1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* Audit filter lists, defined in <linux/audit.h> */ 48 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 49 LIST_HEAD_INIT(audit_filter_list[0]), 50 LIST_HEAD_INIT(audit_filter_list[1]), 51 LIST_HEAD_INIT(audit_filter_list[2]), 52 LIST_HEAD_INIT(audit_filter_list[3]), 53 LIST_HEAD_INIT(audit_filter_list[4]), 54 LIST_HEAD_INIT(audit_filter_list[5]), 55 #if AUDIT_NR_FILTERS != 6 56 #error Fix audit_filter_list initialiser 57 #endif 58 }; 59 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 60 LIST_HEAD_INIT(audit_rules_list[0]), 61 LIST_HEAD_INIT(audit_rules_list[1]), 62 LIST_HEAD_INIT(audit_rules_list[2]), 63 LIST_HEAD_INIT(audit_rules_list[3]), 64 LIST_HEAD_INIT(audit_rules_list[4]), 65 LIST_HEAD_INIT(audit_rules_list[5]), 66 }; 67 68 DEFINE_MUTEX(audit_filter_mutex); 69 70 static inline void audit_free_rule(struct audit_entry *e) 71 { 72 int i; 73 struct audit_krule *erule = &e->rule; 74 75 /* some rules don't have associated watches */ 76 if (erule->watch) 77 audit_put_watch(erule->watch); 78 if (erule->fields) 79 for (i = 0; i < erule->field_count; i++) { 80 struct audit_field *f = &erule->fields[i]; 81 kfree(f->lsm_str); 82 security_audit_rule_free(f->lsm_rule); 83 } 84 kfree(erule->fields); 85 kfree(erule->filterkey); 86 kfree(e); 87 } 88 89 void audit_free_rule_rcu(struct rcu_head *head) 90 { 91 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 92 audit_free_rule(e); 93 } 94 95 /* Initialize an audit filterlist entry. */ 96 static inline struct audit_entry *audit_init_entry(u32 field_count) 97 { 98 struct audit_entry *entry; 99 struct audit_field *fields; 100 101 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 102 if (unlikely(!entry)) 103 return NULL; 104 105 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 106 if (unlikely(!fields)) { 107 kfree(entry); 108 return NULL; 109 } 110 entry->rule.fields = fields; 111 112 return entry; 113 } 114 115 /* Unpack a filter field's string representation from user-space 116 * buffer. */ 117 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 118 { 119 char *str; 120 121 if (!*bufp || (len == 0) || (len > *remain)) 122 return ERR_PTR(-EINVAL); 123 124 /* Of the currently implemented string fields, PATH_MAX 125 * defines the longest valid length. 126 */ 127 if (len > PATH_MAX) 128 return ERR_PTR(-ENAMETOOLONG); 129 130 str = kmalloc(len + 1, GFP_KERNEL); 131 if (unlikely(!str)) 132 return ERR_PTR(-ENOMEM); 133 134 memcpy(str, *bufp, len); 135 str[len] = 0; 136 *bufp += len; 137 *remain -= len; 138 139 return str; 140 } 141 142 /* Translate an inode field to kernel respresentation. */ 143 static inline int audit_to_inode(struct audit_krule *krule, 144 struct audit_field *f) 145 { 146 if (krule->listnr != AUDIT_FILTER_EXIT || 147 krule->watch || krule->inode_f || krule->tree || 148 (f->op != Audit_equal && f->op != Audit_not_equal)) 149 return -EINVAL; 150 151 krule->inode_f = f; 152 return 0; 153 } 154 155 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 156 157 int __init audit_register_class(int class, unsigned *list) 158 { 159 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 160 if (!p) 161 return -ENOMEM; 162 while (*list != ~0U) { 163 unsigned n = *list++; 164 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 165 kfree(p); 166 return -EINVAL; 167 } 168 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 169 } 170 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 171 kfree(p); 172 return -EINVAL; 173 } 174 classes[class] = p; 175 return 0; 176 } 177 178 int audit_match_class(int class, unsigned syscall) 179 { 180 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 181 return 0; 182 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 183 return 0; 184 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 185 } 186 187 #ifdef CONFIG_AUDITSYSCALL 188 static inline int audit_match_class_bits(int class, u32 *mask) 189 { 190 int i; 191 192 if (classes[class]) { 193 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 194 if (mask[i] & classes[class][i]) 195 return 0; 196 } 197 return 1; 198 } 199 200 static int audit_match_signal(struct audit_entry *entry) 201 { 202 struct audit_field *arch = entry->rule.arch_f; 203 204 if (!arch) { 205 /* When arch is unspecified, we must check both masks on biarch 206 * as syscall number alone is ambiguous. */ 207 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 208 entry->rule.mask) && 209 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 210 entry->rule.mask)); 211 } 212 213 switch(audit_classify_arch(arch->val)) { 214 case 0: /* native */ 215 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 216 entry->rule.mask)); 217 case 1: /* 32bit on biarch */ 218 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 219 entry->rule.mask)); 220 default: 221 return 1; 222 } 223 } 224 #endif 225 226 /* Common user-space to kernel