Merge git://git.infradead.org/users/eparis/audit
authorLinus Torvalds <torvalds@linux-foundation.org>
Fri, 22 Nov 2013 03:18:14 +0000 (19:18 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 22 Nov 2013 03:18:14 +0000 (19:18 -0800)
Pull audit updates from Eric Paris:
 "Nothing amazing.  Formatting, small bug fixes, couple of fixes where
  we didn't get records due to some old VFS changes, and a change to how
  we collect execve info..."

Fixed conflict in fs/exec.c as per Eric and linux-next.

* git://git.infradead.org/users/eparis/audit: (28 commits)
  audit: fix type of sessionid in audit_set_loginuid()
  audit: call audit_bprm() only once to add AUDIT_EXECVE information
  audit: move audit_aux_data_execve contents into audit_context union
  audit: remove unused envc member of audit_aux_data_execve
  audit: Kill the unused struct audit_aux_data_capset
  audit: do not reject all AUDIT_INODE filter types
  audit: suppress stock memalloc failure warnings since already managed
  audit: log the audit_names record type
  audit: add child record before the create to handle case where create fails
  audit: use given values in tty_audit enable api
  audit: use nlmsg_len() to get message payload length
  audit: use memset instead of trying to initialize field by field
  audit: fix info leak in AUDIT_GET requests
  audit: update AUDIT_INODE filter rule to comparator function
  audit: audit feature to set loginuid immutable
  audit: audit feature to only allow unsetting the loginuid
  audit: allow unsetting the loginuid (with priv)
  audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
  audit: loginuid functions coding style
  selinux: apply selinux checks on new audit message types
  ...

1  2 
fs/exec.c
fs/namei.c
include/uapi/linux/audit.h
init/Kconfig
kernel/audit.c
security/lsm_audit.c

diff --cc fs/exec.c
index 977319fd77f39de88ef66979d1de95f7d846f9a6,c5c24f2fc44ad604b1ada2438fa1fa2158384321..7ea097f6b341f06982f3ea3b068de5755b1605e0
+++ b/fs/exec.c
@@@ -1380,71 -1383,72 +1380,68 @@@ int search_binary_handler(struct linux_
        if (retval)
                return retval;
  
-       retval = audit_bprm(bprm);
-       if (retval)
-               return retval;
 +      retval = -ENOENT;
 + retry:
 +      read_lock(&binfmt_lock);
 +      list_for_each_entry(fmt, &formats, lh) {
 +              if (!try_module_get(fmt->module))
 +                      continue;
 +              read_unlock(&binfmt_lock);
 +              bprm->recursion_depth++;
 +              retval = fmt->load_binary(bprm);
 +              bprm->recursion_depth--;
 +              if (retval >= 0 || retval != -ENOEXEC ||
 +                  bprm->mm == NULL || bprm->file == NULL) {
 +                      put_binfmt(fmt);
 +                      return retval;
 +              }
 +              read_lock(&binfmt_lock);
 +              put_binfmt(fmt);
 +      }
 +      read_unlock(&binfmt_lock);
 +
 +      if (need_retry && retval == -ENOEXEC) {
 +              if (printable(bprm->buf[0]) && printable(bprm->buf[1]) &&
 +                  printable(bprm->buf[2]) && printable(bprm->buf[3]))
 +                      return retval;
 +              if (request_module("binfmt-%04x", *(ushort *)(bprm->buf + 2)) < 0)
 +                      return retval;
 +              need_retry = false;
 +              goto retry;
 +      }
 +
 +      return retval;
 +}
 +EXPORT_SYMBOL(search_binary_handler);
 +
 +static int exec_binprm(struct linux_binprm *bprm)
 +{
 +      pid_t old_pid, old_vpid;
 +      int ret;
 +
        /* Need to fetch pid before load_binary changes it */
        old_pid = current->pid;
        rcu_read_lock();
        old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
        rcu_read_unlock();
  
 -      retval = -ENOENT;
 -      for (try=0; try<2; try++) {
 -              read_lock(&binfmt_lock);
 -              list_for_each_entry(fmt, &formats, lh) {
 -                      int (*fn)(struct linux_binprm *) = fmt->load_binary;
 -                      if (!fn)
 -                              continue;
 -                      if (!try_module_get(fmt->module))
 -                              continue;
 -                      read_unlock(&binfmt_lock);
 -                      bprm->recursion_depth = depth + 1;
 -                      retval = fn(bprm);
 -                      bprm->recursion_depth = depth;
 -                      if (retval >= 0) {
 -                              if (depth == 0) {
 -                                      audit_bprm(bprm);
 -                                      trace_sched_process_exec(current, old_pid, bprm);
 -                                      ptrace_event(PTRACE_EVENT_EXEC, old_vpid);
 -                              }
 -                              put_binfmt(fmt);
 -                              allow_write_access(bprm->file);
 -                              if (bprm->file)
 -                                      fput(bprm->file);
 -                              bprm->file = NULL;
 -                              current->did_exec = 1;
 -                              proc_exec_connector(current);
 -                              return retval;
 -                      }
 -                      read_lock(&binfmt_lock);
 -                      put_binfmt(fmt);
 -                      if (retval != -ENOEXEC || bprm->mm == NULL)
 -                              break;
 -                      if (!bprm->file) {
 -                              read_unlock(&binfmt_lock);
 -                              return retval;
 -                      }
 -              }
 -              read_unlock(&binfmt_lock);
 -#ifdef CONFIG_MODULES
 -              if (retval != -ENOEXEC || bprm->mm == NULL) {
 -                      break;
 -              } else {
 -#define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
 -                      if (printable(bprm->buf[0]) &&
 -                          printable(bprm->buf[1]) &&
 -                          printable(bprm->buf[2]) &&
 -                          printable(bprm->buf[3]))
 -                              break; /* -ENOEXEC */
 -                      if (try)
 -                              break; /* -ENOEXEC */
 -                      request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
 +      ret = search_binary_handler(bprm);
 +      if (ret >= 0) {
++              audit_bprm(bprm);
 +              trace_sched_process_exec(current, old_pid, bprm);
 +              ptrace_event(PTRACE_EVENT_EXEC, old_vpid);
 +              current->did_exec = 1;
 +              proc_exec_connector(current);
 +
 +              if (bprm->file) {
 +                      allow_write_access(bprm->file);
 +                      fput(bprm->file);
 +                      bprm->file = NULL; /* to catch use-after-free */
                }
 -#else
 -              break;
 -#endif
        }
 -      return retval;
 -}
  
 -EXPORT_SYMBOL(search_binary_handler);
 +      return ret;
 +}
  
  /*
   * sys_execve() executes a new program.
diff --cc fs/namei.c
Simple merge
Simple merge
diff --cc init/Kconfig
Simple merge
diff --cc kernel/audit.c
Simple merge
Simple merge