1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify events we care about. */ 93 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 94 95 void audit_free_parent(struct inotify_watch *i_watch) 96 { 97 struct audit_parent *parent; 98 99 parent = container_of(i_watch, struct audit_parent, wdata); 100 WARN_ON(!list_empty(&parent->watches)); 101 kfree(parent); 102 } 103 104 static inline void audit_get_watch(struct audit_watch *watch) 105 { 106 atomic_inc(&watch->count); 107 } 108 109 static void audit_put_watch(struct audit_watch *watch) 110 { 111 if (atomic_dec_and_test(&watch->count)) { 112 WARN_ON(watch->parent); 113 WARN_ON(!list_empty(&watch->rules)); 114 kfree(watch->path); 115 kfree(watch); 116 } 117 } 118 119 static void audit_remove_watch(struct audit_watch *watch) 120 { 121 list_del(&watch->wlist); 122 put_inotify_watch(&watch->parent->wdata); 123 watch->parent = NULL; 124 audit_put_watch(watch); /* match initial get */ 125 } 126 127 static inline void audit_free_rule(struct audit_entry *e) 128 { 129 int i; 130 131 /* some rules don't have associated watches */ 132 if (e->rule.watch) 133 audit_put_watch(e->rule.watch); 134 if (e->rule.fields) 135 for (i = 0; i < e->rule.field_count; i++) { 136 struct audit_field *f = &e->rule.fields[i]; 137 kfree(f->lsm_str); 138 security_audit_rule_free(f->lsm_rule); 139 } 140 kfree(e->rule.fields); 141 kfree(e->rule.filterkey); 142 kfree(e); 143 } 144 145 void audit_free_rule_rcu(struct rcu_head *head) 146 { 147 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 148 audit_free_rule(e); 149 } 150 151 /* Initialize a parent watch entry. */ 152 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 153 { 154 struct audit_parent *parent; 155 s32 wd; 156 157 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 158 if (unlikely(!parent)) 159 return ERR_PTR(-ENOMEM); 160 161 INIT_LIST_HEAD(&parent->watches); 162 parent->flags = 0; 163 164 inotify_init_watch(&parent->wdata); 165 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 166 get_inotify_watch(&parent->wdata); 167 wd = inotify_add_watch(audit_ih, &parent->wdata, 168 ndp->path.dentry->d_inode, AUDIT_IN_WATCH); 169 if (wd < 0) { 170 audit_free_parent(&parent->wdata); 171 return ERR_PTR(wd); 172 } 173 174 return parent; 175 } 176 177 /* Initialize a watch entry. */ 178 static struct audit_watch *audit_init_watch(char *path) 179 { 180 struct audit_watch *watch; 181 182 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 183 if (unlikely(!watch)) 184 return ERR_PTR(-ENOMEM); 185 186 INIT_LIST_HEAD(&watch->rules); 187 atomic_set(&watch->count, 1); 188 watch->path = path; 189 watch->dev = (dev_t)-1; 190 watch->ino = (unsigned long)-1; 191 192 return watch; 193 } 194 195 /* Initialize an audit filterlist entry. */ 196 static inline struct audit_entry *audit_init_entry(u32 field_count) 197 { 198 struct audit_entry *entry; 199 struct audit_field *fields; 200 201 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 202 if (unlikely(!entry)) 203 return NULL; 204 205 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 206 if (unlikely(!fields)) { 207 kfree(entry); 208 return NULL; 209 } 210 entry->rule.fields = fields; 211 212 return entry; 213 } 214 215 /* Unpack a filter field's string representation from user-space 216 * buffer. */ 217 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 218 { 219 char *str; 220 221 if (!*bufp || (len == 0) || (len > *remain)) 222 return ERR_PTR(-EINVAL); 223 224 /* Of the currently implemented string fields, PATH_MAX 225 * defines the longest valid length. 226 */ 227 if (len > PATH_MAX) 228 return ERR_PTR(-ENAMETOOLONG); 229 230 str = kmalloc(len + 1, GFP_KERNEL); 231 if (unlikely(!str)) 232 return ERR_PTR(-ENOMEM); 233 234 memcpy(str, *bufp, len); 235 str[len] = 0; 236 *bufp += len; 237 *remain -= len; 238 239 return str; 240 } 241 242 /* Translate an inode field to kernel respresentation. */ 243 static inline int audit_to_inode(struct audit_krule *krule, 244 struct audit_field *f) 245 { 246 if (krule->listnr != AUDIT_FILTER_EXIT || 247 krule->watch || krule->inode_f || krule->tree) 248 return -EINVAL; 249 250 krule->inode_f = f; 251 return 0; 252 } 253 254 /* Translate a watch string to kernel respresentation. */ 255 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 256 u32 op) 257 { 258 struct audit_watch *watch; 259 260 if (!audit_ih) 261 return -EOPNOTSUPP; 262 263 if (path[0] != '/' || path[len-1] == '/' || 264 krule->listnr != AUDIT_FILTER_EXIT || 265 op & ~AUDIT_EQUAL || 266 krule->inode_f || krule->watch || krule->tree) 267 return -EINVAL; 268 269 watch = audit_init_watch(path); 270 if (IS_ERR(watch)) 271 return PTR_ERR(watch); 272 273 audit_get_watch(watch); 274 krule->watch = watch; 275 276 return 0; 277 } 278 279 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 280 281 int __init audit_register_class(int class, unsigned *list) 282 { 283 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 284 if (!p) 285 return -ENOMEM; 286 while (*list != ~0U) { 287 unsigned n = *list++; 288 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 289 kfree(p); 290 return -EINVAL; 291 } 292 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 293 } 294 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 295 kfree(p); 296 return -EINVAL; 297 } 298 classes[class] = p; 299 return 0; 300 } 301 302 int audit_match_class(int class, unsigned syscall) 303 { 304 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 305 return 0; 306 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 307 return 0; 308 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 309 } 310 311 #ifdef CONFIG_AUDITSYSCALL 312 static inline int audit_match_class_bits(int class, u32 *mask) 313 { 314 int i; 315 316 if (classes[class]) { 317 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 318 if (mask[i] & classes[class][i]) 319 return 0; 320 } 321 return 1; 322 } 323 324 static int audit_match_signal(struct audit_entry *entry) 325 { 326 struct audit_field *arch = entry->rule.arch_f; 327 328 if (!arch) { 329 /* When arch is unspecified, we must check both masks on biarch 330 * as syscall number alone is ambiguous. */ 331 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 332 entry->rule.mask) && 333 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 334 entry->rule.mask)); 335 } 336 337 switch(audit_classify_arch(arch->val)) { 338 case 0: /* native */ 339 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 340 entry->rule.mask)); 341 case 1: /* 32bit on biarch */ 342 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 343 entry->rule.mask)); 344 default: 345 return 1; 346 } 347 } 348 #endif 349 350 /* Common user-space to kernel rule translation. */ 351 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 352 { 353 unsigned listnr; 354 struct audit_entry *entry; 355 int i, err; 356 357 err = -EINVAL; 358 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 359 switch(listnr) { 360 default: 361 goto exit_err; 362 case AUDIT_FILTER_USER: 363 case AUDIT_FILTER_TYPE: 364 #ifdef CONFIG_AUDITSYSCALL 365 case AUDIT_FILTER_ENTRY: 366 case AUDIT_FILTER_EXIT: 367 case AUDIT_FILTER_TASK: 368 #endif 369 ; 370 } 371 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 372 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 373 goto exit_err; 374 } 375 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 376 goto exit_err; 377 if (rule->field_count > AUDIT_MAX_FIELDS) 378 goto exit_err; 379 380 err = -ENOMEM; 381 entry = audit_init_entry(rule->field_count); 382 if (!entry) 383 goto exit_err; 384 385 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 386 entry->rule.listnr = listnr; 387 entry->rule.action = rule->action; 388 entry->rule.field_count = rule->field_count; 389 390 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 391 entry->rule.mask[i] = rule->mask[i]; 392 393 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 394 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 395 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 396 __u32 *class; 397 398 if (!(*p & AUDIT_BIT(bit))) 399 continue; 400 *p &= ~AUDIT_BIT(bit); 401 class = classes[i]; 402 if (class) { 403 int j; 404 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 405 entry->rule.mask[j] |= class[j]; 406 } 407 } 408 409 return entry; 410 411 exit_err: 412 return ERR_PTR(err); 413 } 414 415 /* Translate struct audit_rule to kernel's rule respresentation. 416 * Exists for backward compatibility with userspace. */ 417 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 418 { 419 struct audit_entry *entry; 420 struct audit_field *ino_f; 421 int err = 0; 422 int i; 423 424 entry = audit_to_entry_common(rule); 425 if (IS_ERR(entry)) 426 goto exit_nofree; 427 428 for (i = 0; i < rule->field_count; i++) { 429 struct audit_field *f = &entry->rule.fields[i]; 430 431 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 432 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 433 f->val = rule->values[i]; 434 435 err = -EINVAL; 436 switch(f->type) { 437 default: 438 goto exit_free; 439 case AUDIT_PID: 440 case AUDIT_UID: 441 case AUDIT_EUID: 442 case AUDIT_SUID: 443 case AUDIT_FSUID: 444 case AUDIT_GID: 445 case AUDIT_EGID: 446 case AUDIT_SGID: 447 case AUDIT_FSGID: 448 case AUDIT_LOGINUID: 449 case AUDIT_PERS: 450 case AUDIT_MSGTYPE: 451 case AUDIT_PPID: 452 case AUDIT_DEVMAJOR: 453 case AUDIT_DEVMINOR: 454 case AUDIT_EXIT: 455 case AUDIT_SUCCESS: 456 /* bit ops are only useful on syscall args */ 457 if (f->op == AUDIT_BIT_MASK || 458 f->op == AUDIT_BIT_TEST) { 459 err = -EINVAL; 460 goto exit_free; 461 } 462 break; 463 case AUDIT_ARG0: 464 case AUDIT_ARG1: 465 case AUDIT_ARG2: 466 case AUDIT_ARG3: 467 break; 468 /* arch is only allowed to be = or != */ 469 case AUDIT_ARCH: 470 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 471 && (f->op != AUDIT_NEGATE) && (f->op)) { 472 err = -EINVAL; 473 goto exit_free; 474 } 475 entry->rule.arch_f = f; 476 break; 477 case AUDIT_PERM: 478 