rule translation. */ 227 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 228 { 229 unsigned listnr; 230 struct audit_entry *entry; 231 int i, err; 232 233 err = -EINVAL; 234 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 235 switch(listnr) { 236 default: 237 goto exit_err; 238 #ifdef CONFIG_AUDITSYSCALL 239 case AUDIT_FILTER_ENTRY: 240 if (rule->action == AUDIT_ALWAYS) 241 goto exit_err; 242 case AUDIT_FILTER_EXIT: 243 case AUDIT_FILTER_TASK: 244 #endif 245 case AUDIT_FILTER_USER: 246 case AUDIT_FILTER_TYPE: 247 ; 248 } 249 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 250 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 251 goto exit_err; 252 } 253 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 254 goto exit_err; 255 if (rule->field_count > AUDIT_MAX_FIELDS) 256 goto exit_err; 257 258 err = -ENOMEM; 259 entry = audit_init_entry(rule->field_count); 260 if (!entry) 261 goto exit_err; 262 263 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 264 entry->rule.listnr = listnr; 265 entry->rule.action = rule->action; 266 entry->rule.field_count = rule->field_count; 267 268 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 269 entry->rule.mask[i] = rule->mask[i]; 270 271 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 272 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 273 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 274 __u32 *class; 275 276 if (!(*p & AUDIT_BIT(bit))) 277 continue; 278 *p &= ~AUDIT_BIT(bit); 279 class = classes[i]; 280 if (class) { 281 int j; 282 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 283 entry->rule.mask[j] |= class[j]; 284 } 285 } 286 287 return entry; 288 289 exit_err: 290 return ERR_PTR(err); 291 } 292 293 static u32 audit_ops[] = 294 { 295 [Audit_equal] = AUDIT_EQUAL, 296 [Audit_not_equal] = AUDIT_NOT_EQUAL, 297 [Audit_bitmask] = AUDIT_BIT_MASK, 298 [Audit_bittest] = AUDIT_BIT_TEST, 299 [Audit_lt] = AUDIT_LESS_THAN, 300 [Audit_gt] = AUDIT_GREATER_THAN, 301 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 302 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 303 }; 304 305 static u32 audit_to_op(u32 op) 306 { 307 u32 n; 308 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 309 ; 310 return n; 311 } 312 313 /* check if a field is valid for a given list */ 314 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) 315 { 316 switch(f->type) { 317 case AUDIT_MSGTYPE: 318 if (entry->rule.listnr != AUDIT_FILTER_TYPE && 319 entry->rule.listnr != AUDIT_FILTER_USER) 320 return -EINVAL; 321 break; 322 }; 323 return 0; 324 } 325 326 /* Translate struct audit_rule to kernel's rule respresentation. 327 * Exists for backward compatibility with userspace. */ 328 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 329 { 330 struct audit_entry *entry; 331 int err = 0; 332 int i; 333 334 entry = audit_to_entry_common(rule); 335 if (IS_ERR(entry)) 336 goto exit_nofree; 337 338 for (i = 0; i < rule->field_count; i++) { 339 struct audit_field *f = &entry->rule.fields[i]; 340 u32 n; 341 342 n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 343 344 /* Support for legacy operators where 345 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 346 if (n & AUDIT_NEGATE) 347 f->op = Audit_not_equal; 348 else if (!n) 349 f->op = Audit_equal; 350 else 351 f->op = audit_to_op(n); 352 353 entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; 354 355 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 356 f->val = rule->values[i]; 357 f->uid = INVALID_UID; 358 f->gid = INVALID_GID; 359 360 err = -EINVAL; 361 if (f->op == Audit_bad) 362 goto exit_free; 363 364 switch(f->type) { 365 default: 366 goto exit_free; 367 case AUDIT_UID: 368 case AUDIT_EUID: 369 case AUDIT_SUID: 370 case AUDIT_FSUID: 371 case AUDIT_LOGINUID: 372 /* bit ops not implemented for uid comparisons */ 373 if (f->op == Audit_bitmask || f->op == Audit_bittest) 374 goto exit_free; 375 376 f->uid = make_kuid(current_user_ns(), f->val); 377 if (!uid_valid(f->uid)) 378 goto exit_free; 379 break; 380 case AUDIT_GID: 381 case AUDIT_EGID: 382 case AUDIT_SGID: 383 case AUDIT_FSGID: 384 /* bit ops not implemented for gid comparisons */ 385 if (f->op == Audit_bitmask || f->op == Audit_bittest) 386 goto exit_free; 387 388 f->gid = make_kgid(current_user_ns(), f->val); 389 if (!gid_valid(f->gid)) 390 goto exit_free; 391 break; 392 case AUDIT_PID: 393 case AUDIT_PERS: 394 case AUDIT_MSGTYPE: 395 case AUDIT_PPID: 396 case AUDIT_DEVMAJOR: 397 case AUDIT_DEVMINOR: 398 case AUDIT_EXIT: 399 case AUDIT_SUCCESS: 400 /* bit ops are only useful on syscall args */ 401 if (f->op == Audit_bitmask || f->op == Audit_bittest) 402 goto exit_free; 403 break; 404 case AUDIT_ARG0: 405 case AUDIT_ARG1: 406 case AUDIT_ARG2: 407 case AUDIT_ARG3: 408 break; 409 /* arch is only allowed to be = or != */ 410 case AUDIT_ARCH: 411 if (f->op != Audit_not_equal && f->op != Audit_equal) 412 goto