1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* Audit filter lists, defined in <linux/audit.h> */ 48 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 49 LIST_HEAD_INIT(audit_filter_list[0]), 50 LIST_HEAD_INIT(audit_filter_list[1]), 51 LIST_HEAD_INIT(audit_filter_list[2]), 52 LIST_HEAD_INIT(audit_filter_list[3]), 53 LIST_HEAD_INIT(audit_filter_list[4]), 54 LIST_HEAD_INIT(audit_filter_list[5]), 55 #if AUDIT_NR_FILTERS != 6 56 #error Fix audit_filter_list initialiser 57 #endif 58 }; 59 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 60 LIST_HEAD_INIT(audit_rules_list[0]), 61 LIST_HEAD_INIT(audit_rules_list[1]), 62 LIST_HEAD_INIT(audit_rules_list[2]), 63 LIST_HEAD_INIT(audit_rules_list[3]), 64 LIST_HEAD_INIT(audit_rules_list[4]), 65 LIST_HEAD_INIT(audit_rules_list[5]), 66 }; 67 68 DEFINE_MUTEX(audit_filter_mutex); 69 70 static inline void audit_free_rule(struct audit_entry *e) 71 { 72 int i; 73 struct audit_krule *erule = &e->rule; 74 /* some rules don't have associated watches */ 75 if (erule->watch) 76 audit_put_watch(erule->watch); 77 if (erule->fields) 78 for (i = 0; i < erule->field_count; i++) { 79 struct audit_field *f = &erule->fields[i]; 80 kfree(f->lsm_str); 81 security_audit_rule_free(f->lsm_rule); 82 } 83 kfree(erule->fields); 84 kfree(erule->filterkey); 85 kfree(e); 86 } 87 88 void audit_free_rule_rcu(struct rcu_head *head) 89 { 90 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 91 audit_free_rule(e); 92 } 93 94 /* Initialize an audit filterlist entry. */ 95 static inline struct audit_entry *audit_init_entry(u32 field_count) 96 { 97 struct audit_entry *entry; 98 struct audit_field *fields; 99 100 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 101 if (unlikely(!entry)) 102 return NULL; 103 104 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 105 if (unlikely(!fields)) { 106 kfree(entry); 107 return NULL; 108 } 109 entry->rule.fields = fields; 110 111 return entry; 112 } 113 114 /* Unpack a filter field's string representation from user-space 115 * buffer. */ 116 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 117 { 118 char *str; 119 120 if (!*bufp || (len == 0) || (len > *remain)) 121 return ERR_PTR(-EINVAL); 122 123 /* Of the currently implemented string fields, PATH_MAX 124 * defines the longest valid length. 125 */ 126 if (len > PATH_MAX) 127 return ERR_PTR(-ENAMETOOLONG); 128 129 str = kmalloc(len + 1, GFP_KERNEL); 130 if (unlikely(!str)) 131 return ERR_PTR(-ENOMEM); 132 133 memcpy(str, *bufp, len); 134 str[len] = 0; 135 *bufp += len; 136 *remain -= len; 137 138 return str; 139 } 140 141 /* Translate an inode field to kernel respresentation. */ 142 static inline int audit_to_inode(struct audit_krule *krule, 143 struct audit_field *f) 144 { 145 if (krule->listnr != AUDIT_FILTER_EXIT || 146 krule->watch || krule->inode_f || krule->tree || 147 (f->op != Audit_equal && f->op != Audit_not_equal)) 148 return -EINVAL; 149 150 krule->inode_f = f; 151 return 0; 152 } 153 154 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 155 156 int __init audit_register_class(int class, unsigned *list) 157 { 158 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 159 if (!p) 160 return -ENOMEM; 161 while (*list != ~0U) { 162 unsigned n = *list++; 163 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 164 kfree(p); 165 return -EINVAL; 166 } 167 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 168 } 169 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 170 kfree(p); 171 return -EINVAL; 172 } 173 classes[class] = p; 174 return 0; 175 } 176 177 int audit_match_class(int class, unsigned syscall) 178 { 179 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 180 return 0; 181 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 182 return 0; 183 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 184 } 185 186 #ifdef CONFIG_AUDITSYSCALL 187 static inline int audit_match_class_bits(int class, u32 *mask) 188 { 189 int i; 190 191 if (classes[class]) { 192 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 193 if (mask[i] & classes[class][i]) 194 return 0; 195 } 196 return 1; 197 } 198 199 static int audit_match_signal(struct audit_entry *entry) 200 { 201 struct audit_field *arch = entry->rule.arch_f; 202 203 if (!arch) { 204 /* When arch is unspecified, we must check both masks on biarch 205 * as syscall number alone is ambiguous. */ 206 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 207 entry->rule.mask) && 