if (f->val & ~15) 479 goto exit_free; 480 break; 481 case AUDIT_FILETYPE: 482 if ((f->val & ~S_IFMT) > S_IFMT) 483 goto exit_free; 484 break; 485 case AUDIT_INODE: 486 err = audit_to_inode(&entry->rule, f); 487 if (err) 488 goto exit_free; 489 break; 490 } 491 492 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 493 494 /* Support for legacy operators where 495 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 496 if (f->op & AUDIT_NEGATE) 497 f->op = AUDIT_NOT_EQUAL; 498 else if (!f->op) 499 f->op = AUDIT_EQUAL; 500 else if (f->op == AUDIT_OPERATORS) { 501 err = -EINVAL; 502 goto exit_free; 503 } 504 } 505 506 ino_f = entry->rule.inode_f; 507 if (ino_f) { 508 switch(ino_f->op) { 509 case AUDIT_NOT_EQUAL: 510 entry->rule.inode_f = NULL; 511 case AUDIT_EQUAL: 512 break; 513 default: 514 err = -EINVAL; 515 goto exit_free; 516 } 517 } 518 519 exit_nofree: 520 return entry; 521 522 exit_free: 523 audit_free_rule(entry); 524 return ERR_PTR(err); 525 } 526 527 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 528 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 529 size_t datasz) 530 { 531 int err = 0; 532 struct audit_entry *entry; 533 struct audit_field *ino_f; 534 void *bufp; 535 size_t remain = datasz - sizeof(struct audit_rule_data); 536 int i; 537 char *str; 538 539 entry = audit_to_entry_common((struct audit_rule *)data); 540 if (IS_ERR(entry)) 541 goto exit_nofree; 542 543 bufp = data->buf; 544 entry->rule.vers_ops = 2; 545 for (i = 0; i < data->field_count; i++) { 546 struct audit_field *f = &entry->rule.fields[i]; 547 548 err = -EINVAL; 549 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 550 data->fieldflags[i] & ~AUDIT_OPERATORS) 551 goto exit_free; 552 553 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 554 f->type = data->fields[i]; 555 f->val = data->values[i]; 556 f->lsm_str = NULL; 557 f->lsm_rule = NULL; 558 switch(f->type) { 559 case AUDIT_PID: 560 case AUDIT_UID: 561 case AUDIT_EUID: 562 case AUDIT_SUID: 563 case AUDIT_FSUID: 564 case AUDIT_GID: 565 case AUDIT_EGID: 566 case AUDIT_SGID: 567 case AUDIT_FSGID: 568 case AUDIT_LOGINUID: 569 case AUDIT_PERS: 570 case AUDIT_MSGTYPE: 571 case AUDIT_PPID: 572 case AUDIT_DEVMAJOR: 573 case AUDIT_DEVMINOR: 574 case AUDIT_EXIT: 575 case AUDIT_SUCCESS: 576 case AUDIT_ARG0: 577 case AUDIT_ARG1: 578 case AUDIT_ARG2: 579 case AUDIT_ARG3: 580 break; 581 case AUDIT_ARCH: 582 entry->rule.arch_f = f; 583 break; 584 case AUDIT_SUBJ_USER: 585 case AUDIT_SUBJ_ROLE: 586 case AUDIT_SUBJ_TYPE: 587 case AUDIT_SUBJ_SEN: 588 case AUDIT_SUBJ_CLR: 589 case AUDIT_OBJ_USER: 590 case AUDIT_OBJ_ROLE: 591 case AUDIT_OBJ_TYPE: 592 case AUDIT_OBJ_LEV_LOW: 593 case AUDIT_OBJ_LEV_HIGH: 594 str = audit_unpack_string(&bufp, &remain, f->val); 595 if (IS_ERR(str)) 596 goto exit_free; 597 entry->rule.buflen += f->val; 598 599 err = security_audit_rule_init(f->type, f->op, str, 600 (void **)&f->lsm_rule); 601 /* Keep currently invalid fields around in case they 602 * become valid after a policy reload. */ 603 if (err == -EINVAL) { 604 printk(KERN_WARNING "audit rule for LSM " 605 "\'%s\' is invalid\n", str); 606 err = 0; 607 } 608 if (err) { 609 kfree(str); 610 goto exit_free; 611 } else 612 f->lsm_str = str; 613 break; 614 case AUDIT_WATCH: 615 str = audit_unpack_string(&bufp, &remain, f->val); 616 if (IS_ERR(str)) 617 goto exit_free; 618 entry->rule.buflen += f->val; 619 620 err = audit_to_watch(&entry->rule, str, f->val, f->op); 621 if (err) { 622 kfree(str); 623 goto exit_free; 624 } 625 break; 626 case AUDIT_DIR: 627 str = audit_unpack_string(&bufp, &remain, f->val); 628 if (IS_ERR(str)) 629 goto exit_free; 630 entry->rule.buflen += f->val; 631 632 err = audit_make_tree(&entry->rule, str, f->op); 633 kfree(str); 634 if (err) 635 goto exit_free; 636 break; 637 case AUDIT_INODE: 638 err = audit_to_inode(&entry->rule, f); 639 if (err) 640 goto exit_free; 641 break; 642 case AUDIT_FILTERKEY: 643 err = -EINVAL; 644 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 645 goto exit_free; 646 str = audit_unpack_string(&bufp, &remain, f->val); 647 if (IS_ERR(str)) 648 goto exit_free; 649 entry->rule.buflen += f->val; 650 entry->rule.filterkey = str; 651 break; 652 case AUDIT_PERM: 653 if (f->val & ~15) 654 goto exit_free; 655 break; 656 case AUDIT_FILETYPE: 657 if ((f->val & ~S_IFMT) > S_IFMT) 658 goto exit_free; 659 break; 660 default: 661 goto exit_free; 662 } 663 } 664 665 ino_f = entry->rule.inode_f; 666 if (ino_f) { 667 switch(ino_f->op) { 668 case AUDIT_NOT_EQUAL: 669 entry->rule.inode_f = NULL; 670 case AUDIT_EQUAL: 671 break; 672 default: 673 err = -EINVAL; 674 goto exit_free; 675 } 676 } 677 678 exit_nofree: 679 return entry; 680 681 exit_free: 682 audit_free_rule(entry); 683 return ERR_PTR(err); 684 } 685 686 /* Pack a filter field's string representation into data block. */ 687 static inline size_t audit_pack_string(void **bufp, const char *str) 688 { 689 size_t len = strlen(str); 690 691 memcpy(*bufp, str, len); 692 *bufp += len; 