exit_free; 413 entry->rule.arch_f = f; 414 break; 415 case AUDIT_PERM: 416 if (f->val & ~15) 417 goto exit_free; 418 break; 419 case AUDIT_FILETYPE: 420 if (f->val & ~S_IFMT) 421 goto exit_free; 422 break; 423 case AUDIT_INODE: 424 err = audit_to_inode(&entry->rule, f); 425 if (err) 426 goto exit_free; 427 break; 428 } 429 } 430 431 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 432 entry->rule.inode_f = NULL; 433 434 exit_nofree: 435 return entry; 436 437 exit_free: 438 audit_free_rule(entry); 439 return ERR_PTR(err); 440 } 441 442 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 443 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 444 size_t datasz) 445 { 446 int err = 0; 447 struct audit_entry *entry; 448 void *bufp; 449 size_t remain = datasz - sizeof(struct audit_rule_data); 450 int i; 451 char *str; 452 453 entry = audit_to_entry_common((struct audit_rule *)data); 454 if (IS_ERR(entry)) 455 goto exit_nofree; 456 457 bufp = data->buf; 458 entry->rule.vers_ops = 2; 459 for (i = 0; i < data->field_count; i++) { 460 struct audit_field *f = &entry->rule.fields[i]; 461 462 err = -EINVAL; 463 464 f->op = audit_to_op(data->fieldflags[i]); 465 if (f->op == Audit_bad) 466 goto exit_free; 467 468 f->type = data->fields[i]; 469 f->val = data->values[i]; 470 f->uid = INVALID_UID; 471 f->gid = INVALID_GID; 472 f->lsm_str = NULL; 473 f->lsm_rule = NULL; 474 475 err = audit_field_valid(entry, f); 476 if (err) 477 goto exit_free; 478 479 err = -EINVAL; 480 481 switch(f->type) { 482 case AUDIT_UID: 483 case AUDIT_EUID: 484 case AUDIT_SUID: 485 case AUDIT_FSUID: 486 case AUDIT_LOGINUID: 487 case AUDIT_OBJ_UID: 488 /* bit ops not implemented for uid comparisons */ 489 if (f->op == Audit_bitmask || f->op == Audit_bittest) 490 goto exit_free; 491 492 f->uid = make_kuid(current_user_ns(), f->val); 493 if (!uid_valid(f->uid)) 494 goto exit_free; 495 break; 496 case AUDIT_GID: 497 case AUDIT_EGID: 498 case AUDIT_SGID: 499 case AUDIT_FSGID: 500 case AUDIT_OBJ_GID: 501 /* bit ops not implemented for gid comparisons */ 502 if (f->op == Audit_bitmask || f->op == Audit_bittest) 503 goto exit_free; 504 505 f->gid = make_kgid(current_user_ns(), f->val); 506 if (!gid_valid(f->gid)) 507 goto exit_free; 508 break; 509 case AUDIT_PID: 510 case AUDIT_PERS: 511 case AUDIT_MSGTYPE: 512 case AUDIT_PPID: 513 case AUDIT_DEVMAJOR: 514 case AUDIT_DEVMINOR: 515 case AUDIT_EXIT: 516 case AUDIT_SUCCESS: 517 case AUDIT_ARG0: 518 case AUDIT_ARG1: 519 case AUDIT_ARG2: 520 case AUDIT_ARG3: 521 break; 522 case AUDIT_ARCH: 523 entry->rule.arch_f = f; 524 break; 525 case AUDIT_SUBJ_USER: 526 case AUDIT_SUBJ_ROLE: 527 case AUDIT_SUBJ_TYPE: 528 case AUDIT_SUBJ_SEN: 529 case AUDIT_SUBJ_CLR: 530 case AUDIT_OBJ_USER: 531 case AUDIT_OBJ_ROLE: 532 case AUDIT_OBJ_TYPE: 533 case AUDIT_OBJ_LEV_LOW: 534 case AUDIT_OBJ_LEV_HIGH: 535 str = audit_unpack_string(&bufp, &remain, f->val); 536 if (IS_ERR(str)) 537 goto exit_free; 538 entry->rule.buflen += f->val; 539 540 err = security_audit_rule_init(f->type, f->op, str, 541 (void **)&f->lsm_rule); 542 /* Keep currently invalid fields around in case they 543 * become valid after a policy reload. */ 544 if (err == -EINVAL) { 545 printk(KERN_WARNING "audit rule for LSM " 546 "\'%s\' is invalid\n", str); 547 err = 0; 548 } 549 if (err) { 550 kfree(str); 551 goto exit_free; 552 } else 553 f->lsm_str = str; 554 break; 555 case AUDIT_WATCH: 556 str = audit_unpack_string(&bufp, &remain, f->val); 557 if (IS_ERR(str)) 558 goto exit_free; 559 entry->rule.buflen += f->val; 560 561 err = audit_to_watch(&entry->rule, str, f->val, f->op); 562 if (err) { 563 kfree(str); 564 goto exit_free; 565 } 566 break; 567 case AUDIT_DIR: 568 str = audit_unpack_string(&bufp, &remain, f->val); 569 if (IS_ERR(str)) 570 goto exit_free; 571 entry->rule.buflen += f->val; 572 573 err = audit_make_tree(&entry->rule, str, f->op); 574 kfree(str); 575 if (err) 576 goto exit_free; 577 break; 578 case AUDIT_INODE: 579 err = audit_to_inode(&entry->rule, f); 580 if (err) 581 goto exit_free; 582 break; 583 case AUDIT_FILTERKEY: 584 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 585 goto exit_free; 586 str = audit_unpack_string(&bufp, &remain, f->val); 587 if (IS_ERR(str)) 588 goto exit_free; 589 entry->rule.buflen += f->val; 590 entry->rule.filterkey = str; 591 break; 592 case AUDIT_PERM: 593 if (f->val & ~15) 594 goto exit_free; 595 break; 596 case AUDIT_FILETYPE: 597 if (f->val & ~S_IFMT) 598 goto exit_free; 599 break; 600 case AUDIT_FIELD_COMPARE: 601 if (f->val > AUDIT_MAX_FIELD_COMPARE) 602 goto exit_free; 603 break; 604 default: 605 goto exit_free; 606 } 607 } 608 609 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 610 entry->rule.inode_f = NULL; 611 612 exit_nofree: 613 return entry; 614 615 exit_free: 616 audit_free_rule(entry); 617 return ERR_PTR(err); 618 } 619 620 /* Pack a filter field's string representation into data block. */ 