208 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 209 entry->rule.mask)); 210 } 211 212 switch(audit_classify_arch(arch->val)) { 213 case 0: /* native */ 214 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 215 entry->rule.mask)); 216 case 1: /* 32bit on biarch */ 217 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 218 entry->rule.mask)); 219 default: 220 return 1; 221 } 222 } 223 #endif 224 225 /* Common user-space to kernel rule translation. */ 226 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 227 { 228 unsigned listnr; 229 struct audit_entry *entry; 230 int i, err; 231 232 err = -EINVAL; 233 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 234 switch(listnr) { 235 default: 236 goto exit_err; 237 case AUDIT_FILTER_USER: 238 case AUDIT_FILTER_TYPE: 239 #ifdef CONFIG_AUDITSYSCALL 240 case AUDIT_FILTER_ENTRY: 241 case AUDIT_FILTER_EXIT: 242 case AUDIT_FILTER_TASK: 243 #endif 244 ; 245 } 246 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 247 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 248 goto exit_err; 249 } 250 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 251 goto exit_err; 252 if (rule->field_count > AUDIT_MAX_FIELDS) 253 goto exit_err; 254 255 err = -ENOMEM; 256 entry = audit_init_entry(rule->field_count); 257 if (!entry) 258 goto exit_err; 259 260 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 261 entry->rule.listnr = listnr; 262 entry->rule.action = rule->action; 263 entry->rule.field_count = rule->field_count; 264 265 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 266 entry->rule.mask[i] = rule->mask[i]; 267 268 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 269 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 270 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 271 __u32 *class; 272 273 if (!(*p & AUDIT_BIT(bit))) 274 continue; 275 *p &= ~AUDIT_BIT(bit); 276 class = classes[i]; 277 if (class) { 278 int j; 279 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 280 entry->rule.mask[j] |= class[j]; 281 } 282 } 283 284 return entry; 285 286 exit_err: 287 return ERR_PTR(err); 288 } 289 290 static u32 audit_ops[] = 291 { 292 [Audit_equal] = AUDIT_EQUAL, 293 [Audit_not_equal] = AUDIT_NOT_EQUAL, 294 [Audit_bitmask] = AUDIT_BIT_MASK, 295 [Audit_bittest] = AUDIT_BIT_TEST, 296 [Audit_lt] = AUDIT_LESS_THAN, 297 [Audit_gt] = AUDIT_GREATER_THAN, 298 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 299 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 300 }; 301 302 static u32 audit_to_op(u32 op) 303 { 304 u32 n; 305 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 306 ; 307 return n; 308 } 309 310 311 /* Translate struct audit_rule to kernel's rule respresentation. 312 * Exists for backward compatibility with userspace. */ 313 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 314 { 315 struct audit_entry *entry; 316 int err = 0; 317 int i; 318 319 entry = audit_to_entry_common(rule); 320 if (IS_ERR(entry)) 321 goto exit_nofree; 322 323 for (i = 0; i < rule->field_count; i++) { 324 struct audit_field *f = &entry->rule.fields[i]; 325 u32 n; 326 327 n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 328 329 /* Support for legacy operators where 330 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 331 if (n & AUDIT_NEGATE) 332 f->op = Audit_not_equal; 333 else if (!n) 334 f->op = Audit_equal; 335 else 336 f->op = audit_to_op(n); 337 338 entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; 339 340 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 341 f->val = rule->values[i]; 342 343 err = -EINVAL; 344 if (f->op == Audit_bad) 345 goto exit_free; 346 347 switch(f->type) { 348 default: 349 goto exit_free; 350 case AUDIT_PID: 351 case AUDIT_UID: 352 case AUDIT_EUID: 353 case AUDIT_SUID: 354 case AUDIT_FSUID: 355 case AUDIT_GID: 356 case AUDIT_EGID: 357 case AUDIT_SGID: 358 case AUDIT_FSGID: 359 case AUDIT_LOGINUID: 360 case AUDIT_PERS: 361 case AUDIT_MSGTYPE: 362 case AUDIT_PPID: 363 case AUDIT_DEVMAJOR: 364 case AUDIT_DEVMINOR: 365 case AUDIT_EXIT: 366 case AUDIT_SUCCESS: 367 /* bit ops are only useful on syscall args */ 368 if (f->op == Audit_bitmask || f->op == Audit_bittest) 369 goto exit_free; 370 break; 371 case AUDIT_ARG0: 372 case AUDIT_ARG1: 373 case AUDIT_ARG2: 374 case AUDIT_ARG3: 375 break; 376 /* arch is only allowed to be = or != */ 377 case AUDIT_ARCH: 378 if (f->op != Audit_not_equal && f->op != Audit_equal) 379 goto exit_free; 