xref: /openbmc/linux/kernel/audit_tree.c (revision e368cd72)
1 // SPDX-License-Identifier: GPL-2.0
2 #include "audit.h"
3 #include <linux/fsnotify_backend.h>
4 #include <linux/namei.h>
5 #include <linux/mount.h>
6 #include <linux/kthread.h>
7 #include <linux/refcount.h>
8 #include <linux/slab.h>
9 
10 struct audit_tree;
11 struct audit_chunk;
12 
13 struct audit_tree {
14 	refcount_t count;
15 	int goner;
16 	struct audit_chunk *root;
17 	struct list_head chunks;
18 	struct list_head rules;
19 	struct list_head list;
20 	struct list_head same_root;
21 	struct rcu_head head;
22 	char pathname[];
23 };
24 
25 struct audit_chunk {
26 	struct list_head hash;
27 	unsigned long key;
28 	struct fsnotify_mark *mark;
29 	struct list_head trees;		/* with root here */
30 	int count;
31 	atomic_long_t refs;
32 	struct rcu_head head;
33 	struct node {
34 		struct list_head list;
35 		struct audit_tree *owner;
36 		unsigned index;		/* index; upper bit indicates 'will prune' */
37 	} owners[];
38 };
39 
40 struct audit_tree_mark {
41 	struct fsnotify_mark mark;
42 	struct audit_chunk *chunk;
43 };
44 
45 static LIST_HEAD(tree_list);
46 static LIST_HEAD(prune_list);
47 static struct task_struct *prune_thread;
48 
49 /*
50  * One struct chunk is attached to each inode of interest through
51  * audit_tree_mark (fsnotify mark). We replace struct chunk on tagging /
52  * untagging, the mark is stable as long as there is chunk attached. The
53  * association between mark and chunk is protected by hash_lock and
54  * audit_tree_group->mark_mutex. Thus as long as we hold
55  * audit_tree_group->mark_mutex and check that the mark is alive by
56  * FSNOTIFY_MARK_FLAG_ATTACHED flag check, we are sure the mark points to
57  * the current chunk.
58  *
59  * Rules have pointer to struct audit_tree.
60  * Rules have struct list_head rlist forming a list of rules over
61  * the same tree.
62  * References to struct chunk are collected at audit_inode{,_child}()
63  * time and used in AUDIT_TREE rule matching.
64  * These references are dropped at the same time we are calling
65  * audit_free_names(), etc.
66  *
67  * Cyclic lists galore:
68  * tree.chunks anchors chunk.owners[].list			hash_lock
69  * tree.rules anchors rule.rlist				audit_filter_mutex
70  * chunk.trees anchors tree.same_root				hash_lock
71  * chunk.hash is a hash with middle bits of watch.inode as
72  * a hash function.						RCU, hash_lock
73  *
74  * tree is refcounted; one reference for "some rules on rules_list refer to
75  * it", one for each chunk with pointer to it.
76  *
77  * chunk is refcounted by embedded .refs. Mark associated with the chunk holds
78  * one chunk reference. This reference is dropped either when a mark is going
79  * to be freed (corresponding inode goes away) or when chunk attached to the
80  * mark gets replaced. This reference must be dropped using
81  * audit_mark_put_chunk() to make sure the reference is dropped only after RCU
82  * grace period as it protects RCU readers of the hash table.
83  *
84  * node.index allows to get from node.list to containing chunk.
85  * MSB of that sucker is stolen to mark taggings that we might have to
86  * revert - several operations have very unpleasant cleanup logics and
87  * that makes a difference.  Some.
88  */
89 
90 static struct fsnotify_group *audit_tree_group;
91 static struct kmem_cache *audit_tree_mark_cachep __read_mostly;
92 
93 static struct audit_tree *alloc_tree(const char *s)
94 {
95 	struct audit_tree *tree;
96 
97 	tree = kmalloc(sizeof(struct audit_tree) + strlen(s) + 1, GFP_KERNEL);
98 	if (tree) {
99 		refcount_set(&tree->count, 1);
100 		tree->goner = 0;
101 		INIT_LIST_HEAD(&tree->chunks);
102 		INIT_LIST_HEAD(&tree->rules);
103 		INIT_LIST_HEAD(&tree->list);
104 		INIT_LIST_HEAD(&tree->same_root);
105 		tree->root = NULL;
106 		strcpy(tree->pathname, s);
107 	}
108 	return tree;
109 }
110 
111 static inline void get_tree(struct audit_tree *tree)
112 {
113 	refcount_inc(&tree->count);
114 }
115 
116 static inline void put_tree(struct audit_tree *tree)
117 {
118 	if (refcount_dec_and_test(&tree->count))
119 		kfree_rcu(tree, head);
120 }
121 
122 /* to avoid bringing the entire thing in audit.h */
123 const char *audit_tree_path(struct audit_tree *tree)
124 {
125 	return tree->pathname;
126 }
127 
128 static void free_chunk(struct audit_chunk *chunk)
129 {
130 	int i;
131 
132 	for (i = 0; i < chunk->count; i++) {
133 		if (chunk->owners[i].owner)
134 			put_tree(chunk->owners[i].owner);
135 	}
136 	kfree(chunk);
137 }
138 
139 void audit_put_chunk(struct audit_chunk *chunk)
140 {
141 	if (atomic_long_dec_and_test(&chunk->refs))
142 		free_chunk(chunk);
143 }
144 
145 static void __put_chunk(struct rcu_head *rcu)
146 {
147 	struct audit_chunk *chunk = container_of(rcu, struct audit_chunk, head);
148 	audit_put_chunk(chunk);
149 }
150 
151 /*
152  * Drop reference to the chunk that was held by the mark. This is the reference
153  * that gets dropped after we've removed the chunk from the hash table and we
154  * use it to make sure chunk cannot be freed before RCU grace period expires.