621 static inline size_t audit_pack_string(void **bufp, const char *str) 622 { 623 size_t len = strlen(str); 624 625 memcpy(*bufp, str, len); 626 *bufp += len; 627 628 return len; 629 } 630 631 /* Translate kernel rule respresentation to struct audit_rule. 632 * Exists for backward compatibility with userspace. */ 633 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 634 { 635 struct audit_rule *rule; 636 int i; 637 638 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 639 if (unlikely(!rule)) 640 return NULL; 641 642 rule->flags = krule->flags | krule->listnr; 643 rule->action = krule->action; 644 rule->field_count = krule->field_count; 645 for (i = 0; i < rule->field_count; i++) { 646 rule->values[i] = krule->fields[i].val; 647 rule->fields[i] = krule->fields[i].type; 648 649 if (krule->vers_ops == 1) { 650 if (krule->fields[i].op == Audit_not_equal) 651 rule->fields[i] |= AUDIT_NEGATE; 652 } else { 653 rule->fields[i] |= audit_ops[krule->fields[i].op]; 654 } 655 } 656 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 657 658 return rule; 659 } 660 661 /* Translate kernel rule respresentation to struct audit_rule_data. */ 662 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 663 { 664 struct audit_rule_data *data; 665 void *bufp; 666 int i; 667 668 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 669 if (unlikely(!data)) 670 return NULL; 671 memset(data, 0, sizeof(*data)); 672 673 data->flags = krule->flags | krule->listnr; 674 data->action = krule->action; 675 data->field_count = krule->field_count; 676 bufp = data->buf; 677 for (i = 0; i < data->field_count; i++) { 678 struct audit_field *f = &krule->fields[i]; 679 680 data->fields[i] = f->type; 681 data->fieldflags[i] = audit_ops[f->op]; 682 switch(f->type) { 683 case AUDIT_SUBJ_USER: 684 case AUDIT_SUBJ_ROLE: 685 case AUDIT_SUBJ_TYPE: 686 case AUDIT_SUBJ_SEN: 687 case AUDIT_SUBJ_CLR: 688 case AUDIT_OBJ_USER: 689 case AUDIT_OBJ_ROLE: 690 case AUDIT_OBJ_TYPE: 691 case AUDIT_OBJ_LEV_LOW: 692 case AUDIT_OBJ_LEV_HIGH: 693 data->buflen += data->values[i] = 694 audit_pack_string(&bufp, f->lsm_str); 695 break; 696 case AUDIT_WATCH: 697 data->buflen += data->values[i] = 698 audit_pack_string(&bufp, 699 audit_watch_path(krule->watch)); 700 break; 701 case AUDIT_DIR: 702 data->buflen += data->values[i] = 703 audit_pack_string(&bufp, 704 audit_tree_path(krule->tree)); 705 break; 706 case AUDIT_FILTERKEY: 707 data->buflen += data->values[i] = 708 audit_pack_string(&bufp, krule->filterkey); 709 break; 710 default: 711 data->values[i] = f->val; 712 } 713 } 714 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 715 716 return data; 717 } 718 719 /* Compare two rules in kernel format. Considered success if rules 720 * don't match. */ 721 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 722 { 723 int i; 724 725 if (a->flags != b->flags || 726 a->listnr != b->listnr || 727 a->action != b->action || 728 a->field_count != b->field_count) 729 return 1; 730 731 for (i = 0; i < a->field_count; i++) { 732 if (a->fields[i].type != b->fields[i].type || 733 a->fields[i].op != b->fields[i].op) 734 return 1; 735 736 switch(a->fields[i].type) { 737 case AUDIT_SUBJ_USER: 738 case AUDIT_SUBJ_ROLE: 739 case AUDIT_SUBJ_TYPE: 740 case AUDIT_SUBJ_SEN: 741 case AUDIT_SUBJ_CLR: 742 case AUDIT_OBJ_USER: 743 case AUDIT_OBJ_ROLE: 744 case AUDIT_OBJ_TYPE: 745 case AUDIT_OBJ_LEV_LOW: 746 case AUDIT_OBJ_LEV_HIGH: 747 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 748 return 1; 749 break; 750 case AUDIT_WATCH: 751 if (strcmp(audit_watch_path(a->watch), 752 audit_watch_path(b->watch))) 753 return 1; 754 break; 755 case AUDIT_DIR: 756 if (strcmp(audit_tree_path(a->tree), 757 audit_tree_path(b->tree))) 758 return 1; 759 break; 760 case AUDIT_FILTERKEY: 761 /* both filterkeys exist based on above type compare */ 762 if (strcmp(a->filterkey, b->filterkey)) 763 return 1; 764 break; 765 case AUDIT_UID: 766 case AUDIT_EUID: 767 case AUDIT_SUID: 768 case AUDIT_FSUID: 769 case AUDIT_LOGINUID: 770 case AUDIT_OBJ_UID: 771 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 772 return 1; 773 break; 774 case AUDIT_GID: 775 case AUDIT_EGID: 776 case AUDIT_SGID: 777 case AUDIT_FSGID: 778 case AUDIT_OBJ_GID: 779 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 780 return 1; 781 break; 782 default: 783 if (a->fields[i].val != b->fields[i].val) 784 return 1; 785 } 786 } 787 788 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 789 if (a->mask[i] != b->mask[i]) 790 return 1; 791 792 return 0; 793 } 794 795 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 796 * re-initialized. */ 797 static inline int audit_dupe_lsm_field(struct audit_field *df, 798 struct audit_field *sf) 799 { 800 int ret = 0; 801 char *lsm_str; 802 803 /* our own copy of lsm_str */ 804 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 805 if (unlikely(!lsm_str)) 806 return -ENOMEM; 807 