1 /* audit_watch.c -- watching inodes 2 * 3 * Copyright 2003-2009 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Reference counting: 36 * 37 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 38 * event. Each audit_watch holds a reference to its associated parent. 39 * 40 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 41 * audit_remove_watch(). Additionally, an audit_watch may exist 42 * temporarily to assist in searching existing filter data. Each 43 * audit_krule holds a reference to its associated watch. 44 */ 45 46 struct audit_watch { 47 atomic_t count; /* reference count */ 48 dev_t dev; /* associated superblock device */ 49 char *path; /* insertion path */ 50 unsigned long ino; /* associated inode number */ 51 struct audit_parent *parent; /* associated parent */ 52 struct list_head wlist; /* entry in parent->watches list */ 53 struct list_head rules; /* associated rules */ 54 }; 55 56 struct audit_parent { 57 struct list_head ilist; /* entry in inotify registration list */ 58 struct list_head watches; /* associated watches */ 59 struct inotify_watch wdata; /* inotify watch data */ 60 unsigned flags; /* status flags */ 61 }; 62 63 /* Inotify handle. */ 64 struct inotify_handle *audit_ih; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Inotify events we care about. */ 78 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 79 80 static void audit_free_parent(struct inotify_watch *i_watch) 81 { 82 struct audit_parent *parent; 83 84 parent = container_of(i_watch, struct audit_parent, wdata); 85 WARN_ON(!list_empty(&parent->watches)); 86 kfree(parent); 87 } 88 89 void audit_get_watch(struct audit_watch *watch) 90 { 91 atomic_inc(&watch->count); 92 } 93 94 void audit_put_watch(struct audit_watch *watch) 95 { 96 if (atomic_dec_and_test(&watch->count)) { 97 WARN_ON(watch->parent); 98 WARN_ON(!list_empty(&watch->rules)); 99 kfree(watch->path); 100 kfree(watch); 101 } 102 } 103 104 void audit_remove_watch(struct audit_watch *watch) 105 { 106 list_del(&watch->wlist); 107 put_inotify_watch(&watch->parent->wdata); 108 watch->parent = NULL; 109 audit_put_watch(watch); /* match initial get */ 110 } 111 112 char *audit_watch_path(struct audit_watch *watch) 113 { 114 return watch->path; 115 } 116 117 struct list_head *audit_watch_rules(struct audit_watch *watch) 118 { 119 return &watch->rules; 120 } 121 122 unsigned long audit_watch_inode(struct audit_watch *watch) 123 { 124 return watch->ino; 125 } 126 127 dev_t audit_watch_dev(struct audit_watch *watch) 128 { 129 return watch->dev; 130 } 131 132 /* Initialize a parent watch entry. */ 133 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 134 { 135 struct audit_parent *parent; 136 s32 wd; 137 138 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 139 if (unlikely(!parent)) 140 return ERR_PTR(-ENOMEM); 141 142 INIT_LIST_HEAD(&parent->watches); 143 parent->flags = 0; 144 145 inotify_init_watch(&parent->wdata); 146 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 147 get_inotify_watch(&parent->wdata); 148 wd = inotify_add_watch(audit_ih, &parent->wdata, 149 ndp->path.dentry->d_inode, AUDIT_IN_WATCH); 150 if (wd < 0) { 151 audit_free_parent(&parent->wdata); 152 return ERR_PTR(wd); 153 } 154 155 return parent; 156 } 157 158 /* Initialize a watch entry. */ 159 static struct audit_watch *audit_init_watch(char *path) 160 { 161 struct audit_watch *watch; 162 163 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 164 if (unlikely(!watch)) 165 return ERR_PTR(-ENOMEM); 166 167 INIT_LIST_HEAD(&watch->rules); 168 atomic_set(&watch->count, 1); 169 watch->path = path; 