380 entry->rule.arch_f = f; 381 break; 382 case AUDIT_PERM: 383 if (f->val & ~15) 384 goto exit_free; 385 break; 386 case AUDIT_FILETYPE: 387 if ((f->val & ~S_IFMT) > S_IFMT) 388 goto exit_free; 389 break; 390 case AUDIT_INODE: 391 err = audit_to_inode(&entry->rule, f); 392 if (err) 393 goto exit_free; 394 break; 395 } 396 } 397 398 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 399 entry->rule.inode_f = NULL; 400 401 exit_nofree: 402 return entry; 403 404 exit_free: 405 audit_free_rule(entry); 406 return ERR_PTR(err); 407 } 408 409 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 410 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 411 size_t datasz) 412 { 413 int err = 0; 414 struct audit_entry *entry; 415 void *bufp; 416 size_t remain = datasz - sizeof(struct audit_rule_data); 417 int i; 418 char *str; 419 420 entry = audit_to_entry_common((struct audit_rule *)data); 421 if (IS_ERR(entry)) 422 goto exit_nofree; 423 424 bufp = data->buf; 425 entry->rule.vers_ops = 2; 426 for (i = 0; i < data->field_count; i++) { 427 struct audit_field *f = &entry->rule.fields[i]; 428 429 err = -EINVAL; 430 431 f->op = audit_to_op(data->fieldflags[i]); 432 if (f->op == Audit_bad) 433 goto exit_free; 434 435 f->type = data->fields[i]; 436 f->val = data->values[i]; 437 f->lsm_str = NULL; 438 f->lsm_rule = NULL; 439 switch(f->type) { 440 case AUDIT_PID: 441 case AUDIT_UID: 442 case AUDIT_EUID: 443 case AUDIT_SUID: 444 case AUDIT_FSUID: 445 case AUDIT_GID: 446 case AUDIT_EGID: 447 case AUDIT_SGID: 448 case AUDIT_FSGID: 449 case AUDIT_LOGINUID: 450 case AUDIT_PERS: 451 case AUDIT_MSGTYPE: 452 case AUDIT_PPID: 453 case AUDIT_DEVMAJOR: 454 case AUDIT_DEVMINOR: 455 case AUDIT_EXIT: 456 case AUDIT_SUCCESS: 457 case AUDIT_ARG0: 458 case AUDIT_ARG1: 459 case AUDIT_ARG2: 460 case AUDIT_ARG3: 461 break; 462 case AUDIT_ARCH: 463 entry->rule.arch_f = f; 464 break; 465 case AUDIT_SUBJ_USER: 466 case AUDIT_SUBJ_ROLE: 467 case AUDIT_SUBJ_TYPE: 468 case AUDIT_SUBJ_SEN: 469 case AUDIT_SUBJ_CLR: 470 case AUDIT_OBJ_USER: 471 case AUDIT_OBJ_ROLE: 472 case AUDIT_OBJ_TYPE: 473 case AUDIT_OBJ_LEV_LOW: 474 case AUDIT_OBJ_LEV_HIGH: 475 str = audit_unpack_string(&bufp, &remain, f->val); 476 if (IS_ERR(str)) 477 goto exit_free; 478 entry->rule.buflen += f->val; 479 480 err = security_audit_rule_init(f->type, f->op, str, 481 (void **)&f->lsm_rule); 482 /* Keep currently invalid fields around in case they 483 * become valid after a policy reload. */ 484 if (err == -EINVAL) { 485 printk(KERN_WARNING "audit rule for LSM " 486 "\'%s\' is invalid\n", str); 487 err = 0; 488 } 489 if (err) { 490 kfree(str); 491 goto exit_free; 492 } else 493 f->lsm_str = str; 494 break; 495 case AUDIT_WATCH: 496 str = audit_unpack_string(&bufp, &remain, f->val); 497 if (IS_ERR(str)) 498 goto exit_free; 499 entry->rule.buflen += f->val; 500 501 err = audit_to_watch(&entry->rule, str, f->val, f->op); 502 if (err) { 503 kfree(str); 504 goto exit_free; 505 } 506 break; 507 case AUDIT_DIR: 508 str = audit_unpack_string(&bufp, &remain, f->val); 509 if (IS_ERR(str)) 510 goto exit_free; 511 entry->rule.buflen += f->val; 512 513 err = audit_make_tree(&entry->rule, str, f->op); 514 kfree(str); 515 if (err) 516 goto exit_free; 517 break; 518 case AUDIT_INODE: 519 err = audit_to_inode(&entry->rule, f); 520 if (err) 521 goto exit_free; 522 break; 523 case AUDIT_FILTERKEY: 524 err = -EINVAL; 525 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 526 goto exit_free; 527 str = audit_unpack_string(&bufp, &remain, f->val); 528 if (IS_ERR(str)) 529 goto exit_free; 530 entry->rule.buflen += f->val; 531 entry->rule.filterkey = str; 532 break; 533 case AUDIT_PERM: 534 if (f->val & ~15) 535 goto exit_free; 536 break; 537 case AUDIT_FILETYPE: 538 if ((f->val & ~S_IFMT) > S_IFMT) 539 goto exit_free; 540 break; 541 default: 542 goto exit_free; 543 } 544 } 545 546 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 547 entry->rule.inode_f = NULL; 548 549 exit_nofree: 550 return entry; 551 552 exit_free: 553 audit_free_rule(entry); 554 return ERR_PTR(err); 555 } 556 557 /* Pack a filter field's string representation into data block. */ 558 static inline size_t audit_pack_string(void **bufp, const char *str) 559 { 560 size_t len = strlen(str); 561 562 memcpy(*bufp, str, len); 563 *bufp += len; 564 565 return len; 566 } 567 568 /* Translate kernel rule respresentation to struct audit_rule. 569 * Exists for backward compatibility with