df->lsm_str = lsm_str; 808 809 /* our own (refreshed) copy of lsm_rule */ 810 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 811 (void **)&df->lsm_rule); 812 /* Keep currently invalid fields around in case they 813 * become valid after a policy reload. */ 814 if (ret == -EINVAL) { 815 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 816 "invalid\n", df->lsm_str); 817 ret = 0; 818 } 819 820 return ret; 821 } 822 823 /* Duplicate an audit rule. This will be a deep copy with the exception 824 * of the watch - that pointer is carried over. The LSM specific fields 825 * will be updated in the copy. The point is to be able to replace the old 826 * rule with the new rule in the filterlist, then free the old rule. 827 * The rlist element is undefined; list manipulations are handled apart from 828 * the initial copy. */ 829 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 830 { 831 u32 fcount = old->field_count; 832 struct audit_entry *entry; 833 struct audit_krule *new; 834 char *fk; 835 int i, err = 0; 836 837 entry = audit_init_entry(fcount); 838 if (unlikely(!entry)) 839 return ERR_PTR(-ENOMEM); 840 841 new = &entry->rule; 842 new->vers_ops = old->vers_ops; 843 new->flags = old->flags; 844 new->listnr = old->listnr; 845 new->action = old->action; 846 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 847 new->mask[i] = old->mask[i]; 848 new->prio = old->prio; 849 new->buflen = old->buflen; 850 new->inode_f = old->inode_f; 851 new->field_count = old->field_count; 852 853 /* 854 * note that we are OK with not refcounting here; audit_match_tree() 855 * never dereferences tree and we can't get false positives there 856 * since we'd have to have rule gone from the list *and* removed 857 * before the chunks found by lookup had been allocated, i.e. before 858 * the beginning of list scan. 859 */ 860 new->tree = old->tree; 861 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 862 863 /* deep copy this information, updating the lsm_rule fields, because 864 * the originals will all be freed when the old rule is freed. */ 865 for (i = 0; i < fcount; i++) { 866 switch (new->fields[i].type) { 867 case AUDIT_SUBJ_USER: 868 case AUDIT_SUBJ_ROLE: 869 case AUDIT_SUBJ_TYPE: 870 case AUDIT_SUBJ_SEN: 871 case AUDIT_SUBJ_CLR: 872 case AUDIT_OBJ_USER: 873 case AUDIT_OBJ_ROLE: 874 case AUDIT_OBJ_TYPE: 875 case AUDIT_OBJ_LEV_LOW: 876 case AUDIT_OBJ_LEV_HIGH: 877 err = audit_dupe_lsm_field(&new->fields[i], 878 &old->fields[i]); 879 break; 880 case AUDIT_FILTERKEY: 881 fk = kstrdup(old->filterkey, GFP_KERNEL); 882 if (unlikely(!fk)) 883 err = -ENOMEM; 884 else 885 new->filterkey = fk; 886 } 887 if (err) { 888 audit_free_rule(entry); 889 return ERR_PTR(err); 890 } 891 } 892 893 if (old->watch) { 894 audit_get_watch(old->watch); 895 new->watch = old->watch; 896 } 897 898 return entry; 899 } 900 901 /* Find an existing audit rule. 902 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 903 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 904 struct list_head **p) 905 { 906 struct audit_entry *e, *found = NULL; 907 struct list_head *list; 908 int h; 909 910 if (entry->rule.inode_f) { 911 h = audit_hash_ino(entry->rule.inode_f->val); 912 *p = list = &audit_inode_hash[h]; 913 } else if (entry->rule.watch) { 914 /* we don't know the inode number, so must walk entire hash */ 915 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 916 list = &audit_inode_hash[h]; 917 list_for_each_entry(e, list, list) 918 if (!audit_compare_rule(&entry->rule, &e->rule)) { 919 found = e; 920 goto out; 921 } 922 } 923 goto out; 924 } else { 925 *p = list = &audit_filter_list[entry->rule.listnr]; 926 } 927 928 list_for_each_entry(e, list, list) 929 if (!audit_compare_rule(&entry->rule, &e->rule)) { 930 found = e; 931 goto out; 932 } 933 934 out: 935 return found; 936 } 937 938 static u64 prio_low = ~0ULL/2; 939 static u64 prio_high = ~0ULL/2 - 1; 940 941 /* Add rule to given filterlist if not a duplicate. */ 942 static inline int audit_add_rule(struct audit_entry *entry) 943 { 944 struct audit_entry *e; 945 struct audit_watch *watch = entry->rule.watch; 946 struct audit_tree *tree = entry->rule.tree; 947 struct list_head *list; 948 int err; 949 #ifdef CONFIG_AUDITSYSCALL 950 int dont_count = 0; 951 952 /* If either of these, don't count towards total */ 953 if (entry->rule.listnr == AUDIT_FILTER_USER || 954 entry->rule.listnr == AUDIT_FILTER_TYPE) 955 dont_count = 1; 956 #endif 957 958 mutex_lock(&audit_filter_mutex); 959 e = audit_find_rule(entry, &list); 960 if (e) { 961 mutex_unlock(&audit_filter_mutex); 962 err = -EEXIST; 963 /* normally audit_add_tree_rule() will free it on failure */ 964 if (tree) 965 audit_put_tree(tree); 966 goto error; 967 } 968 969 if (watch) { 970 /* audit_filter_mutex is dropped and re-taken during this call */ 971 err = audit_add_watch(&entry->rule, &list); 972 if (err) { 973 mutex_unlock(&audit_filter_mutex); 