170 watch->dev = (dev_t)-1; 171 watch->ino = (unsigned long)-1; 172 173 return watch; 174 } 175 176 /* Translate a watch string to kernel respresentation. */ 177 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op) 178 { 179 struct audit_watch *watch; 180 181 if (!audit_ih) 182 return -EOPNOTSUPP; 183 184 if (path[0] != '/' || path[len-1] == '/' || 185 krule->listnr != AUDIT_FILTER_EXIT || 186 op != Audit_equal || 187 krule->inode_f || krule->watch || krule->tree) 188 return -EINVAL; 189 190 watch = audit_init_watch(path); 191 if (IS_ERR(watch)) 192 return PTR_ERR(watch); 193 194 audit_get_watch(watch); 195 krule->watch = watch; 196 197 return 0; 198 } 199 200 /* Duplicate the given audit watch. The new watch's rules list is initialized 201 * to an empty list and wlist is undefined. */ 202 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 203 { 204 char *path; 205 struct audit_watch *new; 206 207 path = kstrdup(old->path, GFP_KERNEL); 208 if (unlikely(!path)) 209 return ERR_PTR(-ENOMEM); 210 211 new = audit_init_watch(path); 212 if (IS_ERR(new)) { 213 kfree(path); 214 goto out; 215 } 216 217 new->dev = old->dev; 218 new->ino = old->ino; 219 get_inotify_watch(&old->parent->wdata); 220 new->parent = old->parent; 221 222 out: 223 return new; 224 } 225 226 static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) 227 { 228 if (audit_enabled) { 229 struct audit_buffer *ab; 230 ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); 231 audit_log_format(ab, "auid=%u ses=%u op=", 232 audit_get_loginuid(current), 233 audit_get_sessionid(current)); 234 audit_log_string(ab, op); 235 audit_log_format(ab, " path="); 236 audit_log_untrustedstring(ab, w->path); 237 audit_log_key(ab, r->filterkey); 238 audit_log_format(ab, " list=%d res=1", r->listnr); 239 audit_log_end(ab); 240 } 241 } 242 243 /* Update inode info in audit rules based on filesystem event. */ 244 static void audit_update_watch(struct audit_parent *parent, 245 const char *dname, dev_t dev, 246 unsigned long ino, unsigned invalidating) 247 { 248 struct audit_watch *owatch, *nwatch, *nextw; 249 struct audit_krule *r, *nextr; 250 struct audit_entry *oentry, *nentry; 251 252 mutex_lock(&audit_filter_mutex); 253 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 254 if (audit_compare_dname_path(dname, owatch->path, NULL)) 255 continue; 256 257 /* If the update involves invalidating rules, do the inode-based 258 * filtering now, so we don't omit records. */ 259 if (invalidating && current->audit_context) 260 audit_filter_inodes(current, current->audit_context); 261 262 nwatch = audit_dupe_watch(owatch); 263 if (IS_ERR(nwatch)) { 264 mutex_unlock(&audit_filter_mutex); 265 audit_panic("error updating watch, skipping"); 266 return; 267 } 268 nwatch->dev = dev; 269 nwatch->ino = ino; 270 271 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 272 273 oentry = container_of(r, struct audit_entry, rule); 274 list_del(&oentry->rule.rlist); 275 list_del_rcu(&oentry->list); 276 277 nentry = audit_dupe_rule(&oentry->rule, nwatch); 278 if (IS_ERR(nentry)) { 279 list_del(&oentry->rule.list); 280 audit_panic("error updating watch, removing"); 281 } else { 282 int h = audit_hash_ino((u32)ino); 283 list_add(&nentry->rule.rlist, &nwatch->rules); 284 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 285 list_replace(&oentry->rule.list, 286 &nentry->rule.list); 287 } 288 289 audit_watch_log_rule_change(r, owatch, "updated rules"); 290 291 call_rcu(&oentry->rcu, audit_free_rule_rcu); 292 } 293 294 audit_remove_watch(owatch); 295 goto add_watch_to_parent; /* event applies to a single