693 694 return len; 695 } 696 697 /* Translate kernel rule respresentation to struct audit_rule. 698 * Exists for backward compatibility with userspace. */ 699 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 700 { 701 struct audit_rule *rule; 702 int i; 703 704 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 705 if (unlikely(!rule)) 706 return NULL; 707 708 rule->flags = krule->flags | krule->listnr; 709 rule->action = krule->action; 710 rule->field_count = krule->field_count; 711 for (i = 0; i < rule->field_count; i++) { 712 rule->values[i] = krule->fields[i].val; 713 rule->fields[i] = krule->fields[i].type; 714 715 if (krule->vers_ops == 1) { 716 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 717 rule->fields[i] |= AUDIT_NEGATE; 718 } else { 719 rule->fields[i] |= krule->fields[i].op; 720 } 721 } 722 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 723 724 return rule; 725 } 726 727 /* Translate kernel rule respresentation to struct audit_rule_data. */ 728 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 729 { 730 struct audit_rule_data *data; 731 void *bufp; 732 int i; 733 734 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 735 if (unlikely(!data)) 736 return NULL; 737 memset(data, 0, sizeof(*data)); 738 739 data->flags = krule->flags | krule->listnr; 740 data->action = krule->action; 741 data->field_count = krule->field_count; 742 bufp = data->buf; 743 for (i = 0; i < data->field_count; i++) { 744 struct audit_field *f = &krule->fields[i]; 745 746 data->fields[i] = f->type; 747 data->fieldflags[i] = f->op; 748 switch(f->type) { 749 case AUDIT_SUBJ_USER: 750 case AUDIT_SUBJ_ROLE: 751 case AUDIT_SUBJ_TYPE: 752 case AUDIT_SUBJ_SEN: 753 case AUDIT_SUBJ_CLR: 754 case AUDIT_OBJ_USER: 755 case AUDIT_OBJ_ROLE: 756 case AUDIT_OBJ_TYPE: 757 case AUDIT_OBJ_LEV_LOW: 758 case AUDIT_OBJ_LEV_HIGH: 759 data->buflen += data->values[i] = 760 audit_pack_string(&bufp, f->lsm_str); 761 break; 762 case AUDIT_WATCH: 763 data->buflen += data->values[i] = 764 audit_pack_string(&bufp, krule->watch->path); 765 break; 766 case AUDIT_DIR: 767 data->buflen += data->values[i] = 768 audit_pack_string(&bufp, 769 audit_tree_path(krule->tree)); 770 break; 771 case AUDIT_FILTERKEY: 772 data->buflen += data->values[i] = 773 audit_pack_string(&bufp, krule->filterkey); 774 break; 775 default: 776 data->values[i] = f->val; 777 } 778 } 779 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 780 781 return data; 782 } 783 784 /* Compare two rules in kernel format. Considered success if rules 785 * don't match. */ 786 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 787 { 788 int i; 789 790 if (a->flags != b->flags || 791 a->listnr != b->listnr || 792 a->action != b->action || 793 a->field_count != b->field_count) 794 return 1; 795 796 for (i = 0; i < a->field_count; i++) { 797 if (a->fields[i].type != b->fields[i].type || 798 a->fields[i].op != b->fields[i].op) 799 return 1; 800 801 switch(a->fields[i].type) { 802 case AUDIT_SUBJ_USER: 803 case AUDIT_SUBJ_ROLE: 804 case AUDIT_SUBJ_TYPE: 805 case AUDIT_SUBJ_SEN: 806 case AUDIT_SUBJ_CLR: 807 case AUDIT_OBJ_USER: 808 case AUDIT_OBJ_ROLE: 809 case AUDIT_OBJ_TYPE: 810 case AUDIT_OBJ_LEV_LOW: 811 case AUDIT_OBJ_LEV_HIGH: 812 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 813 return 1; 814 break; 815 case AUDIT_WATCH: 816 if (strcmp(a->watch->path, b->watch->path)) 817 return 1; 818 break; 819 case AUDIT_DIR: 820 if (strcmp(audit_tree_path(a->tree), 821 audit_tree_path(b->tree))) 822 return 1; 823 break; 824 case AUDIT_FILTERKEY: 825 /* both filterkeys exist based on above type compare */ 826 if (strcmp(a->filterkey, b->filterkey)) 827 return 1; 828 break; 829 default: 830 if (a->fields[i].val != b->fields[i].val) 831 return 1; 832 } 833 } 834 835 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 836 if (a->mask[i] != b->mask[i]) 837 return 1; 838 839 return 0; 840 } 841 842 /* Duplicate the given audit watch. The new watch's rules list is initialized 843 * to an empty list and wlist is undefined. */ 844 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 845 { 846 char *path; 847 struct audit_watch *new; 848 849 path = kstrdup(old->path, GFP_KERNEL); 850 if (unlikely(!path)) 851 return ERR_PTR(-ENOMEM); 852 853 new = audit_init_watch(path); 854 if (IS_ERR(new)) { 855 kfree(path); 856 goto out; 857 } 858 859 new->dev = old->dev; 860 new->ino = old->ino; 861 get_inotify_watch(&old->parent->wdata); 862 new->parent = old->parent; 863 864 out: 865 return new; 866 } 867 868 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 869 * re-initialized. */ 870 static inline int audit_dupe_lsm_field(struct audit_field *df, 871 struct audit_field *sf) 872 { 873 int ret = 0; 874 char *lsm_str; 875 876 /* our own copy of lsm_str */ 877 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 878 if (unlikely(!lsm_str)) 879 return -ENOMEM; 880 df->lsm_str = lsm_str; 881 882 /* our own (refreshed) copy of lsm_rule */ 883 