1 /* audit_fsnotify.c -- tracking inodes 2 * 3 * Copyright 2003-2009,2014-2015 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 */ 17 18 #include <linux/kernel.h> 19 #include <linux/audit.h> 20 #include <linux/kthread.h> 21 #include <linux/mutex.h> 22 #include <linux/fs.h> 23 #include <linux/fsnotify_backend.h> 24 #include <linux/namei.h> 25 #include <linux/netlink.h> 26 #include <linux/sched.h> 27 #include <linux/slab.h> 28 #include <linux/security.h> 29 #include "audit.h" 30 31 /* 32 * this mark lives on the parent directory of the inode in question. 33 * but dev, ino, and path are about the child 34 */ 35 struct audit_fsnotify_mark { 36 dev_t dev; /* associated superblock device */ 37 unsigned long ino; /* associated inode number */ 38 char *path; /* insertion path */ 39 struct fsnotify_mark mark; /* fsnotify mark on the inode */ 40 struct audit_krule *rule; 41 }; 42 43 /* fsnotify handle. */ 44 static struct fsnotify_group *audit_fsnotify_group; 45 46 /* fsnotify events we care about. */ 47 #define AUDIT_FS_EVENTS (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\ 48 FS_MOVE_SELF | FS_EVENT_ON_CHILD) 49 50 static void audit_fsnotify_mark_free(struct audit_fsnotify_mark *audit_mark) 51 { 52 kfree(audit_mark->path); 53 kfree(audit_mark); 54 } 55 56 static void audit_fsnotify_free_mark(struct fsnotify_mark *mark) 57 { 58 struct audit_fsnotify_mark *audit_mark; 59 60 audit_mark = container_of(mark, struct audit_fsnotify_mark, mark); 61 audit_fsnotify_mark_free(audit_mark); 62 } 63 64 char *audit_mark_path(struct audit_fsnotify_mark *mark) 65 { 66 return mark->path; 67 } 68 69 int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev) 70 { 71 if (mark->ino == AUDIT_INO_UNSET) 72 return 0; 73 return (mark->ino == ino) && (mark->dev == dev); 74 } 75 76 static void audit_update_mark(struct audit_fsnotify_mark *audit_mark, 77 const struct inode *inode) 78 { 79 audit_mark->dev = inode ? inode->i_sb->s_dev : AUDIT_DEV_UNSET; 80 audit_mark->ino = inode ? inode->i_ino : AUDIT_INO_UNSET; 81 } 82 83 struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len) 84 { 85 struct audit_fsnotify_mark *audit_mark; 86 struct path path; 87 struct dentry *dentry; 88 struct inode *inode; 89 int ret; 90 91 if (pathname[0] != '/' || pathname[len-1] == '/') 92 return ERR_PTR(-EINVAL); 93 94 dentry = kern_path_locked(pathname, &path); 95 if (IS_ERR(dentry)) 96 return (void *)dentry; /* returning an error */ 97 inode = path.dentry->d_inode; 98 inode_unlock(inode); 99 100 audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL); 101 if (unlikely(!audit_mark)) { 102 audit_mark = ERR_PTR(-ENOMEM); 103 goto out; 104 } 105 106 fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_group); 107 audit_mark->mark.mask = AUDIT_FS_EVENTS; 108 audit_mark->path = pathname; 109 audit_update_mark(audit_mark, dentry->d_inode); 110 audit_mark->rule = krule; 111 112 ret = fsnotify_add_inode_mark(&audit_mark->mark, inode, true); 113 if (ret < 0) { 114 fsnotify_put_mark(&audit_mark->mark); 115 audit_mark = ERR_PTR(ret); 116 } 117 out: 118 dput(dentry); 119 path_put(&path); 120 return audit_mark; 121 } 122 123 static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, char *op) 124 { 125 struct audit_buffer *ab; 126 struct audit_krule *rule = audit_mark->rule; 127 128 if (!audit_enabled) 129 return; 130 ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); 131 if (unlikely(!ab)) 132 return; 133 audit_log_format(ab, "auid=%u ses=%u op=%s", 134 from_kuid(&init_user_ns, audit_get_loginuid(current)), 135 audit_get_sessionid(current), op); 136 audit_log_format(ab, " path="); 137 audit_log_untrustedstring(ab, audit_mark->path); 138 audit_log_key(ab, rule->filterkey); 139 audit_log_format(ab, " list=%d res=1", rule->listnr); 140 audit_log_end(ab); 141 } 142 143 void audit_remove_mark(struct audit_fsnotify_mark *audit_mark) 144 { 145 fsnotify_destroy_mark(&audit_mark->mark, audit_fsnotify_group); 146 fsnotify_put_mark(&audit_mark->mark); 147 } 148 149 void audit_remove_mark_rule(struct audit_krule *krule) 150 { 151 struct audit_fsnotify_mark *mark = krule->exe; 152 153 audit_remove_mark(mark); 154 } 155 156 static void audit_autoremove_mark_rule(struct audit_fsnotify_mark *audit_mark) 157 { 158 struct audit_krule *rule = audit_mark->rule; 159 struct audit_entry *entry = container_of(rule, struct audit_entry, rule); 160 161 audit_mark_log_rule_change(audit_mark, "autoremove_rule"); 162 audit_del_rule(entry); 163 } 164 165 /* Update mark data in audit rules based on fsnotify events. */ 166 static int audit_mark_handle_event(struct fsnotify_group *group, 167 struct inode *to_tell, 168 u32 mask, const void *data, int data_type, 169 const unsigned char *dname, u32 cookie, 170 struct fsnotify_iter_info *iter_info) 171 { 172 struct fsnotify_mark *inode_mark = fsnotify_iter_inode_mark(iter_info); 173 struct audit_fsnotify_mark *audit_mark; 174 const struct inode *inode = NULL; 175 176 audit_mark = container_of(inode_mark, struct audit_fsnotify_mark, mark); 177 178 BUG_ON(group != audit_fsnotify_group); 179 180 switch (data_type) { 181 case (FSNOTIFY_EVENT_PATH): 182 inode = ((const struct path *)data)->dentry->d_inode; 183 break; 184 case (FSNOTIFY_EVENT_INODE): 185 inode = (const struct inode *)data; 186 break; 187 default: 188 BUG(); 189 return 0; 190 } 191 192 if (mask & (FS_CREATE|FS_MOVED_TO|FS_DELETE|FS_MOVED_FROM)) { 193 if (audit_compare_dname_path(dname, audit_mark->path, AUDIT_NAME_FULL)) 194 return 0; 195 audit_update_mark(audit_mark, inode); 196 } else if (mask & (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF)) 197 audit_autoremove_mark_rule(audit_mark); 198 199 return 0; 200 } 201 202 static const struct fsnotify_ops audit_mark_fsnotify_ops = { 203 .handle_event = audit_mark_handle_event, 204 .free_mark = audit_fsnotify_free_mark, 205 }; 206 207 static int __init audit_fsnotify_init(void) 208 { 209 audit_fsnotify_group = fsnotify_alloc_group(&audit_mark_fsnotify_ops); 210 if (IS_ERR(audit_fsnotify_group)) { 211 audit_fsnotify_group = NULL; 212 audit_panic("cannot create audit fsnotify group"); 213 } 214 return 0; 215 } 216 device_initcall(audit_fsnotify_init); 217