1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 23 24 #include <linux/kernel.h> 25 #include <linux/audit.h> 26 #include <linux/kthread.h> 27 #include <linux/mutex.h> 28 #include <linux/fs.h> 29 #include <linux/namei.h> 30 #include <linux/netlink.h> 31 #include <linux/sched.h> 32 #include <linux/slab.h> 33 #include <linux/security.h> 34 #include <net/net_namespace.h> 35 #include <net/sock.h> 36 #include "audit.h" 37 38 /* 39 * Locking model: 40 * 41 * audit_filter_mutex: 42 * Synchronizes writes and blocking reads of audit's filterlist 43 * data. Rcu is used to traverse the filterlist and access 44 * contents of structs audit_entry, audit_watch and opaque 45 * LSM rules during filtering. If modified, these structures 46 * must be copied and replace their counterparts in the filterlist. 47 * An audit_parent struct is not accessed during filtering, so may 48 * be written directly provided audit_filter_mutex is held. 49 */ 50 51 /* Audit filter lists, defined in <linux/audit.h> */ 52 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 53 LIST_HEAD_INIT(audit_filter_list[0]), 54 LIST_HEAD_INIT(audit_filter_list[1]), 55 LIST_HEAD_INIT(audit_filter_list[2]), 56 LIST_HEAD_INIT(audit_filter_list[3]), 57 LIST_HEAD_INIT(audit_filter_list[4]), 58 LIST_HEAD_INIT(audit_filter_list[5]), 59 #if AUDIT_NR_FILTERS != 6 60 #error Fix audit_filter_list initialiser 61 #endif 62 }; 63 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 64 LIST_HEAD_INIT(audit_rules_list[0]), 65 LIST_HEAD_INIT(audit_rules_list[1]), 66 LIST_HEAD_INIT(audit_rules_list[2]), 67 LIST_HEAD_INIT(audit_rules_list[3]), 68 LIST_HEAD_INIT(audit_rules_list[4]), 69 LIST_HEAD_INIT(audit_rules_list[5]), 70 }; 71 72 DEFINE_MUTEX(audit_filter_mutex); 73 74 static inline void audit_free_rule(struct audit_entry *e) 75 { 76 int i; 77 struct audit_krule *erule = &e->rule; 78 79 /* some rules don't have associated watches */ 80 if (erule->watch) 81 audit_put_watch(erule->watch); 82 if (erule->fields) 83 for (i = 0; i < erule->field_count; i++) { 84 struct audit_field *f = &erule->fields[i]; 85 kfree(f->lsm_str); 86 security_audit_rule_free(f->lsm_rule); 87 } 88 kfree(erule->fields); 89 kfree(erule->filterkey); 90 kfree(e); 91 } 92 93 void audit_free_rule_rcu(struct rcu_head *head) 94 { 95 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 96 audit_free_rule(e); 97 } 98 99 /* Initialize an audit filterlist entry. */ 100 static inline struct audit_entry *audit_init_entry(u32 field_count) 101 { 102 struct audit_entry *entry; 103 struct audit_field *fields; 104 105 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 106 if (unlikely(!entry)) 107 return NULL; 108 109 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 110 if (unlikely(!fields)) { 111 kfree(entry); 112 return NULL; 113 } 114 entry->rule.fields = fields; 115 116 return entry; 117 } 118 119 /* Unpack a filter field's string representation from user-space 120 * buffer. */ 121 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 122 { 123 char *str; 124 125 if (!*bufp || (len == 0) || (len > *remain)) 126 return ERR_PTR(-EINVAL); 127 128 /* Of the currently implemented string fields, PATH_MAX 129 * defines the longest valid length. 130 */ 131 if (len > PATH_MAX) 132 return ERR_PTR(-ENAMETOOLONG); 133 134 str = kmalloc(len + 1, GFP_KERNEL); 135 if (unlikely(!str)) 136 return ERR_PTR(-ENOMEM); 137 138 memcpy(str, *bufp, len); 139 str[len] = 0; 140 *bufp += len; 141 *remain -= len; 142 143 return str; 144 } 145 146 /* Translate an inode field to kernel respresentation. */ 147 static inline int audit_to_inode(struct audit_krule *krule, 148 struct audit_field *f) 149 { 150 if (krule->listnr != AUDIT_FILTER_EXIT || 151 krule->watch || krule->inode_f || krule->tree || 152 (f->op != Audit_equal && f->op != Audit_not_equal)) 153 return -EINVAL; 154 155 krule->inode_f = f; 156 return 0; 157 } 158 159 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 160 161 int __init audit_register_class(int class, unsigned *list) 162 { 163 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 164 if (!p) 165 return -ENOMEM; 166 while (*list != ~0U) { 167 unsigned n = *list++; 168 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 169 kfree(p); 170 return -EINVAL; 171 } 172 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 173 } 174 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 175 kfree(p); 176 return -EINVAL; 177 } 178 classes[class] = p; 179 return 0; 180 } 181 182 int audit_match_class(int class, unsigned syscall) 183 { 184 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 185 return 0; 186 