watch */ 296 } 297 mutex_unlock(&audit_filter_mutex); 298 return; 299 300 add_watch_to_parent: 301 list_add(&nwatch->wlist, &parent->watches); 302 mutex_unlock(&audit_filter_mutex); 303 return; 304 } 305 306 /* Remove all watches & rules associated with a parent that is going away. */ 307 static void audit_remove_parent_watches(struct audit_parent *parent) 308 { 309 struct audit_watch *w, *nextw; 310 struct audit_krule *r, *nextr; 311 struct audit_entry *e; 312 313 mutex_lock(&audit_filter_mutex); 314 parent->flags |= AUDIT_PARENT_INVALID; 315 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 316 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 317 e = container_of(r, struct audit_entry, rule); 318 audit_watch_log_rule_change(r, w, "remove rule"); 319 list_del(&r->rlist); 320 list_del(&r->list); 321 list_del_rcu(&e->list); 322 call_rcu(&e->rcu, audit_free_rule_rcu); 323 } 324 audit_remove_watch(w); 325 } 326 mutex_unlock(&audit_filter_mutex); 327 } 328 329 /* Unregister inotify watches for parents on in_list. 330 * Generates an IN_IGNORED event. */ 331 void audit_inotify_unregister(struct list_head *in_list) 332 { 333 struct audit_parent *p, *n; 334 335 list_for_each_entry_safe(p, n, in_list, ilist) { 336 list_del(&p->ilist); 337 inotify_rm_watch(audit_ih, &p->wdata); 338 /* the unpin matching the pin in audit_do_del_rule() */ 339 unpin_inotify_watch(&p->wdata); 340 } 341 } 342 343 /* Get path information necessary for adding watches. */ 344 static int audit_get_nd(char *path, struct nameidata **ndp, struct nameidata **ndw) 345 { 346 struct nameidata *ndparent, *ndwatch; 347 int err; 348 349 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 350 if (unlikely(!ndparent)) 351 return -ENOMEM; 352 353 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 354 if (unlikely(!ndwatch)) { 355 kfree(ndparent); 356 return -ENOMEM; 357 } 358 359 err = path_lookup(path, LOOKUP_PARENT, ndparent); 360 if (err) { 361 kfree(ndparent); 362 kfree(ndwatch); 363 return err; 364 } 365 366 err = path_lookup(path, 0, ndwatch); 367 if (err) { 368 kfree(ndwatch); 369 ndwatch = NULL; 370 } 371 372 *ndp = ndparent; 373 *ndw = ndwatch; 374 375 return 0; 376 } 377 378 /* Release resources used for watch path information. */ 379 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 380 { 381 if (ndp) { 382 path_put(&ndp->path); 383 kfree(ndp); 384 } 385 if (ndw) { 386 path_put(&ndw->path); 387 kfree(ndw); 388 } 389 } 390 391 /* Associate the given rule with an existing parent inotify_watch. 392 * Caller must hold audit_filter_mutex. */ 393 static void audit_add_to_parent(struct audit_krule *krule, 394 struct audit_parent *parent) 395 { 396 struct audit_watch *w, *watch = krule->watch; 397 int watch_found = 0; 398 399 list_for_each_entry(w, &parent->watches, wlist) { 400 if (strcmp(watch->path, w->path)) 401 continue; 402 403 watch_found = 1; 404 405 /* put krule's and initial refs to temporary watch */ 406 audit_put_watch(watch); 407 audit_put_watch(watch); 408 409 audit_get_watch(w); 410 krule->watch = watch = w; 411 break; 412 } 413 414 if (!watch_found) { 415 get_inotify_watch(&parent->wdata); 416 watch->parent = parent; 417 418 list_add(&watch->wlist, &parent->watches); 419 } 420 list_add(&krule->rlist, &watch->rules); 421 } 422 423 /* Find a matching watch entry, or add this one. 424 * Caller must hold audit_filter_mutex. */ 425 int audit_add_watch(struct audit_krule *krule) 426 { 427 struct audit_watch *watch = krule->watch; 428 struct inotify_watch *i_watch; 429 struct audit_parent *parent; 430 struct nameidata *ndp = NULL, *ndw = NULL; 431 