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 884 (void **)&df->lsm_rule); 885 /* Keep currently invalid fields around in case they 886 * become valid after a policy reload. */ 887 if (ret == -EINVAL) { 888 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 889 "invalid\n", df->lsm_str); 890 ret = 0; 891 } 892 893 return ret; 894 } 895 896 /* Duplicate an audit rule. This will be a deep copy with the exception 897 * of the watch - that pointer is carried over. The LSM specific fields 898 * will be updated in the copy. The point is to be able to replace the old 899 * rule with the new rule in the filterlist, then free the old rule. 900 * The rlist element is undefined; list manipulations are handled apart from 901 * the initial copy. */ 902 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 903 struct audit_watch *watch) 904 { 905 u32 fcount = old->field_count; 906 struct audit_entry *entry; 907 struct audit_krule *new; 908 char *fk; 909 int i, err = 0; 910 911 entry = audit_init_entry(fcount); 912 if (unlikely(!entry)) 913 return ERR_PTR(-ENOMEM); 914 915 new = &entry->rule; 916 new->vers_ops = old->vers_ops; 917 new->flags = old->flags; 918 new->listnr = old->listnr; 919 new->action = old->action; 920 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 921 new->mask[i] = old->mask[i]; 922 new->buflen = old->buflen; 923 new->inode_f = old->inode_f; 924 new->watch = NULL; 925 new->field_count = old->field_count; 926 /* 927 * note that we are OK with not refcounting here; audit_match_tree() 928 * never dereferences tree and we can't get false positives there 929 * since we'd have to have rule gone from the list *and* removed 930 * before the chunks found by lookup had been allocated, i.e. before 931 * the beginning of list scan. 932 */ 933 new->tree = old->tree; 934 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 935 936 /* deep copy this information, updating the lsm_rule fields, because 937 * the originals will all be freed when the old rule is freed. */ 938 for (i = 0; i < fcount; i++) { 939 switch (new->fields[i].type) { 940 case AUDIT_SUBJ_USER: 941 case AUDIT_SUBJ_ROLE: 942 case AUDIT_SUBJ_TYPE: 943 case AUDIT_SUBJ_SEN: 944 case AUDIT_SUBJ_CLR: 945 case AUDIT_OBJ_USER: 946 case AUDIT_OBJ_ROLE: 947 case AUDIT_OBJ_TYPE: 948 case AUDIT_OBJ_LEV_LOW: 949 case AUDIT_OBJ_LEV_HIGH: 950 err = audit_dupe_lsm_field(&new->fields[i], 951 &old->fields[i]); 952 break; 953 case AUDIT_FILTERKEY: 954 fk = kstrdup(old->filterkey, GFP_KERNEL); 955 if (unlikely(!fk)) 956 err = -ENOMEM; 957 else 958 new->filterkey = fk; 959 } 960 if (err) { 961 audit_free_rule(entry); 962 return ERR_PTR(err); 963 } 964 } 965 966 if (watch) { 967 audit_get_watch(watch); 968 new->watch = watch; 969 } 970 971 return entry; 972 } 973 974 /* Update inode info in audit rules based on filesystem event. */ 975 static void audit_update_watch(struct audit_parent *parent, 976 const char *dname, dev_t dev, 977 unsigned long ino, unsigned invalidating) 978 { 979 struct audit_watch *owatch, *nwatch, *nextw; 980 struct audit_krule *r, *nextr; 981 struct audit_entry *oentry, *nentry; 982 983 mutex_lock(&audit_filter_mutex); 984 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 985 if (audit_compare_dname_path(dname, owatch->path, NULL)) 986 continue; 987 988 /* If the update involves invalidating rules, do the inode-based 989 * filtering now, so we don't omit records. */ 990 if (invalidating && current->audit_context && 991 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 992 audit_set_auditable(current->audit_context); 993 994 nwatch = audit_dupe_watch(owatch); 995 if (IS_ERR(nwatch)) { 996 mutex_unlock(&audit_filter_mutex); 997 audit_panic("error updating watch, skipping"); 998 return; 999 } 1000 nwatch->dev = dev; 1001 nwatch->ino = ino; 1002 1003 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 1004 1005 oentry = container_of(r, struct audit_entry, rule); 1006 list_del(&oentry->rule.rlist); 1007 list_del_rcu(&oentry->list); 1008 1009 nentry = audit_dupe_rule(&oentry->rule, nwatch); 1010 if (IS_ERR(nentry)) 1011 audit_panic("error updating watch, removing"); 1012 else { 1013 int h = audit_hash_ino((u32)ino); 1014 list_add(&nentry->rule.rlist, &nwatch->rules); 1015 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 1016 } 1017 1018 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1019 } 1020 1021 if (audit_enabled) { 1022 struct audit_buffer *ab; 1023 ab = audit_log_start(NULL, GFP_KERNEL, 1024 AUDIT_CONFIG_CHANGE); 1025 audit_log_format(ab, "auid=%u ses=%u", 1026 audit_get_loginuid(current), 1027 audit_get_sessionid(current)); 1028 audit_log_format(ab, 1029 " op=updated rules specifying path="); 1030 audit_log_untrustedstring(ab, owatch->path); 1031 audit_log_format(ab, " with dev=%u ino=%lu\n", 1032 dev, ino); 1033 audit_log_format(ab, " list=%d res=1", r->listnr); 1034 audit_log_end(ab); 1035 } 1036 audit_remove_watch(owatch); 1037 goto add_watch_to_parent; /* event applies to a single watch */ 1038 } 1039 