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 187 return 0; 188 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 189 } 190 191 #ifdef CONFIG_AUDITSYSCALL 192 static inline int audit_match_class_bits(int class, u32 *mask) 193 { 194 int i; 195 196 if (classes[class]) { 197 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 198 if (mask[i] & classes[class][i]) 199 return 0; 200 } 201 return 1; 202 } 203 204 static int audit_match_signal(struct audit_entry *entry) 205 { 206 struct audit_field *arch = entry->rule.arch_f; 207 208 if (!arch) { 209 /* When arch is unspecified, we must check both masks on biarch 210 * as syscall number alone is ambiguous. */ 211 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 212 entry->rule.mask) && 213 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 214 entry->rule.mask)); 215 } 216 217 switch(audit_classify_arch(arch->val)) { 218 case 0: /* native */ 219 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 220 entry->rule.mask)); 221 case 1: /* 32bit on biarch */ 222 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 223 entry->rule.mask)); 224 default: 225 return 1; 226 } 227 } 228 #endif 229 230 /* Common user-space to kernel rule translation. */ 231 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule) 232 { 233 unsigned listnr; 234 struct audit_entry *entry; 235 int i, err; 236 237 err = -EINVAL; 238 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 239 switch(listnr) { 240 default: 241 goto exit_err; 242 #ifdef CONFIG_AUDITSYSCALL 243 case AUDIT_FILTER_ENTRY: 244 if (rule->action == AUDIT_ALWAYS) 245 goto exit_err; 246 case AUDIT_FILTER_EXIT: 247 case AUDIT_FILTER_TASK: 248 #endif 249 case AUDIT_FILTER_USER: 250 case AUDIT_FILTER_TYPE: 251 ; 252 } 253 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 254 pr_err("AUDIT_POSSIBLE is deprecated\n"); 255 goto exit_err; 256 } 257 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 258 goto exit_err; 259 if (rule->field_count > AUDIT_MAX_FIELDS) 260 goto exit_err; 261 262 err = -ENOMEM; 263 entry = audit_init_entry(rule->field_count); 264 if (!entry) 265 goto exit_err; 266 267 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 268 entry->rule.listnr = listnr; 269 entry->rule.action = rule->action; 270 entry->rule.field_count = rule->field_count; 271 272 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 273 entry->rule.mask[i] = rule->mask[i]; 274 275 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 276 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 277 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 278 __u32 *class; 279 280 if (!(*p & AUDIT_BIT(bit))) 281 continue; 282 *p &= ~AUDIT_BIT(bit); 283 class = classes[i]; 284 if (class) { 285 int j; 286 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 287 entry->rule.mask[j] |= class[j]; 288 } 289 } 290 291 return entry; 292 293 exit_err: 294 return ERR_PTR(err); 295 } 296 297 static u32 audit_ops[] = 298 { 299 [Audit_equal] = AUDIT_EQUAL, 300 [Audit_not_equal] = AUDIT_NOT_EQUAL, 301 [Audit_bitmask] = AUDIT_BIT_MASK, 302 [Audit_bittest] = AUDIT_BIT_TEST, 303 [Audit_lt] = AUDIT_LESS_THAN, 304 [Audit_gt] = AUDIT_GREATER_THAN, 305 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 306 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 307 }; 308 309 static u32 audit_to_op(u32 op) 310 { 311 u32 n; 312 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 313 ; 314 return n; 315 } 316 317 /* check if an audit field is valid */ 318 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) 319 { 320 switch(f->type) { 321 case AUDIT_MSGTYPE: 322 if (entry->rule.listnr != AUDIT_FILTER_TYPE && 323 entry->rule.listnr != AUDIT_FILTER_USER) 324 return -EINVAL; 325 break; 326 }; 327 328 switch(f->type) { 329 default: 330 return -EINVAL; 331 case AUDIT_UID: 332 case AUDIT_EUID: 333 case AUDIT_SUID: 334 case AUDIT_FSUID: 335 case AUDIT_LOGINUID: 336 case AUDIT_OBJ_UID: 337 case AUDIT_GID: 338 case AUDIT_EGID: 339 case AUDIT_SGID: 340 case AUDIT_FSGID: 341 case AUDIT_OBJ_GID: 342 case AUDIT_PID: 343 case AUDIT_PERS: 344 case AUDIT_MSGTYPE: 345 case AUDIT_PPID: 346 case AUDIT_DEVMAJOR: 347 case AUDIT_DEVMINOR: 348 case AUDIT_EXIT: 349 case AUDIT_SUCCESS: 350 case AUDIT_INODE: 351 /* bit ops are only useful on syscall args */ 352 if (f->op == Audit_bitmask || f->op == Audit_bittest) 353 return -EINVAL; 354 break; 355 case AUDIT_ARG0: 356 case AUDIT_ARG1: 357 case AUDIT_ARG2: 358 case AUDIT_ARG3: 359 case AUDIT_SUBJ_USER: 360 case AUDIT_SUBJ_ROLE: 361 case AUDIT_SUBJ_TYPE: 362 case AUDIT_SUBJ_SEN: 363 case AUDIT_SUBJ_CLR: 364 case