userspace. */ 570 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 571 { 572 struct audit_rule *rule; 573 int i; 574 575 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 576 if (unlikely(!rule)) 577 return NULL; 578 579 rule->flags = krule->flags | krule->listnr; 580 rule->action = krule->action; 581 rule->field_count = krule->field_count; 582 for (i = 0; i < rule->field_count; i++) { 583 rule->values[i] = krule->fields[i].val; 584 rule->fields[i] = krule->fields[i].type; 585 586 if (krule->vers_ops == 1) { 587 if (krule->fields[i].op == Audit_not_equal) 588 rule->fields[i] |= AUDIT_NEGATE; 589 } else { 590 rule->fields[i] |= audit_ops[krule->fields[i].op]; 591 } 592 } 593 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 594 595 return rule; 596 } 597 598 /* Translate kernel rule respresentation to struct audit_rule_data. */ 599 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 600 { 601 struct audit_rule_data *data; 602 void *bufp; 603 int i; 604 605 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 606 if (unlikely(!data)) 607 return NULL; 608 memset(data, 0, sizeof(*data)); 609 610 data->flags = krule->flags | krule->listnr; 611 data->action = krule->action; 612 data->field_count = krule->field_count; 613 bufp = data->buf; 614 for (i = 0; i < data->field_count; i++) { 615 struct audit_field *f = &krule->fields[i]; 616 617 data->fields[i] = f->type; 618 data->fieldflags[i] = audit_ops[f->op]; 619 switch(f->type) { 620 case AUDIT_SUBJ_USER: 621 case AUDIT_SUBJ_ROLE: 622 case AUDIT_SUBJ_TYPE: 623 case AUDIT_SUBJ_SEN: 624 case AUDIT_SUBJ_CLR: 625 case AUDIT_OBJ_USER: 626 case AUDIT_OBJ_ROLE: 627 case AUDIT_OBJ_TYPE: 628 case AUDIT_OBJ_LEV_LOW: 629 case AUDIT_OBJ_LEV_HIGH: 630 data->buflen += data->values[i] = 631 audit_pack_string(&bufp, f->lsm_str); 632 break; 633 case AUDIT_WATCH: 634 data->buflen += data->values[i] = 635 audit_pack_string(&bufp, 636 audit_watch_path(krule->watch)); 637 break; 638 case AUDIT_DIR: 639 data->buflen += data->values[i] = 640 audit_pack_string(&bufp, 641 audit_tree_path(krule->tree)); 642 break; 643 case AUDIT_FILTERKEY: 644 data->buflen += data->values[i] = 645 audit_pack_string(&bufp, krule->filterkey); 646 break; 647 default: 648 data->values[i] = f->val; 649 } 650 } 651 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 652 653 return data; 654 } 655 656 /* Compare two rules in kernel format. Considered success if rules 657 * don't match. */ 658 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 659 { 660 int i; 661 662 if (a->flags != b->flags || 663 a->listnr != b->listnr || 664 a->action != b->action || 665 a->field_count != b->field_count) 666 return 1; 667 668 for (i = 0; i < a->field_count; i++) { 669 if (a->fields[i].type != b->fields[i].type || 670 a->fields[i].op != b->fields[i].op) 671 return 1; 672 673 switch(a->fields[i].type) { 674 case AUDIT_SUBJ_USER: 675 case AUDIT_SUBJ_ROLE: 676 case AUDIT_SUBJ_TYPE: 677 case AUDIT_SUBJ_SEN: 678 case AUDIT_SUBJ_CLR: 679 case AUDIT_OBJ_USER: 680 case AUDIT_OBJ_ROLE: 681 case AUDIT_OBJ_TYPE: 682 case AUDIT_OBJ_LEV_LOW: 683 case AUDIT_OBJ_LEV_HIGH: 684 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 685 return 1; 686 break; 687 case AUDIT_WATCH: 688 if (strcmp(audit_watch_path(a->watch), 689 audit_watch_path(b->watch))) 690 return 1; 691 break; 692 case AUDIT_DIR: 693 if (strcmp(audit_tree_path(a->tree), 694 audit_tree_path(b->tree))) 695 return 1; 696 break; 697 case AUDIT_FILTERKEY: 698 /* both filterkeys exist based on above type compare */ 699 if (strcmp(a->filterkey, b->filterkey)) 700 return 1; 701 break; 702 default: 703 if (a->fields[i].val != b->fields[i].val) 704 return 1; 705 } 706 } 707 708 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 709 if (a->mask[i] != b->mask[i]) 710 return 1; 711 712 return 0; 713 } 714 715 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 716 * re-initialized. */ 717 static inline int audit_dupe_lsm_field(struct audit_field *df, 718 struct audit_field *sf) 719 { 720 int ret = 0; 721 char *lsm_str; 722 723 /* our own copy of lsm_str */ 724 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 725 if (unlikely(!lsm_str)) 726 return -ENOMEM; 727 df->lsm_str = lsm_str; 728 729 /* our own (refreshed) copy of lsm_rule */ 730 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 731 (void **)&df->lsm_rule); 732 /* Keep currently invalid fields around in case they 733 * become valid after a policy