974 goto error; 975 } 976 } 977 if (tree) { 978 err = audit_add_tree_rule(&entry->rule); 979 if (err) { 980 mutex_unlock(&audit_filter_mutex); 981 goto error; 982 } 983 } 984 985 entry->rule.prio = ~0ULL; 986 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 987 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 988 entry->rule.prio = ++prio_high; 989 else 990 entry->rule.prio = --prio_low; 991 } 992 993 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 994 list_add(&entry->rule.list, 995 &audit_rules_list[entry->rule.listnr]); 996 list_add_rcu(&entry->list, list); 997 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 998 } else { 999 list_add_tail(&entry->rule.list, 1000 &audit_rules_list[entry->rule.listnr]); 1001 list_add_tail_rcu(&entry->list, list); 1002 } 1003 #ifdef CONFIG_AUDITSYSCALL 1004 if (!dont_count) 1005 audit_n_rules++; 1006 1007 if (!audit_match_signal(entry)) 1008 audit_signals++; 1009 #endif 1010 mutex_unlock(&audit_filter_mutex); 1011 1012 return 0; 1013 1014 error: 1015 if (watch) 1016 audit_put_watch(watch); /* tmp watch, matches initial get */ 1017 return err; 1018 } 1019 1020 /* Remove an existing rule from filterlist. */ 1021 static inline int audit_del_rule(struct audit_entry *entry) 1022 { 1023 struct audit_entry *e; 1024 struct audit_watch *watch = entry->rule.watch; 1025 struct audit_tree *tree = entry->rule.tree; 1026 struct list_head *list; 1027 int ret = 0; 1028 #ifdef CONFIG_AUDITSYSCALL 1029 int dont_count = 0; 1030 1031 /* If either of these, don't count towards total */ 1032 if (entry->rule.listnr == AUDIT_FILTER_USER || 1033 entry->rule.listnr == AUDIT_FILTER_TYPE) 1034 dont_count = 1; 1035 #endif 1036 1037 mutex_lock(&audit_filter_mutex); 1038 e = audit_find_rule(entry, &list); 1039 if (!e) { 1040 mutex_unlock(&audit_filter_mutex); 1041 ret = -ENOENT; 1042 goto out; 1043 } 1044 1045 if (e->rule.watch) 1046 audit_remove_watch_rule(&e->rule); 1047 1048 if (e->rule.tree) 1049 audit_remove_tree_rule(&e->rule); 1050 1051 list_del_rcu(&e->list); 1052 list_del(&e->rule.list); 1053 call_rcu(&e->rcu, audit_free_rule_rcu); 1054 1055 #ifdef CONFIG_AUDITSYSCALL 1056 if (!dont_count) 1057 audit_n_rules--; 1058 1059 if (!audit_match_signal(entry)) 1060 audit_signals--; 1061 #endif 1062 mutex_unlock(&audit_filter_mutex); 1063 1064 out: 1065 if (watch) 1066 audit_put_watch(watch); /* match initial get */ 1067 if (tree) 1068 audit_put_tree(tree); /* that's the temporary one */ 1069 1070 return ret; 1071 } 1072 1073 /* List rules using struct audit_rule. Exists for backward 1074 * compatibility with userspace. */ 1075 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1076 { 1077 struct sk_buff *skb; 1078 struct audit_krule *r; 1079 int i; 1080 1081 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1082 * iterator to sync with list writers. */ 1083 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1084 list_for_each_entry(r, &audit_rules_list[i], list) { 1085 struct audit_rule *rule; 1086 1087 rule = audit_krule_to_rule(r); 1088 if (unlikely(!rule)) 1089 break; 1090 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1091 rule, sizeof(*rule)); 1092 if (skb) 1093 skb_queue_tail(q, skb); 1094 kfree(rule); 1095 } 1096 } 1097 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1098 if (skb) 1099 skb_queue_tail(q, skb); 1100 } 1101 1102 /* List rules using struct audit_rule_data. */ 1103 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1104 { 1105 struct sk_buff *skb; 1106 struct audit_krule *r; 1107 int i; 1108 1109 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1110 * iterator to sync with list writers. */ 1111 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1112 list_for_each_entry(r, &audit_rules_list[i], list) { 1113 struct audit_rule_data *data; 1114 1115 data = audit_krule_to_data(r); 1116 if (unlikely(!data)) 1117 break; 1118 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1119 data, sizeof(*data) + data->buflen); 1120 if (skb) 1121 skb_queue_tail(q, skb); 1122 kfree(data); 1123 } 1124 } 1125 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1126 if (skb) 1127 skb_queue_tail(q, skb); 1128 } 1129 1130 /* Log rule additions and removals */ 1131 static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid, 1132 char *action, struct audit_krule *rule, 1133 int res) 1134 { 1135 struct audit_buffer *ab; 1136 1137 if (!audit_enabled) 1138 return; 1139 1140 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1141 if (!ab) 1142 return; 1143 audit_log_format(ab, "auid=%u ses=%u", 1144 from_kuid(&init_user_ns, loginuid), sessionid); 1145 if (sid) { 1146 char *ctx = NULL; 1147 u32 len; 1148 if (security_secid_to_secctx(sid, &ctx, &len)) 1149 audit_log_format(ab, " ssid=%u", sid); 1150 else { 1151 audit_log_format(ab, " subj=%s", ctx); 1152 security_release_secctx(ctx, len); 1153 } 1154 } 1155 audit_log_format(ab, " op="); 1156 audit_log_string(ab, action); 