AUDIT_OBJ_USER: 365 case AUDIT_OBJ_ROLE: 366 case AUDIT_OBJ_TYPE: 367 case AUDIT_OBJ_LEV_LOW: 368 case AUDIT_OBJ_LEV_HIGH: 369 case AUDIT_WATCH: 370 case AUDIT_DIR: 371 case AUDIT_FILTERKEY: 372 break; 373 case AUDIT_LOGINUID_SET: 374 if ((f->val != 0) && (f->val != 1)) 375 return -EINVAL; 376 /* FALL THROUGH */ 377 case AUDIT_ARCH: 378 if (f->op != Audit_not_equal && f->op != Audit_equal) 379 return -EINVAL; 380 break; 381 case AUDIT_PERM: 382 if (f->val & ~15) 383 return -EINVAL; 384 break; 385 case AUDIT_FILETYPE: 386 if (f->val & ~S_IFMT) 387 return -EINVAL; 388 break; 389 case AUDIT_FIELD_COMPARE: 390 if (f->val > AUDIT_MAX_FIELD_COMPARE) 391 return -EINVAL; 392 break; 393 }; 394 return 0; 395 } 396 397 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 398 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 399 size_t datasz) 400 { 401 int err = 0; 402 struct audit_entry *entry; 403 void *bufp; 404 size_t remain = datasz - sizeof(struct audit_rule_data); 405 int i; 406 char *str; 407 408 entry = audit_to_entry_common(data); 409 if (IS_ERR(entry)) 410 goto exit_nofree; 411 412 bufp = data->buf; 413 entry->rule.vers_ops = 2; 414 for (i = 0; i < data->field_count; i++) { 415 struct audit_field *f = &entry->rule.fields[i]; 416 417 err = -EINVAL; 418 419 f->op = audit_to_op(data->fieldflags[i]); 420 if (f->op == Audit_bad) 421 goto exit_free; 422 423 f->type = data->fields[i]; 424 f->val = data->values[i]; 425 f->uid = INVALID_UID; 426 f->gid = INVALID_GID; 427 f->lsm_str = NULL; 428 f->lsm_rule = NULL; 429 430 /* Support legacy tests for a valid loginuid */ 431 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { 432 f->type = AUDIT_LOGINUID_SET; 433 f->val = 0; 434 } 435 436 if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) { 437 struct pid *pid; 438 rcu_read_lock(); 439 pid = find_vpid(f->val); 440 if (!pid) { 441 rcu_read_unlock(); 442 err = -ESRCH; 443 goto exit_free; 444 } 445 f->val = pid_nr(pid); 446 rcu_read_unlock(); 447 } 448 449 err = audit_field_valid(entry, f); 450 if (err) 451 goto exit_free; 452 453 err = -EINVAL; 454 switch (f->type) { 455 case AUDIT_LOGINUID: 456 case AUDIT_UID: 457 case AUDIT_EUID: 458 case AUDIT_SUID: 459 case AUDIT_FSUID: 460 case AUDIT_OBJ_UID: 461 f->uid = make_kuid(current_user_ns(), f->val); 462 if (!uid_valid(f->uid)) 463 goto exit_free; 464 break; 465 case AUDIT_GID: 466 case AUDIT_EGID: 467 case AUDIT_SGID: 468 case AUDIT_FSGID: 469 case AUDIT_OBJ_GID: 470 f->gid = make_kgid(current_user_ns(), f->val); 471 if (!gid_valid(f->gid)) 472 goto exit_free; 473 break; 474 case AUDIT_ARCH: 475 entry->rule.arch_f = f; 476 break; 477 case AUDIT_SUBJ_USER: 478 case AUDIT_SUBJ_ROLE: 479 case AUDIT_SUBJ_TYPE: 480 case AUDIT_SUBJ_SEN: 481 case AUDIT_SUBJ_CLR: 482 case AUDIT_OBJ_USER: 483 case AUDIT_OBJ_ROLE: 484 case AUDIT_OBJ_TYPE: 485 case AUDIT_OBJ_LEV_LOW: 486 case AUDIT_OBJ_LEV_HIGH: 487 str = audit_unpack_string(&bufp, &remain, f->val); 488 if (IS_ERR(str)) 489 goto exit_free; 490 entry->rule.buflen += f->val; 491 492 err = security_audit_rule_init(f->type, f->op, str, 493 (void **)&f->lsm_rule); 494 /* Keep currently invalid fields around in case they 495 * become valid after a policy reload. */ 496 if (err == -EINVAL) { 497 pr_warn("audit rule for LSM \'%s\' is invalid\n", 498 str); 499 err = 0; 500 } 501 if (err) { 502 kfree(str); 503 goto exit_free; 504 } else 505 f->lsm_str = str; 506 break; 507 case AUDIT_WATCH: 508 str = audit_unpack_string(&bufp, &remain, f->val); 509 if (IS_ERR(str)) 510 goto exit_free; 511 entry->rule.buflen += f->val; 512 513 err = audit_to_watch(&entry->rule, str, f->val, f->op); 514 if (err) { 515 kfree(str); 516 goto exit_free; 517 } 518 break; 519 case AUDIT_DIR: 520 str = audit_unpack_string(&bufp, &remain, f->val); 521 if (IS_ERR(str)) 522 goto exit_free; 523 entry->rule.buflen += f->val; 524 525 err = audit_make_tree(&entry->rule, str, f->op); 526 kfree(str); 527 if (err) 528 goto exit_free; 529 break; 530 case AUDIT_INODE: 531 err = audit_to_inode(&entry->rule, f); 532 if (err) 533 goto exit_free; 534 break; 535 case AUDIT_FILTERKEY: 536 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 537 goto exit_free; 538 str = audit_unpack_string(&bufp, &remain, f->val); 539 if (IS_ERR(str)) 540 goto exit_free; 541 entry->rule.buflen += f->val; 542 entry->rule.filterkey = str; 543 break; 544 } 545 } 546 547 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 548 entry->rule.inode_f = NULL; 549 550 exit_nofree: 551 return entry; 552 553 exit_free: 554 if (entry->rule.watch) 555 audit_put_watch(entry->rule.watch); /* matches initial