audit_receive_msg

Name:audit_receive_msg

Proto:static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)

Type:int

Parameter:

Type	Parameter	Name
struct sk_buff *	skb
struct nlmsghdr *	nlh

1178

msg_type = Message content

1180

char * ctx = NULL

1183

err = Check for appropriate CAP_AUDIT_ capabilities on incoming audit* control messages.

1184

If err Then Return err

1187

seq = Sequence number

1188

data = lmsg_data - head of message payload*@nlh: netlink message header

1189

data_len = lmsg_len - length of message payload*@nlh: netlink message header

1192

Case msg_type == Get status

1194

memset( & s, 0, size of s )

1195

1 = enabled, 0 = disabled = audit_enabled

1196

Failure-to-log action = If auditing cannot proceed, audit_failure selects what happens.

1199

pid of auditd process = auditd_pid_vnr - Return the auditd PID relative to the namespace* Description:* Returns the PID in relation to the namespace, 0 on failure.

1200

messages rate limit (per second) = If audit_rate_limit is non-zero, limit the rate of sending audit records* to that number per second. This prevents DoS attacks, but results in* audit records being dropped.

1201

waiting messages limit = Number of outstanding audit_buffers allowed.* When set to zero, this means unlimited.

1202

messages lost = atomic_read( & Records can be lost in several ways:0) [suppressed in audit_alloc]1) out of memory in audit_log_start [kmalloc of struct audit_buffer]2) out of memory in audit_log_move [alloc_skb]3) suppressed due to audit_rate_limit4) suppressed due to )

1203

messages waiting in queue = skb_queue_len - get queue length*@list_: list to measure* Return the length of an &sk_buff queue.

1204

bitmap of kernel audit features = AUDIT_FEATURE_BITMAP_ALL

1205

message queue wait timeout = audit_backlog_wait_time

1206

audit_send_reply - send an audit reply message via netlink*@request_skb: skb of request we are replying to (used to target the reply)*@seq: sequence number*@type: audit message type*@done: done (last) flag*@multi: multi-part message flag*@payload: payload

1207

Break

1209

Case msg_type == Set status (enable/disable/auditd)

1211

memset( & s, 0, size of s )

1213

No 3D Now!( & s, data, min_t - return minimum of two values, using the specified type*@type: data type to use*@x: first value*@y: second value(size_t, size of s , data_len))

1214

If Bit mask for valid entries & Mask values Then

1215

err = audit_set_enabled( 1 = enabled, 0 = disabled )

1216

If err < 0 Then Return err

1219

If Bit mask for valid entries & AUDIT_STATUS_FAILURE Then

1220

err = audit_set_failure( Failure-to-log action )

1221

If err < 0 Then Return err

1224

If Bit mask for valid entries & AUDIT_STATUS_PID Then

1231

new_pid = pid of auditd process

1233

req_pid = task_tgid(current process)

1237

If new_pid && new_pid != pid_vnr(req_pid) Then Return -EINVAL

1241

audit_replace(req_pid)

1243

auditd_pid = auditd_pid_vnr - Return the auditd PID relative to the namespace* Description:* Returns the PID in relation to the namespace, 0 on failure.

1244

If auditd_pid Then

1246

If new_pid Then

1247

audit_log_config_change("audit_pid", new_pid, auditd_pid, 0)

1249

Return -EEXIST

1252

If pid_vnr(req_pid) != auditd_pid Then

1253

audit_log_config_change("audit_pid", new_pid, auditd_pid, 0)

1255

Return -EACCES

1259

If new_pid Then

1261

err = auditd_set - Set/Reset the auditd connection state*@pid: auditd PID*@portid: auditd netlink portid*@net: auditd network namespace pointer* Description:* This function will obtain and drop network namespace references as* necessary

1264

If audit_enabled != AUDIT_OFF Then audit_log_config_change("audit_pid", new_pid, auditd_pid, err ? 0 : 1)

1269

If err Then Return err

1273

wake_up_interruptible( & kauditd_wait)

1274

Else

1275

If audit_enabled != AUDIT_OFF Then audit_log_config_change("audit_pid", new_pid, auditd_pid, 1)

1281

auditd_reset - Disconnect the auditd connection*@ac: auditd connection state* Description:* Break the auditd/kauditd connection and move all the queued records into the* hold queue in case auditd reconnects

1284

If Bit mask for valid entries & AUDIT_STATUS_RATE_LIMIT Then

1285

err = audit_set_rate_limit( messages rate limit (per second) )