1157 audit_log_key(ab, rule->filterkey); 1158 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1159 audit_log_end(ab); 1160 } 1161 1162 /** 1163 * audit_receive_filter - apply all rules to the specified message type 1164 * @type: audit message type 1165 * @pid: target pid for netlink audit messages 1166 * @seq: netlink audit message sequence (serial) number 1167 * @data: payload data 1168 * @datasz: size of payload data 1169 * @loginuid: loginuid of sender 1170 * @sessionid: sessionid for netlink audit message 1171 * @sid: SE Linux Security ID of sender 1172 */ 1173 int audit_receive_filter(int type, int pid, int seq, void *data, 1174 size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid) 1175 { 1176 struct task_struct *tsk; 1177 struct audit_netlink_list *dest; 1178 int err = 0; 1179 struct audit_entry *entry; 1180 1181 switch (type) { 1182 case AUDIT_LIST: 1183 case AUDIT_LIST_RULES: 1184 /* We can't just spew out the rules here because we might fill 1185 * the available socket buffer space and deadlock waiting for 1186 * auditctl to read from it... which isn't ever going to 1187 * happen if we're actually running in the context of auditctl 1188 * trying to _send_ the stuff */ 1189 1190 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1191 if (!dest) 1192 return -ENOMEM; 1193 dest->pid = pid; 1194 skb_queue_head_init(&dest->q); 1195 1196 mutex_lock(&audit_filter_mutex); 1197 if (type == AUDIT_LIST) 1198 audit_list(pid, seq, &dest->q); 1199 else 1200 audit_list_rules(pid, seq, &dest->q); 1201 mutex_unlock(&audit_filter_mutex); 1202 1203 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1204 if (IS_ERR(tsk)) { 1205 skb_queue_purge(&dest->q); 1206 kfree(dest); 1207 err = PTR_ERR(tsk); 1208 } 1209 break; 1210 case AUDIT_ADD: 1211 case AUDIT_ADD_RULE: 1212 if (type == AUDIT_ADD) 1213 entry = audit_rule_to_entry(data); 1214 else 1215 entry = audit_data_to_entry(data, datasz); 1216 if (IS_ERR(entry)) 1217 return PTR_ERR(entry); 1218 1219 err = audit_add_rule(entry); 1220 audit_log_rule_change(loginuid, sessionid, sid, "add rule", 1221 &entry->rule, !err); 1222 1223 if (err) 1224 audit_free_rule(entry); 1225 break; 1226 case AUDIT_DEL: 1227 case AUDIT_DEL_RULE: 1228 if (type == AUDIT_DEL) 1229 entry = audit_rule_to_entry(data); 1230 else 1231 entry = audit_data_to_entry(data, datasz); 1232 if (IS_ERR(entry)) 1233 return PTR_ERR(entry); 1234 1235 err = audit_del_rule(entry); 1236 audit_log_rule_change(loginuid, sessionid, sid, "remove rule", 1237 &entry->rule, !err); 1238 1239 audit_free_rule(entry); 1240 break; 1241 default: 1242 return -EINVAL; 1243 } 1244 1245 return err; 1246 } 1247 1248 int audit_comparator(u32 left, u32 op, u32 right) 1249 { 1250 switch (op) { 1251 case Audit_equal: 1252 return (left == right); 1253 case Audit_not_equal: 1254 return (left != right); 1255 case Audit_lt: 1256 return (left < right); 1257 case Audit_le: 1258 return (left <= right); 1259 case Audit_gt: 1260 return (left > right); 1261 case Audit_ge: 1262 return (left >= right); 1263 case Audit_bitmask: 1264 return (left & right); 1265 case Audit_bittest: 1266 return ((left & right) == right); 1267 default: 1268 BUG(); 1269 return 0; 1270 } 1271 } 1272 1273 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1274 { 1275 switch (op) { 1276 case Audit_equal: 1277 return uid_eq(left, right); 1278 case Audit_not_equal: 1279 return !uid_eq(left, right); 1280 case Audit_lt: 1281 return uid_lt(left, right); 1282 case Audit_le: 1283 return uid_lte(left, right); 1284 case Audit_gt: 1285 return uid_gt(left, right); 1286 case Audit_ge: 1287 return uid_gte(left, right); 1288 case Audit_bitmask: 1289 case Audit_bittest: 1290 default: 1291 BUG(); 1292 return 0; 1293 } 1294 } 1295 1296 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1297 { 1298 switch (op) { 1299 case Audit_equal: 1300 return gid_eq(left, right); 1301 case Audit_not_equal: 1302 return !gid_eq(left, right); 1303 case Audit_lt: 1304 return gid_lt(left, right); 1305 case Audit_le: 1306 return gid_lte(left, right); 1307 case Audit_gt: 1308 return gid_gt(left, right); 1309 case Audit_ge: 1310 return gid_gte(left, right); 1311 case Audit_bitmask: 1312 case Audit_bittest: 1313 default: 1314 BUG(); 1315 return 0; 1316 } 1317 } 1318 1319 /** 1320 * parent_len - find the length of the parent portion of a pathname 1321 * @path: pathname of which to determine length 1322 */ 1323 int parent_len(const char *path) 1324 { 1325 int plen; 1326 const char *p; 1327 1328 plen = strlen(path); 1329 1330 if (plen == 0) 1331 return plen; 1332 1333 /* disregard trailing slashes */ 1334 p = path + plen - 1; 1335 while ((*p == '/') && (p > path)) 1336 p--; 1337 1338 /* walk backward until we find the next slash or hit beginning */ 1339 while ((*p != '/') && (p > path)) 1340 p--; 1341 1342 /* did we find a slash? Then increment to include it in path */ 1343 if (*p == '/') 1344 p++; 1345 1346 return p - path; 1347 } 1348 1349 /** 1350 * audit_compare_dname_path - compare given dentry name with last component in 1351 * given path. Return of 0 indicates a match. 