get */ 556 if (entry->rule.tree) 557 audit_put_tree(entry->rule.tree); /* that's the temporary one */ 558 audit_free_rule(entry); 559 return ERR_PTR(err); 560 } 561 562 /* Pack a filter field's string representation into data block. */ 563 static inline size_t audit_pack_string(void **bufp, const char *str) 564 { 565 size_t len = strlen(str); 566 567 memcpy(*bufp, str, len); 568 *bufp += len; 569 570 return len; 571 } 572 573 /* Translate kernel rule respresentation to struct audit_rule_data. */ 574 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 575 { 576 struct audit_rule_data *data; 577 void *bufp; 578 int i; 579 580 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 581 if (unlikely(!data)) 582 return NULL; 583 memset(data, 0, sizeof(*data)); 584 585 data->flags = krule->flags | krule->listnr; 586 data->action = krule->action; 587 data->field_count = krule->field_count; 588 bufp = data->buf; 589 for (i = 0; i < data->field_count; i++) { 590 struct audit_field *f = &krule->fields[i]; 591 592 data->fields[i] = f->type; 593 data->fieldflags[i] = audit_ops[f->op]; 594 switch(f->type) { 595 case AUDIT_SUBJ_USER: 596 case AUDIT_SUBJ_ROLE: 597 case AUDIT_SUBJ_TYPE: 598 case AUDIT_SUBJ_SEN: 599 case AUDIT_SUBJ_CLR: 600 case AUDIT_OBJ_USER: 601 case AUDIT_OBJ_ROLE: 602 case AUDIT_OBJ_TYPE: 603 case AUDIT_OBJ_LEV_LOW: 604 case AUDIT_OBJ_LEV_HIGH: 605 data->buflen += data->values[i] = 606 audit_pack_string(&bufp, f->lsm_str); 607 break; 608 case AUDIT_WATCH: 609 data->buflen += data->values[i] = 610 audit_pack_string(&bufp, 611 audit_watch_path(krule->watch)); 612 break; 613 case AUDIT_DIR: 614 data->buflen += data->values[i] = 615 audit_pack_string(&bufp, 616 audit_tree_path(krule->tree)); 617 break; 618 case AUDIT_FILTERKEY: 619 data->buflen += data->values[i] = 620 audit_pack_string(&bufp, krule->filterkey); 621 break; 622 default: 623 data->values[i] = f->val; 624 } 625 } 626 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 627 628 return data; 629 } 630 631 /* Compare two rules in kernel format. Considered success if rules 632 * don't match. */ 633 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 634 { 635 int i; 636 637 if (a->flags != b->flags || 638 a->listnr != b->listnr || 639 a->action != b->action || 640 a->field_count != b->field_count) 641 return 1; 642 643 for (i = 0; i < a->field_count; i++) { 644 if (a->fields[i].type != b->fields[i].type || 645 a->fields[i].op != b->fields[i].op) 646 return 1; 647 648 switch(a->fields[i].type) { 649 case AUDIT_SUBJ_USER: 650 case AUDIT_SUBJ_ROLE: 651 case AUDIT_SUBJ_TYPE: 652 case AUDIT_SUBJ_SEN: 653 case AUDIT_SUBJ_CLR: 654 case AUDIT_OBJ_USER: 655 case AUDIT_OBJ_ROLE: 656 case AUDIT_OBJ_TYPE: 657 case AUDIT_OBJ_LEV_LOW: 658 case AUDIT_OBJ_LEV_HIGH: 659 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 660 return 1; 661 break; 662 case AUDIT_WATCH: 663 if (strcmp(audit_watch_path(a->watch), 664 audit_watch_path(b->watch))) 665 return 1; 666 break; 667 case AUDIT_DIR: 668 if (strcmp(audit_tree_path(a->tree), 669 audit_tree_path(b->tree))) 670 return 1; 671 break; 672 case AUDIT_FILTERKEY: 673 /* both filterkeys exist based on above type compare */ 674 if (strcmp(a->filterkey, b->filterkey)) 675 return 1; 676 break; 677 case AUDIT_UID: 678 case AUDIT_EUID: 679 case AUDIT_SUID: 680 case AUDIT_FSUID: 681 case AUDIT_LOGINUID: 682 case AUDIT_OBJ_UID: 683 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 684 return 1; 685 break; 686 case AUDIT_GID: 687 case AUDIT_EGID: 688 case AUDIT_SGID: 689 case AUDIT_FSGID: 690 case AUDIT_OBJ_GID: 691 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 692 return 1; 693 break; 694 default: 695 if (a->fields[i].val != b->fields[i].val) 696 return 1; 697 } 698 } 699 700 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 701 if (a->mask[i] != b->mask[i]) 702 return 1; 703 704 return 0; 705 } 706 707 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 708 * re-initialized. */ 709 static inline int audit_dupe_lsm_field(struct audit_field *df, 710 struct audit_field *sf) 711 { 712 int ret = 0; 713 char *lsm_str; 714 715 /* our own copy of lsm_str */ 716 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 717 if (unlikely(!lsm_str)) 718 return -ENOMEM; 719 df->lsm_str = lsm_str; 720 721 /* our own (refreshed) copy of lsm_rule */ 722 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 723 (void **)&df->lsm_rule); 724 /* Keep currently invalid fields around in case they 725 * become valid after a policy reload. */ 726 if (ret == -EINVAL) { 727 pr_warn("audit rule for LSM \'%s\' is invalid\n", 728 