mutex_unlock(&audit_filter_mutex); 1040 return; 1041 1042 add_watch_to_parent: 1043 list_add(&nwatch->wlist, &parent->watches); 1044 mutex_unlock(&audit_filter_mutex); 1045 return; 1046 } 1047 1048 /* Remove all watches & rules associated with a parent that is going away. */ 1049 static void audit_remove_parent_watches(struct audit_parent *parent) 1050 { 1051 struct audit_watch *w, *nextw; 1052 struct audit_krule *r, *nextr; 1053 struct audit_entry *e; 1054 1055 mutex_lock(&audit_filter_mutex); 1056 parent->flags |= AUDIT_PARENT_INVALID; 1057 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1058 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1059 e = container_of(r, struct audit_entry, rule); 1060 if (audit_enabled) { 1061 struct audit_buffer *ab; 1062 ab = audit_log_start(NULL, GFP_KERNEL, 1063 AUDIT_CONFIG_CHANGE); 1064 audit_log_format(ab, "auid=%u ses=%u", 1065 audit_get_loginuid(current), 1066 audit_get_sessionid(current)); 1067 audit_log_format(ab, " op=remove rule path="); 1068 audit_log_untrustedstring(ab, w->path); 1069 if (r->filterkey) { 1070 audit_log_format(ab, " key="); 1071 audit_log_untrustedstring(ab, 1072 r->filterkey); 1073 } else 1074 audit_log_format(ab, " key=(null)"); 1075 audit_log_format(ab, " list=%d res=1", 1076 r->listnr); 1077 audit_log_end(ab); 1078 } 1079 list_del(&r->rlist); 1080 list_del_rcu(&e->list); 1081 call_rcu(&e->rcu, audit_free_rule_rcu); 1082 } 1083 audit_remove_watch(w); 1084 } 1085 mutex_unlock(&audit_filter_mutex); 1086 } 1087 1088 /* Unregister inotify watches for parents on in_list. 1089 * Generates an IN_IGNORED event. */ 1090 static void audit_inotify_unregister(struct list_head *in_list) 1091 { 1092 struct audit_parent *p, *n; 1093 1094 list_for_each_entry_safe(p, n, in_list, ilist) { 1095 list_del(&p->ilist); 1096 inotify_rm_watch(audit_ih, &p->wdata); 1097 /* the put matching the get in audit_do_del_rule() */ 1098 put_inotify_watch(&p->wdata); 1099 } 1100 } 1101 1102 /* Find an existing audit rule. 1103 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1104 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1105 struct list_head *list) 1106 { 1107 struct audit_entry *e, *found = NULL; 1108 int h; 1109 1110 if (entry->rule.watch) { 1111 /* we don't know the inode number, so must walk entire hash */ 1112 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1113 list = &audit_inode_hash[h]; 1114 list_for_each_entry(e, list, list) 1115 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1116 found = e; 1117 goto out; 1118 } 1119 } 1120 goto out; 1121 } 1122 1123 list_for_each_entry(e, list, list) 1124 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1125 found = e; 1126 goto out; 1127 } 1128 1129 out: 1130 return found; 1131 } 1132 1133 /* Get path information necessary for adding watches. */ 1134 static int audit_get_nd(char *path, struct nameidata **ndp, 1135 struct nameidata **ndw) 1136 { 1137 struct nameidata *ndparent, *ndwatch; 1138 int err; 1139 1140 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1141 if (unlikely(!ndparent)) 1142 return -ENOMEM; 1143 1144 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1145 if (unlikely(!ndwatch)) { 1146 kfree(ndparent); 1147 return -ENOMEM; 1148 } 1149 1150 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1151 if (err) { 1152 kfree(ndparent); 1153 kfree(ndwatch); 1154 return err; 1155 } 1156 1157 err = path_lookup(path, 0, ndwatch); 1158 if (err) { 1159 kfree(ndwatch); 1160 ndwatch = NULL; 1161 } 1162 1163 *ndp = ndparent; 1164 *ndw = ndwatch; 1165 1166 return 0; 1167 } 1168 1169 /* Release resources used for watch path information. */ 1170 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1171 { 1172 if (ndp) { 1173 path_put(&ndp->path); 1174 kfree(ndp); 1175 } 1176 if (ndw) { 1177 path_put(&ndw->path); 1178 kfree(ndw); 1179 } 1180 } 1181 1182 /* Associate the given rule with an existing parent inotify_watch. 1183 * Caller must hold audit_filter_mutex. */ 1184 static void audit_add_to_parent(struct audit_krule *krule, 1185 struct audit_parent *parent) 1186 { 1187 struct audit_watch *w, *watch = krule->watch; 1188 int watch_found = 0; 1189 1190 list_for_each_entry(w, &parent->watches, wlist) { 1191 if (strcmp(watch->path, w->path)) 1192 continue; 1193 1194 watch_found = 1; 1195 1196 /* put krule's and initial refs to temporary watch */ 1197 audit_put_watch(watch); 1198 audit_put_watch(watch); 1199 1200 audit_get_watch(w); 1201 krule->watch = watch = w; 1202 break; 1203 } 1204 1205 if (!watch_found) { 1206 get_inotify_watch(&parent->wdata); 1207 watch->parent = parent; 1208 1209 list_add(&watch->wlist, &parent->watches); 1210 } 1211 list_add(&krule->rlist, &watch->rules); 1212 } 1213 1214 /* Find a matching watch entry, or add this one. 1215 * Caller must hold audit_filter_mutex. */ 1216 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1217 struct nameidata *ndw) 1218 { 1219 struct audit_watch *watch = krule->watch; 1220 struct inotify_watch *i_watch; 1221 struct audit_parent *parent; 1222 int ret = 0; 1223 1224 /* update watch filter fields */ 1225 if (ndw) { 1226 watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev; 1227 watch->ino = ndw->path.dentry->d_inode->i_ino; 1228 } 1229 1230 /* The audit_filter_mutex must not be held during inotify calls because 1231 * we hold it during inotify event callback processing. If an existing 1232 * inotify watch is found, inotify_find_watch() grabs a reference before 1233 * returning. 