155  */
156 static void audit_mark_put_chunk(struct audit_chunk *chunk)
157 {
158 	call_rcu(&chunk->head, __put_chunk);
159 }
160 
161 static inline struct audit_tree_mark *audit_mark(struct fsnotify_mark *mark)
162 {
163 	return container_of(mark, struct audit_tree_mark, mark);
164 }
165 
166 static struct audit_chunk *mark_chunk(struct fsnotify_mark *mark)
167 {
168 	return audit_mark(mark)->chunk;
169 }
170 
171 static void audit_tree_destroy_watch(struct fsnotify_mark *mark)
172 {
173 	kmem_cache_free(audit_tree_mark_cachep, audit_mark(mark));
174 }
175 
176 static struct fsnotify_mark *alloc_mark(void)
177 {
178 	struct audit_tree_mark *amark;
179 
180 	amark = kmem_cache_zalloc(audit_tree_mark_cachep, GFP_KERNEL);
181 	if (!amark)
182 		return NULL;
183 	fsnotify_init_mark(&amark->mark, audit_tree_group);
184 	amark->mark.mask = FS_IN_IGNORED;
185 	return &amark->mark;
186 }
187 
188 static struct audit_chunk *alloc_chunk(int count)
189 {
190 	struct audit_chunk *chunk;
191 	int i;
192 
193 	chunk = kzalloc(struct_size(chunk, owners, count), GFP_KERNEL);
194 	if (!chunk)
195 		return NULL;
196 
197 	INIT_LIST_HEAD(&chunk->hash);
198 	INIT_LIST_HEAD(&chunk->trees);
199 	chunk->count = count;
200 	atomic_long_set(&chunk->refs, 1);
201 	for (i = 0; i < count; i++) {
202 		INIT_LIST_HEAD(&chunk->owners[i].list);
203 		chunk->owners[i].index = i;
204 	}
205 	return chunk;
206 }
207 
208 enum {HASH_SIZE = 128};
209 static struct list_head chunk_hash_heads[HASH_SIZE];
210 static __cacheline_aligned_in_smp DEFINE_SPINLOCK(hash_lock);
211 
212 /* Function to return search key in our hash from inode. */
213 static unsigned long inode_to_key(const struct inode *inode)
214 {
215 	/* Use address pointed to by connector->obj as the key */
216 	return (unsigned long)&inode->i_fsnotify_marks;
217 }
218 
219 static inline struct list_head *chunk_hash(unsigned long key)
220 {
221 	unsigned long n = key / L1_CACHE_BYTES;
222 	return chunk_hash_heads + n % HASH_SIZE;
223 }
224 
225 /* hash_lock & mark->group->mark_mutex is held by caller */
226 static void insert_hash(struct audit_chunk *chunk)
227 {
228 	struct list_head *list;
229 
230 	/*
231 	 * Make sure chunk is fully initialized before making it visible in the
232 	 * hash. Pairs with a data dependency barrier in READ_ONCE() in
233 	 * audit_tree_lookup().
234 	 */
235 	smp_wmb();
236 	WARN_ON_ONCE(!chunk->key);
237 	list = chunk_hash(chunk->key);
238 	list_add_rcu(&chunk->hash, list);
239 }
240 
241 /* called under rcu_read_lock */
242 struct audit_chunk *audit_tree_lookup(const struct inode *inode)
243 {
244 	unsigned long key = inode_to_key(inode);
245 	struct list_head *list = chunk_hash(key);
246 	struct audit_chunk *p;
247 
248 	list_for_each_entry_rcu(p, list, hash) {
249 		/*
250 		 * We use a data dependency barrier in READ_ONCE() to make sure
251 		 * the chunk we see is fully initialized.