reload. */ 734 if (ret == -EINVAL) { 735 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 736 "invalid\n", df->lsm_str); 737 ret = 0; 738 } 739 740 return ret; 741 } 742 743 /* Duplicate an audit rule. This will be a deep copy with the exception 744 * of the watch - that pointer is carried over. The LSM specific fields 745 * will be updated in the copy. The point is to be able to replace the old 746 * rule with the new rule in the filterlist, then free the old rule. 747 * The rlist element is undefined; list manipulations are handled apart from 748 * the initial copy. */ 749 struct audit_entry *audit_dupe_rule(struct audit_krule *old, 750 struct audit_watch *watch) 751 { 752 u32 fcount = old->field_count; 753 struct audit_entry *entry; 754 struct audit_krule *new; 755 char *fk; 756 int i, err = 0; 757 758 entry = audit_init_entry(fcount); 759 if (unlikely(!entry)) 760 return ERR_PTR(-ENOMEM); 761 762 new = &entry->rule; 763 new->vers_ops = old->vers_ops; 764 new->flags = old->flags; 765 new->listnr = old->listnr; 766 new->action = old->action; 767 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 768 new->mask[i] = old->mask[i]; 769 new->prio = old->prio; 770 new->buflen = old->buflen; 771 new->inode_f = old->inode_f; 772 new->watch = NULL; 773 new->field_count = old->field_count; 774 /* 775 * note that we are OK with not refcounting here; audit_match_tree() 776 * never dereferences tree and we can't get false positives there 777 * since we'd have to have rule gone from the list *and* removed 778 * before the chunks found by lookup had been allocated, i.e. before 779 * the beginning of list scan. 780 */ 781 new->tree = old->tree; 782 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 783 784 /* deep copy this information, updating the lsm_rule fields, because 785 * the originals will all be freed when the old rule is freed. */ 786 for (i = 0; i < fcount; i++) { 787 switch (new->fields[i].type) { 788 case AUDIT_SUBJ_USER: 789 case AUDIT_SUBJ_ROLE: 790 case AUDIT_SUBJ_TYPE: 791 case AUDIT_SUBJ_SEN: 792 case AUDIT_SUBJ_CLR: 793 case AUDIT_OBJ_USER: 794 case AUDIT_OBJ_ROLE: 795 case AUDIT_OBJ_TYPE: 796 case AUDIT_OBJ_LEV_LOW: 797 case AUDIT_OBJ_LEV_HIGH: 798 err = audit_dupe_lsm_field(&new->fields[i], 799 &old->fields[i]); 800 break; 801 case AUDIT_FILTERKEY: 802 fk = kstrdup(old->filterkey, GFP_KERNEL); 803 if (unlikely(!fk)) 804 err = -ENOMEM; 805 else 806 new->filterkey = fk; 807 } 808 if (err) { 809 audit_free_rule(entry); 810 return ERR_PTR(err); 811 } 812 } 813 814 if (watch) { 815 audit_get_watch(watch); 816 new->watch = watch; 817 } 818 819 return entry; 820 } 821 822 /* Find an existing audit rule. 823 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 824 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 825 struct list_head **p) 826 { 827 struct audit_entry *e, *found = NULL; 828 struct list_head *list; 829 int h; 830 831 if (entry->rule.inode_f) { 832 h = audit_hash_ino(entry->rule.inode_f->val); 833 *p = list = &audit_inode_hash[h]; 834 } else if (entry->rule.watch) { 835 /* we don't know the inode number, so must walk entire hash */ 836 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 837 list = &audit_inode_hash[h]; 838 list_for_each_entry(e, list, list) 839 if (!audit_compare_rule(&entry->rule, &e->rule)) { 840 found = e; 841 goto out; 842 } 843 } 844 goto out; 845 } else { 846 *p = list = &audit_filter_list[entry->rule.listnr]; 847 } 848 849 list_for_each_entry(e, list, list) 850 if (!audit_compare_rule(&entry->rule, &e->rule)) { 851 found = e; 852 goto out; 853 } 854 855 out: 856 return found; 857 } 858 859 static u64 prio_low = ~0ULL/2; 860 static u64 prio_high = ~0ULL/2 - 1; 861 862 /* Add rule to given filterlist if not a duplicate. */ 863 static inline int audit_add_rule(struct audit_entry *entry) 864 { 865 struct audit_entry *e; 866 struct audit_watch *watch = entry->rule.watch; 867 struct audit_tree *tree = entry->rule.tree; 868 struct list_head *list; 869 int h, err; 870 #ifdef CONFIG_AUDITSYSCALL 871 int dont_count = 0; 872 873 /* If either of these, don't count towards total */ 874 if (entry->rule.listnr == AUDIT_FILTER_USER || 875 entry->rule.listnr == AUDIT_FILTER_TYPE) 876 dont_count = 1; 877 #endif 878 879 mutex_lock(&audit_filter_mutex); 880 e = audit_find_rule(entry, &list); 881 if (e) { 882 mutex_unlock(&audit_filter_mutex); 883 err = -EEXIST; 884 /* normally audit_add_tree_rule() will free it on failure */ 