1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 90 LIST_HEAD_INIT(audit_rules_list[0]), 91 LIST_HEAD_INIT(audit_rules_list[1]), 92 LIST_HEAD_INIT(audit_rules_list[2]), 93 LIST_HEAD_INIT(audit_rules_list[3]), 94 LIST_HEAD_INIT(audit_rules_list[4]), 95 LIST_HEAD_INIT(audit_rules_list[5]), 96 }; 97 98 DEFINE_MUTEX(audit_filter_mutex); 99 100 /* Inotify events we care about. */ 101 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 102 103 void audit_free_parent(struct inotify_watch *i_watch) 104 { 105 struct audit_parent *parent; 106 107 parent = container_of(i_watch, struct audit_parent, wdata); 108 WARN_ON(!list_empty(&parent->watches)); 109 kfree(parent); 110 } 111 112 static inline void audit_get_watch(struct audit_watch *watch) 113 { 114 atomic_inc(&watch->count); 115 } 116 117 static void audit_put_watch(struct audit_watch *watch) 118 { 119 if (atomic_dec_and_test(&watch->count)) { 120 WARN_ON(watch->parent); 121 WARN_ON(!list_empty(&watch->rules)); 122 kfree(watch->path); 123 kfree(watch); 124 } 125 } 126 127 static void audit_remove_watch(struct audit_watch *watch) 128 { 129 list_del(&watch->wlist); 130 put_inotify_watch(&watch->parent->wdata); 131 watch->parent = NULL; 132 audit_put_watch(watch); /* match initial get */ 133 } 134 135 static inline void audit_free_rule(struct audit_entry *e) 136 { 137 int i; 138 struct audit_krule *erule = &e->rule; 139 /* some rules don't have associated watches */ 140 if (erule->watch) 141 audit_put_watch(erule->watch); 142 if (erule->fields) 143 for (i = 0; i < erule->field_count; i++) { 144 struct audit_field *f = &erule->fields[i]; 145 kfree(f->lsm_str); 146 security_audit_rule_free(f->lsm_rule); 147 } 148 kfree(erule->fields); 149 kfree(erule->filterkey); 150 kfree(e); 151 } 152 153 void audit_free_rule_rcu(struct rcu_head *head) 154 { 155 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 156 audit_free_rule(e); 157 } 158 159 /* Initialize a parent watch entry. */ 160 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 161 { 162 struct audit_parent *parent; 163 s32 wd; 164 165 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 166 if (unlikely(!parent)) 167 return ERR_PTR(-ENOMEM); 168 169 INIT_LIST_HEAD(&parent->watches); 170 parent->flags = 0; 171 172 inotify_init_watch(&parent->wdata); 173 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 174 get_inotify_watch(&parent->wdata); 175 wd = inotify_add_watch(audit_ih, &parent->wdata, 176 ndp->path.dentry->d_inode, AUDIT_IN_WATCH); 177 if (wd < 0) { 178 audit_free_parent(&parent->wdata); 179 return ERR_PTR(wd); 180 } 181 182 return parent; 183 } 184 185 /* Initialize a watch entry. */ 186 static struct audit_watch *audit_init_watch(char *path) 187 { 188 struct audit_watch *watch; 189 190 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 191 if (unlikely(!watch)) 192 return ERR_PTR(-ENOMEM); 193 194 INIT_LIST_HEAD(&watch->rules); 195 atomic_set(&watch->count, 1); 196 watch->path = path; 197 watch->dev = (dev_t)-1; 198 watch->ino = (unsigned long)-1; 199 200 return watch; 201 } 202 203 /* Initialize an audit filterlist entry. */ 204 static inline struct audit_entry *audit_init_entry(u32 field_count) 205 { 206 struct audit_entry *entry; 207 struct audit_field *fields; 208 209 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 210 if (unlikely(!entry)) 211 return NULL; 212 213 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 214 if (unlikely(!fields)) { 215 kfree(entry); 216 return NULL; 217 } 218 entry->rule.fields = fields; 219 220 return entry; 221 } 222 223 /* Unpack a filter field's string representation from user-space 224 * buffer. */ 225 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 226 { 227 char *str; 228 229 if (!*bufp || (len == 0) || (len > *remain)) 230 return ERR_PTR(-EINVAL); 231 232 /* Of the currently implemented string fields, PATH_MAX 233 * defines the longest valid length. 234 */ 235 if (len > PATH_MAX) 236 return ERR_PTR(-ENAMETOOLONG); 237 238 str = kmalloc(len + 1, GFP_KERNEL); 239 if (unlikely(!str)) 240 return ERR_PTR(-ENOMEM); 241 242 memcpy(str, *bufp, len); 243 str[len] = 0; 244 *bufp += len; 245 *remain -= len; 246 247 return str; 248 } 249 250 /* Translate an inode field to kernel respresentation. */ 251 static inline int audit_to_inode(struct audit_krule *krule, 252 struct audit_field *f) 253 { 254 if (krule->listnr != AUDIT_FILTER_EXIT || 255 krule->watch || krule->inode_f || krule->tree || 256 (f->op != Audit_equal && f->op != Audit_not_equal)) 257 return -EINVAL; 258 259 krule->inode_f = f; 260 return 0; 261 } 262 263 /* Translate a watch string to kernel respresentation. */ 264 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 265 u32 op) 266 { 267 struct audit_watch *watch; 268 269 if (!audit_ih) 270 return -EOPNOTSUPP; 271 272 if (path[0] != '/' || path[len-1] == '/' || 273 krule->listnr != AUDIT_FILTER_EXIT || 274 op != Audit_equal || 275 krule->inode_f || krule->watch || krule->tree) 276 return -EINVAL; 277 278 watch = audit_init_watch(path); 279 if (IS_ERR(watch)) 280 return PTR_ERR(watch); 281 282 audit_get_watch(watch); 283 krule->watch = watch; 284 285 return 0; 286 } 287 288 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 289 290 int __init audit_register_class(int class, unsigned *list) 291 { 292 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 293 if (!p) 294 return -ENOMEM; 295 while (*list != ~0U) { 296 unsigned n = *list++; 297 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 298 kfree(p); 299 return -EINVAL; 300 } 301 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 302 } 303 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 304 kfree(p); 305 return -EINVAL; 306 } 307 classes[class] = p; 308 return 0; 309 } 310 311 int audit_match_class(int class, unsigned syscall) 312 { 313 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 314 return 0; 315 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 316 return 0; 317 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 318 } 319 320 #ifdef