1352 * @dname: dentry name that we're comparing 1353 * @path: full pathname that we're comparing 1354 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1355 * here indicates that we must compute this value. 1356 */ 1357 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1358 { 1359 int dlen, pathlen; 1360 const char *p; 1361 1362 dlen = strlen(dname); 1363 pathlen = strlen(path); 1364 if (pathlen < dlen) 1365 return 1; 1366 1367 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1368 if (pathlen - parentlen != dlen) 1369 return 1; 1370 1371 p = path + parentlen; 1372 1373 return strncmp(p, dname, dlen); 1374 } 1375 1376 static int audit_filter_user_rules(struct audit_krule *rule, int type, 1377 enum audit_state *state) 1378 { 1379 int i; 1380 1381 for (i = 0; i < rule->field_count; i++) { 1382 struct audit_field *f = &rule->fields[i]; 1383 int result = 0; 1384 u32 sid; 1385 1386 switch (f->type) { 1387 case AUDIT_PID: 1388 result = audit_comparator(task_pid_vnr(current), f->op, f->val); 1389 break; 1390 case AUDIT_UID: 1391 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1392 break; 1393 case AUDIT_GID: 1394 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1395 break; 1396 case AUDIT_LOGINUID: 1397 result = audit_uid_comparator(audit_get_loginuid(current), 1398 f->op, f->uid); 1399 break; 1400 case AUDIT_MSGTYPE: 1401 result = audit_comparator(type, f->op, f->val); 1402 break; 1403 case AUDIT_SUBJ_USER: 1404 case AUDIT_SUBJ_ROLE: 1405 case AUDIT_SUBJ_TYPE: 1406 case AUDIT_SUBJ_SEN: 1407 case AUDIT_SUBJ_CLR: 1408 if (f->lsm_rule) { 1409 security_task_getsecid(current, &sid); 1410 result = security_audit_rule_match(sid, 1411 f->type, 1412 f->op, 1413 f->lsm_rule, 1414 NULL); 1415 } 1416 break; 1417 } 1418 1419 if (!result) 1420 return 0; 1421 } 1422 switch (rule->action) { 1423 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1424 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1425 } 1426 return 1; 1427 } 1428 1429 int audit_filter_user(int type) 1430 { 1431 enum audit_state state = AUDIT_DISABLED; 1432 struct audit_entry *e; 1433 int ret = 1; 1434 1435 rcu_read_lock(); 1436 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1437 if (audit_filter_user_rules(&e->rule, type, &state)) { 1438 if (state == AUDIT_DISABLED) 1439 ret = 0; 1440 break; 1441 } 1442 } 1443 rcu_read_unlock(); 1444 1445 return ret; /* Audit by default */ 1446 } 1447 1448 int audit_filter_type(int type) 1449 { 1450 struct audit_entry *e; 1451 int result = 0; 1452 1453 rcu_read_lock(); 1454 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1455 goto unlock_and_return; 1456 1457 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1458 list) { 1459 int i; 1460 for (i = 0; i < e->rule.field_count; i++) { 1461 struct audit_field *f = &e->rule.fields[i]; 1462 if (f->type == AUDIT_MSGTYPE) { 1463 result = audit_comparator(type, f->op, f->val); 1464 if (!result) 1465 break; 1466 } 1467 } 1468 if (result) 1469 goto unlock_and_return; 1470 } 1471 unlock_and_return: 1472 rcu_read_unlock(); 1473 return result; 1474 } 1475 1476 static int update_lsm_rule(struct audit_krule *r) 1477 { 1478 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1479 struct audit_entry *nentry; 1480 int err = 0; 1481 1482 if (!security_audit_rule_known(r)) 1483 return 0; 1484 1485 nentry = audit_dupe_rule(r); 1486 if (IS_ERR(nentry)) { 1487 /* save the first error encountered for the 1488 * return value */ 1489 err = PTR_ERR(nentry); 1490 audit_panic("error updating LSM filters"); 1491 if (r->watch) 1492 list_del(&r->rlist); 1493 list_del_rcu(&entry->list); 1494 list_del(&r->list); 1495 } else { 1496 if (r->watch || r->tree) 1497 list_replace_init(&r->rlist, &nentry->rule.rlist); 1498 list_replace_rcu(&entry->list, &nentry->list); 1499 list_replace(&r->list, &nentry->rule.list); 1500 } 1501 call_rcu(&entry->rcu, audit_free_rule_rcu); 1502 1503 return err; 1504 } 1505 1506 /* This function will re-initialize the lsm_rule field of all applicable rules. 1507 * It will traverse the filter lists serarching for rules that contain LSM 1508 * specific filter fields. When such a rule is found, it is copied, the 1509 * LSM field is re-initialized, and the old rule is replaced with the 1510 * updated rule. */ 1511 int audit_update_lsm_rules(void) 1512 { 1513 struct audit_krule *r, *n; 1514 int i, err = 0; 1515 1516 /* audit_filter_mutex synchronizes the writers */ 1517 mutex_lock(&audit_filter_mutex); 1518 1519 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1520 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1521 int res = update_lsm_rule(r); 1522 if (!err) 1523 err = res; 1524 } 1525 } 1526 mutex_unlock(&audit_filter_mutex); 1527 1528 return err; 1529 } 1530