1234 */ 1235 mutex_unlock(&audit_filter_mutex); 1236 1237 if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode, 1238 &i_watch) < 0) { 1239 parent = audit_init_parent(ndp); 1240 if (IS_ERR(parent)) { 1241 /* caller expects mutex locked */ 1242 mutex_lock(&audit_filter_mutex); 1243 return PTR_ERR(parent); 1244 } 1245 } else 1246 parent = container_of(i_watch, struct audit_parent, wdata); 1247 1248 mutex_lock(&audit_filter_mutex); 1249 1250 /* parent was moved before we took audit_filter_mutex */ 1251 if (parent->flags & AUDIT_PARENT_INVALID) 1252 ret = -ENOENT; 1253 else 1254 audit_add_to_parent(krule, parent); 1255 1256 /* match get in audit_init_parent or inotify_find_watch */ 1257 put_inotify_watch(&parent->wdata); 1258 return ret; 1259 } 1260 1261 /* Add rule to given filterlist if not a duplicate. */ 1262 static inline int audit_add_rule(struct audit_entry *entry, 1263 struct list_head *list) 1264 { 1265 struct audit_entry *e; 1266 struct audit_field *inode_f = entry->rule.inode_f; 1267 struct audit_watch *watch = entry->rule.watch; 1268 struct audit_tree *tree = entry->rule.tree; 1269 struct nameidata *ndp = NULL, *ndw = NULL; 1270 int h, err; 1271 #ifdef CONFIG_AUDITSYSCALL 1272 int dont_count = 0; 1273 1274 /* If either of these, don't count towards total */ 1275 if (entry->rule.listnr == AUDIT_FILTER_USER || 1276 entry->rule.listnr == AUDIT_FILTER_TYPE) 1277 dont_count = 1; 1278 #endif 1279 1280 if (inode_f) { 1281 h = audit_hash_ino(inode_f->val); 1282 list = &audit_inode_hash[h]; 1283 } 1284 1285 mutex_lock(&audit_filter_mutex); 1286 e = audit_find_rule(entry, list); 1287 mutex_unlock(&audit_filter_mutex); 1288 if (e) { 1289 err = -EEXIST; 1290 /* normally audit_add_tree_rule() will free it on failure */ 1291 if (tree) 1292 audit_put_tree(tree); 1293 goto error; 1294 } 1295 1296 /* Avoid calling path_lookup under audit_filter_mutex. */ 1297 if (watch) { 1298 err = audit_get_nd(watch->path, &ndp, &ndw); 1299 if (err) 1300 goto error; 1301 } 1302 1303 mutex_lock(&audit_filter_mutex); 1304 if (watch) { 1305 /* audit_filter_mutex is dropped and re-taken during this call */ 1306 err = audit_add_watch(&entry->rule, ndp, ndw); 1307 if (err) { 1308 mutex_unlock(&audit_filter_mutex); 1309 goto error; 1310 } 1311 h = audit_hash_ino((u32)watch->ino); 1312 list = &audit_inode_hash[h]; 1313 } 1314 if (tree) { 1315 err = audit_add_tree_rule(&entry->rule); 1316 if (err) { 1317 mutex_unlock(&audit_filter_mutex); 1318 goto error; 1319 } 1320 } 1321 1322 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1323 list_add_rcu(&entry->list, list); 1324 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1325 } else { 1326 list_add_tail_rcu(&entry->list, list); 1327 } 1328 #ifdef CONFIG_AUDITSYSCALL 1329 if (!dont_count) 1330 audit_n_rules++; 1331 1332 if (!audit_match_signal(entry)) 1333 audit_signals++; 1334 #endif 1335 mutex_unlock(&audit_filter_mutex); 1336 1337 audit_put_nd(ndp, ndw); /* NULL args OK */ 1338 return 0; 1339 1340 error: 1341 audit_put_nd(ndp, ndw); /* NULL args OK */ 1342 if (watch) 1343 audit_put_watch(watch); /* tmp watch, matches initial get */ 1344 return err; 1345 } 1346 1347 /* Remove an existing rule from filterlist. */ 1348 static inline int audit_del_rule(struct audit_entry *entry, 1349 struct list_head *list) 1350 { 1351 struct audit_entry *e; 1352 struct audit_field *inode_f = entry->rule.inode_f; 1353 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1354 struct audit_tree *tree = entry->rule.tree; 1355 LIST_HEAD(inotify_list); 1356 int h, ret = 0; 1357 #ifdef CONFIG_AUDITSYSCALL 1358 int dont_count = 0; 1359 1360 /* If either of these, don't count towards total */ 1361 if (entry->rule.listnr == AUDIT_FILTER_USER || 1362 entry->rule.listnr == AUDIT_FILTER_TYPE) 1363 dont_count = 1; 1364 #endif 1365 1366 if (inode_f) { 1367 h = audit_hash_ino(inode_f->val); 1368 list = &audit_inode_hash[h]; 1369 } 1370 1371 mutex_lock(&audit_filter_mutex); 1372 e = audit_find_rule(entry, list); 1373 if (!e) { 1374 mutex_unlock(&audit_filter_mutex); 1375 ret = -ENOENT; 1376 goto out; 1377 } 1378 1379 watch = e->rule.watch; 1380 if (watch) { 1381 struct audit_parent *parent = watch->parent; 1382 1383 list_del(&e->rule.rlist); 1384 1385 if (list_empty(&watch->rules)) { 1386 audit_remove_watch(watch); 1387 1388 if (list_empty(&parent->watches)) { 1389 /* Put parent on the inotify un-registration 1390 * list. Grab a reference before releasing 1391 * audit_filter_mutex, to be released in 1392 * audit_inotify_unregister(). */ 