CONFIG_AUDITSYSCALL 321 static inline int audit_match_class_bits(int class, u32 *mask) 322 { 323 int i; 324 325 if (classes[class]) { 326 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 327 if (mask[i] & classes[class][i]) 328 return 0; 329 } 330 return 1; 331 } 332 333 static int audit_match_signal(struct audit_entry *entry) 334 { 335 struct audit_field *arch = entry->rule.arch_f; 336 337 if (!arch) { 338 /* When arch is unspecified, we must check both masks on biarch 339 * as syscall number alone is ambiguous. */ 340 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 341 entry->rule.mask) && 342 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 343 entry->rule.mask)); 344 } 345 346 switch(audit_classify_arch(arch->val)) { 347 case 0: /* native */ 348 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 349 entry->rule.mask)); 350 case 1: /* 32bit on biarch */ 351 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 352 entry->rule.mask)); 353 default: 354 return 1; 355 } 356 } 357 #endif 358 359 /* Common user-space to kernel rule translation. */ 360 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 361 { 362 unsigned listnr; 363 struct audit_entry *entry; 364 int i, err; 365 366 err = -EINVAL; 367 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 368 switch(listnr) { 369 default: 370 goto exit_err; 371 case AUDIT_FILTER_USER: 372 case AUDIT_FILTER_TYPE: 373 #ifdef CONFIG_AUDITSYSCALL 374 case AUDIT_FILTER_ENTRY: 375 case AUDIT_FILTER_EXIT: 376 case AUDIT_FILTER_TASK: 377 #endif 378 ; 379 } 380 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 381 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 382 goto exit_err; 383 } 384 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 385 goto exit_err; 386 if (rule->field_count > AUDIT_MAX_FIELDS) 387 goto exit_err; 388 389 err = -ENOMEM; 390 entry = audit_init_entry(rule->field_count); 391 if (!entry) 392 goto exit_err; 393 394 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 395 entry->rule.listnr = listnr; 396 entry->rule.action = rule->action; 397 entry->rule.field_count = rule->field_count; 398 399 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 400 entry->rule.mask[i] = rule->mask[i]; 401 402 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 403 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 404 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 405 __u32 *class; 406 407 if (!(*p & AUDIT_BIT(bit))) 408 continue; 409 *p &= ~AUDIT_BIT(bit); 410 class = classes[i]; 411 if (class) { 412 int j; 413 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 414 entry->rule.mask[j] |= class[j]; 415 } 416 } 417 418 return entry; 419 420 exit_err: 421 return ERR_PTR(err); 422 } 423 424 static u32 audit_ops[] = 425 { 426 [Audit_equal] = AUDIT_EQUAL, 427 [Audit_not_equal] = AUDIT_NOT_EQUAL, 428 [Audit_bitmask] = AUDIT_BIT_MASK, 429 [Audit_bittest] = AUDIT_BIT_TEST, 430 [Audit_lt] = AUDIT_LESS_THAN, 431 [Audit_gt] = AUDIT_GREATER_THAN, 432 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 433 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 434 }; 435 436 static u32 audit_to_op(u32 op) 437 { 438 u32 n; 439 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 440 ; 441 return n; 442 } 443 444 445 /* Translate struct audit_rule to kernel's rule respresentation. 446 * Exists for backward compatibility with userspace. */ 447 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 448 { 449 struct audit_entry *entry; 450 int err = 0; 451 int i; 452 453 entry = audit_to_entry_common(rule); 454 if (IS_ERR(entry)) 455 goto exit_nofree; 456 457 for (i = 0; i < rule->field_count; i++) { 458 struct audit_field *f = &entry->rule.fields[i]; 459 u32 n; 460 461 n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 462 463 /* Support for legacy operators where 464 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 465 if (n & AUDIT_NEGATE) 466 f->op = Audit_not_equal; 467 else if (!n) 468 f->op = Audit_equal; 469 else 470 f->op = audit_to_op(n); 471 472 entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; 473 474 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 475 f->val = rule->values[i]; 476 477 err = -EINVAL; 478 if (f->op == Audit_bad) 479 goto exit_free; 480 481 switch(f->type) { 482 default: 483 goto exit_free; 484 case AUDIT_PID: 485 case AUDIT_UID: 486 case AUDIT_EUID: 487 case AUDIT_SUID: 488 case AUDIT_FSUID: 489 case AUDIT_GID: 490 case AUDIT_EGID: 491 case AUDIT_SGID: 492 case AUDIT_FSGID: 493 case AUDIT_LOGINUID: 494 case AUDIT_PERS: 495 case AUDIT_MSGTYPE: 496 case AUDIT_PPID: 497 case AUDIT_DEVMAJOR: 498 case AUDIT_DEVMINOR: 499 case AUDIT_EXIT: 500 case AUDIT_SUCCESS: 501 /* bit ops are only useful on syscall args */ 502 if (f->op == Audit_bitmask || f->op == Audit_bittest) 503 goto exit_free; 504 break; 505 case AUDIT_ARG0: 506 case AUDIT_ARG1: 507 case AUDIT_ARG2: 508 case AUDIT_ARG3: 509 break; 510 /* arch is only allowed to be = or != */ 511 case AUDIT_ARCH: 512 if (f->op != Audit_not_equal && f->op != Audit_equal) 513 goto exit_free; 514 entry->rule.arch_f = f; 515 break; 516 case AUDIT_PERM: 517 if (f->val & ~15) 518 goto exit_free; 519 break; 520 case AUDIT_FILETYPE: 521 if ((f->val & ~S_IFMT) > S_IFMT) 522 goto exit_free; 523 break; 524 case AUDIT_INODE: 525 err = audit_to_inode(&entry->rule, f); 526 if (err) 527 goto exit_free; 528 break; 529 } 530 } 531 532 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 533 entry->rule.inode_f = NULL; 534 535 exit_nofree: 536 return entry; 537 538 exit_free: 539 audit_free_rule(entry); 540 return ERR_PTR(err); 541 } 542 543 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 544 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 545 size_t datasz) 546 { 547 int err = 0; 548 struct audit_entry *entry; 549 void *bufp; 550 size_t remain = datasz - sizeof(struct audit_rule_data); 551 int i; 552 char *str; 553 554 entry = audit_to_entry_common((struct audit_rule *)data); 555 if (IS_ERR(entry)) 556 goto exit_nofree; 557 558 bufp = data->buf; 559 entry->rule.vers_ops = 2; 560 for (i = 0; i < data->field_count; i++) { 561 struct audit_field *f = &entry->rule.fields[i]; 562 563 err = -EINVAL; 564 565 f->op = audit_to_op(data->fieldflags[i]); 566 if (f->op == Audit_bad) 567 goto exit_free; 568 569 f->type = data->fields[i]; 570 f->val = data->values[i]; 571 f->lsm_str = NULL; 572 f->lsm_rule = NULL; 573 switch(f->type) { 574 case AUDIT_PID: 575 case AUDIT_UID: 576 case AUDIT_EUID: 577 case AUDIT_SUID: 578 case AUDIT_FSUID: 579 case AUDIT_GID: 580 case AUDIT_EGID: 581 case AUDIT_SGID: 582 case AUDIT_FSGID: 583 case AUDIT_LOGINUID: 584 case AUDIT_PERS: 585 case AUDIT_MSGTYPE: 586 case AUDIT_PPID: 587 case AUDIT_DEVMAJOR: 588 case AUDIT_DEVMINOR: 589 case AUDIT_EXIT: 590 case AUDIT_SUCCESS: 591 case AUDIT_ARG0: 592 case AUDIT_ARG1: 593 case AUDIT_ARG2: 594 case AUDIT_ARG3: 595 break; 596 case AUDIT_ARCH: 597 entry->rule.arch_f = f; 598 break; 599 case AUDIT_SUBJ_USER: 600 case AUDIT_SUBJ_ROLE: 601 case AUDIT_SUBJ_TYPE: 602 case AUDIT_SUBJ_SEN: 603 case AUDIT_SUBJ_CLR: 604 case AUDIT_OBJ_USER: 605 case AUDIT_OBJ_ROLE: 606 case AUDIT_OBJ_TYPE: 607 case AUDIT_OBJ_LEV_LOW: 608 case AUDIT_OBJ_LEV_HIGH: 609 str = audit_unpack_string(&bufp, &remain, f->val); 610 if (IS_ERR(str)) 611 goto exit_free; 612 entry->rule.buflen += f->val; 613 614 err = security_audit_rule_init(f->type, f->op, str, 615 (void **)&f->lsm_rule); 616 /* Keep currently invalid fields around in case they 617 * become valid after a policy reload. */ 618 if (err == -EINVAL) { 619 printk(KERN_WARNING "audit rule for LSM " 620 "\'%s\' is invalid\n", str); 621 err = 0; 622 } 623 if (err) { 624 kfree(str); 625 goto exit_free; 626 } else 627 f->lsm_str = str; 628 break; 629 case AUDIT_WATCH: 630 str = audit_unpack_string(&bufp, &remain, f->val); 631 if (IS_ERR(str)) 632 goto exit_free; 633 entry->rule.buflen += f->val; 634 635 err = audit_to_watch(&entry->rule, str, f->val, f->op); 636 if (err) { 637 kfree(str); 638 goto exit_free; 639 } 640 break; 641 case AUDIT_DIR: 642 str = audit_unpack_string(&bufp, &remain, f->val); 643 if (IS_ERR(str)) 644 goto exit_free; 645 entry->rule.buflen += f->val; 646 647 err = audit_make_tree(&entry->rule, str, f->op); 648 kfree(str); 649 if (err) 650 goto exit_free; 651 break; 652 case AUDIT_INODE: 653 err = audit_to_inode(&entry->rule, f); 654 if (err) 655 goto exit_free; 656 break; 657 case AUDIT_FILTERKEY: 658 err = -EINVAL; 659 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 660 goto exit_free; 661 str = audit_unpack_string(&bufp, &remain, f->val); 662 if (IS_ERR(str)) 663 goto exit_free; 664 entry->rule.buflen += f->val; 665 entry->rule.filterkey = str; 666 break; 667 case AUDIT_PERM: 668 if (f->val & ~15) 669 goto exit_free; 670 break; 671 case AUDIT_FILETYPE: 672 if ((f->val & ~S_IFMT) > S_IFMT) 673 goto exit_free; 674 break; 675 default: 676 goto exit_free; 677 } 678 } 679 680 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 681 entry->rule.inode_f = NULL; 682 683 exit_nofree: 684 return entry; 685 686 exit_free: 687 audit_free_rule(entry); 688 return ERR_PTR(err); 689 } 690 691 /* Pack a filter field's string representation into data block. */ 692 static inline size_t audit_pack_string(void **bufp, const char *str) 693 { 694 size_t len = strlen(str); 695 696 memcpy(*bufp, str, len); 697 *bufp += len; 698 699 return len; 700 } 701 702 /* Translate kernel rule respresentation to struct audit_rule. 703 * Exists for backward compatibility with userspace. */ 704 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 705 { 706 struct audit_rule *rule; 707 int i; 708 709 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 710 if (unlikely(!rule)) 711 return NULL; 712 713 rule->flags = krule->flags | krule->listnr; 714 rule->action = krule->action; 715 rule->field_count = krule->field_count; 716 for (i = 0; i < rule->field_count; i++) { 717 rule->values[i] = krule->fields[i].val; 718 rule->fields[i] = krule->fields[i].type; 719 720 if (krule->vers_ops == 1) { 721 if (krule->fields[i].op == Audit_not_equal) 722 rule->fields[i] |= AUDIT_NEGATE; 723 } else { 724 rule->fields[i] |= audit_ops[krule->fields[i].op]; 725 } 726 } 727 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 728 729 return rule; 730 } 731 732 /* Translate kernel rule respresentation to struct audit_rule_data. */ 733 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 734 { 735 struct audit_rule_data *data; 736 void *bufp; 737 int i; 738 739 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 740 if (unlikely(!data)) 741 return NULL; 742 memset(data, 0, sizeof(*data)); 743 744 data->flags = krule->flags | krule->listnr; 745 data->action = krule->action; 746 data->field_count = krule->field_count; 747 bufp = data->buf; 748 for (i = 0; i < data->field_count; i++) { 749 struct audit_field *f = &krule->fields[i]; 750 751 data->fields[i] = f->type; 752 data->fieldflags[i] = audit_ops[f->op]; 753 switch(f->type) { 754 case AUDIT_SUBJ_USER: 755 case AUDIT_SUBJ_ROLE: 756 case AUDIT_SUBJ_TYPE: 757 case AUDIT_SUBJ_SEN: 758 case AUDIT_SUBJ_CLR: 759 case AUDIT_OBJ_USER: 760 case AUDIT_OBJ_ROLE: 761 case AUDIT_OBJ_TYPE: 762 case AUDIT_OBJ_LEV_LOW: 763 case AUDIT_OBJ_LEV_HIGH: 764 data->buflen += data->values[i] = 765 audit_pack_string(&bufp, f->lsm_str); 766 break; 767 case AUDIT_WATCH: 768 data->buflen += data->values[i] = 769 audit_pack_string(&bufp, krule->watch->path); 770 break; 771 case AUDIT_DIR: 772 data->buflen += data->values[i] = 773 audit_pack_string(&bufp, 774 audit_tree_path(krule->tree)); 775 break; 776 case AUDIT_FILTERKEY: 777 data->buflen += data->values[i] = 778 audit_pack_string(&bufp, krule->filterkey); 779 break; 780 default: 781 data->values[i] = f->val; 782 } 783 } 784 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 785 786 return data; 787 } 788 789 /* Compare two rules in kernel format. Considered success if rules 790 * don't match. */ 791 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 792 { 793 int i; 794 795 if (a->flags != b->flags || 796 a->listnr != b->listnr || 797 a->action != b->action || 798 a->field_count != b->field_count) 799 return 1; 800 801 for (i = 0; i < a->field_count; i++) { 802 if (a->fields[i].type != b->fields[i].type || 803 a->fields[i].op != b->fields[i].op) 804 return 1; 805 806 switch(a->fields[i].type) { 807 case AUDIT_SUBJ_USER: 808 case AUDIT_SUBJ_ROLE: 809 case AUDIT_SUBJ_TYPE: 810 case AUDIT_SUBJ_SEN: 811 case AUDIT_SUBJ_CLR: 812 case AUDIT_OBJ_USER: 813 case AUDIT_OBJ_ROLE: 814 case AUDIT_OBJ_TYPE: 815 case AUDIT_OBJ_LEV_LOW: 816 case AUDIT_OBJ_LEV_HIGH: 817 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 818 return 1; 819 break; 820 case AUDIT_WATCH: 821 if (strcmp(a->watch->path, b->watch->path)) 822 return 1; 823 break; 824 case AUDIT_DIR: 825 if (strcmp(audit_tree_path(a->tree), 826 audit_tree_path(b->tree))) 827 return 1; 828 break; 829 case AUDIT_FILTERKEY: 830 /* both filterkeys exist based on above type compare */ 831 if (strcmp(a->filterkey, b->filterkey)) 832 return 1; 833 break; 834 default: 835 if (a->fields[i].val != b->fields[i].val) 836 return 1; 837 } 838 } 839 840 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 841 if (a->mask[i] != b->mask[i]) 842 return 1; 843 844 return 0; 845 } 846 847 /* Duplicate the given audit watch. The new watch's rules list is initialized 848 * to an empty list and wlist is undefined. */ 849 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 850 { 851 char *path; 852 struct audit_watch *new; 853 854 path = kstrdup(old->path, GFP_KERNEL); 855 if (unlikely(!path)) 856 return ERR_PTR(-ENOMEM); 857 858 new = audit_init_watch(path); 859 if (IS_ERR(new)) { 860 kfree(path); 861 goto out; 862 } 863 864 new->dev = old->dev; 865 new->ino = old->ino; 866 get_inotify_watch(&old->parent->wdata); 867 new->parent = old->parent; 868 869 out: 870 return new; 871 } 872 873 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 874 * re-initialized. */ 875 static inline int audit_dupe_lsm_field(struct audit_field *df, 876 struct audit_field *sf) 877 { 878 int ret = 0; 879 char *lsm_str; 880 881 /* our own copy of lsm_str */ 882 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 883 if (unlikely(!lsm_str)) 884 return -ENOMEM; 885 df->lsm_str = lsm_str; 886 887 /* our own (refreshed) copy of lsm_rule */ 888 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 889 (void **)&df->lsm_rule); 890 /* Keep currently invalid fields around in case they 891 * become valid after a policy reload. */ 892 if (ret == -EINVAL) { 893 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 894 "invalid\n", df->lsm_str); 895 ret = 0; 896 } 897 898 return ret; 899 } 900 901 /* Duplicate an audit rule. This will be a deep copy with the exception 902 * of the watch - that pointer is carried over. The LSM specific fields 903 * will be updated in the copy. The point is to be able to replace the old 904 * rule with the new rule in the filterlist, then free the old rule. 905 * The rlist element is undefined; list manipulations are handled apart from 906 * the initial copy. */ 907 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 908 struct audit_watch *watch) 909 { 910 u32 fcount = old->field_count; 911 struct audit_entry *entry; 912 struct audit_krule *new; 913 char *fk; 914 int i, err = 0; 915 916 entry = audit_init_entry(fcount); 917 if (unlikely(!entry)) 918 return ERR_PTR(-ENOMEM); 919 920 new = &entry->rule; 921 new->vers_ops = old->vers_ops; 922 new->flags = old->flags; 923 new->listnr = old->listnr; 924 new->action = old->action; 925 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 926 new->mask[i] = old->mask[i]; 927 new->prio = old->prio; 928 new->buflen = old->buflen; 929 new->inode_f = old->inode_f; 930 new->watch = NULL; 931 new->field_count = old->field_count; 932 /* 933 * note that we are OK with not refcounting here; audit_match_tree() 934 * never dereferences tree and we can't get false positives there 935 * since we'd have to have rule gone from the list *and* removed 936 * before the chunks found by lookup had been allocated, i.e. before 937 * the beginning of list scan. 938 */ 939 new->tree = old->tree; 940 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 941 942 /* deep copy this information, updating the lsm_rule fields, because 943 * the originals will all be freed when the old rule is freed. */ 944 for (i = 0; i < fcount; i++) { 945 switch (new->fields[i].type) { 946 case AUDIT_SUBJ_USER: 947 case AUDIT_SUBJ_ROLE: 948 case AUDIT_SUBJ_TYPE: 949 case AUDIT_SUBJ_SEN: 950 case AUDIT_SUBJ_CLR: 951 case AUDIT_OBJ_USER: 952 case AUDIT_OBJ_ROLE: 953 case AUDIT_OBJ_TYPE: 954 case AUDIT_OBJ_LEV_LOW: 955 case AUDIT_OBJ_LEV_HIGH: 956 err = audit_dupe_lsm_field(&new->fields[i], 957 &old->fields[i]); 958 break; 959 case AUDIT_FILTERKEY: 960 fk = kstrdup(old->filterkey, GFP_KERNEL); 961 if (unlikely(!fk)) 962 err = -ENOMEM; 963 else 964 new->filterkey = fk; 965 } 966 if (err) { 967 audit_free_rule(entry); 968 return ERR_PTR(err); 969 } 970 } 971 972 if (watch) { 973 audit_get_watch(watch); 974 new->watch = watch; 975 } 976 977 return entry; 978 } 979 980 /* Update inode info in audit rules based on filesystem event. */ 981 static void audit_update_watch(struct audit_parent *parent, 982 const char *dname, dev_t dev, 983 unsigned long ino, unsigned invalidating) 984 { 985 struct audit_watch *owatch, *nwatch, *nextw; 986 struct audit_krule *r, *nextr; 987 struct audit_entry *oentry, *nentry; 988 989 mutex_lock(&audit_filter_mutex); 990 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 991 if (audit_compare_dname_path(dname, owatch->path, NULL)) 992 continue; 993 994 /* If the update involves invalidating rules, do the inode-based 995 * filtering now, so we don't omit records. */ 996 if (invalidating && current->audit_context) 997 audit_filter_inodes(current, current->audit_context); 998 999 nwatch = audit_dupe_watch(owatch); 1000 if (IS_ERR(nwatch)) { 1001 mutex_unlock(&audit_filter_mutex); 1002 audit_panic("error updating watch, skipping"); 1003 return; 