1 /* audit_fsnotify.c -- tracking inodes 2 * 3 * Copyright 2003-2009,2014-2015 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 */ 17 18 #include <linux/kernel.h> 19 #include <linux/audit.h> 20 #include <linux/kthread.h> 21 #include <linux/mutex.h> 22 #include <linux/fs.h> 23 #include <linux/fsnotify_backend.h> 24 #include <linux/namei.h> 25 #include <linux/netlink.h> 26 #include <linux/sched.h> 27 #include <linux/slab.h> 28 #include <linux/security.h> 29 #include "audit.h" 30 31 /* 32 * this mark lives on the parent directory of the inode in question. 33 * but dev, ino, and path are about the child 34 */ 35 struct audit_fsnotify_mark { 36 dev_t dev; /* associated superblock device */ 37 unsigned long ino; /* associated inode number */ 38 char *path; /* insertion path */ 39 struct fsnotify_mark mark; /* fsnotify mark on the inode */ 40 struct audit_krule *rule; 41 }; 42 43 /* fsnotify handle. */ 44 static struct fsnotify_group *audit_fsnotify_group; 45 46 /* fsnotify events we care about. */ 47 #define AUDIT_FS_EVENTS (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\ 48 FS_MOVE_SELF | FS_EVENT_ON_CHILD) 49 50 static void audit_fsnotify_mark_free(struct audit_fsnotify_mark *audit_mark) 51 { 52 kfree(audit_mark->path); 53 kfree(audit_mark); 54 } 55 56 static void audit_fsnotify_free_mark(struct fsnotify_mark *mark) 57 { 58 struct audit_fsnotify_mark *audit_mark; 59 60 audit_mark = container_of(mark, struct audit_fsnotify_mark, mark); 61 audit_fsnotify_mark_free(audit_mark); 62 } 63 64 char *audit_mark_path(struct audit_fsnotify_mark *mark) 65 { 66 return mark->path; 67 } 68 69 int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev) 70 { 71 if (mark->ino == AUDIT_INO_UNSET) 72 return 0; 73 return (mark->ino == ino) && (mark->dev == dev); 74 } 75 76 static void audit_update_mark(struct audit_fsnotify_mark *audit_mark, 77 const struct inode *inode) 78 { 79 audit_mark->dev = inode ? inode->i_sb->s_dev : AUDIT_DEV_UNSET; 80 audit_mark->ino = inode ? inode->i_ino : AUDIT_INO_UNSET; 81 } 82 83 struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len) 84 { 85 struct audit_fsnotify_mark *audit_mark; 86 struct path path; 87 struct dentry *dentry; 88 struct inode *inode; 89 int ret; 90 91 if (pathname[0] != '/' || pathname[len-1] == '/') 92 return ERR_PTR(-EINVAL); 93 94 dentry = kern_path_locked(pathname, &path); 95 if (IS_ERR(dentry)) 96 return (void *)dentry; /* returning an error */ 97 inode = path.dentry->d_inode; 98 inode_unlock(inode); 99 100 audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL); 101 if (unlikely(!audit_mark)) { 102 audit_mark = ERR_PTR(-ENOMEM); 103 goto out; 104 } 105 106 fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_group); 107 audit_mark->mark.mask = AUDIT_FS_EVENTS; 108 audit_mark->path = pathname; 109 audit_update_mark(audit_mark, dentry->d_inode); 110 audit_mark->rule = krule; 111 112 ret = fsnotify_add_inode_mark(&audit_mark->mark, inode, true); 113 if (ret < 0) { 114 fsnotify_put_mark(&audit_mark->mark); 115 audit_mark = ERR_PTR(ret); 116 } 117 out: 118 dput(dentry); 119 path_put(&path); 120 return audit_mark; 121 } 122 123 static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, char *op) 124 { 125 struct audit_buffer *ab; 126 struct audit_krule *rule = audit_mark->rule; 127 128 if (!audit_enabled) 129 return; 130 ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE); 131 if (unlikely(!ab)) 132 return; 133 audit_log_session_info(ab); 134 audit_log_format(ab, " op=%s path=", op); 135 audit_log_untrustedstring(ab, audit_mark->path); 136 audit_log_key(ab, rule->filterkey); 137 audit_log_format(ab, " list=%d res=1", rule->listnr); 138 audit_log_end(ab); 139 } 140 141 void audit_remove_mark(struct audit_fsnotify_mark *audit_mark) 142 { 143 fsnotify_destroy_mark(&audit_mark->mark, audit_fsnotify_group); 144 fsnotify_put_mark(&audit_mark->mark); 145 } 146 147 void audit_remove_mark_rule(struct audit_krule *krule) 148 { 149 struct audit_fsnotify_mark *mark = krule->exe; 150 151 audit_remove_mark(mark); 152 } 153 154 static void audit_autoremove_mark_rule(struct audit_fsnotify_mark *audit_mark) 155 { 156 struct audit_krule *rule = audit_mark->rule; 157 struct audit_entry *entry = container_of(rule, struct audit_entry, rule); 158 159 audit_mark_log_rule_change(audit_mark, "autoremove_rule"); 160 audit_del_rule(entry); 161 } 162 163 /* Update mark data in audit rules based on fsnotify events. */ 164 static int audit_mark_handle_event(struct fsnotify_group *group, 165 struct inode *to_tell, 166 u32 mask, const void *data, int data_type, 167 const unsigned char *dname, u32 cookie, 168 struct fsnotify_iter_info *iter_info) 169 { 170 struct fsnotify_mark *inode_mark = fsnotify_iter_inode_mark(iter_info); 171 struct audit_fsnotify_mark *audit_mark; 172 const struct inode *inode = NULL; 173 174 audit_mark = container_of(inode_mark, struct audit_fsnotify_mark, mark); 175 176 BUG_ON(group != audit_fsnotify_group); 177 178 switch (data_type) { 179 case (FSNOTIFY_EVENT_PATH): 180 inode = ((const struct path *)data)->dentry->d_inode; 181 break; 182 case (FSNOTIFY_EVENT_INODE): 183 inode = (const struct inode *)data; 184 break; 185 default: 186 BUG(); 187 return 0; 188 } 189 190 if (mask & (FS_CREATE|FS_MOVED_TO|FS_DELETE|FS_MOVED_FROM)) { 191 if (audit_compare_dname_path(dname, audit_mark->path, AUDIT_NAME_FULL)) 192 return 0; 193 audit_update_mark(audit_mark, inode); 194 } else if (mask & (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF)) 195 audit_autoremove_mark_rule(audit_mark); 196 197 return 0; 198 } 199 200 static const struct fsnotify_ops audit_mark_fsnotify_ops = { 201 .handle_event = audit_mark_handle_event, 202 .free_mark = audit_fsnotify_free_mark, 203 }; 204 205 static int __init audit_fsnotify_init(void) 206 { 207 audit_fsnotify_group = fsnotify_alloc_group(&audit_mark_fsnotify_ops); 208 if (IS_ERR(audit_fsnotify_group)) { 209 audit_fsnotify_group = NULL; 210 audit_panic("cannot create audit fsnotify group"); 211 } 212 return 0; 213 } 214 device_initcall(audit_fsnotify_init); 215