df->lsm_str); 729 ret = 0; 730 } 731 732 return ret; 733 } 734 735 /* Duplicate an audit rule. This will be a deep copy with the exception 736 * of the watch - that pointer is carried over. The LSM specific fields 737 * will be updated in the copy. The point is to be able to replace the old 738 * rule with the new rule in the filterlist, then free the old rule. 739 * The rlist element is undefined; list manipulations are handled apart from 740 * the initial copy. */ 741 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 742 { 743 u32 fcount = old->field_count; 744 struct audit_entry *entry; 745 struct audit_krule *new; 746 char *fk; 747 int i, err = 0; 748 749 entry = audit_init_entry(fcount); 750 if (unlikely(!entry)) 751 return ERR_PTR(-ENOMEM); 752 753 new = &entry->rule; 754 new->vers_ops = old->vers_ops; 755 new->flags = old->flags; 756 new->listnr = old->listnr; 757 new->action = old->action; 758 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 759 new->mask[i] = old->mask[i]; 760 new->prio = old->prio; 761 new->buflen = old->buflen; 762 new->inode_f = old->inode_f; 763 new->field_count = old->field_count; 764 765 /* 766 * note that we are OK with not refcounting here; audit_match_tree() 767 * never dereferences tree and we can't get false positives there 768 * since we'd have to have rule gone from the list *and* removed 769 * before the chunks found by lookup had been allocated, i.e. before 770 * the beginning of list scan. 771 */ 772 new->tree = old->tree; 773 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 774 775 /* deep copy this information, updating the lsm_rule fields, because 776 * the originals will all be freed when the old rule is freed. */ 777 for (i = 0; i < fcount; i++) { 778 switch (new->fields[i].type) { 779 case AUDIT_SUBJ_USER: 780 case AUDIT_SUBJ_ROLE: 781 case AUDIT_SUBJ_TYPE: 782 case AUDIT_SUBJ_SEN: 783 case AUDIT_SUBJ_CLR: 784 case AUDIT_OBJ_USER: 785 case AUDIT_OBJ_ROLE: 786 case AUDIT_OBJ_TYPE: 787 case AUDIT_OBJ_LEV_LOW: 788 case AUDIT_OBJ_LEV_HIGH: 789 err = audit_dupe_lsm_field(&new->fields[i], 790 &old->fields[i]); 791 break; 792 case AUDIT_FILTERKEY: 793 fk = kstrdup(old->filterkey, GFP_KERNEL); 794 if (unlikely(!fk)) 795 err = -ENOMEM; 796 else 797 new->filterkey = fk; 798 } 799 if (err) { 800 audit_free_rule(entry); 801 return ERR_PTR(err); 802 } 803 } 804 805 if (old->watch) { 806 audit_get_watch(old->watch); 807 new->watch = old->watch; 808 } 809 810 return entry; 811 } 812 813 /* Find an existing audit rule. 814 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 815 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 816 struct list_head **p) 817 { 818 struct audit_entry *e, *found = NULL; 819 struct list_head *list; 820 int h; 821 822 if (entry->rule.inode_f) { 823 h = audit_hash_ino(entry->rule.inode_f->val); 824 *p = list = &audit_inode_hash[h]; 825 } else if (entry->rule.watch) { 826 /* we don't know the inode number, so must walk entire hash */ 827 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 828 list = &audit_inode_hash[h]; 829 list_for_each_entry(e, list, list) 830 if (!audit_compare_rule(&entry->rule, &e->rule)) { 831 found = e; 832 goto out; 833 } 834 } 835 goto out; 836 } else { 837 *p = list = &audit_filter_list[entry->rule.listnr]; 838 } 839 840 list_for_each_entry(e, list, list) 841 if (!audit_compare_rule(&entry->rule, &e->rule)) { 842 found = e; 843 goto out; 844 } 845 846 out: 847 return found; 848 } 849 850 static u64 prio_low = ~0ULL/2; 851 static u64 prio_high = ~0ULL/2 - 1; 852 853 /* Add rule to given filterlist if not a duplicate. */ 854 static inline int audit_add_rule(struct audit_entry *entry) 855 { 856 struct audit_entry *e; 857 struct audit_watch *watch = entry->rule.watch; 858 struct audit_tree *tree = entry->rule.tree; 859 struct list_head *list; 860 int err; 861 #ifdef CONFIG_AUDITSYSCALL 862 int dont_count = 0; 863 864 /* If either of these, don't count towards total */ 865 if (entry->rule.listnr == AUDIT_FILTER_USER || 866 entry->rule.listnr == AUDIT_FILTER_TYPE) 867 dont_count = 1; 868 #endif 869 870 mutex_lock(&audit_filter_mutex); 871 e = audit_find_rule(entry, &list); 872 if (e) { 873 mutex_unlock(&audit_filter_mutex); 874 err = -EEXIST; 875 /* normally audit_add_tree_rule() will free it on failure */ 876 if (tree) 877 audit_put_tree(tree); 878 goto error; 879 } 880 881 if (watch) { 882 /* audit_filter_mutex is dropped and re-taken during this call */ 883 err = audit_add_watch(&entry->rule, &list); 884 if (err) { 885 mutex_unlock(&audit_filter_mutex); 886 /* 887 * normally audit_add_tree_rule() will free