author | Djalal Harouni <tixxdz@opendz.org> | 2014-08-20 16:58:57 +0100 |
---|---|---|
committer | Daniel Mack <zonque@gmail.com> | 2014-08-20 18:01:36 +0200 |
commit | 82b2e72e7894f8160b69ea70eda8354b7a79cbc3 (patch) | |
tree | dbcbc5de2bda2c77dcdf3ef5a850442a89a783ee | |
parent | 7bde48f293f5207ba5820c80bd473012aa453ba0 (diff) | |
kdbus: do the audit loginuid translation as late as possible
Do the namespace translation just before pushing into the receiver's
slice, so we map to the receiver's user namespace.
Patch tested.
Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
-rw-r--r-- | connection.c | 37 | ||||
-rw-r--r-- | metadata.c | 3 | ||||
-rw-r--r-- | metadata.h | 4 |
3 files changed, 44 insertions, 0 deletions
diff --git a/connection.c b/connection.c
index 9250dab09e1..283a3fc9023 100644
--- a/connection.c
+++ b/connection.c
@@ -10,6 +10,7 @@
  * your option) any later version.
  */
 
+#include <linux/audit.h>
 #include <linux/device.h>
 #include <linux/file.h>
 #include <linux/fs.h>
@@ -67,6 +68,9 @@ struct kdbus_conn_reply;
  * @auxgrp_item_offset: The offset of the auxgrp item inside the slice, if
  * the user requested this metainfo in its attach flags.
  * 0 if unused.
+ * @audit_item_offset: The offset of the audit item inside the slice, if
+ * the user requested this metainfo in its attach flags.
+ * 0 if unused.
  * @uid: The UID to patch into the final message
  * @gid: The GID to patch into the final message
  * @pid: The PID to patch into the final message
@@ -75,6 +79,8 @@ struct kdbus_conn_reply;
  * This information is translated into the user's
  * namespace when the message is installed.
  * @auxgroup_count: The number of items in @auxgrps.
+ * @loginuid: The audit login uid to patch into the final
+ * message
  */
 struct kdbus_conn_queue {
 	struct list_head entry;
@@ -95,6 +101,7 @@ struct kdbus_conn_queue {
 	int user;
 	off_t creds_item_offset;
 	off_t auxgrp_item_offset;
+	off_t audit_item_offset;
 
 	/* to honor namespaces, we have to store the following here */
 	kuid_t uid;
@@ -104,6 +111,8 @@ struct kdbus_conn_queue {
 
 	kgid_t *auxgrps;
 	unsigned int auxgrps_count;
+
+	kuid_t loginuid;
 };
 
 /**
@@ -676,6 +685,12 @@ static int kdbus_conn_queue_alloc(struct kdbus_conn *conn,
 					meta->auxgrps_item_off;
 	}
 
+	if (meta->attached & KDBUS_ATTACH_AUDIT) {
+		queue->loginuid = audit_get_loginuid(current);
+		queue->audit_item_offset = meta_off +
+					   meta->audit_item_off;
+	}
+
 	ret = kdbus_pool_slice_copy(queue->slice, meta_off, kmsg->meta->data, kmsg->meta->size);
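Review bot: In the `@@ -676` hunk the loginuid is sampled from `current` inside kdbus_conn_queue_alloc, while every other value patched into the slice comes from kmsg->meta, which was collected earlier; if queue allocation can ever run outside the sending task's context (kernel-generated notifications, deferred delivery), the stored kuid would not be the sender's. If queue allocation is guaranteed to run in the sender's context, that invariant deserves a comment, e.g. `/* sender context: capture the raw kuid here, translate into the receiver's user ns in kdbus_conn_audit_install() */`. Otherwise the capture belongs next to the other metadata collection. The body of kdbus_conn_queue_alloc starts before this hunk and continues after it.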
@@ -983,6 +998,22 @@ static int kdbus_conn_creds_install(struct kdbus_conn_queue *queue)
 	return ret;
 }
 
+static int kdbus_conn_audit_install(struct kdbus_conn_queue *queue)
+{
+	int ret;
+	u64 loginuid;
+	off_t off = queue->audit_item_offset +
+		    offsetof(struct kdbus_item, audit) +
+		    offsetof(struct kdbus_audit, loginuid);
+
+	loginuid = from_kuid_munged(current_user_ns(), queue->loginuid);
+
+	ret = kdbus_pool_slice_copy_user(queue->slice, off,
+					 &loginuid, sizeof(loginuid));
+
+	return ret;
+}
+
 static int kdbus_conn_msg_install(struct kdbus_conn_queue *queue)
 {
 	int *memfds = NULL;
@@ -1036,6 +1067,12 @@ static int kdbus_conn_msg_install(struct kdbus_conn_queue *queue)
 			goto exit_rewind_fds;
 	}
 
+	if (queue->audit_item_offset) {
+		ret = kdbus_conn_audit_install(queue);
+		if (ret < 0)
+			goto exit_rewind_fds;
+	}
+
 	kfree(fds);
 	kfree(memfds);
 	kdbus_pool_slice_flush(queue->slice);
diff --git a/metadata.c b/metadata.c
index 934aa626bd4..dabc614cbc9 100644
--- a/metadata.c
+++ b/metadata.c
@@ -119,6 +119,9 @@ kdbus_meta_append_item(struct kdbus_meta *meta, u64 type, size_t payload_size)
 	case KDBUS_ITEM_AUXGROUPS:
 		meta->auxgrps_item_off = meta->size;
 		break;
+	case KDBUS_ITEM_AUDIT:
+		meta->audit_item_off = meta->size;
+		break;
 	}
 
 	meta->size += extra_size;
diff --git a/metadata.h b/metadata.h
index 1bdb53751d9..ea77783b24f 100644
--- a/metadata.h
+++ b/metadata.h
@@ -26,6 +26,9 @@
  * @auxgrps_item_off The offset of the auxgroups item in the
  * @data buffer field, if the user requested
  * this metainfo. 0 if unused.
+ * @audit_item_off The offset of the audit item in the @data
+ * buffer field, if the user requested this
+ * metainfo. 0 if unused.
  *
  * Used to collect and store connection metadata in a pre-compiled
  * buffer containing struct kdbus_item.
@@ -39,6 +42,7 @@ struct kdbus_meta {
 
 	off_t creds_item_off;
 	off_t auxgrps_item_off;
+	off_t audit_item_off;
 };
 
 struct kdbus_conn;
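Review bot: The whole point of kdbus_conn_audit_install in the `@@ -983` hunk is that `current_user_ns()` is the receiver's namespace, which holds only if kdbus_conn_msg_install is always invoked from the receiving task; the function has no comment recording that requirement, so a later caller from another context (a work item, the sender's path) would silently produce a loginuid mapped into the wrong namespace. Add `/* must run in the receiver's task context: current_user_ns() is the ns we translate into */` above the from_kuid_munged() call. As a point of style, the `ret` temporary adds nothing: `return kdbus_pool_slice_copy_user(queue->slice, off, &loginuid, sizeof(loginuid));` and drop `int ret;`. The `@@ -1036` hunk relies on a zero `audit_item_offset` meaning "not requested", which matches the struct documentation added in connection.c but depends on queue allocation zeroing the field, which is outside this diff.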