1004 } 1005 nwatch->dev = dev; 1006 nwatch->ino = ino; 1007 1008 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 1009 1010 oentry = container_of(r, struct audit_entry, rule); 1011 list_del(&oentry->rule.rlist); 1012 list_del_rcu(&oentry->list); 1013 1014 nentry = audit_dupe_rule(&oentry->rule, nwatch); 1015 if (IS_ERR(nentry)) { 1016 list_del(&oentry->rule.list); 1017 audit_panic("error updating watch, removing"); 1018 } else { 1019 int h = audit_hash_ino((u32)ino); 1020 list_add(&nentry->rule.rlist, &nwatch->rules); 1021 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 1022 list_replace(&oentry->rule.list, 1023 &nentry->rule.list); 1024 } 1025 1026 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1027 } 1028 1029 if (audit_enabled) { 1030 struct audit_buffer *ab; 1031 ab = audit_log_start(NULL, GFP_NOFS, 1032 AUDIT_CONFIG_CHANGE); 1033 audit_log_format(ab, "auid=%u ses=%u", 1034 audit_get_loginuid(current), 1035 audit_get_sessionid(current)); 1036 audit_log_format(ab, 1037 " op=updated rules specifying path="); 1038 audit_log_untrustedstring(ab, owatch->path); 1039 audit_log_format(ab, " with dev=%u ino=%lu\n", 1040 dev, ino); 1041 audit_log_format(ab, " list=%d res=1", r->listnr); 1042 audit_log_end(ab); 1043 } 1044 audit_remove_watch(owatch); 1045 goto add_watch_to_parent; /* event applies to a single watch */ 1046 } 1047 mutex_unlock(&audit_filter_mutex); 1048 return; 1049 1050 add_watch_to_parent: 1051 list_add(&nwatch->wlist, &parent->watches); 1052 mutex_unlock(&audit_filter_mutex); 1053 return; 1054 } 1055 1056 /* Remove all watches & rules associated with a parent that is going away. */ 1057 static void audit_remove_parent_watches(struct audit_parent *parent) 1058 { 1059 struct audit_watch *w, *nextw; 1060 struct audit_krule *r, *nextr; 1061 struct audit_entry *e; 1062 1063 mutex_lock(&audit_filter_mutex); 1064 parent->flags |= AUDIT_PARENT_INVALID; 1065 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1066 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1067 e = container_of(r, struct audit_entry, rule); 1068 if (audit_enabled) { 1069 struct audit_buffer *ab; 1070 ab = audit_log_start(NULL, GFP_NOFS, 1071 AUDIT_CONFIG_CHANGE); 1072 audit_log_format(ab, "auid=%u ses=%u", 1073 audit_get_loginuid(current), 1074 audit_get_sessionid(current)); 1075 audit_log_format(ab, " op=remove rule path="); 1076 audit_log_untrustedstring(ab, w->path); 1077 if (r->filterkey) { 1078 audit_log_format(ab, " key="); 1079 audit_log_untrustedstring(ab, 1080 r->filterkey); 1081 } else 1082 audit_log_format(ab, " key=(null)"); 1083 audit_log_format(ab, " list=%d res=1", 1084 r->listnr); 1085 audit_log_end(ab); 1086 } 1087 list_del(&r->rlist); 1088 list_del(&r->list); 1089 list_del_rcu(&e->list); 1090 call_rcu(&e->rcu, audit_free_rule_rcu); 1091 } 1092 audit_remove_watch(w); 1093 } 1094 mutex_unlock(&audit_filter_mutex); 1095 } 1096 1097 /* Unregister inotify watches for parents on in_list. 1098 * Generates an IN_IGNORED event. */ 1099 static void audit_inotify_unregister(struct list_head *in_list) 1100 { 1101 struct audit_parent *p, *n; 1102 1103 list_for_each_entry_safe(p, n, in_list, ilist) { 1104 list_del(&p->ilist); 1105 inotify_rm_watch(audit_ih, &p->wdata); 1106 /* the unpin matching the pin in audit_do_del_rule() */ 1107 unpin_inotify_watch(&p->wdata); 1108 } 1109 } 1110 1111 /* Find an existing audit rule. 1112 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1113 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1114 struct list_head **p) 1115 { 1116 struct audit_entry *e, *found = NULL; 1117 struct list_head *list; 1118 int h; 1119 1120 if (entry->rule.inode_f) { 1121 h = audit_hash_ino(entry->rule.inode_f->val); 1122 *p = list = &audit_inode_hash[h]; 1123 } else if (entry->rule.watch) { 1124 /* we don't know the inode number, so must walk entire hash */ 1125 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1126 list = &audit_inode_hash[h]; 1127 list_for_each_entry(e, list, list) 1128 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1129 found = e; 1130 goto out; 1131 } 1132 } 1133 goto out; 1134 } else { 1135 *p = list = &audit_filter_list[entry->rule.listnr]; 1136 } 1137 1138 list_for_each_entry(e, list, list) 1139 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1140 found = e; 1141 goto out; 1142 } 1143 1144 out: 1145 return found; 1146 } 1147 1148 /* Get path information necessary for adding watches. */ 1149 static int audit_get_nd(char *path, struct nameidata **ndp, 1150 struct nameidata **ndw) 1151 { 1152 struct nameidata *ndparent, *ndwatch; 1153 int err; 1154 1155 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1156 if (unlikely(!ndparent)) 1157 return -ENOMEM; 1158 1159 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1160 if (unlikely(!ndwatch)) { 1161 kfree(ndparent); 1162 return -ENOMEM; 1163 } 1164 1165 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1166 if (err) { 1167 kfree(ndparent); 1168 kfree(ndwatch); 1169 return err; 1170 } 1171 1172 err = path_lookup(path, 0, ndwatch); 1173 if (err) { 1174 kfree(ndwatch); 1175 ndwatch = NULL; 1176 } 1177 1178 *ndp = ndparent; 1179 *ndw = ndwatch; 1180 1181 return 0; 1182 } 1183 1184 /* Release resources used for watch path information. */ 1185 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1186 { 1187 if (ndp) { 1188 path_put(&ndp->path); 1189 kfree(ndp); 1190 } 1191 if (ndw) { 1192 path_put(&ndw->path); 1193 kfree(ndw); 1194 } 1195 } 1196 1197 /* Associate the given rule with an existing parent inotify_watch. 