xref: /openbmc/linux/kernel/audit_tree.c (revision 9d56dd3b083a3bec56e9da35ce07baca81030b03)
#include "audit.h"
#include <linux/inotify.h>
#include <linux/namei.h>
#include <linux/mount.h>
#include <linux/kthread.h>

struct audit_tree;
struct audit_chunk;

struct audit_tree {
	atomic_t count;
	int goner;
	struct audit_chunk *root;
	struct list_head chunks;
	struct list_head rules;
	struct list_head list;
	struct list_head same_root;
	struct rcu_head head;
	char pathname[];
};

struct audit_chunk {
	struct list_head hash;
	struct inotify_watch watch;
	struct list_head trees;		/* with root here */
	int dead;
	int count;
	atomic_long_t refs;
	struct rcu_head head;
	struct node {
		struct list_head list;
		struct audit_tree *owner;
		unsigned index;		/* index; upper bit indicates 'will prune' */
	} owners[];
};

static LIST_HEAD(tree_list);
static LIST_HEAD(prune_list);

/*
 * One struct chunk is attached to each inode of interest.
 * We replace struct chunk on tagging/untagging.
 * Rules have a pointer to struct audit_tree.
 * Rules have struct list_head rlist forming a list of rules over
 * the same tree.
 * References to struct chunk are collected at audit_inode{,_child}()
 * time and used in AUDIT_TREE rule matching.
 * These references are dropped at the same time we are calling
 * audit_free_names(), etc.
 *
 * Cyclic lists galore:
 * tree.chunks anchors chunk.owners[].list			hash_lock
 * tree.rules anchors rule.rlist				audit_filter_mutex
 * chunk.trees anchors tree.same_root				hash_lock
 * chunk.hash is a hash, with the middle bits of watch.inode's
 * address as the hash function.				RCU, hash_lock
 *
 * tree is refcounted; one reference for "some rules on rules_list refer to
 * it", one for each chunk with a pointer to it.
 *
 * chunk is refcounted by embedded inotify_watch + .refs (non-zero refcount
 * of watch contributes 1 to .refs).
 *
 * node.index lets us get from node.list to the containing chunk.
 * The MSB of that field is stolen to mark taggings that we might have to
 * revert - several operations have very unpleasant cleanup logic and
 * that makes a difference.
 */
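
/*
 * Illustrative sketch (this is exactly what find_chunk() below does):
 * given a struct node *p embedded in some chunk->owners[], the low bits
 * of p->index are its slot in that array, so the containing chunk falls
 * out of plain pointer arithmetic:
 *
 *	unsigned slot = p->index & ~(1U << 31);	- strip the "will prune" bit
 *	struct audit_chunk *c =
 *		container_of(p - slot, struct audit_chunk, owners[0]);
 */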

static struct inotify_handle *rtree_ih;

static struct audit_tree *alloc_tree(const char *s)
{
	struct audit_tree *tree;

	tree = kmalloc(sizeof(struct audit_tree) + strlen(s) + 1, GFP_KERNEL);
	if (tree) {
		atomic_set(&tree->count, 1);
		tree->goner = 0;
		INIT_LIST_HEAD(&tree->chunks);
		INIT_LIST_HEAD(&tree->rules);
		INIT_LIST_HEAD(&tree->list);
		INIT_LIST_HEAD(&tree->same_root);
		tree->root = NULL;
		strcpy(tree->pathname, s);
	}
	return tree;
}

static inline void get_tree(struct audit_tree *tree)
{
	atomic_inc(&tree->count);
}

static void __put_tree(struct rcu_head *rcu)
{
	struct audit_tree *tree = container_of(rcu, struct audit_tree, head);
	kfree(tree);
}

static inline void put_tree(struct audit_tree *tree)
{
	if (atomic_dec_and_test(&tree->count))
		call_rcu(&tree->head, __put_tree);
}

/* to avoid bringing the entire thing into audit.h */
const char *audit_tree_path(struct audit_tree *tree)
{
	return tree->pathname;
}

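/*
 * A chunk carries a flexible array of <count> owner slots: the
 * allocation below is sized as offsetof(struct audit_chunk, owners)
 * plus count * sizeof(struct node), and zeroed so that unused slots
 * read as "no owner".
 */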
static struct audit_chunk *alloc_chunk(int count)
{
	struct audit_chunk *chunk;
	size_t size;
	int i;

	size = offsetof(struct audit_chunk, owners) + count * sizeof(struct node);
	chunk = kzalloc(size, GFP_KERNEL);
	if (!chunk)
		return NULL;

	INIT_LIST_HEAD(&chunk->hash);
	INIT_LIST_HEAD(&chunk->trees);
	chunk->count = count;
	atomic_long_set(&chunk->refs, 1);
	for (i = 0; i < count; i++) {
		INIT_LIST_HEAD(&chunk->owners[i].list);
		chunk->owners[i].index = i;
	}
	inotify_init_watch(&chunk->watch);
	return chunk;
}

static void free_chunk(struct audit_chunk *chunk)
{
	int i;

	for (i = 0; i < chunk->count; i++) {
		if (chunk->owners[i].owner)
			put_tree(chunk->owners[i].owner);
	}
	kfree(chunk);
}

void audit_put_chunk(struct audit_chunk *chunk)
{
	if (atomic_long_dec_and_test(&chunk->refs))
		free_chunk(chunk);
}

static void __put_chunk(struct rcu_head *rcu)
{
	struct audit_chunk *chunk = container_of(rcu, struct audit_chunk, head);
	audit_put_chunk(chunk);
}

enum {HASH_SIZE = 128};
static struct list_head chunk_hash_heads[HASH_SIZE];
static __cacheline_aligned_in_smp DEFINE_SPINLOCK(hash_lock);

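/*
 * Buckets are picked from the inode's address.  Inodes come out of slab
 * caches, so the low log2(L1_CACHE_BYTES) bits of the pointer are
 * (presumably) just alignment and carry no information; dividing them
 * out first spreads the buckets better.
 */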
static inline struct list_head *chunk_hash(const struct inode *inode)
{
	unsigned long n = (unsigned long)inode / L1_CACHE_BYTES;
	return chunk_hash_heads + n % HASH_SIZE;
}

/* hash_lock is held by caller */
static void insert_hash(struct audit_chunk *chunk)
{
	struct list_head *list = chunk_hash(chunk->watch.inode);
	list_add_rcu(&chunk->hash, list);
}

/* called under rcu_read_lock */
struct audit_chunk *audit_tree_lookup(const struct inode *inode)
{
	struct list_head *list = chunk_hash(inode);
	struct audit_chunk *p;

	list_for_each_entry_rcu(p, list, hash) {
		if (p->watch.inode == inode) {
			atomic_long_inc(&p->refs);
			return p;
		}
	}
	return NULL;
}

int audit_tree_match(struct audit_chunk *chunk, struct audit_tree *tree)
{
	int n;
	for (n = 0; n < chunk->count; n++)
		if (chunk->owners[n].owner == tree)
			return 1;
	return 0;
}

/* tagging and untagging inodes with trees */

static struct audit_chunk *find_chunk(struct node *p)
{
	int index = p->index & ~(1U<<31);
	p -= index;
	return container_of(p, struct audit_chunk, owners[0]);
}

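/*
 * Drop one tree's tag from a chunk.  Called with hash_lock held (and
 * reacquired before returning); the chunk is replaced by a copy with
 * one fewer owner slot, or torn down entirely if this was its last
 * owner.
 */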
static void untag_chunk(struct node *p)
{
	struct audit_chunk *chunk = find_chunk(p);
	struct audit_chunk *new;
	struct audit_tree *owner;
	int size = chunk->count - 1;
	int i, j;

	if (!pin_inotify_watch(&chunk->watch)) {
		/*
		 * Filesystem is shutting down; all watches are getting
		 * evicted, just take it off the node list for this
		 * tree and let the eviction logic take care of the
		 * rest.
		 */
		owner = p->owner;
		if (owner->root == chunk) {
			list_del_init(&owner->same_root);
			owner->root = NULL;
		}
		list_del_init(&p->list);
		p->owner = NULL;
		put_tree(owner);
		return;
	}

	spin_unlock(&hash_lock);

	/*
	 * pin_inotify_watch() succeeded, so the watch won't go away
	 * from under us.
	 */
	mutex_lock(&chunk->watch.inode->inotify_mutex);
	if (chunk->dead) {
		mutex_unlock(&chunk->watch.inode->inotify_mutex);
		goto out;
	}

	owner = p->owner;

	if (!size) {
		chunk->dead = 1;
		spin_lock(&hash_lock);
		list_del_init(&chunk->trees);
		if (owner->root == chunk)
			owner->root = NULL;
		list_del_init(&p->list);
		list_del_rcu(&chunk->hash);
		spin_unlock(&hash_lock);
		inotify_evict_watch(&chunk->watch);
		mutex_unlock(&chunk->watch.inode->inotify_mutex);
		put_inotify_watch(&chunk->watch);
		goto out;
	}

	new = alloc_chunk(size);
	if (!new)
		goto Fallback;
	if (inotify_clone_watch(&chunk->watch, &new->watch) < 0) {
		free_chunk(new);
		goto Fallback;
	}

	chunk->dead = 1;
	spin_lock(&hash_lock);
	list_replace_init(&chunk->trees, &new->trees);
	if (owner->root == chunk) {
		list_del_init(&owner->same_root);
		owner->root = NULL;
	}

	for (i = j = 0; j <= size; i++, j++) {
		struct audit_tree *s;
		if (&chunk->owners[j] == p) {
			list_del_init(&p->list);
			i--;
			continue;
		}
		s = chunk->owners[j].owner;
		new->owners[i].owner = s;
		new->owners[i].index = chunk->owners[j].index - j + i;
		if (!s) /* result of earlier fallback */
			continue;
		get_tree(s);
		list_replace_init(&chunk->owners[j].list, &new->owners[i].list);
	}

	list_replace_rcu(&chunk->hash, &new->hash);
	list_for_each_entry(owner, &new->trees, same_root)
		owner->root = new;
	spin_unlock(&hash_lock);
	inotify_evict_watch(&chunk->watch);
	mutex_unlock(&chunk->watch.inode->inotify_mutex);
	put_inotify_watch(&chunk->watch);
	goto out;

Fallback:
	/* do the best we can */
	spin_lock(&hash_lock);
	if (owner->root == chunk) {
		list_del_init(&owner->same_root);
		owner->root = NULL;
	}
	list_del_init(&p->list);
	p->owner = NULL;
	put_tree(owner);
	spin_unlock(&hash_lock);
	mutex_unlock(&chunk->watch.inode->inotify_mutex);
out:
	unpin_inotify_watch(&chunk->watch);
	spin_lock(&hash_lock);
}

static int create_chunk(struct inode *inode, struct audit_tree *tree)
{
	struct audit_chunk *chunk = alloc_chunk(1);
	if (!chunk)
		return -ENOMEM;

	if (inotify_add_watch(rtree_ih, &chunk->watch, inode, IN_IGNORED | IN_DELETE_SELF) < 0) {
		free_chunk(chunk);
		return -ENOSPC;
	}

	mutex_lock(&inode->inotify_mutex);
	spin_lock(&hash_lock);
	if (tree->goner) {
		spin_unlock(&hash_lock);
		chunk->dead = 1;
		inotify_evict_watch(&chunk->watch);
		mutex_unlock(&inode->inotify_mutex);
		put_inotify_watch(&chunk->watch);
		return 0;
	}
	chunk->owners[0].index = (1U << 31);
	chunk->owners[0].owner = tree;
	get_tree(tree);
	list_add(&chunk->owners[0].list, &tree->chunks);
	if (!tree->root) {
		tree->root = chunk;
		list_add(&tree->same_root, &chunk->trees);
	}
	insert_hash(chunk);
	spin_unlock(&hash_lock);
	mutex_unlock(&inode->inotify_mutex);
	return 0;
}

/* the first tagged inode becomes root of tree */
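/*
 * Add <tree> as an owner of the chunk watching <inode>, creating the
 * chunk if the inode is not tagged yet.  An existing chunk is never
 * grown in place: a copy with one more owner slot is built and swapped
 * in under hash_lock via list_replace_rcu(), so lockless readers in
 * audit_tree_lookup() always see a consistent chunk.
 */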
static int tag_chunk(struct inode *inode, struct audit_tree *tree)
{
	struct inotify_watch *watch;
	struct audit_tree *owner;
	struct audit_chunk *chunk, *old;
	struct node *p;
	int n;

	if (inotify_find_watch(rtree_ih, inode, &watch) < 0)
		return create_chunk(inode, tree);

	old = container_of(watch, struct audit_chunk, watch);

	/* are we already there? */
	spin_lock(&hash_lock);
	for (n = 0; n < old->count; n++) {
		if (old->owners[n].owner == tree) {
			spin_unlock(&hash_lock);
			put_inotify_watch(&old->watch);
			return 0;
		}
	}
	spin_unlock(&hash_lock);

	chunk = alloc_chunk(old->count + 1);
	if (!chunk) {
		put_inotify_watch(&old->watch);
		return -ENOMEM;
	}

	mutex_lock(&inode->inotify_mutex);
	if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
		mutex_unlock(&inode->inotify_mutex);
		put_inotify_watch(&old->watch);
		free_chunk(chunk);
		return -ENOSPC;
	}
	spin_lock(&hash_lock);
	if (tree->goner) {
		spin_unlock(&hash_lock);
		chunk->dead = 1;
		inotify_evict_watch(&chunk->watch);
		mutex_unlock(&inode->inotify_mutex);
		put_inotify_watch(&old->watch);
		put_inotify_watch(&chunk->watch);
		return 0;
	}
	list_replace_init(&old->trees, &chunk->trees);
	for (n = 0, p = chunk->owners; n < old->count; n++, p++) {
		struct audit_tree *s = old->owners[n].owner;
		p->owner = s;
		p->index = old->owners[n].index;
		if (!s) /* result of fallback in untag */
			continue;
		get_tree(s);
		list_replace_init(&old->owners[n].list, &p->list);
	}
	p->index = (chunk->count - 1) | (1U<<31);
	p->owner = tree;
	get_tree(tree);
	list_add(&p->list, &tree->chunks);
	list_replace_rcu(&old->hash, &chunk->hash);
	list_for_each_entry(owner, &chunk->trees, same_root)
		owner->root = chunk;
	old->dead = 1;
	if (!tree->root) {
		tree->root = chunk;
		list_add(&tree->same_root, &chunk->trees);
	}
	spin_unlock(&hash_lock);
	inotify_evict_watch(&old->watch);
	mutex_unlock(&inode->inotify_mutex);
	put_inotify_watch(&old->watch); /* pair to inotify_find_watch */
	put_inotify_watch(&old->watch); /* and kill it */
	return 0;
}

static void kill_rules(struct audit_tree *tree)
{
	struct audit_krule *rule, *next;
	struct audit_entry *entry;
	struct audit_buffer *ab;

	list_for_each_entry_safe(rule, next, &tree->rules, rlist) {
		entry = container_of(rule, struct audit_entry, rule);

		list_del_init(&rule->rlist);
		if (rule->tree) {
			/* not a half-baked one */
			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
			audit_log_format(ab, "op=");
			audit_log_string(ab, "remove rule");
			audit_log_format(ab, " dir=");
			audit_log_untrustedstring(ab, rule->tree->pathname);
			audit_log_key(ab, rule->filterkey);
			audit_log_format(ab, " list=%d res=1", rule->listnr);
			audit_log_end(ab);
			rule->tree = NULL;
			list_del_rcu(&entry->list);
			list_del(&entry->rule.list);
			call_rcu(&entry->rcu, audit_free_rule_rcu);
		}
	}
}

/*
 * finish killing struct audit_tree
 */
static void prune_one(struct audit_tree *victim)
{
	spin_lock(&hash_lock);
	while (!list_empty(&victim->chunks)) {
		struct node *p;

		p = list_entry(victim->chunks.next, struct node, list);

		untag_chunk(p);
	}
	spin_unlock(&hash_lock);
	put_tree(victim);
}

/* trim the uncommitted chunks from tree */

static void trim_marked(struct audit_tree *tree)
{
	struct list_head *p, *q;
	spin_lock(&hash_lock);
	if (tree->goner) {
		spin_unlock(&hash_lock);
		return;
	}
	/* reorder: move the marked chunks to the front of the list */
	for (p = tree->chunks.next; p != &tree->chunks; p = q) {
		struct node *node = list_entry(p, struct node, list);
		q = p->next;
		if (node->index & (1U<<31)) {
			list_del_init(p);
			list_add(p, &tree->chunks);
		}
	}

	while (!list_empty(&tree->chunks)) {
		struct node *node;

		node = list_entry(tree->chunks.next, struct node, list);

		/* have we run out of marked? */
		if (!(node->index & (1U<<31)))
			break;

		untag_chunk(node);
	}
	if (!tree->root && !tree->goner) {
		tree->goner = 1;
		spin_unlock(&hash_lock);
		mutex_lock(&audit_filter_mutex);
		kill_rules(tree);
		list_del_init(&tree->list);
		mutex_unlock(&audit_filter_mutex);
		prune_one(tree);
	} else {
		spin_unlock(&hash_lock);
	}
}

static void audit_schedule_prune(void);

/* called with audit_filter_mutex */
int audit_remove_tree_rule(struct audit_krule *rule)
{
	struct audit_tree *tree;
	tree = rule->tree;
	if (tree) {
		spin_lock(&hash_lock);
		list_del_init(&rule->rlist);
		if (list_empty(&tree->rules) && !tree->goner) {
			tree->root = NULL;
			list_del_init(&tree->same_root);
			tree->goner = 1;
			list_move(&tree->list, &prune_list);
			rule->tree = NULL;
			spin_unlock(&hash_lock);
			audit_schedule_prune();
			return 1;
		}
		rule->tree = NULL;
		spin_unlock(&hash_lock);
		return 1;
	}
	return 0;
}

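/*
 * Walking tree_list uses a dummy "cursor" entry so that
 * audit_filter_mutex can be dropped while each tree is processed: the
 * cursor is moved just past the tree being worked on, and since only
 * the cursor's own neighbours matter for resuming, concurrent removal
 * of other entries is harmless.  The same pattern shows up again in
 * audit_tag_tree() below.
 */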
void audit_trim_trees(void)
{
	struct list_head cursor;

	mutex_lock(&audit_filter_mutex);
	list_add(&cursor, &tree_list);
	while (cursor.next != &tree_list) {
		struct audit_tree *tree;
		struct path path;
		struct vfsmount *root_mnt;
		struct node *node;
		struct list_head list;
		int err;

		tree = container_of(cursor.next, struct audit_tree, list);
		get_tree(tree);
		list_del(&cursor);
		list_add(&cursor, &tree->list);
		mutex_unlock(&audit_filter_mutex);

		err = kern_path(tree->pathname, 0, &path);
		if (err)
			goto skip_it;

		root_mnt = collect_mounts(&path);
		path_put(&path);
		if (!root_mnt)
			goto skip_it;

		list_add_tail(&list, &root_mnt->mnt_list);
		spin_lock(&hash_lock);
		list_for_each_entry(node, &tree->chunks, list) {
			struct audit_chunk *chunk = find_chunk(node);
			struct inode *inode = chunk->watch.inode;
			struct vfsmount *mnt;
			node->index |= 1U<<31;
			list_for_each_entry(mnt, &list, mnt_list) {
				if (mnt->mnt_root->d_inode == inode) {
					node->index &= ~(1U<<31);
					break;
				}
			}
		}
		spin_unlock(&hash_lock);
		trim_marked(tree);
		put_tree(tree);
		list_del_init(&list);
		drop_collected_mounts(root_mnt);
skip_it:
		mutex_lock(&audit_filter_mutex);
	}
	list_del(&cursor);
	mutex_unlock(&audit_filter_mutex);
}

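/*
 * Does the (mnt, dentry) pair live somewhere under path?  Climb the
 * mount tree via mnt_parent until path's mount is reached (or until we
 * hit the root of the namespace, in which case the answer is no), then
 * settle the dentry relationship with is_subdir().
 */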
static int is_under(struct vfsmount *mnt, struct dentry *dentry,
		    struct path *path)
{
	if (mnt != path->mnt) {
		for (;;) {
			if (mnt->mnt_parent == mnt)
				return 0;
			if (mnt->mnt_parent == path->mnt)
				break;
			mnt = mnt->mnt_parent;
		}
		dentry = mnt->mnt_mountpoint;
	}
	return is_subdir(dentry, path->dentry);
}

int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op)
{
	if (pathname[0] != '/' ||
	    rule->listnr != AUDIT_FILTER_EXIT ||
	    op != Audit_equal ||
	    rule->inode_f || rule->watch || rule->tree)
		return -EINVAL;
	rule->tree = alloc_tree(pathname);
	if (!rule->tree)
		return -ENOMEM;
	return 0;
}

void audit_put_tree(struct audit_tree *tree)
{
	put_tree(tree);
}

/* called with audit_filter_mutex */
int audit_add_tree_rule(struct audit_krule *rule)
{
	struct audit_tree *seed = rule->tree, *tree;
	struct path path;
	struct vfsmount *mnt, *p;
	struct list_head list;
	int err;

	list_for_each_entry(tree, &tree_list, list) {
		if (!strcmp(seed->pathname, tree->pathname)) {
			put_tree(seed);
			rule->tree = tree;
			list_add(&rule->rlist, &tree->rules);
			return 0;
		}
	}
	tree = seed;
	list_add(&tree->list, &tree_list);
	list_add(&rule->rlist, &tree->rules);
	/* do not set rule->tree yet */
	mutex_unlock(&audit_filter_mutex);

	err = kern_path(tree->pathname, 0, &path);
	if (err)
		goto Err;
	mnt = collect_mounts(&path);
	path_put(&path);
	if (!mnt) {
		err = -ENOMEM;
		goto Err;
	}
	list_add_tail(&list, &mnt->mnt_list);

	get_tree(tree);
	list_for_each_entry(p, &list, mnt_list) {
		err = tag_chunk(p->mnt_root->d_inode, tree);
		if (err)
			break;
	}

	list_del(&list);
	drop_collected_mounts(mnt);

	if (!err) {
		struct node *node;
		spin_lock(&hash_lock);
		list_for_each_entry(node, &tree->chunks, list)
			node->index &= ~(1U<<31);
		spin_unlock(&hash_lock);
	} else {
		trim_marked(tree);
		goto Err;
	}

	mutex_lock(&audit_filter_mutex);
	if (list_empty(&rule->rlist)) {
		put_tree(tree);
		return -ENOENT;
	}
	rule->tree = tree;
	put_tree(tree);

	return 0;
Err:
	mutex_lock(&audit_filter_mutex);
	list_del_init(&tree->list);
	list_del_init(&tree->rules);
	put_tree(tree);
	return err;
}

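/*
 * Retag every tree whose watched directory sits under <old> so that the
 * mounts collected at <new> are covered as well.  A "barrier" entry is
 * planted in tree_list ahead of the cursor: trees handled successfully
 * by the first loop are moved in front of the barrier, so the second
 * loop can walk exactly those and either commit (clear the "will prune"
 * bits) or roll back (trim_marked) depending on whether anything
 * failed.
 */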
int audit_tag_tree(char *old, char *new)
{
	struct list_head cursor, barrier;
	int failed = 0;
	struct path path;
	struct vfsmount *tagged;
	struct list_head list;
	struct vfsmount *mnt;
	struct dentry *dentry;
	int err;

	err = kern_path(new, 0, &path);
	if (err)
		return err;
	tagged = collect_mounts(&path);
	path_put(&path);
	if (!tagged)
		return -ENOMEM;

	err = kern_path(old, 0, &path);
	if (err) {
		drop_collected_mounts(tagged);
		return err;
	}
	mnt = mntget(path.mnt);
	dentry = dget(path.dentry);
	path_put(&path);

	list_add_tail(&list, &tagged->mnt_list);

	mutex_lock(&audit_filter_mutex);
	list_add(&barrier, &tree_list);
	list_add(&cursor, &barrier);

	while (cursor.next != &tree_list) {
		struct audit_tree *tree;
		struct vfsmount *p;

		tree = container_of(cursor.next, struct audit_tree, list);
		get_tree(tree);
		list_del(&cursor);
		list_add(&cursor, &tree->list);
		mutex_unlock(&audit_filter_mutex);

		err = kern_path(tree->pathname, 0, &path);
		if (err) {
			put_tree(tree);
			mutex_lock(&audit_filter_mutex);
			continue;
		}

		spin_lock(&vfsmount_lock);
		if (!is_under(mnt, dentry, &path)) {
			spin_unlock(&vfsmount_lock);
			path_put(&path);
			put_tree(tree);
			mutex_lock(&audit_filter_mutex);
			continue;
		}
		spin_unlock(&vfsmount_lock);
		path_put(&path);

		list_for_each_entry(p, &list, mnt_list) {
			failed = tag_chunk(p->mnt_root->d_inode, tree);
			if (failed)
				break;
		}

		if (failed) {
			put_tree(tree);
			mutex_lock(&audit_filter_mutex);
			break;
		}

		mutex_lock(&audit_filter_mutex);
		spin_lock(&hash_lock);
		if (!tree->goner) {
			list_del(&tree->list);
			list_add(&tree->list, &tree_list);
		}
		spin_unlock(&hash_lock);
		put_tree(tree);
	}

	while (barrier.prev != &tree_list) {
		struct audit_tree *tree;

		tree = container_of(barrier.prev, struct audit_tree, list);
		get_tree(tree);
		list_del(&tree->list);
		list_add(&tree->list, &barrier);
		mutex_unlock(&audit_filter_mutex);

		if (!failed) {
			struct node *node;
			spin_lock(&hash_lock);
			list_for_each_entry(node, &tree->chunks, list)
				node->index &= ~(1U<<31);
			spin_unlock(&hash_lock);
		} else {
			trim_marked(tree);
		}

		put_tree(tree);
		mutex_lock(&audit_filter_mutex);
	}
	list_del(&barrier);
	list_del(&cursor);
	list_del(&list);
	mutex_unlock(&audit_filter_mutex);
	dput(dentry);
	mntput(mnt);
	drop_collected_mounts(tagged);
	return failed;
}

/*
 * This one runs when evict_chunk() ends up needing to kill an
 * audit_tree.  Runs from a separate thread.
 */
static int prune_tree_thread(void *unused)
{
	mutex_lock(&audit_cmd_mutex);
	mutex_lock(&audit_filter_mutex);

	while (!list_empty(&prune_list)) {
		struct audit_tree *victim;

		victim = list_entry(prune_list.next, struct audit_tree, list);
		list_del_init(&victim->list);

		mutex_unlock(&audit_filter_mutex);

		prune_one(victim);

		mutex_lock(&audit_filter_mutex);
	}

	mutex_unlock(&audit_filter_mutex);
	mutex_unlock(&audit_cmd_mutex);
	return 0;
}

static void audit_schedule_prune(void)
{
	kthread_run(prune_tree_thread, NULL, "audit_prune_tree");
}

/*
 * ... and this one is used if evict_chunk() decides to delay until the
 * end of the syscall.  Runs synchronously.
 */
void audit_kill_trees(struct list_head *list)
{
	mutex_lock(&audit_cmd_mutex);
	mutex_lock(&audit_filter_mutex);

	while (!list_empty(list)) {
		struct audit_tree *victim;

		victim = list_entry(list->next, struct audit_tree, list);
		kill_rules(victim);
		list_del_init(&victim->list);

		mutex_unlock(&audit_filter_mutex);

		prune_one(victim);

		mutex_lock(&audit_filter_mutex);
	}

	mutex_unlock(&audit_filter_mutex);
	mutex_unlock(&audit_cmd_mutex);
}

/*
 * Here comes the stuff asynchronous to auditctl operations
 */

/* inode->inotify_mutex is locked */
static void evict_chunk(struct audit_chunk *chunk)
{
	struct audit_tree *owner;
	struct list_head *postponed = audit_killed_trees();
	int need_prune = 0;
	int n;

	if (chunk->dead)
		return;

	chunk->dead = 1;
	mutex_lock(&audit_filter_mutex);
	spin_lock(&hash_lock);
	while (!list_empty(&chunk->trees)) {
		owner = list_entry(chunk->trees.next,
				   struct audit_tree, same_root);
		owner->goner = 1;
		owner->root = NULL;
		list_del_init(&owner->same_root);
		spin_unlock(&hash_lock);
		if (!postponed) {
			kill_rules(owner);
			list_move(&owner->list, &prune_list);
			need_prune = 1;
		} else {
			list_move(&owner->list, postponed);
		}
		spin_lock(&hash_lock);
	}
	list_del_rcu(&chunk->hash);
	for (n = 0; n < chunk->count; n++)
		list_del_init(&chunk->owners[n].list);
	spin_unlock(&hash_lock);
	if (need_prune)
		audit_schedule_prune();
	mutex_unlock(&audit_filter_mutex);
}

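/*
 * The only event acted on here is IN_IGNORED, delivered when the watch
 * is being removed (inode deleted, filesystem going away, or the watch
 * evicted): tear the chunk down and drop a reference on the watch.
 */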
static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
			 u32 cookie, const char *dname, struct inode *inode)
{
	struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);

	if (mask & IN_IGNORED) {
		evict_chunk(chunk);
		put_inotify_watch(watch);
	}
}

static void destroy_watch(struct inotify_watch *watch)
{
	struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);
	call_rcu(&chunk->head, __put_chunk);
}

static const struct inotify_operations rtree_inotify_ops = {
	.handle_event	= handle_event,
	.destroy_watch	= destroy_watch,
};

static int __init audit_tree_init(void)
{
	int i;

	rtree_ih = inotify_init(&rtree_inotify_ops);
	if (IS_ERR(rtree_ih))
		audit_panic("cannot initialize inotify handle for rectree watches");

	for (i = 0; i < HASH_SIZE; i++)
		INIT_LIST_HEAD(&chunk_hash_heads[i]);

	return 0;
}
__initcall(audit_tree_init);
967