885 if (tree) 886 audit_put_tree(tree); 887 goto error; 888 } 889 890 if (watch) { 891 /* audit_filter_mutex is dropped and re-taken during this call */ 892 err = audit_add_watch(&entry->rule); 893 if (err) { 894 mutex_unlock(&audit_filter_mutex); 895 goto error; 896 } 897 /* entry->rule.watch may have changed during audit_add_watch() */ 898 watch = entry->rule.watch; 899 h = audit_hash_ino((u32)audit_watch_inode(watch)); 900 list = &audit_inode_hash[h]; 901 } 902 if (tree) { 903 err = audit_add_tree_rule(&entry->rule); 904 if (err) { 905 mutex_unlock(&audit_filter_mutex); 906 goto error; 907 } 908 } 909 910 entry->rule.prio = ~0ULL; 911 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 912 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 913 entry->rule.prio = ++prio_high; 914 else 915 entry->rule.prio = --prio_low; 916 } 917 918 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 919 list_add(&entry->rule.list, 920 &audit_rules_list[entry->rule.listnr]); 921 list_add_rcu(&entry->list, list); 922 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 923 } else { 924 list_add_tail(&entry->rule.list, 925 &audit_rules_list[entry->rule.listnr]); 926 list_add_tail_rcu(&entry->list, list); 927 } 928 #ifdef CONFIG_AUDITSYSCALL 929 if (!dont_count) 930 audit_n_rules++; 931 932 if (!audit_match_signal(entry)) 933 audit_signals++; 934 #endif 935 mutex_unlock(&audit_filter_mutex); 936 937 return 0; 938 939 error: 940 if (watch) 941 audit_put_watch(watch); /* tmp watch, matches initial get */ 942 return err; 943 } 944 945 /* Remove an existing rule from filterlist. */ 946 static inline int audit_del_rule(struct audit_entry *entry) 947 { 948 struct audit_entry *e; 949 struct audit_watch *watch = entry->rule.watch; 950 struct audit_tree *tree = entry->rule.tree; 951 struct list_head *list; 952 LIST_HEAD(inotify_list); 953 int ret = 0; 954 #ifdef CONFIG_AUDITSYSCALL 955 int dont_count = 0; 956 957 /* If either of these, don't count towards total */ 958 if (entry->rule.listnr == AUDIT_FILTER_USER || 959 entry->rule.listnr == AUDIT_FILTER_TYPE) 960 dont_count = 1; 961 #endif 962 963 mutex_lock(&audit_filter_mutex); 964 e = audit_find_rule(entry, &list); 965 if (!e) { 966 mutex_unlock(&audit_filter_mutex); 967 ret = -ENOENT; 968 goto out; 969 } 970 971 if (e->rule.watch) 972 audit_remove_watch_rule(&e->rule, &inotify_list); 973 974 if (e->rule.tree) 975 audit_remove_tree_rule(&e->rule); 976 977 list_del_rcu(&e->list); 978 list_del(&e->rule.list); 979 call_rcu(&e->rcu, audit_free_rule_rcu); 980 981 #ifdef CONFIG_AUDITSYSCALL 982 if (!dont_count) 983 audit_n_rules--; 984 985 if (!audit_match_signal(entry)) 986 audit_signals--; 987 #endif 988 mutex_unlock(&audit_filter_mutex); 989 990 if (!list_empty(&inotify_list)) 991 audit_inotify_unregister(&inotify_list); 992 993 out: 994 if (watch) 995 audit_put_watch(watch); /* match initial get */ 996 if (tree) 997 audit_put_tree(tree); /* that's the temporary one */ 998 999 return ret; 1000 } 1001 1002 /* List rules using struct audit_rule. Exists for backward 1003 * compatibility with userspace. */ 1004 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1005 { 1006 struct sk_buff *skb; 1007 struct audit_krule *r; 1008 int i; 1009 1010 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1011 * iterator to sync with list writers. */ 1012 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1013 list_for_each_entry(r, &audit_rules_list[i], list) { 1014 struct audit_rule *rule; 1015 1016 rule = audit_krule_to_rule(r); 1017 if (unlikely(!rule)) 1018 break; 1019 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1020 rule, sizeof(*rule)); 1021 if (skb) 1022 skb_queue_tail(q, skb); 1023 kfree(rule); 1024 } 1025 } 1026 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1027 if (skb) 1028 skb_queue_tail(q, skb); 1029 } 1030 1031 /* List rules using struct audit_rule_data. */ 1032 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1033 { 1034 struct sk_buff *skb; 1035 struct audit_krule *r; 1036 int i; 1037 1038 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1039 * iterator to sync with list writers. */ 1040 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1041 list_for_each_entry(r, &audit_rules_list[i], list) { 1042 struct audit_rule_data *data; 1043 1044 data = audit_krule_to_data(r); 1045 if (unlikely(!data)) 1046 break; 1047 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1048 data, sizeof(*data) + data->buflen); 