it 888 * on failure 889 */ 890 if (tree) 891 audit_put_tree(tree); 892 goto error; 893 } 894 } 895 if (tree) { 896 err = audit_add_tree_rule(&entry->rule); 897 if (err) { 898 mutex_unlock(&audit_filter_mutex); 899 goto error; 900 } 901 } 902 903 entry->rule.prio = ~0ULL; 904 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 905 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 906 entry->rule.prio = ++prio_high; 907 else 908 entry->rule.prio = --prio_low; 909 } 910 911 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 912 list_add(&entry->rule.list, 913 &audit_rules_list[entry->rule.listnr]); 914 list_add_rcu(&entry->list, list); 915 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 916 } else { 917 list_add_tail(&entry->rule.list, 918 &audit_rules_list[entry->rule.listnr]); 919 list_add_tail_rcu(&entry->list, list); 920 } 921 #ifdef CONFIG_AUDITSYSCALL 922 if (!dont_count) 923 audit_n_rules++; 924 925 if (!audit_match_signal(entry)) 926 audit_signals++; 927 #endif 928 mutex_unlock(&audit_filter_mutex); 929 930 return 0; 931 932 error: 933 if (watch) 934 audit_put_watch(watch); /* tmp watch, matches initial get */ 935 return err; 936 } 937 938 /* Remove an existing rule from filterlist. */ 939 static inline int audit_del_rule(struct audit_entry *entry) 940 { 941 struct audit_entry *e; 942 struct audit_watch *watch = entry->rule.watch; 943 struct audit_tree *tree = entry->rule.tree; 944 struct list_head *list; 945 int ret = 0; 946 #ifdef CONFIG_AUDITSYSCALL 947 int dont_count = 0; 948 949 /* If either of these, don't count towards total */ 950 if (entry->rule.listnr == AUDIT_FILTER_USER || 951 entry->rule.listnr == AUDIT_FILTER_TYPE) 952 dont_count = 1; 953 #endif 954 955 mutex_lock(&audit_filter_mutex); 956 e = audit_find_rule(entry, &list); 957 if (!e) { 958 mutex_unlock(&audit_filter_mutex); 959 ret = -ENOENT; 960 goto out; 961 } 962 963 if (e->rule.watch) 964 audit_remove_watch_rule(&e->rule); 965 966 if (e->rule.tree) 967 audit_remove_tree_rule(&e->rule); 968 969 list_del_rcu(&e->list); 970 list_del(&e->rule.list); 971 call_rcu(&e->rcu, audit_free_rule_rcu); 972 973 #ifdef CONFIG_AUDITSYSCALL 974 if (!dont_count) 975 audit_n_rules--; 976 977 if (!audit_match_signal(entry)) 978 audit_signals--; 979 #endif 980 mutex_unlock(&audit_filter_mutex); 981 982 out: 983 if (watch) 984 audit_put_watch(watch); /* match initial get */ 985 if (tree) 986 audit_put_tree(tree); /* that's the temporary one */ 987 988 return ret; 989 } 990 991 /* List rules using struct audit_rule_data. */ 992 static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q) 993 { 994 struct sk_buff *skb; 995 struct audit_krule *r; 996 int i; 997 998 /* This is a blocking read, so use audit_filter_mutex instead of rcu 999 * iterator to sync with list writers. */ 1000 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1001 list_for_each_entry(r, &audit_rules_list[i], list) { 1002 struct audit_rule_data *data; 1003 1004 data = audit_krule_to_data(r); 1005 if (unlikely(!data)) 1006 break; 1007 skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1008 0, 1, data, 1009 sizeof(*data) + data->buflen); 1010 if (skb) 1011 skb_queue_tail(q, skb); 1012 kfree(data); 1013 } 1014 } 1015 skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1016 if (skb) 1017 skb_queue_tail(q, skb); 1018 } 1019 1020 /* Log rule additions and removals */ 1021 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) 1022 { 1023 struct audit_buffer *ab; 1024 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1025 unsigned int sessionid = audit_get_sessionid(current); 1026 1027 if (!audit_enabled) 1028 return; 1029 1030 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1031 if (!ab) 1032 return; 1033 audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); 1034 audit_log_task_context(ab); 1035 audit_log_format(ab, " op="); 1036 audit_log_string(ab, action); 1037 audit_log_key(ab, rule->filterkey); 1038 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1039 audit_log_end(ab); 1040 } 1041 1042 /** 1043 * audit_rule_change - apply all rules to the specified message type 1044 * @type: audit message type 1045 * @portid: target port id for netlink audit messages 1046 * @seq: netlink audit message sequence (serial) number 1047 * @data: payload data 1048 * @datasz: size of payload data 1049 */ 1050 int audit_rule_change(int type, __u32 portid, int seq, void *data, 1051 size_t datasz) 1052 { 1053 int err = 0; 1054 struct audit_entry *entry; 1055 1056 switch (type) { 1057 case AUDIT_ADD_RULE: 1058 entry = audit_data_to_entry(data, datasz); 1059 if (IS_ERR(entry)) 