1286

If err < 0 Then Return err

1289

If Bit mask for valid entries & AUDIT_STATUS_BACKLOG_LIMIT Then

1290

err = audit_set_backlog_limit( waiting messages limit )

1291

If err < 0 Then Return err

1294

If Bit mask for valid entries & AUDIT_STATUS_BACKLOG_WAIT_TIME Then

1295

If size of s > Length of message including header Then Return -EINVAL

1297

If message queue wait timeout > 10 * AUDIT_BACKLOG_WAIT_TIME Then Return -EINVAL

1299

err = audit_set_backlog_wait_time( message queue wait timeout )

1300

If err < 0 Then Return err

1303

If Bit mask for valid entries == AUDIT_STATUS_LOST Then

1304

lost = atomic_xchg( & Records can be lost in several ways:0) [suppressed in audit_alloc]1) out of memory in audit_log_start [kmalloc of struct audit_buffer]2) out of memory in audit_log_move [alloc_skb]3) suppressed due to audit_rate_limit4) suppressed due to , 0)

1306

audit_log_config_change("lost", 0, lost, 1)

1307

Return lost

1309

Break

1311

Case msg_type == Get which features are enabled

1312

err = audit_get_feature(skb)

1313

If err Then Return err

1315

Break

1316

Case msg_type == Turn an audit feature on or off

1317

If data_len < sizeof(structaudit_features) Then Return -EINVAL

1319

err = audit_set_feature(data)

1320

If err Then Return err

1322

Break

1323

Case msg_type == Message from userspace -- deprecated

1324

Case msg_type == Userspace messages mostly uninteresting to kernel ...AUDIT_LAST_USER_MSG

1325

Case msg_type == More user space messages ...AUDIT_LAST_USER_MSG2

1326

If Not audit_enabled && msg_type != We filter this differently Then Return 0

1329

err = audit_filter(msg_type, Apply rule to user-generated messages )

1330

If err == 1 Then

1331

str = data

1333

err = 0

1334

If msg_type == Non-ICANON TTY input meaning Then

1335

err = tty_audit_push()

1336

If err Then Break

1339

audit_log_user_recv_msg( & ab, msg_type)

1340

If msg_type != Non-ICANON TTY input meaning Then

1342

str[data_len - 1] = '\0'

1343

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1346

Else

1347

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1348

If data_len > 0 && str[data_len - 1] == '\0' Then data_len--

1350

audit_log_n_untrustedstring - log a string that may contain random characters*@ab: audit_buffer*@len: length of string (not including trailing null)*@string: string to be logged* This code will escape a string that is passed to it if the string* contains

1352

audit_log_end - end one audit record*@ab: the audit_buffer* We can not do a netlink send inside an irq context because it blocks (last* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a* queue and a tasklet is scheduled to remove

1354

Break

1355

Case msg_type == Add syscall filtering rule

1356

Case msg_type == Delete syscall filtering rule

1357

If data_len < sizeof(structaudit_rule_data) Then Return -EINVAL

1359

If audit_enabled == AUDIT_LOCKED Then

1360

audit_log_common_recv_msg(audit_context(), & ab, Audit system configuration change )

1362

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1366

audit_log_end - end one audit record*@ab: the audit_buffer* We can not do a netlink send inside an irq context because it blocks (last* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a* queue and a tasklet is scheduled to remove

1367

Return -EPERM

1369

err = Private API (for audit.c only)

1370

Break

1371

Case msg_type == List syscall filtering rules

1372

err = audit_list_rules_send - list the audit rules*@request_skb: skb of request we are replying to (used to target the reply)*@seq: netlink audit message sequence (serial) number

1373

Break

1374

Case msg_type == Trim junk from watched tree

1375

audit_trim_trees()

1376

audit_log_common_recv_msg(audit_context(), & ab, Audit system configuration change )

1378

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1379

audit_log_end - end one audit record*@ab: the audit_buffer* We can not do a netlink send inside an irq context because it blocks (last* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a* queue and a tasklet is scheduled to remove

1380

Break

1381

Case msg_type == Append to watched tree

1382

1384

msglen = data_len

1387

1388

If msglen < 2 * sizeof(u32) Then Break

1390

No 3D Now!(sizes, bufp, 2 * sizeof(u32))

1391

bufp += 2 * sizeof(u32)

1392

msglen -= 2 * sizeof(u32)

1393

old = audit_unpack_string( & bufp, & msglen, sizes[0])

1394

If IS_ERR(old) Then

1395

err = PTR_ERR(old)

1396

Break

1398

new = audit_unpack_string( & bufp, & msglen, sizes[1])

1399

If IS_ERR(new) Then

1400

err = PTR_ERR(new)

1401

1402

Break

1405

err = audit_tag_tree(old, new)

1407

audit_log_common_recv_msg(audit_context(), & ab, Audit system configuration change )

1409

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1410

audit_log_untrustedstring - log a string that may contain random characters*@ab: audit_buffer*@string: string to be logged* Same as audit_log_n_untrustedstring(), except that strlen is used to* determine string length.