1049 if (skb) 1050 skb_queue_tail(q, skb); 1051 kfree(data); 1052 } 1053 } 1054 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1055 if (skb) 1056 skb_queue_tail(q, skb); 1057 } 1058 1059 /* Log rule additions and removals */ 1060 static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, 1061 char *action, struct audit_krule *rule, 1062 int res) 1063 { 1064 struct audit_buffer *ab; 1065 1066 if (!audit_enabled) 1067 return; 1068 1069 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1070 if (!ab) 1071 return; 1072 audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); 1073 if (sid) { 1074 char *ctx = NULL; 1075 u32 len; 1076 if (security_secid_to_secctx(sid, &ctx, &len)) 1077 audit_log_format(ab, " ssid=%u", sid); 1078 else { 1079 audit_log_format(ab, " subj=%s", ctx); 1080 security_release_secctx(ctx, len); 1081 } 1082 } 1083 audit_log_format(ab, " op="); 1084 audit_log_string(ab, action); 1085 audit_log_key(ab, rule->filterkey); 1086 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1087 audit_log_end(ab); 1088 } 1089 1090 /** 1091 * audit_receive_filter - apply all rules to the specified message type 1092 * @type: audit message type 1093 * @pid: target pid for netlink audit messages 1094 * @uid: target uid for netlink audit messages 1095 * @seq: netlink audit message sequence (serial) number 1096 * @data: payload data 1097 * @datasz: size of payload data 1098 * @loginuid: loginuid of sender 1099 * @sessionid: sessionid for netlink audit message 1100 * @sid: SE Linux Security ID of sender 1101 */ 1102 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1103 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) 1104 { 1105 struct task_struct *tsk; 1106 struct audit_netlink_list *dest; 1107 int err = 0; 1108 struct audit_entry *entry; 1109 1110 switch (type) { 1111 case AUDIT_LIST: 1112 case AUDIT_LIST_RULES: 1113 /* We can't just spew out the rules here because we might fill 1114 * the available socket buffer space and deadlock waiting for 1115 * auditctl to read from it... which isn't ever going to 1116 * happen if we're actually running in the context of auditctl 1117 * trying to _send_ the stuff */ 1118 1119 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1120 if (!dest) 1121 return -ENOMEM; 1122 dest->pid = pid; 1123 skb_queue_head_init(&dest->q); 1124 1125 mutex_lock(&audit_filter_mutex); 1126 if (type == AUDIT_LIST) 1127 audit_list(pid, seq, &dest->q); 1128 else 1129 audit_list_rules(pid, seq, &dest->q); 1130 mutex_unlock(&audit_filter_mutex); 1131 1132 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1133 if (IS_ERR(tsk)) { 1134 skb_queue_purge(&dest->q); 1135 kfree(dest); 1136 err = PTR_ERR(tsk); 1137 } 1138 break; 1139 case AUDIT_ADD: 1140 case AUDIT_ADD_RULE: 1141 if (type == AUDIT_ADD) 1142 entry = audit_rule_to_entry(data); 1143 else 1144 entry = audit_data_to_entry(data, datasz); 1145 if (IS_ERR(entry)) 1146 return PTR_ERR(entry); 1147 1148 err = audit_add_rule(entry); 1149 audit_log_rule_change(loginuid, sessionid, sid, "add rule", 1150 &entry->rule, !err); 1151 1152 if (err) 1153 audit_free_rule(entry); 1154 break; 1155 case AUDIT_DEL: 1156 case AUDIT_DEL_RULE: 1157 if (type == AUDIT_DEL) 1158 entry = audit_rule_to_entry(data); 1159 else 1160 entry = audit_data_to_entry(data, datasz); 1161 if (IS_ERR(entry)) 1162 return PTR_ERR(entry); 1163 1164 err = audit_del_rule(entry); 1165 audit_log_rule_change(loginuid, sessionid, sid, "remove rule", 1166 &entry->rule, !err); 1167 1168 audit_free_rule(entry); 1169 break; 1170 default: 1171 return -EINVAL; 1172 } 1173 1174 return err; 1175 } 1176 1177 int audit_comparator(u32 left, u32 op, u32 right) 1178 { 1179 switch (op) { 1180 case Audit_equal: 1181 return (left == right); 1182 case Audit_not_equal: 1183 return (left != right); 1184 case Audit_lt: 1185 return (left < right); 1186 case Audit_le: 1187 return (left <= right); 1188 case Audit_gt: 1189 return (left > right); 1190 case Audit_ge: 1191 return (left >= right); 1192 case Audit_bitmask: 1193 return (left & right); 1194 case Audit_bittest: 1195 return ((left & right) == right); 1196 default: 1197 BUG(); 1198 return 0; 1199 } 1200 } 1201 1202 /* Compare given dentry name with last component in given path, 1203 * return of 0 indicates a match. */ 1204 int audit_compare_dname_path(const char *dname, const char *path, 1205 int *dirlen) 1206 { 1207 int dlen, plen; 1208 const char *p; 1209 1210 if (!dname || !path) 