1060 return PTR_ERR(entry); 1061 1062 err = audit_add_rule(entry); 1063 audit_log_rule_change("add rule", &entry->rule, !err); 1064 if (err) 1065 audit_free_rule(entry); 1066 break; 1067 case AUDIT_DEL_RULE: 1068 entry = audit_data_to_entry(data, datasz); 1069 if (IS_ERR(entry)) 1070 return PTR_ERR(entry); 1071 1072 err = audit_del_rule(entry); 1073 audit_log_rule_change("remove rule", &entry->rule, !err); 1074 audit_free_rule(entry); 1075 break; 1076 default: 1077 return -EINVAL; 1078 } 1079 1080 return err; 1081 } 1082 1083 /** 1084 * audit_list_rules_send - list the audit rules 1085 * @request_skb: skb of request we are replying to (used to target the reply) 1086 * @seq: netlink audit message sequence (serial) number 1087 */ 1088 int audit_list_rules_send(struct sk_buff *request_skb, int seq) 1089 { 1090 u32 portid = NETLINK_CB(request_skb).portid; 1091 struct net *net = sock_net(NETLINK_CB(request_skb).sk); 1092 struct task_struct *tsk; 1093 struct audit_netlink_list *dest; 1094 int err = 0; 1095 1096 /* We can't just spew out the rules here because we might fill 1097 * the available socket buffer space and deadlock waiting for 1098 * auditctl to read from it... which isn't ever going to 1099 * happen if we're actually running in the context of auditctl 1100 * trying to _send_ the stuff */ 1101 1102 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1103 if (!dest) 1104 return -ENOMEM; 1105 dest->net = get_net(net); 1106 dest->portid = portid; 1107 skb_queue_head_init(&dest->q); 1108 1109 mutex_lock(&audit_filter_mutex); 1110 audit_list_rules(portid, seq, &dest->q); 1111 mutex_unlock(&audit_filter_mutex); 1112 1113 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1114 if (IS_ERR(tsk)) { 1115 skb_queue_purge(&dest->q); 1116 kfree(dest); 1117 err = PTR_ERR(tsk); 1118 } 1119 1120 return err; 1121 } 1122 1123 int audit_comparator(u32 left, u32 op, u32 right) 1124 { 1125 switch (op) { 1126 case Audit_equal: 1127 return (left == right); 1128 case Audit_not_equal: 1129 return (left != right); 1130 case Audit_lt: 1131 return (left < right); 1132 case Audit_le: 1133 return (left <= right); 1134 case Audit_gt: 1135 return (left > right); 1136 case Audit_ge: 1137 return (left >= right); 1138 case Audit_bitmask: 1139 return (left & right); 1140 case Audit_bittest: 1141 return ((left & right) == right); 1142 default: 1143 BUG(); 1144 return 0; 1145 } 1146 } 1147 1148 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1149 { 1150 switch (op) { 1151 case Audit_equal: 1152 return uid_eq(left, right); 1153 case Audit_not_equal: 1154 return !uid_eq(left, right); 1155 case Audit_lt: 1156 return uid_lt(left, right); 1157 case Audit_le: 1158 return uid_lte(left, right); 1159 case Audit_gt: 1160 return uid_gt(left, right); 1161 case Audit_ge: 1162 return uid_gte(left, right); 1163 case Audit_bitmask: 1164 case Audit_bittest: 1165 default: 1166 BUG(); 1167 return 0; 1168 } 1169 } 1170 1171 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1172 { 1173 switch (op) { 1174 case Audit_equal: 1175 return gid_eq(left, right); 1176 case Audit_not_equal: 1177 return !gid_eq(left, right); 1178 case Audit_lt: 1179 return gid_lt(left, right); 1180 case Audit_le: 1181 return gid_lte(left, right); 1182 case Audit_gt: 1183 return gid_gt(left, right); 1184 case Audit_ge: 1185 return gid_gte(left, right); 1186 case Audit_bitmask: 1187 case Audit_bittest: 1188 default: 1189 BUG(); 1190 return 0; 1191 } 1192 } 1193 1194 /** 1195 * parent_len - find the length of the parent portion of a pathname 1196 * @path: pathname of which to determine length 1197 */ 1198 int parent_len(const char *path) 1199 { 1200 int plen; 1201 const char *p; 1202 1203 plen = strlen(path); 1204 1205 if (plen == 0) 1206 return plen; 1207 1208 /* disregard trailing slashes */ 1209 p = path + plen - 1; 1210 while ((*p == '/') && (p > path)) 1211 p--; 1212 1213 /* walk backward until we find the next slash or hit beginning */ 1214 while ((*p != '/') && (p > path)) 1215 p--; 1216 1217 /* did we find a slash? Then increment to include it in path */ 1218 if (*p == '/') 1219 p++; 1220 1221 return p - path; 1222 } 1223 1224 /** 1225 * audit_compare_dname_path - compare given dentry name with last component in 1226 * given path. Return of 0 indicates a match. 1227 * @dname: dentry name that we're comparing 1228 * @path: full pathname that we're comparing 1229 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1230 * here indicates that we must compute this value. 