1198 * Caller must hold audit_filter_mutex. */ 1199 static void audit_add_to_parent(struct audit_krule *krule, 1200 struct audit_parent *parent) 1201 { 1202 struct audit_watch *w, *watch = krule->watch; 1203 int watch_found = 0; 1204 1205 list_for_each_entry(w, &parent->watches, wlist) { 1206 if (strcmp(watch->path, w->path)) 1207 continue; 1208 1209 watch_found = 1; 1210 1211 /* put krule's and initial refs to temporary watch */ 1212 audit_put_watch(watch); 1213 audit_put_watch(watch); 1214 1215 audit_get_watch(w); 1216 krule->watch = watch = w; 1217 break; 1218 } 1219 1220 if (!watch_found) { 1221 get_inotify_watch(&parent->wdata); 1222 watch->parent = parent; 1223 1224 list_add(&watch->wlist, &parent->watches); 1225 } 1226 list_add(&krule->rlist, &watch->rules); 1227 } 1228 1229 /* Find a matching watch entry, or add this one. 1230 * Caller must hold audit_filter_mutex. */ 1231 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1232 struct nameidata *ndw) 1233 { 1234 struct audit_watch *watch = krule->watch; 1235 struct inotify_watch *i_watch; 1236 struct audit_parent *parent; 1237 int ret = 0; 1238 1239 /* update watch filter fields */ 1240 if (ndw) { 1241 watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev; 1242 watch->ino = ndw->path.dentry->d_inode->i_ino; 1243 } 1244 1245 /* The audit_filter_mutex must not be held during inotify calls because 1246 * we hold it during inotify event callback processing. If an existing 1247 * inotify watch is found, inotify_find_watch() grabs a reference before 1248 * returning. 1249 */ 1250 mutex_unlock(&audit_filter_mutex); 1251 1252 if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode, 1253 &i_watch) < 0) { 1254 parent = audit_init_parent(ndp); 1255 if (IS_ERR(parent)) { 1256 /* caller expects mutex locked */ 1257 mutex_lock(&audit_filter_mutex); 1258 return PTR_ERR(parent); 1259 } 1260 } else 1261 parent = container_of(i_watch, struct audit_parent, wdata); 1262 1263 mutex_lock(&audit_filter_mutex); 1264 1265 /* parent was moved before we took audit_filter_mutex */ 1266 if (parent->flags & AUDIT_PARENT_INVALID) 1267 ret = -ENOENT; 1268 else 1269 audit_add_to_parent(krule, parent); 1270 1271 /* match get in audit_init_parent or inotify_find_watch */ 1272 put_inotify_watch(&parent->wdata); 1273 return ret; 1274 } 1275 1276 static u64 prio_low = ~0ULL/2; 1277 static u64 prio_high = ~0ULL/2 - 1; 1278 1279 /* Add rule to given filterlist if not a duplicate. */ 1280 static inline int audit_add_rule(struct audit_entry *entry) 1281 { 1282 struct audit_entry *e; 1283 struct audit_watch *watch = entry->rule.watch; 1284 struct audit_tree *tree = entry->rule.tree; 1285 struct nameidata *ndp = NULL, *ndw = NULL; 1286 struct list_head *list; 1287 int h, err; 1288 #ifdef CONFIG_AUDITSYSCALL 1289 int dont_count = 0; 1290 1291 /* If either of these, don't count towards total */ 1292 if (entry->rule.listnr == AUDIT_FILTER_USER || 1293 entry->rule.listnr == AUDIT_FILTER_TYPE) 1294 dont_count = 1; 1295 #endif 1296 1297 mutex_lock(&audit_filter_mutex); 1298 e = audit_find_rule(entry, &list); 1299 mutex_unlock(&audit_filter_mutex); 1300 if (e) { 1301 err = -EEXIST; 1302 /* normally audit_add_tree_rule() will free it on failure */ 1303 if (tree) 1304 audit_put_tree(tree); 1305 goto error; 1306 } 1307 1308 /* Avoid calling path_lookup under audit_filter_mutex. */ 1309 if (watch) { 1310 err = audit_get_nd(watch->path, &ndp, &ndw); 1311 if (err) 1312 goto error; 1313 } 1314 1315 mutex_lock(&audit_filter_mutex); 1316 if (watch) { 1317 /* audit_filter_mutex is dropped and re-taken during this call */ 1318 err = audit_add_watch(&entry->rule, ndp, ndw); 1319 if (err) { 1320 mutex_unlock(&audit_filter_mutex); 1321 goto error; 1322 } 1323 h = audit_hash_ino((u32)watch->ino); 1324 list = &audit_inode_hash[h]; 1325 } 1326 if (tree) { 1327 err = audit_add_tree_rule(&entry->rule); 1328 if (err) { 1329 mutex_unlock(&audit_filter_mutex); 1330 goto error; 1331 } 1332 } 1333 1334 entry->rule.prio = ~0ULL; 1335 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 1336 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 1337 entry->rule.prio = ++prio_high; 1338 else 1339 entry->rule.prio = --prio_low; 1340 } 1341 1342 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1343 list_add(&entry->rule.list, 1344 &audit_rules_list[entry->rule.listnr]); 1345 list_add_rcu(&entry->list, list); 1346 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1347 } else { 1348 list_add_tail(&entry->rule.list, 1349 &audit_rules_list[entry->rule.listnr]); 1350 list_add_tail_rcu(&entry->list, list); 1351 } 1352 #ifdef CONFIG_AUDITSYSCALL 1353 if (!dont_count) 1354 audit_n_rules++; 1355 1356 if (!audit_match_signal(entry)) 1357 audit_signals++; 1358 #endif 1359 mutex_unlock(&audit_filter_mutex); 1360 1361 audit_put_nd(ndp, ndw); /* NULL args OK */ 1362 return 0; 1363 1364 error: 1365 audit_put_nd(ndp, ndw); /* NULL args OK */ 1366 if (watch) 1367 audit_put_watch(watch); /* tmp watch, matches initial get */ 1368 return err; 1369 } 1370 1371 /* Remove an existing rule from filterlist. */ 1372 static inline int audit_del_rule(struct audit_entry *entry) 1373 { 1374 struct audit_entry *e; 1375 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1376 struct audit_tree *tree = entry->rule.tree; 1377 struct list_head *list; 1378 LIST_HEAD(inotify_list); 1379 int ret = 0; 1380 #ifdef CONFIG_AUDITSYSCALL 1381 int dont_count = 0; 1382 1383 /* If either of these, don't count towards total */ 1384 if (entry->rule.listnr == AUDIT_FILTER_USER || 1385 entry->rule.listnr == AUDIT_FILTER_TYPE) 1386 dont_count = 1; 1387 #endif 1388 1389 mutex_lock(&audit_filter_mutex); 1390 e = audit_find_rule(entry, &list); 1391 if (!e) { 1392 mutex_unlock(&audit_filter_mutex); 1393 ret = -ENOENT; 1394 goto out; 1395 } 1396 1397 watch = e->rule.watch; 1398 if (watch) { 1399 struct audit_parent *parent = watch->parent; 1400 1401 list_del(&e->rule.rlist); 1402 1403 if (list_empty(&watch->rules)) { 1404 audit_remove_watch(watch); 1405 1406 if (list_empty(&parent->watches)) { 1407 /* Put parent on the inotify un-registration 1408 * list. Grab a reference before releasing 1409 * audit_filter_mutex, to be released in 1410 * audit_inotify_unregister(). 