1211 return 1; 1212 1213 dlen = strlen(dname); 1214 plen = strlen(path); 1215 if (plen < dlen) 1216 return 1; 1217 1218 /* disregard trailing slashes */ 1219 p = path + plen - 1; 1220 while ((*p == '/') && (p > path)) 1221 p--; 1222 1223 /* find last path component */ 1224 p = p - dlen + 1; 1225 if (p < path) 1226 return 1; 1227 else if (p > path) { 1228 if (*--p != '/') 1229 return 1; 1230 else 1231 p++; 1232 } 1233 1234 /* return length of path's directory component */ 1235 if (dirlen) 1236 *dirlen = p - path; 1237 return strncmp(p, dname, dlen); 1238 } 1239 1240 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1241 struct audit_krule *rule, 1242 enum audit_state *state) 1243 { 1244 int i; 1245 1246 for (i = 0; i < rule->field_count; i++) { 1247 struct audit_field *f = &rule->fields[i]; 1248 int result = 0; 1249 1250 switch (f->type) { 1251 case AUDIT_PID: 1252 result = audit_comparator(cb->creds.pid, f->op, f->val); 1253 break; 1254 case AUDIT_UID: 1255 result = audit_comparator(cb->creds.uid, f->op, f->val); 1256 break; 1257 case AUDIT_GID: 1258 result = audit_comparator(cb->creds.gid, f->op, f->val); 1259 break; 1260 case AUDIT_LOGINUID: 1261 result = audit_comparator(cb->loginuid, f->op, f->val); 1262 break; 1263 } 1264 1265 if (!result) 1266 return 0; 1267 } 1268 switch (rule->action) { 1269 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1270 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1271 } 1272 return 1; 1273 } 1274 1275 int audit_filter_user(struct netlink_skb_parms *cb) 1276 { 1277 enum audit_state state = AUDIT_DISABLED; 1278 struct audit_entry *e; 1279 int ret = 1; 1280 1281 rcu_read_lock(); 1282 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1283 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1284 if (state == AUDIT_DISABLED) 1285 ret = 0; 1286 break; 1287 } 1288 } 1289 rcu_read_unlock(); 1290 1291 return ret; /* Audit by default */ 1292 } 1293 1294 int audit_filter_type(int type) 1295 { 1296 struct audit_entry *e; 1297 int result = 0; 1298 1299 rcu_read_lock(); 1300 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1301 goto unlock_and_return; 1302 1303 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1304 list) { 1305 int i; 1306 for (i = 0; i < e->rule.field_count; i++) { 1307 struct audit_field *f = &e->rule.fields[i]; 1308 if (f->type == AUDIT_MSGTYPE) { 1309 result = audit_comparator(type, f->op, f->val); 1310 if (!result) 1311 break; 1312 } 1313 } 1314 if (result) 1315 goto unlock_and_return; 1316 } 1317 unlock_and_return: 1318 rcu_read_unlock(); 1319 return result; 1320 } 1321 1322 static int update_lsm_rule(struct audit_krule *r) 1323 { 1324 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1325 struct audit_entry *nentry; 1326 struct audit_watch *watch; 1327 struct audit_tree *tree; 1328 int err = 0; 1329 1330 if (!security_audit_rule_known(r)) 1331 return 0; 1332 1333 watch = r->watch; 1334 tree = r->tree; 1335 nentry = audit_dupe_rule(r, watch); 1336 if (IS_ERR(nentry)) { 1337 /* save the first error encountered for the 1338 * return value */ 1339 err = PTR_ERR(nentry); 1340 audit_panic("error updating LSM filters"); 1341 if (watch) 1342 list_del(&r->rlist); 1343 list_del_rcu(&entry->list); 1344 list_del(&r->list); 1345 } else { 1346 if (watch) { 1347 list_add(&nentry->rule.rlist, audit_watch_rules(watch)); 1348 list_del(&r->rlist); 1349 } else if (tree) 1350 list_replace_init(&r->rlist, &nentry->rule.rlist); 1351 list_replace_rcu(&entry->list, &nentry->list); 1352 list_replace(&r->list, &nentry->rule.list); 1353 } 1354 call_rcu(&entry->rcu, audit_free_rule_rcu); 1355 1356 return err; 1357 } 1358 1359 /* This function will re-initialize the lsm_rule field of all applicable rules. 1360 * It will traverse the filter lists serarching for rules that contain LSM 1361 * specific filter fields. When such a rule is found, it is copied, the 1362 * LSM field is re-initialized, and the old rule is replaced with the 1363 * updated rule. */ 1364 int audit_update_lsm_rules(void) 1365 { 1366 struct audit_krule *r, *n; 1367 int i, err = 0; 1368 1369 /* audit_filter_mutex synchronizes the writers */ 1370 mutex_lock(&audit_filter_mutex); 1371 1372 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1373 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1374 int res = update_lsm_rule(r); 1375 if (!err) 1376 err = res; 1377 } 1378 } 1379 mutex_unlock(&audit_filter_mutex); 1380 1381 return err; 1382 } 1383