bk://linux-audit.bkbits.net/audit-2.6-mm
pmeda@akamai.com|ChangeSet|20050323111951|27179 pmeda

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2005/03/23 13:24:26-08:00 akpm@bix.(none) 
#   Merge bk://linux-audit.bkbits.net/audit-2.6-mm
#   into bix.(none):/usr/src/bk-audit
# 
# fs/namei.c
#   2005/03/23 13:24:21-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/23 11:19:51+00:00 pmeda@akamai.com 
#   namei: add audit_inode to all branches in path_lookup
#   
#   Main change is in path_lookup: added a goto to do audit_inode
#   instead of return statement, when emul_lookup_dentry for root
#   is successful.  The existing code does audit_inode only when
#   lookup is done in normal root or cwd.
#   
#   Other changes: Some lookup routines are returning zero on success,
#   and some are returning zero on failure. I documented the related
#   function signatures in this code path, so that one can glance over
#   abstract functions without understanding the entire code.
#   
#   Signed-off-by: Prasanna Meda <pmeda@akamai.com>
#   Signed-off-by: David Woodhouse <dwmw2@infradead.org>
# 
# fs/namei.c
#   2005/03/23 11:19:33+00:00 pmeda@akamai.com +12 -8
#   namei: add audit_inode to all branches in path_lookup
#   
#   Main change is in path_lookup: added a goto to do audit_inode
#   instead of return statement, when emul_lookup_dentry for root
#   is successful.  The existing code does audit_inode only when
#   lookup is done in normal root or cwd.
#   
#   Other changes: Some lookup routines are returning zero on success,
#   and some are returning zero on failure. I documented the related
#   function signatures in this code path, so that one can glance over
#   abstract functions without understanding the entire code.
# 
# ChangeSet
#   2005/03/19 09:19:30+00:00 akpm@osdl.org 
#   audit_log_untrustedstring() warning fix
#   
#   kernel/audit.c: In function `audit_log_untrustedstring':
#   kernel/audit.c:736: warning: comparison is always false due to limited range of data type
#   
#   Signed-off-by: Andrew Morton <akpm@osdl.org>
#   Signed-off-by: David Woodhouse <dwmw2@infradead.org>
# 
# kernel/audit.c
#   2005/03/19 09:19:07+00:00 akpm@osdl.org +1 -1
#   kernel/audit.c: In function `audit_log_untrustedstring':
#   kernel/audit.c:736: warning: comparison is always false due to limited range of data type
# 
# ChangeSet
#   2005/03/18 11:50:08-08:00 akpm@bix.(none) 
#   Merge bk://linux-audit.bkbits.net/audit-2.6-mm
#   into bix.(none):/usr/src/bk-audit
# 
# kernel/auditsc.c
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# include/linux/fs.h
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# include/linux/audit.h
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# fs/proc/base.c
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# fs/namei.c
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# arch/um/kernel/ptrace.c
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# arch/mips/kernel/ptrace.c
#   2005/03/18 11:50:03-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/18 15:37:50+00:00 dwmw2@shinybook.infradead.org 
#   AUDIT: Avoid log pollution by untrusted strings.
#   
#   We log strings from userspace, such as arguments to open(). These could
#   be formatted to contain \n followed by fake audit log entries. Provide
#   a function for logging such strings, which gives a hex dump when the
#   string contains anything but basic printable ASCII characters. Use it
#   for logging filenames.
#   
#   Signed-off-by: David Woodhouse <dwmw2@infradead.org>
# 
# kernel/auditsc.c
#   2005/03/18 15:37:33+00:00 dwmw2@shinybook.infradead.org +4 -3
#   Use audit_log_untrustedstring() for logging names.
# 
# kernel/audit.c
#   2005/03/18 15:37:33+00:00 dwmw2@shinybook.infradead.org +23 -0
#   Add audit_log_hex() and audit_log_untrustedstring()
# 
# include/linux/audit.h
#   2005/03/18 15:37:33+00:00 dwmw2@shinybook.infradead.org +7 -1
#   Add definitions of audit_log_hex() and audit_log_untrustedstring()
# 
# ChangeSet
#   2005/03/17 16:20:18-08:00 akpm@bix.(none) 
#   Merge bix.(none):/usr/src/bk25 into bix.(none):/usr/src/bk-audit
# 
# kernel/auditsc.c
#   2005/03/17 16:20:14-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# include/linux/fs.h
#   2005/03/17 16:20:14-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# include/linux/audit.h
#   2005/03/17 16:20:14-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# fs/proc/base.c
#   2005/03/17 16:20:14-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# fs/namei.c
#   2005/03/17 16:20:14-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# arch/um/kernel/ptrace.c
#   2005/03/17 16:20:14-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# arch/mips/kernel/ptrace.c
#   2005/03/17 16:20:13-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/17 13:10:52+00:00 dwmw2@shinybook.infradead.org 
#   Merge
# 
# fs/proc/base.c
#   2005/03/17 13:10:39+00:00 dwmw2@shinybook.infradead.org +0 -0
#   SCCS merged
# 
# kernel/auditsc.c
#   2005/03/17 13:07:53+00:00 dwmw2@shinybook.infradead.org +0 -0
#   Auto merged
# 
# include/linux/fs.h
#   2005/03/17 13:07:53+00:00 dwmw2@shinybook.infradead.org +0 -0
#   Auto merged
# 
# include/linux/audit.h
#   2005/03/17 13:07:53+00:00 dwmw2@shinybook.infradead.org +0 -0
#   Auto merged
# 
# fs/namei.c
#   2005/03/17 13:07:53+00:00 dwmw2@shinybook.infradead.org +0 -0
#   Auto merged
# 
# arch/um/kernel/ptrace.c
#   2005/03/17 13:07:52+00:00 dwmw2@shinybook.infradead.org +0 -0
#   Auto merged
# 
# arch/mips/kernel/ptrace.c
#   2005/03/17 13:07:52+00:00 dwmw2@shinybook.infradead.org +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/15 23:46:54-08:00 akpm@bix.(none) 
#   Merge bix.(none):/usr/src/bk25 into bix.(none):/usr/src/bk-audit
# 
# fs/proc/base.c
#   2005/03/15 23:46:49-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/12 12:49:23-08:00 akpm@bix.(none) 
#   Merge bk://linux-audit.bkbits.net/audit-2.6-mm
#   into bix.(none):/usr/src/bk-audit
# 
# include/linux/audit.h
#   2005/03/12 12:49:19-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/12 12:48:02-08:00 akpm@bix.(none) 
#   Merge bix.(none):/usr/src/bk25 into bix.(none):/usr/src/bk-audit
# 
# include/linux/audit.h
#   2005/03/12 12:47:57-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/10 17:50:49-08:00 akpm@bix.(none) 
#   Merge bix.(none):/usr/src/bk25 into bix.(none):/usr/src/bk-audit
# 
# fs/namei.c
#   2005/03/10 17:50:44-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# ChangeSet
#   2005/03/10 12:59:07-08:00 akpm@bix.(none) 
#   Merge
# 
# fs/proc/base.c
#   2005/03/10 12:59:05-08:00 akpm@bix.(none) +0 -0
#   SCCS merged
# 
# kernel/auditsc.c
#   2005/03/10 12:53:45-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# include/linux/fs.h
#   2005/03/10 12:53:45-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# fs/namei.c
#   2005/03/10 12:53:45-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# arch/um/kernel/ptrace.c
#   2005/03/10 12:53:45-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
# arch/mips/kernel/ptrace.c
#   2005/03/10 12:53:45-08:00 akpm@bix.(none) +0 -0
#   Auto merged
# 
diff -Nru a/fs/namei.c b/fs/namei.c
--- a/fs/namei.c	2005-03-23 19:32:33 -08:00
+++ b/fs/namei.c	2005-03-23 19:32:33 -08:00
@@ -686,11 +686,11 @@
 
 /*
  * Name resolution.
+ * This is the basic name resolution function, turning a pathname into
+ * the final dentry. We expect 'base' to be positive and a directory.
  *
- * This is the basic name resolution function, turning a pathname
- * into the final dentry.
- *
- * We expect 'base' to be positive and a directory.
+ * Returns 0 and nd will have valid dentry and mnt on success.
+ * Returns error and drops reference to input namei data on failure.
  */
 static fastcall int __link_path_walk(const char * name, struct nameidata *nd)
 {
@@ -929,8 +929,10 @@
 	return link_path_walk(name, nd);
 }
 
-/* SMP-safe */
-/* returns 1 if everything is done */
+/* 
+ * SMP-safe: Returns 1 and nd will have valid dentry and mnt, if
+ * everything is done. Returns 0 and drops input nd, if lookup failed;
+ */
 static int __emul_lookup_dentry(const char *name, struct nameidata *nd)
 {
 	if (path_walk(name, nd))
@@ -994,9 +996,10 @@
 	}
 }
 
+/* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
 int fastcall path_lookup(const char *name, unsigned int flags, struct nameidata *nd)
 {
-	int retval;
+	int retval = 0;
 
 	nd->last_type = LAST_ROOT; /* if there are only slashes... */
 	nd->flags = flags;
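Review bot: The comment added above path_lookup misspells "Returns" as "Retuns", and it is the only place the 0-on-success convention is stated for this function; I would write `/* Returns 0 and nd will be valid on success; returns error otherwise. */`. The new `int retval = 0;` initialiser appears to exist only for the `goto out` added in the next hunk, so a short comment such as `/* 0 is returned via "out" when the altroot lookup succeeds */` would keep it from being removed later as a dead store. path_lookup's body continues outside this hunk.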
@@ -1009,7 +1012,7 @@
 			nd->dentry = dget(current->fs->altroot);
 			read_unlock(&current->fs->lock);
 			if (__emul_lookup_dentry(name,nd))
-				return 0;
+				goto out; /* found in altroot */
 			read_lock(&current->fs->lock);
 		}
 		nd->mnt = mntget(current->fs->rootmnt);
@@ -1021,6 +1024,7 @@
 	read_unlock(&current->fs->lock);
 	current->total_link_count = 0;
 	retval = link_path_walk(name, nd);
+out:
 	if (unlikely(current->audit_context
 		     && nd && nd->dentry && nd->dentry->d_inode))
 		audit_inode(name, nd->dentry->d_inode);
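Review bot: The audit check after the new `out:` label runs whatever the value of `retval`, so it is also reached when `link_path_walk()` has failed. The comment this patch adds to `__link_path_walk` says the reference to the namei data is dropped on failure, so reading `nd->dentry->d_inode` there may touch a dentry that has already been released; this is inferred from the comment, as the walk code is not visible here. Guarding the block on success would avoid that and keep failed lookups out of the inode records, e.g. `if (!retval && unlikely(current->audit_context && nd->dentry && nd->dentry->d_inode))`. The `nd &&` test is redundant because `nd` is already dereferenced at the top of the function. path_lookup continues past the end of this hunk.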
diff -Nru a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h	2005-03-23 19:32:33 -08:00
+++ b/include/linux/audit.h	2005-03-23 19:32:33 -08:00
@@ -174,11 +174,15 @@
 					     const char *fmt, ...)
 			    __attribute__((format(printf,2,3)));
 extern void		    audit_log_end(struct audit_buffer *ab);
+extern void		    audit_log_hex(struct audit_buffer *ab,
+					  const unsigned char *buf,
+					  size_t len);
+extern void		    audit_log_untrustedstring(struct audit_buffer *ab,
+						      const char *string);
 extern void		    audit_log_d_path(struct audit_buffer *ab,
 					     const char *prefix,
 					     struct dentry *dentry,
 					     struct vfsmount *vfsmnt);
-
 				/* Private API (for auditsc.c only) */
 extern void		    audit_send_reply(int pid, int seq, int type,
 					     int done, int multi,
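Review bot: The two new declarations have no comment describing their output contract, which both callers and consumers of the audit log need to know. Going by the definitions added to kernel/audit.c in this patch, `audit_log_untrustedstring` emits the string inside double quotes when it is plain, and as an unquoted hex dump otherwise. It also applies `strlen()`, so `string` must be NUL-terminated. I would add above the declaration something like `/* Logs string in double quotes if it is plain printable ASCII, otherwise as unquoted hex; string must be NUL-terminated. */`. The hunk also deletes the blank line before the "Private API" comment, which looks unrelated to the change.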
@@ -190,6 +194,8 @@
 #define audit_log_vformat(b,f,a) do { ; } while (0)
 #define audit_log_format(b,f,...) do { ; } while (0)
 #define audit_log_end(b) do { ; } while (0)
+#define audit_log_hex(a,b,l) do { ; } while (0)
+#define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b,p,d,v) do { ; } while (0)
 #endif
 #endif
diff -Nru a/kernel/audit.c b/kernel/audit.c
--- a/kernel/audit.c	2005-03-23 19:32:33 -08:00
+++ b/kernel/audit.c	2005-03-23 19:32:33 -08:00
@@ -720,6 +720,29 @@
 	va_end(args);
 }
 
+void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
+{
+	int i;
+
+	for (i=0; i<len; i++)
+		audit_log_format(ab, "%02x", buf[i]);
+}
+
+void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+{
+	const unsigned char *p = string;
+
+	while (*p) {
+		if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
+			audit_log_hex(ab, string, strlen(string));
+			return;
+		}
+		p++;
+	}
+	audit_log_format(ab, "\"%s\"", string);
+}
+
+
 /* This is a helper-function to print the d_path without using a static
  * buffer or allocating another buffer in addition to the one in
  * audit_buffer. */
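Review bot: The filter in `audit_log_untrustedstring` lets DEL (0x7f) through as if it were printable, because the upper bound is `*p > 0x7f`. The changeset description promises a hex dump for anything but basic printable ASCII, so the test should be `*p > 0x7e`. In `audit_log_hex`, `int i` is compared against `size_t len`, which mixes signed and unsigned; declaring `size_t i;` fixes that. Initialising `p` from `string` and passing `string` to the `const unsigned char *buf` parameter both rely on an implicit pointer-signedness conversion, which an explicit cast such as `(const unsigned char *)string` would make deliberate. The hunk also adds two blank lines after the function where one is enough.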
diff -Nru a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c	2005-03-23 19:32:33 -08:00
+++ b/kernel/auditsc.c	2005-03-23 19:32:33 -08:00
@@ -668,9 +668,10 @@
 		if (!ab)
 			continue; /* audit_panic has been called */
 		audit_log_format(ab, "item=%d", i);
-		if (context->names[i].name)
-			audit_log_format(ab, " name=%s",
-					 context->names[i].name);
+		if (context->names[i].name) {
+			audit_log_format(ab, " name=");
+			audit_log_untrustedstring(ab, context->names[i].name);
+		}
 		if (context->names[i].ino != (unsigned long)-1)
 			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
 					     " uid=%d gid=%d rdev=%02x:%02x",