1411 * If filesystem is going away, just leave 1412 * the sucker alone, eviction will take 1413 * care of it. 1414 */ 1415 if (pin_inotify_watch(&parent->wdata)) 1416 list_add(&parent->ilist, &inotify_list); 1417 } 1418 } 1419 } 1420 1421 if (e->rule.tree) 1422 audit_remove_tree_rule(&e->rule); 1423 1424 list_del_rcu(&e->list); 1425 list_del(&e->rule.list); 1426 call_rcu(&e->rcu, audit_free_rule_rcu); 1427 1428 #ifdef CONFIG_AUDITSYSCALL 1429 if (!dont_count) 1430 audit_n_rules--; 1431 1432 if (!audit_match_signal(entry)) 1433 audit_signals--; 1434 #endif 1435 mutex_unlock(&audit_filter_mutex); 1436 1437 if (!list_empty(&inotify_list)) 1438 audit_inotify_unregister(&inotify_list); 1439 1440 out: 1441 if (tmp_watch) 1442 audit_put_watch(tmp_watch); /* match initial get */ 1443 if (tree) 1444 audit_put_tree(tree); /* that's the temporary one */ 1445 1446 return ret; 1447 } 1448 1449 /* List rules using struct audit_rule. Exists for backward 1450 * compatibility with userspace. */ 1451 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1452 { 1453 struct sk_buff *skb; 1454 struct audit_krule *r; 1455 int i; 1456 1457 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1458 * iterator to sync with list writers. */ 1459 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1460 list_for_each_entry(r, &audit_rules_list[i], list) { 1461 struct audit_rule *rule; 1462 1463 rule = audit_krule_to_rule(r); 1464 if (unlikely(!rule)) 1465 break; 1466 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1467 rule, sizeof(*rule)); 1468 if (skb) 1469 skb_queue_tail(q, skb); 1470 kfree(rule); 1471 } 1472 } 1473 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1474 if (skb) 1475 skb_queue_tail(q, skb); 1476 } 1477 1478 /* List rules using struct audit_rule_data. */ 1479 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1480 { 1481 struct sk_buff *skb; 1482 struct audit_krule *r; 1483 int i; 1484 1485 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1486 * iterator to sync with list writers. */ 1487 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1488 list_for_each_entry(r, &audit_rules_list[i], list) { 1489 struct audit_rule_data *data; 1490 1491 data = audit_krule_to_data(r); 1492 if (unlikely(!data)) 1493 break; 1494 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1495 data, sizeof(*data) + data->buflen); 1496 if (skb) 1497 skb_queue_tail(q, skb); 1498 kfree(data); 1499 } 1500 } 1501 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1502 if (skb) 1503 skb_queue_tail(q, skb); 1504 } 1505 1506 /* Log rule additions and removals */ 1507 static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, 1508 char *action, struct audit_krule *rule, 1509 int res) 1510 { 1511 struct audit_buffer *ab; 1512 1513 if (!audit_enabled) 1514 return; 1515 1516 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1517 if (!ab) 1518 return; 1519 audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); 1520 if (sid) { 1521 char *ctx = NULL; 1522 u32 len; 1523 if (security_secid_to_secctx(sid, &ctx, &len)) 1524 audit_log_format(ab, " ssid=%u", sid); 1525 else { 1526 audit_log_format(ab, " subj=%s", ctx); 1527 security_release_secctx(ctx, len); 1528 } 1529 } 1530 audit_log_format(ab, " op=%s rule key=", action); 1531 if (rule->filterkey) 1532 audit_log_untrustedstring(ab, rule->filterkey); 1533 else 1534 audit_log_format(ab, "(null)"); 1535 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1536 audit_log_end(ab); 1537 } 1538 1539 /** 1540 * audit_receive_filter - apply all rules to the specified message type 1541 * @type: audit message type 1542 * @pid: target pid for netlink audit messages 1543 * @uid: target uid for netlink audit messages 1544 * @seq: netlink audit message sequence (serial) number 1545 * @data: payload data 1546 * @datasz: size of payload data 1547 * @loginuid: loginuid of sender 1548 * @sessionid: sessionid for netlink audit message 1549 * @sid: SE Linux Security ID of sender 1550 */ 1551 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1552 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) 1553 { 1554 struct task_struct *tsk; 1555 struct audit_netlink_list *dest; 1556 int err = 0; 1557 struct audit_entry *entry; 1558 1559 switch (type) { 1560 case AUDIT_LIST: 1561 case AUDIT_LIST_RULES: 1562 /* We can't just spew out the rules here because we might fill 1563 * the available socket buffer space and deadlock waiting for 1564 * auditctl to read from it... which isn't ever going to 1565 * happen if we're actually running in the context of auditctl 1566 * trying to _send_ the stuff */ 1567 1568 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1569 if (!dest) 1570 return -ENOMEM; 1571 dest->pid = pid; 1572 skb_queue_head_init(&dest->q); 1573 1574 mutex_lock(&audit_filter_mutex); 1575 if (type == AUDIT_LIST) 1576 audit_list(pid, seq, &dest->q); 1577 else 1578 audit_list_rules(pid, seq, &dest->q); 1579 mutex_unlock(&audit_filter_mutex); 1580 1581 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1582 if (IS_ERR(tsk)) { 1583 skb_queue_purge(&dest->q); 1584 kfree(dest); 1585 err = PTR_ERR(tsk); 1586 } 1587 break; 1588 case AUDIT_ADD: 1589 case AUDIT_ADD_RULE: 1590 if (type == AUDIT_ADD) 1591 entry = audit_rule_to_entry(data); 1592 else 1593 entry = audit_data_to_entry(data, datasz); 1594 if (IS_ERR(entry)) 1595 return PTR_ERR(entry); 1596 1597 err = audit_add_rule(entry); 1598 audit_log_rule_change(loginuid, sessionid, sid, "add", 1599 &entry->rule, !err); 1600 1601 if (err) 1602 audit_free_rule(entry); 1603 break; 1604 case AUDIT_DEL: 1605 case AUDIT_DEL_RULE: 1606 if (type == AUDIT_DEL) 1607 entry = audit_rule_to_entry(data); 1608 else 1609 entry = audit_data_to_entry(data, datasz); 1610 if (IS_ERR(entry)) 1611 return PTR_ERR(entry); 1612 1613 err = audit_del_rule(entry); 1614 audit_log_rule_change(loginuid, sessionid, sid, "remove", 1615 &entry->rule, !err); 1616 1617 audit_free_rule(entry); 1618 break; 1619 default: 1620 return -EINVAL; 1621 } 1622 1623 return err; 1624 } 1625 1626 int audit_comparator(u32 left, u32 op, u32 right) 1627 { 1628 switch (op) { 1629 case Audit_equal: 1630 return (left == right); 1631 case Audit_not_equal: 1632 return (left != right); 1633 case Audit_lt: 1634 return (left < right); 1635 case Audit_le: 1636 