1231 */ 1232 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1233 { 1234 int dlen, pathlen; 1235 const char *p; 1236 1237 dlen = strlen(dname); 1238 pathlen = strlen(path); 1239 if (pathlen < dlen) 1240 return 1; 1241 1242 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1243 if (pathlen - parentlen != dlen) 1244 return 1; 1245 1246 p = path + parentlen; 1247 1248 return strncmp(p, dname, dlen); 1249 } 1250 1251 static int audit_filter_user_rules(struct audit_krule *rule, int type, 1252 enum audit_state *state) 1253 { 1254 int i; 1255 1256 for (i = 0; i < rule->field_count; i++) { 1257 struct audit_field *f = &rule->fields[i]; 1258 pid_t pid; 1259 int result = 0; 1260 u32 sid; 1261 1262 switch (f->type) { 1263 case AUDIT_PID: 1264 pid = task_pid_nr(current); 1265 result = audit_comparator(pid, f->op, f->val); 1266 break; 1267 case AUDIT_UID: 1268 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1269 break; 1270 case AUDIT_GID: 1271 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1272 break; 1273 case AUDIT_LOGINUID: 1274 result = audit_uid_comparator(audit_get_loginuid(current), 1275 f->op, f->uid); 1276 break; 1277 case AUDIT_LOGINUID_SET: 1278 result = audit_comparator(audit_loginuid_set(current), 1279 f->op, f->val); 1280 break; 1281 case AUDIT_MSGTYPE: 1282 result = audit_comparator(type, f->op, f->val); 1283 break; 1284 case AUDIT_SUBJ_USER: 1285 case AUDIT_SUBJ_ROLE: 1286 case AUDIT_SUBJ_TYPE: 1287 case AUDIT_SUBJ_SEN: 1288 case AUDIT_SUBJ_CLR: 1289 if (f->lsm_rule) { 1290 security_task_getsecid(current, &sid); 1291 result = security_audit_rule_match(sid, 1292 f->type, 1293 f->op, 1294 f->lsm_rule, 1295 NULL); 1296 } 1297 break; 1298 } 1299 1300 if (!result) 1301 return 0; 1302 } 1303 switch (rule->action) { 1304 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1305 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1306 } 1307 return 1; 1308 } 1309 1310 int audit_filter_user(int type) 1311 { 1312 enum audit_state state = AUDIT_DISABLED; 1313 struct audit_entry *e; 1314 int rc, ret; 1315 1316 ret = 1; /* Audit by default */ 1317 1318 rcu_read_lock(); 1319 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1320 rc = audit_filter_user_rules(&e->rule, type, &state); 1321 if (rc) { 1322 if (rc > 0 && state == AUDIT_DISABLED) 1323 ret = 0; 1324 break; 1325 } 1326 } 1327 rcu_read_unlock(); 1328 1329 return ret; 1330 } 1331 1332 int audit_filter_type(int type) 1333 { 1334 struct audit_entry *e; 1335 int result = 0; 1336 1337 rcu_read_lock(); 1338 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1339 goto unlock_and_return; 1340 1341 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1342 list) { 1343 int i; 1344 for (i = 0; i < e->rule.field_count; i++) { 1345 struct audit_field *f = &e->rule.fields[i]; 1346 if (f->type == AUDIT_MSGTYPE) { 1347 result = audit_comparator(type, f->op, f->val); 1348 if (!result) 1349 break; 1350 } 1351 } 1352 if (result) 1353 goto unlock_and_return; 1354 } 1355 unlock_and_return: 1356 rcu_read_unlock(); 1357 return result; 1358 } 1359 1360 static int update_lsm_rule(struct audit_krule *r) 1361 { 1362 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1363 struct audit_entry *nentry; 1364 int err = 0; 1365 1366 if (!security_audit_rule_known(r)) 1367 return 0; 1368 1369 nentry = audit_dupe_rule(r); 1370 if (IS_ERR(nentry)) { 1371 /* save the first error encountered for the 1372 * return value */ 1373 err = PTR_ERR(nentry); 1374 audit_panic("error updating LSM filters"); 1375 if (r->watch) 1376 list_del(&r->rlist); 1377 list_del_rcu(&entry->list); 1378 list_del(&r->list); 1379 } else { 1380 if (r->watch || r->tree) 1381 list_replace_init(&r->rlist, &nentry->rule.rlist); 1382 list_replace_rcu(&entry->list, &nentry->list); 1383 list_replace(&r->list, &nentry->rule.list); 1384 } 1385 call_rcu(&entry->rcu, audit_free_rule_rcu); 1386 1387 return err; 1388 } 1389 1390 /* This function will re-initialize the lsm_rule field of all applicable rules. 1391 * It will traverse the filter lists serarching for rules that contain LSM 1392 * specific filter fields. When such a rule is found, it is copied, the 1393 * LSM field is re-initialized, and the old rule is replaced with the 1394 * updated rule. */ 1395 int audit_update_lsm_rules(void) 1396 { 1397 struct audit_krule *r, *n; 1398 int i, err = 0; 1399 1400 /* audit_filter_mutex synchronizes the writers */ 1401 mutex_lock(&audit_filter_mutex); 1402 1403 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1404 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1405 int res = update_lsm_rule(r); 1406 if (!err) 1407 err = res; 1408 } 1409 } 1410 mutex_unlock(&audit_filter_mutex); 1411 1412 return err; 1413 } 1414