252 		 */
253 		if (READ_ONCE(p->key) == key) {
254 			atomic_long_inc(&p->refs);
255 			return p;
256 		}
257 	}
258 	return NULL;
259 }
260 
261 bool audit_tree_match(struct audit_chunk *chunk, struct audit_tree *tree)
262 {
263 	int n;
264 	for (n = 0; n < chunk->count; n++)
265 		if (chunk->owners[n].owner == tree)
266 			return true;
267 	return false;
268 }
269 
270 /* tagging and untagging inodes with trees */
271 
272 static struct audit_chunk *find_chunk(struct node *p)
273 {
274 	int index = p->index & ~(1U<<31);
275 	p -= index;
276 	return container_of(p, struct audit_chunk, owners[0]);
277 }
278 
279 static void replace_mark_chunk(struct fsnotify_mark *mark,
280 			       struct audit_chunk *chunk)
281 {
282 	struct audit_chunk *old;
283 
284 	assert_spin_locked(&hash_lock);
285 	old = mark_chunk(mark);
286 	audit_mark(mark)->chunk = chunk;
287 	if (chunk)
288 		chunk->mark = mark;
289 	if (old)
290 		old->mark = NULL;
291 }
292 
293 static void replace_chunk(struct audit_chunk *new, struct audit_chunk *old)
294 {
295 	struct audit_tree *owner;
296 	int i, j;
297 
298 	new->key = old->key;
299 	list_splice_init(&old->trees, &new->trees);
300 	list_for_each_entry(owner, &new->trees, same_root)
301 		owner->root = new;
302 	for (i = j = 0; j < old->count; i++, j++) {
303 		if (!old->owners[j].owner) {
304 			i--;
305 			continue;
306 		}
307 		owner = old->owners[j].owner;
308 		new->owners[i].owner = owner;
309 		new->owners[i].index = old->owners[j].index - j + i;
310 		if (!owner) /* result of earlier fallback */
311 			continue;
312 		get_tree(owner);
313 		list_replace_init(&old->owners[j].list, &new->owners[i].list);
314 	}
315 	replace_mark_chunk(old->mark, new);
316 	/*
317 	 * Make sure chunk is fully initialized before making it visible in the
318 	 * hash. Pairs with a data dependency barrier in READ_ONCE() in
319 	 * audit_tree_lookup().
320 	 */
321 	smp_wmb();
322 	list_replace_rcu(&old->hash, &new->hash);
323 }
324 
325 static void remove_chunk_node(struct audit_chunk *chunk, struct node *p)
326 {
327 	struct audit_tree *owner = p->owner;
328 
329 	if (owner->root == chunk) {
330 		list_del_init(&owner->same_root);
331 		owner->root = NULL;
332 	}
333 	list_del_init(&p->list);
334 	p->owner = NULL;
335 	put_tree(owner);
336 }
337 
338 static int chunk_count_trees(struct audit_chunk *chunk)
339 {
340 	int i;
341 	int ret = 0;
342 
343 	for (i = 0; i < chunk->count; i++)
344 		if (chunk->owners[i].owner)
345 			ret++;
346 	return ret;
347 }
348 
349 static void untag_chunk(struct audit_chunk *chunk, struct fsnotify_mark *mark)
350 {
351 	struct audit_chunk *new;
352 	int size;
353 
354 	mutex_lock(&audit_tree_group->mark_mutex);
355 	/*
356 	 * mark_mutex stabilizes chunk attached to the mark so we can check
357 	 * whether it didn't change while we've dropped hash_lock.
358 	 */
359 	if (!(mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) ||
360 	    mark_chunk(mark) != chunk)
361 		goto out_mutex;
362 
363 	size = chunk_count_trees(chunk);
364 	if (!size) {
365 		spin_lock(&hash_lock);
366 		list_del_init(&chunk->trees);
367 		list_del_rcu(&chunk->hash);
368 		replace_mark_chunk(mark, NULL);
369 		spin_unlock(&hash_lock);
370 		fsnotify_detach_mark(mark);
371 		mutex_unlock(&audit_tree_group->mark_mutex);
372 		audit_mark_put_chunk(chunk);
373 		fsnotify_free_mark(mark);
374 		return;
375 	}
376 
377 	new = alloc_chunk(size);
378 	if (!new)
379 		goto out_mutex;
380 
381 	spin_lock(&hash_lock);
382 	/*
383 	 * This has to go last when updating chunk as once replace_chunk() is
384 	 * called, new RCU readers can see the new chunk.
385 	 */
386 	replace_chunk(new, chunk);
387 	spin_unlock(&hash_lock);
388 	mutex_unlock(&audit_tree_group->mark_mutex);
389 	audit_mark_put_chunk(chunk);
390 	return;
391 
392 out_mutex:
393 	mutex_unlock(&audit_tree_group->mark_mutex);
394 }
395 
396 /* Call with group->mark_mutex held, releases it */
397 static int create_chunk(struct inode *inode, struct audit_tree *tree)
398 {
399 	struct fsnotify_mark *mark;
400 	struct audit_chunk *chunk = alloc_chunk(1);
401 
402 	if (!chunk) {
403 		mutex_unlock(&audit_tree_group->mark_mutex);
404 		return -ENOMEM;
405 	}
406 
407 	mark = alloc_mark();
408 	if (!mark) {
409 		mutex_unlock(&audit_tree_group->mark_mutex);
410 		kfree(chunk);
411 		return -ENOMEM;
412 	}
413 
414 	if (fsnotify_add_inode_mark_locked(mark, inode, 0)) {
415 		mutex_unlock(&audit_tree_group->mark_mutex);
416 		fsnotify_put_mark(mark);
417 		kfree(chunk);
418 		return -ENOSPC;
419 	}
420 
421 	spin_lock(&hash_lock);
422 	if (tree->goner) {
423 		spin_unlock(&hash_lock);
424 		fsnotify_detach_mark(mark);
425 		mutex_unlock(&audit_tree_group->mark_mutex);
426 		fsnotify_free_mark(mark);
427 		fsnotify_put_mark(mark);
428 		kfree(chunk);
429 		return 0;
430 	}
431 	replace_mark_chunk(mark, chunk);
432 	chunk->owners[0].index = (1U << 31);
433 	chunk->owners[0].owner = tree;
434 	get_tree(tree);
435 	list_add(&chunk->owners[0].list, &tree->chunks);
436 	if (!tree->root) {
437 		tree->root = chunk;
438 		list_add(&tree->same_root, &chunk->trees);
439 	}
440 	chunk->key = inode_to_key(inode);
441 	/*
442 	 * Inserting into the hash table has to go last as once we do that RCU
443 	 * readers can see the chunk.
444 	 */
445 	insert_hash(chunk);
446 	spin_unlock(&hash_lock);
447 	mutex_unlock(&audit_tree_group->mark_mutex);
448 	/*
449 	 * Drop our initial reference. When mark we point to is getting freed,
450 	 * we get notification through ->freeing_mark callback and cleanup
451 	 * chunk pointing to this mark.
452 	 */
453 	fsnotify_put_mark(mark);
454 	return 0;
455 }
456 
457 /* the first tagged inode becomes root of tree */
458 static int tag_chunk(struct inode *inode, struct audit_tree *tree)
459 {
460 	struct fsnotify_mark *mark;
461 	struct audit_chunk *chunk, *old;
462 	struct node *p;
463 	int n;
464 
465 	mutex_lock(&audit_tree_group->mark_mutex);
466 	mark = fsnotify_find_mark(&inode->i_fsnotify_marks, audit_tree_group);
467 	if (!mark)
468 		return create_chunk(inode, tree);
469 
470 	/*
471 	 * Found mark is guaranteed to be attached and mark_mutex protects mark
472 	 * from getting detached and thus it makes sure there is chunk attached
473 	 * to the mark.
474 	 */
475 	/* are we already there? */
476 	spin_lock(&hash_lock);
477 	old = mark_chunk(mark);
478 	for (n = 0; n < old->count; n++) {
479 		if (old->owners[n].owner == tree) {
480 			spin_unlock(&hash_lock);
481 			mutex_unlock(&audit_tree_group->mark_mutex);
482 			fsnotify_put_mark(mark);
483 			return 0;
484 		}
485 	}
486 	spin_unlock(&hash_lock);
487 
488 	chunk = alloc_chunk(old->count + 1);
489 	if (!chunk) {
490 		mutex_unlock(&audit_tree_group->mark_mutex);
491 		fsnotify_put_mark(mark);
492 		return -ENOMEM;
493 	}
494 
495 	spin_lock(&hash_lock);
496 	if (tree->goner) {
497 		spin_unlock(&hash_lock);
498 		mutex_unlock(&audit_tree_group->mark_mutex);
499 		fsnotify_put_mark(mark);
500 		kfree(chunk);
501 		return 0;
502 	}
503 	p = &chunk->owners[chunk->count - 1];
504 	p->index = (chunk->count - 1) | (1U<<31);
505 	p->owner = tree;
506 	get_tree(tree);
507 	list_add(&p->list, &tree->chunks);
508 	if (!tree->root) {
509 		tree->root = chunk;
510 		list_add(&tree->same_root, &chunk->trees);
511 	}
512 	/*
513 	 * This has to go last when updating chunk as once replace_chunk() is
514 	 * called, new RCU readers can see the new chunk.
515 	 */
516 	replace_chunk(chunk, old);
517 	spin_unlock(&hash_lock);
518 	mutex_unlock(&audit_tree_group->mark_mutex);
519 	fsnotify_put_mark(mark); /* pair to fsnotify_find_mark */
520 	audit_mark_put_chunk(old);
521 
522 	return 0;
523 }
524 
525 static void audit_tree_log_remove_rule(struct audit_context *context,
526 				       struct audit_krule *rule)
527 {
528 	struct audit_buffer *ab;
529 
530 	if (!audit_enabled)
531 		return;
532 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
533 	if (unlikely(!ab))
534 		return;
535 	audit_log_format(ab, "op=remove_rule dir=");
536 	audit_log_untrustedstring(ab, rule->tree->pathname);
537 	audit_log_key(ab, rule->filterkey);
538 	audit_log_format(ab, " list=%d res=1", rule->listnr);
539 	audit_log_end(ab);
540 }
541 
542 static void kill_rules(struct audit_context *context, struct audit_tree *tree)
543 {
544 	struct audit_krule *rule, *next;
545 	struct audit_entry *entry;
546 
547 	list_for_each_entry_safe(rule, next, &tree->rules, rlist) {
548 		entry = container_of(rule, struct audit_entry, rule);
549 
550 		list_del_init(&rule->rlist);
551 		if (rule->tree) {
552 			/* not a half-baked one */
553 			audit_tree_log_remove_rule(context, rule);
554 			if (entry->rule.exe)
555 				audit_remove_mark(entry->rule.exe);
556 			rule->tree = NULL;
557 			list_del_rcu(&entry->list);
558 			list_del(&entry->rule.list);
559 			call_rcu(&entry->rcu, audit_free_rule_rcu);
560 		}
561 	}
562 }
563 
564 /*
565  * Remove tree from chunks. If 'tagged' is set, remove tree only from tagged
566  * chunks. The function expects tagged chunks are all at the beginning of the
567  * chunks list.
568  */
569 static void prune_tree_chunks(struct audit_tree *victim, bool tagged)
570 {
571 	spin_lock(&hash_lock);
572 	while (!list_empty(&victim->chunks)) {
573 		struct node *p;
574 		struct audit_chunk *chunk;
575 		struct fsnotify_mark *mark;
576 
577 		p = list_first_entry(&victim->chunks, struct node, list);
578 		/* have we run out of marked? */
579 		if (tagged && !(p->index & (1U<<31)))
580 			break;
581 		chunk = find_chunk(p);
582 		mark = chunk->mark;
583 		remove_chunk_node(chunk, p);
584 		/* Racing with audit_tree_freeing_mark()? */
585 		if (!mark)
586 			continue;
587 		fsnotify_get_mark(mark);
588 		spin_unlock(&hash_lock);
589 
590 		untag_chunk(chunk, mark);
591 		fsnotify_put_mark(mark);
592 
593 		spin_lock(&hash_lock);
594 	}
595 	spin_unlock(&hash_lock);
596 }
597 
598 /*
599  * finish killing struct audit_tree
600  */
601 static void prune_one(struct audit_tree *victim)
602 {
603 	prune_tree_chunks(victim, false);
604 	put_tree(victim);
605 }
606 
607 /* trim the uncommitted chunks from tree */
608 
609 static void trim_marked(struct audit_tree *tree)
610 {
611 	struct list_head *p, *q;
612 	spin_lock(&hash_lock);
613 	if (tree->goner) {
614 		spin_unlock(&hash_lock);
615 		return;
616 	}
617 	/* reorder */
618 	for (p = tree->chunks.next; p != &tree->chunks; p = q) {
619 		struct node *node = list_entry(p, struct node, list);
620 		q = p->next;
621 		if (node->index & (1U<<31)) {
622 			list_del_init(p);
623 			list_add(p, &tree->chunks);
624 		}
625 	}
626 	spin_unlock(&hash_lock);
627 
628 	prune_tree_chunks(tree, true);
629 
630 	spin_lock(&hash_lock);
631 	if (!tree->root && !tree->goner) {
632 		tree->goner = 1;
633 		spin_unlock(&hash_lock);
634 		mutex_lock(&audit_filter_mutex);
635 		kill_rules(audit_context(), tree);
636 		list_del_init(&tree->list);
637 		mutex_unlock(&audit_filter_mutex);
638 		prune_one(tree);
639 	} else {
640 		spin_unlock(&hash_lock);
641 	}
642 }
643 
644 static void audit_schedule_prune(void);
645 
646 /* called with audit_filter_mutex */
647 int audit_remove_tree_rule(struct audit_krule *rule)
648 {
649 	struct audit_tree *tree;
650 	tree = rule->tree;
651 	if (tree) {
652 		spin_lock(&hash_lock);
653 		list_del_init(&rule->rlist);
654 		if (list_empty(&tree->rules) && !tree->goner) {
655 			tree->root = NULL;
656 			list_del_init(&tree->same_root);
657 			tree->goner = 1;
658 			list_move(&tree->list, &prune_list);
659 			rule->tree = NULL;
660 			spin_unlock(&hash_lock);
661 			audit_schedule_prune();
662 			return 1;
663 		}
664 		rule->tree = NULL;
665 		spin_unlock(&hash_lock);
666 		return 1;
667 	}
668 	return 0;
669 }
670 
671 static int compare_root(struct vfsmount *mnt, void *arg)
672 {
673 	return inode_to_key(d_backing_inode(mnt->mnt_root)) ==
674 	       (unsigned long)arg;
675 }
676 
677 void audit_trim_trees(void)
678 {
679 	struct list_head cursor;
680 
681 	mutex_lock(&audit_filter_mutex);
682 	list_add(&cursor, &tree_list);
683 	while (cursor.next != &tree_list) {
684 		struct audit_tree *tree;
685 		struct path path;
686 		struct vfsmount *root_mnt;
687 		struct node *node;
688 		int err;
689 
690 		tree = container_of(cursor.next, struct audit_tree, list);
691 		get_tree(tree);
692 		list_move(&cursor, &tree->list);
693 		mutex_unlock(&audit_filter_mutex);
694 
695 		err = kern_path(tree->pathname, 0, &path);
696 		if (err)
697 			goto skip_it;
698 
699 		root_mnt = collect_mounts(&path);
700 		path_put(&path);
701 		if (IS_ERR(root_mnt))
702 			goto skip_it;
703 
704 		spin_lock(&hash_lock);
705 		list_for_each_entry(node, &tree->chunks, list) {
706 			struct audit_chunk *chunk = find_chunk(node);
707 			/* this could be NULL if the watch is dying else where... */
708 			node->index |= 1U<<31;
709 			if (iterate_mounts(compare_root,
710 					   (void *)(chunk->key),
711 					   root_mnt))
712 				node->index &= ~(1U<<31);
713 		}
714 		spin_unlock(&hash_lock);
715 		trim_marked(tree);
716 		drop_collected_mounts(root_mnt);
717 skip_it:
718 		put_tree(tree);
719 		mutex_lock(&audit_filter_mutex);
720 	}
721 	list_del(&cursor);
722 	mutex_unlock(&audit_filter_mutex);
723 }
724 
725 int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op)
726 {
727 
728 	if (pathname[0] != '/' ||
729 	    rule->listnr != AUDIT_FILTER_EXIT ||
730 	    op != Audit_equal ||
731 	    rule->inode_f || rule->watch || rule->tree)
732 		return -EINVAL;
733 	rule->tree = alloc_tree(pathname);
734 	if (!rule->tree)
735 		return -ENOMEM;
736 	return 0;
737 }
738 
739 void audit_put_tree(struct audit_tree *tree)
740 {
741 	put_tree(tree);
742 }
743 
744 static int tag_mount(struct vfsmount *mnt, void *arg)
745 {
746 	return tag_chunk(d_backing_inode(mnt->mnt_root), arg);
747 }
748 
749 /*
750  * That gets run when evict_chunk() ends up needing to kill audit_tree.
751  * Runs from a separate thread.
752  */
753 static int prune_tree_thread(void *unused)
754 {
755 	for (;;) {
756 		if (list_empty(&prune_list)) {
757 			set_current_state(TASK_INTERRUPTIBLE);
758 			schedule();
759 		}
760 
761 		audit_ctl_lock();
762 		mutex_lock(&audit_filter_mutex);
763 
764 		while (!list_empty(&prune_list)) {
765 			struct audit_tree *victim;
766 
767 			victim = list_entry(prune_list.next,
768 					struct audit_tree, list);
769 			list_del_init(&victim->list);
770 
771 			mutex_unlock(&audit_filter_mutex);
772 
773 			prune_one(victim);
774 
775 			mutex_lock(&audit_filter_mutex);
776 		}
777 
778 		mutex_unlock(&audit_filter_mutex);
779 		audit_ctl_unlock();
780 	}
781 	return 0;
782 }
783 
784 static int audit_launch_prune(void)
785 {
786 	if (prune_thread)
787 		return 0;
788 	prune_thread = kthread_run(prune_tree_thread, NULL,
789 				"audit_prune_tree");
790 	if (IS_ERR(prune_thread)) {
791 		pr_err("cannot start thread audit_prune_tree");
792 		prune_thread = NULL;
793 		return -ENOMEM;
794 	}
795 	return 0;
796 }
797 
798 /* called with audit_filter_mutex */
799 int audit_add_tree_rule(struct audit_krule *rule)
800 {
801 	struct audit_tree *seed = rule->tree, *tree;
802 	struct path path;
803 	struct vfsmount *mnt;
804 	int err;
805 
806 	rule->tree = NULL;
807 	list_for_each_entry(tree, &tree_list, list) {
808 		if (!strcmp(seed->pathname, tree->pathname)) {
809 			put_tree(seed);
810 			rule->tree = tree;
811 			list_add(&rule->rlist, &tree->rules);
812 			return 0;
813 		}
814 	}
815 	tree = seed;
816 	list_add(&tree->list, &tree_list);
817 	list_add(&rule->rlist, &tree->rules);
818 	/* do not set rule->tree yet */
819 	mutex_unlock(&audit_filter_mutex);
820 
821 	if (unlikely(!prune_thread)) {
822 		err = audit_launch_prune();
823 		if (err)
824 			goto Err;
825 	}
826 
827 	err = kern_path(tree->pathname, 0, &path);
828 	if (err)
829 		goto Err;
830 	mnt = collect_mounts(&path);
831 	path_put(&path);
832 	if (IS_ERR(mnt)) {
833 		err = PTR_ERR(mnt);
834 		goto Err;
835 	}
836 
837 	get_tree(tree);
838 	err = iterate_mounts(tag_mount, tree, mnt);
839 	drop_collected_mounts(mnt);
840 
841 	if (!err) {
842 		struct node *node;
843 		spin_lock(&hash_lock);
844 		list_for_each_entry(node, &tree->chunks, list)
845 			node->index &= ~(1U<<31);
846 		spin_unlock(&hash_lock);
847 	} else {
848 		trim_marked(tree);
849 		goto Err;
850 	}
851 
852 	mutex_lock(&audit_filter_mutex);
853 	if (list_empty(&rule->rlist)) {
854 		put_tree(tree);
855 		return -ENOENT;
856 	}
857 	rule->tree = tree;
858 	put_tree(tree);
859 
860 	return 0;
861 Err:
862 	mutex_lock(&audit_filter_mutex);
863 	list_del_init(&tree->list);
864 	list_del_init(&tree->rules);
865 	put_tree(tree);
866 	return err;
867 }
868 
869 int audit_tag_tree(char *old, char *new)
870 {
871 	struct list_head cursor, barrier;
872 	int failed = 0;
873 	struct path path1, path2;
874 	struct vfsmount *tagged;
875 	int err;
876 
877 	err = kern_path(new, 0, &path2);
878 	if (err)
879 		return err;
880 	tagged = collect_mounts(&path2);
881 	path_put(&path2);
882 	if (IS_ERR(tagged))
883 		return PTR_ERR(tagged);
884 
885 	err = kern_path(old, 0, &path1);
886 	if (err) {
887 		drop_collected_mounts(tagged);
888 		return err;
889 	}
890 
891 	mutex_lock(&audit_filter_mutex);
892 	list_add(&barrier, &tree_list);
893 	list_add(&cursor, &barrier);
894 
895 	while (cursor.next != &tree_list) {
896 		struct audit_tree *tree;
897 		int good_one = 0;
898 
899 		tree = container_of(cursor.next, struct audit_tree, list);
900 		get_tree(tree);
901 		list_move(&cursor, &tree->list);
902 		mutex_unlock(&audit_filter_mutex);
903 
904 		err = kern_path(tree->pathname, 0, &path2);
905 		if (!err) {
906 			good_one = path_is_under(&path1, &path2);
907 			path_put(&path2);
908 		}
909 
910 		if (!good_one) {
911 			put_tree(tree);
912 			mutex_lock(&audit_filter_mutex);
913 			continue;
914 		}
915 
916 		failed = iterate_mounts(tag_mount, tree, tagged);
917 		if (failed) {
918 			put_tree(tree);
919 			mutex_lock(&audit_filter_mutex);
920 			break;
921 		}
922 
923 		mutex_lock(&audit_filter_mutex);
924 		spin_lock(&hash_lock);
925 		if (!tree->goner) {
926 			list_move(&tree->list, &tree_list);
927 		}
928 		spin_unlock(&hash_lock);
929 		put_tree(tree);
930 	}
931 
932 	while (barrier.prev != &tree_list) {
933 		struct audit_tree *tree;
934 
935 		tree = container_of(barrier.prev, struct audit_tree, list);
936 		get_tree(tree);
937 		list_move(&tree->list, &barrier);
938 		mutex_unlock(&audit_filter_mutex);
939 
940 		if (!failed) {
941 			struct node *node;
942 			spin_lock(&hash_lock);
943 			list_for_each_entry(node, &tree->chunks, list)
944 				node->index &= ~(1U<<31);
945 			spin_unlock(&hash_lock);
946 		} else {
947 			trim_marked(tree);
948 		}
949 
950 		put_tree(tree);
951 		mutex_lock(&audit_filter_mutex);
952 	}
953 	list_del(&barrier);
954 	list_del(&cursor);
955 	mutex_unlock(&audit_filter_mutex);
956 	path_put(&path1);
957 	drop_collected_mounts(tagged);
958 	return failed;
959 }
960 
961 
962 static void audit_schedule_prune(void)
963 {
964 	wake_up_process(prune_thread);
965 }
966 
967 /*
968  * ... and that one is done if evict_chunk() decides to delay until the end
969  * of syscall.  Runs synchronously.
970  */
971 void audit_kill_trees(struct audit_context *context)
972 {
973 	struct list_head *list = &context->killed_trees;
974 
975 	audit_ctl_lock();
976 	mutex_lock(&audit_filter_mutex);
977 
978 	while (!list_empty(list)) {
979 		struct audit_tree *victim;
980 
981 		victim = list_entry(list->next, struct audit_tree, list);
982 		kill_rules(context, victim);
983 		list_del_init(&victim->list);
984 
985 		mutex_unlock(&audit_filter_mutex);
986 
987 		prune_one(victim);
988 
989 		mutex_lock(&audit_filter_mutex);
990 	}
991 
992 	mutex_unlock(&audit_filter_mutex);
993 	audit_ctl_unlock();
994 }
995 
996 /*
997  *  Here comes the stuff asynchronous to auditctl operations
998  */
999 
1000 static void evict_chunk(struct audit_chunk *chunk)
1001 {
1002 	struct audit_tree *owner;
1003 	struct list_head *postponed = audit_killed_trees();
1004 	int need_prune = 0;
1005 	int n;
1006 
1007 	mutex_lock(&audit_filter_mutex);
1008 	spin_lock(&hash_lock);
1009 	while (!list_empty(&chunk->trees)) {
1010 		owner = list_entry(chunk->trees.next,
1011 				   struct audit_tree, same_root);
1012 		owner->goner = 1;
1013 		owner->root = NULL;
1014 		list_del_init(&owner->same_root);
1015 		spin_unlock(&hash_lock);
1016 		if (!postponed) {
1017 			kill_rules(audit_context(), owner);
1018 			list_move(&owner->list, &prune_list);
1019 			need_prune = 1;
1020 		} else {
1021 			list_move(&owner->list, postponed);
1022 		}
1023 		spin_lock(&hash_lock);
1024 	}
1025 	list_del_rcu(&chunk->hash);
1026 	for (n = 0; n < chunk->count; n++)
1027 		list_del_init(&chunk->owners[n].list);
1028 	spin_unlock(&hash_lock);
1029 	mutex_unlock(&audit_filter_mutex);
1030 	if (need_prune)
1031 		audit_schedule_prune();
1032 }
1033 
1034 static int audit_tree_handle_event(struct fsnotify_mark *mark, u32 mask,
1035 				   struct inode *inode, struct inode *dir,
1036 				   const struct qstr *file_name, u32 cookie)
1037 {
1038 	return 0;
1039 }
1040 
1041 static void audit_tree_freeing_mark(struct fsnotify_mark *mark,
1042 				    struct fsnotify_group *group)
1043 {
1044 	struct audit_chunk *chunk;
1045 
1046 	mutex_lock(&mark->group->mark_mutex);
1047 	spin_lock(&hash_lock);
1048 	chunk = mark_chunk(mark);
1049 	replace_mark_chunk(mark, NULL);
1050 	spin_unlock(&hash_lock);
1051 	mutex_unlock(&mark->group->mark_mutex);
1052 	if (chunk) {
1053 		evict_chunk(chunk);
1054 		audit_mark_put_chunk(chunk);
1055 	}
1056 
1057 	/*
1058 	 * We are guaranteed to have at least one reference to the mark from
1059 	 * either the inode or the caller of fsnotify_destroy_mark().
1060 	 */
1061 	BUG_ON(refcount_read(&mark->refcnt) < 1);
1062 }
1063 
1064 static const struct fsnotify_ops audit_tree_ops = {
1065 	.handle_inode_event = audit_tree_handle_event,
1066 	.freeing_mark = audit_tree_freeing_mark,
1067 	.free_mark = audit_tree_destroy_watch,
1068 };
1069 
1070 static int __init audit_tree_init(void)
1071 {
1072 	int i;
1073 
1074 	audit_tree_mark_cachep = KMEM_CACHE(audit_tree_mark, SLAB_PANIC);
1075 
1076 	audit_tree_group = fsnotify_alloc_group(&audit_tree_ops);
1077 	if (IS_ERR(audit_tree_group))
1078 		audit_panic("cannot initialize fsnotify group for rectree watches");
1079 
1080 	for (i = 0; i < HASH_SIZE; i++)
1081 		INIT_LIST_HEAD(&chunk_hash_heads[i]);
1082 
1083 	return 0;
1084 }
1085 __initcall(audit_tree_init);
1086