int ret = 0; 432 433 mutex_unlock(&audit_filter_mutex); 434 435 /* Avoid calling path_lookup under audit_filter_mutex. */ 436 ret = audit_get_nd(watch->path, &ndp, &ndw); 437 if (ret) { 438 /* caller expects mutex locked */ 439 mutex_lock(&audit_filter_mutex); 440 goto error; 441 } 442 443 /* update watch filter fields */ 444 if (ndw) { 445 watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev; 446 watch->ino = ndw->path.dentry->d_inode->i_ino; 447 } 448 449 /* The audit_filter_mutex must not be held during inotify calls because 450 * we hold it during inotify event callback processing. If an existing 451 * inotify watch is found, inotify_find_watch() grabs a reference before 452 * returning. 453 */ 454 if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode, 455 &i_watch) < 0) { 456 parent = audit_init_parent(ndp); 457 if (IS_ERR(parent)) { 458 /* caller expects mutex locked */ 459 mutex_lock(&audit_filter_mutex); 460 ret = PTR_ERR(parent); 461 goto error; 462 } 463 } else 464 parent = container_of(i_watch, struct audit_parent, wdata); 465 466 mutex_lock(&audit_filter_mutex); 467 468 /* parent was moved before we took audit_filter_mutex */ 469 if (parent->flags & AUDIT_PARENT_INVALID) 470 ret = -ENOENT; 471 else 472 audit_add_to_parent(krule, parent); 473 474 /* match get in audit_init_parent or inotify_find_watch */ 475 put_inotify_watch(&parent->wdata); 476 477 error: 478 audit_put_nd(ndp, ndw); /* NULL args OK */ 479 return ret; 480 481 } 482 483 void audit_remove_watch_rule(struct audit_krule *krule, struct list_head *list) 484 { 485 struct audit_watch *watch = krule->watch; 486 struct audit_parent *parent = watch->parent; 487 488 list_del(&krule->rlist); 489 490 if (list_empty(&watch->rules)) { 491 audit_remove_watch(watch); 492 493 if (list_empty(&parent->watches)) { 494 /* Put parent on the inotify un-registration 495 * list. Grab a reference before releasing 496 * audit_filter_mutex, to be released in 497 * audit_inotify_unregister(). 498 * If filesystem is going away, just leave 499 * the sucker alone, eviction will take 500 * care of it. */ 501 if (pin_inotify_watch(&parent->wdata)) 502 list_add(&parent->ilist, list); 503 } 504 } 505 } 506 507 /* Update watch data in audit rules based on inotify events. */ 508 static void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 509 u32 cookie, const char *dname, struct inode *inode) 510 { 511 struct audit_parent *parent; 512 513 parent = container_of(i_watch, struct audit_parent, wdata); 514 515 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 516 audit_update_watch(parent, dname, inode->i_sb->s_dev, 517 inode->i_ino, 0); 518 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 519 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 520 /* inotify automatically removes the watch and sends IN_IGNORED */ 521 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 522 audit_remove_parent_watches(parent); 523 /* inotify does not remove the watch, so remove it manually */ 524 else if(mask & IN_MOVE_SELF) { 525 audit_remove_parent_watches(parent); 526 inotify_remove_watch_locked(audit_ih, i_watch); 527 } else if (mask & IN_IGNORED) 528 put_inotify_watch(i_watch); 529 } 530 531 static const struct inotify_operations audit_inotify_ops = { 532 .handle_event = audit_handle_ievent, 533 .destroy_watch = audit_free_parent, 534 }; 535 536 static int __init audit_watch_init(void) 537 { 538 audit_ih = inotify_init(&audit_inotify_ops); 539 if (IS_ERR(audit_ih)) 540 audit_panic("cannot initialize inotify handle"); 541 return 0; 542 } 543 subsys_initcall(audit_watch_init); 544