return (left <= right); 1637 case Audit_gt: 1638 return (left > right); 1639 case Audit_ge: 1640 return (left >= right); 1641 case Audit_bitmask: 1642 return (left & right); 1643 case Audit_bittest: 1644 return ((left & right) == right); 1645 default: 1646 BUG(); 1647 return 0; 1648 } 1649 } 1650 1651 /* Compare given dentry name with last component in given path, 1652 * return of 0 indicates a match. */ 1653 int audit_compare_dname_path(const char *dname, const char *path, 1654 int *dirlen) 1655 { 1656 int dlen, plen; 1657 const char *p; 1658 1659 if (!dname || !path) 1660 return 1; 1661 1662 dlen = strlen(dname); 1663 plen = strlen(path); 1664 if (plen < dlen) 1665 return 1; 1666 1667 /* disregard trailing slashes */ 1668 p = path + plen - 1; 1669 while ((*p == '/') && (p > path)) 1670 p--; 1671 1672 /* find last path component */ 1673 p = p - dlen + 1; 1674 if (p < path) 1675 return 1; 1676 else if (p > path) { 1677 if (*--p != '/') 1678 return 1; 1679 else 1680 p++; 1681 } 1682 1683 /* return length of path's directory component */ 1684 if (dirlen) 1685 *dirlen = p - path; 1686 return strncmp(p, dname, dlen); 1687 } 1688 1689 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1690 struct audit_krule *rule, 1691 enum audit_state *state) 1692 { 1693 int i; 1694 1695 for (i = 0; i < rule->field_count; i++) { 1696 struct audit_field *f = &rule->fields[i]; 1697 int result = 0; 1698 1699 switch (f->type) { 1700 case AUDIT_PID: 1701 result = audit_comparator(cb->creds.pid, f->op, f->val); 1702 break; 1703 case AUDIT_UID: 1704 result = audit_comparator(cb->creds.uid, f->op, f->val); 1705 break; 1706 case AUDIT_GID: 1707 result = audit_comparator(cb->creds.gid, f->op, f->val); 1708 break; 1709 case AUDIT_LOGINUID: 1710 result = audit_comparator(cb->loginuid, f->op, f->val); 1711 break; 1712 } 1713 1714 if (!result) 1715 return 0; 1716 } 1717 switch (rule->action) { 1718 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1719 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1720 } 1721 return 1; 1722 } 1723 1724 int audit_filter_user(struct netlink_skb_parms *cb) 1725 { 1726 enum audit_state state = AUDIT_DISABLED; 1727 struct audit_entry *e; 1728 int ret = 1; 1729 1730 rcu_read_lock(); 1731 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1732 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1733 if (state == AUDIT_DISABLED) 1734 ret = 0; 1735 break; 1736 } 1737 } 1738 rcu_read_unlock(); 1739 1740 return ret; /* Audit by default */ 1741 } 1742 1743 int audit_filter_type(int type) 1744 { 1745 struct audit_entry *e; 1746 int result = 0; 1747 1748 rcu_read_lock(); 1749 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1750 goto unlock_and_return; 1751 1752 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1753 list) { 1754 int i; 1755 for (i = 0; i < e->rule.field_count; i++) { 1756 struct audit_field *f = &e->rule.fields[i]; 1757 if (f->type == AUDIT_MSGTYPE) { 1758 result = audit_comparator(type, f->op, f->val); 1759 if (!result) 1760 break; 1761 } 1762 } 1763 if (result) 1764 goto unlock_and_return; 1765 } 1766 unlock_and_return: 1767 rcu_read_unlock(); 1768 return result; 1769 } 1770 1771 static int update_lsm_rule(struct audit_krule *r) 1772 { 1773 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1774 struct audit_entry *nentry; 1775 struct audit_watch *watch; 1776 struct audit_tree *tree; 1777 int err = 0; 1778 1779 if (!security_audit_rule_known(r)) 1780 return 0; 1781 1782 watch = r->watch; 1783 tree = r->tree; 1784 nentry = audit_dupe_rule(r, watch); 1785 if (IS_ERR(nentry)) { 1786 /* save the first error encountered for the 1787 * return value */ 1788 err = PTR_ERR(nentry); 1789 audit_panic("error updating LSM filters"); 1790 if (watch) 1791 list_del(&r->rlist); 1792 list_del_rcu(&entry->list); 1793 list_del(&r->list); 1794 } else { 1795 if (watch) { 1796 list_add(&nentry->rule.rlist, &watch->rules); 1797 list_del(&r->rlist); 1798 } else if (tree) 1799 list_replace_init(&r->rlist, &nentry->rule.rlist); 1800 list_replace_rcu(&entry->list, &nentry->list); 1801 list_replace(&r->list, &nentry->rule.list); 1802 } 1803 call_rcu(&entry->rcu, audit_free_rule_rcu); 1804 1805 return err; 1806 } 1807 1808 /* This function will re-initialize the lsm_rule field of all applicable rules. 1809 * It will traverse the filter lists serarching for rules that contain LSM 1810 * specific filter fields. When such a rule is found, it is copied, the 1811 * LSM field is re-initialized, and the old rule is replaced with the 1812 * updated rule. */ 1813 int audit_update_lsm_rules(void) 1814 { 1815 struct audit_krule *r, *n; 1816 int i, err = 0; 1817 1818 /* audit_filter_mutex synchronizes the writers */ 1819 mutex_lock(&audit_filter_mutex); 1820 1821 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1822 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1823 int res = update_lsm_rule(r); 1824 if (!err) 1825 err = res; 1826 } 1827 } 1828 mutex_unlock(&audit_filter_mutex); 1829 1830 return err; 1831 } 1832 1833 /* Update watch data in audit rules based on inotify events. */ 1834 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1835 u32 cookie, const char *dname, struct inode *inode) 1836 { 1837 struct audit_parent *parent; 1838 1839 parent = container_of(i_watch, struct audit_parent, wdata); 1840 1841 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1842 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1843 inode->i_ino, 0); 1844 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1845 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1846 /* inotify automatically removes the watch and sends IN_IGNORED */ 1847 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1848 audit_remove_parent_watches(parent); 1849 /* inotify does not remove the watch, so remove it manually */ 1850 else if(mask & IN_MOVE_SELF) { 1851 audit_remove_parent_watches(parent); 1852 inotify_remove_watch_locked(audit_ih, i_watch); 1853 } else if (mask & IN_IGNORED) 1854 put_inotify_watch(i_watch); 1855 } 1856