1411

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1412

audit_log_untrustedstring - log a string that may contain random characters*@ab: audit_buffer*@string: string to be logged* Same as audit_log_n_untrustedstring(), except that strlen is used to* determine string length.

1413

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1414

audit_log_end - end one audit record*@ab: the audit_buffer* We can not do a netlink send inside an irq context because it blocks (last* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a* queue and a tasklet is scheduled to remove

1415

1416

1417

Break

1419

Case msg_type == Get info about sender of signal to auditd

1420

len = 0

1421

If audit_sig_sid Then

1422

err = security_secid_to_secctx(audit_sig_sid, & ctx, & len)

1423

If err Then Return err

1426

sig_data = Allocation memory

1427

If Not sig_data Then

1428

If audit_sig_sid Then security_release_secctx(ctx, len)

1430

Return -ENOMEM

1432

uid = m_kuid - Create a uid from a kuid user-namespace pair.*@targ: The user namespace we want a uid in.*@kuid: The kernel internal uid to start with.* Map @kuid into the user-namespace specified by @targ and* return the resulting uid.

1433

pid = audit_sig_pid

1434

If audit_sig_sid Then

1435

No 3D Now!(ctx, ctx, len)

1436

security_release_secctx(ctx, len)

1438

audit_send_reply - send an audit reply message via netlink*@request_skb: skb of request we are replying to (used to target the reply)*@seq: sequence number*@type: audit message type*@done: done (last) flag*@multi: multi-part message flag*@payload: payload

1440

kfree(sig_data)

1441

Break

1442

Case msg_type == Get TTY auditing status

1446

t = READ_ONCE(audit_tty)

1447

1 = enabled, 0 = disabled = t & values for ->signal->audit_tty

1448

1 = enabled, 0 = disabled = Not Not (t & AUDIT_TTY_LOG_PASSWD)

1450

audit_send_reply - send an audit reply message via netlink*@request_skb: skb of request we are replying to (used to target the reply)*@seq: sequence number*@type: audit message type*@done: done (last) flag*@multi: multi-part message flag*@payload: payload

1451

Break

1453

Case msg_type == Set TTY auditing status

1458

memset( & s, 0, size of s )

1460

No 3D Now!( & s, data, min_t - return minimum of two values, using the specified type*@type: data type to use*@x: first value*@y: second value(size_t, size of s , data_len))

1462

If 1 = enabled, 0 = disabled != 0 && 1 = enabled, 0 = disabled != 1 || 1 = enabled, 0 = disabled != 0 && 1 = enabled, 0 = disabled != 1 Then err = -EINVAL

1466

If err Then t = READ_ONCE(audit_tty)

1468

Else

1469

t = 1 = enabled, 0 = disabled | - 1 = enabled, 0 = disabled & AUDIT_TTY_LOG_PASSWD

1470

t = xchg( & audit_tty, t)

1472

1 = enabled, 0 = disabled = t & values for ->signal->audit_tty

1473

1 = enabled, 0 = disabled = Not Not (t & AUDIT_TTY_LOG_PASSWD)

1475

audit_log_common_recv_msg(audit_context(), & ab, Audit system configuration change )

1477

audit_log_format - format a message into the audit buffer.*@ab: audit_buffer*@fmt: format string*@...: optional parameters matching @fmt string* All the work is done in audit_log_vformat.

1481

audit_log_end - end one audit record*@ab: the audit_buffer* We can not do a netlink send inside an irq context because it blocks (last* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a* queue and a tasklet is scheduled to remove

1482

Break

1484

Default

1485

1486

Break

1489

Return If err < 0 Then err Else 0

**Caller**
Name	Describe
audit_receive	audit_receive - receive messages from a netlink control socket@skb: the message buffer Parse the provided skb and deal with any messages that may be present,* malformed skbs are discarded.

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion