
-       if (uid_valid(loginuid)) {
-               sessionid = (unsigned int)atomic_inc_return(&session_id);
-               if (unlikely(sessionid == AUDIT_SID_UNSET))
-                       sessionid = (unsigned int)atomic_inc_return(&session_id);
-       }
-
-       current->sessionid = sessionid;
-       current->loginuid = loginuid;
-out:
-       audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
-       return rc;
-}
-
 /**
  * __audit_mq_open - record audit data for a POSIX MQ open
  * @oflag: open flag