1393 list_add(&parent->ilist, &inotify_list); 1394 get_inotify_watch(&parent->wdata); 1395 } 1396 } 1397 } 1398 1399 if (e->rule.tree) 1400 audit_remove_tree_rule(&e->rule); 1401 1402 list_del_rcu(&e->list); 1403 call_rcu(&e->rcu, audit_free_rule_rcu); 1404 1405 #ifdef CONFIG_AUDITSYSCALL 1406 if (!dont_count) 1407 audit_n_rules--; 1408 1409 if (!audit_match_signal(entry)) 1410 audit_signals--; 1411 #endif 1412 mutex_unlock(&audit_filter_mutex); 1413 1414 if (!list_empty(&inotify_list)) 1415 audit_inotify_unregister(&inotify_list); 1416 1417 out: 1418 if (tmp_watch) 1419 audit_put_watch(tmp_watch); /* match initial get */ 1420 if (tree) 1421 audit_put_tree(tree); /* that's the temporary one */ 1422 1423 return ret; 1424 } 1425 1426 /* List rules using struct audit_rule. Exists for backward 1427 * compatibility with userspace. */ 1428 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1429 { 1430 struct sk_buff *skb; 1431 struct audit_entry *entry; 1432 int i; 1433 1434 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1435 * iterator to sync with list writers. */ 1436 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1437 list_for_each_entry(entry, &audit_filter_list[i], list) { 1438 struct audit_rule *rule; 1439 1440 rule = audit_krule_to_rule(&entry->rule); 1441 if (unlikely(!rule)) 1442 break; 1443 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1444 rule, sizeof(*rule)); 1445 if (skb) 1446 skb_queue_tail(q, skb); 1447 kfree(rule); 1448 } 1449 } 1450 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1451 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1452 struct audit_rule *rule; 1453 1454 rule = audit_krule_to_rule(&entry->rule); 1455 if (unlikely(!rule)) 1456 break; 1457 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1458 rule, sizeof(*rule)); 1459 if (skb) 1460 skb_queue_tail(q, skb); 1461 kfree(rule); 1462 } 1463 } 1464 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1465 if (skb) 1466 skb_queue_tail(q, skb); 1467 } 1468 1469 /* List rules using struct audit_rule_data. */ 1470 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1471 { 1472 struct sk_buff *skb; 1473 struct audit_entry *e; 1474 int i; 1475 1476 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1477 * iterator to sync with list writers. */ 1478 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1479 list_for_each_entry(e, &audit_filter_list[i], list) { 1480 struct audit_rule_data *data; 1481 1482 data = audit_krule_to_data(&e->rule); 1483 if (unlikely(!data)) 1484 break; 1485 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1486 data, sizeof(*data) + data->buflen); 1487 if (skb) 1488 skb_queue_tail(q, skb); 1489 kfree(data); 1490 } 1491 } 1492 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1493 list_for_each_entry(e, &audit_inode_hash[i], list) { 1494 struct audit_rule_data *data; 1495 1496 data = audit_krule_to_data(&e->rule); 1497 if (unlikely(!data)) 1498 break; 1499 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1500 data, sizeof(*data) + data->buflen); 1501 if (skb) 1502 skb_queue_tail(q, skb); 1503 kfree(data); 1504 } 1505 } 1506 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1507 if (skb) 1508 skb_queue_tail(q, skb); 1509 } 1510 1511 /* Log rule additions and removals */ 1512 static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, 1513 char *action, struct audit_krule *rule, 1514 int res) 1515 { 1516 struct audit_buffer *ab; 1517 1518 if (!audit_enabled) 1519 return; 1520 1521 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1522 if (!ab) 1523 return; 1524 audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); 1525 if (sid) { 1526 char *ctx = NULL; 1527 u32 len; 1528 if (security_secid_to_secctx(sid, &ctx, &len)) 1529 audit_log_format(ab, " ssid=%u", sid); 1530 else { 1531 audit_log_format(ab, " subj=%s", ctx); 1532 security_release_secctx(ctx, len); 1533 } 1534 } 1535 audit_log_format(ab, " op=%s rule key=", action); 1536 if (rule->filterkey) 1537 audit_log_untrustedstring(ab, rule->filterkey); 1538 else 1539 audit_log_format(ab, "(null)"); 1540 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1541 audit_log_end(ab); 1542 } 1543 1544 /** 1545 * audit_receive_filter - apply all rules to the specified message type 1546 * @type: audit message type 1547 * @pid: target pid for netlink audit messages 1548 * @uid: target uid for netlink audit messages 1549 * @seq: netlink audit message sequence (serial) number 1550 * @data: payload data 1551 * @datasz: size of payload data 1552 * @loginuid: loginuid of sender 1553 * @sessionid: sessionid for netlink audit message 1554 * @sid: SE Linux Security ID of sender 1555 */ 1556 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1557 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) 1558 { 1559 struct task_struct *tsk; 1560 struct audit_netlink_list *dest; 1561 int err = 0; 1562 struct audit_entry *entry; 1563 1564 switch (type) { 1565 case AUDIT_LIST: 1566 case AUDIT_LIST_RULES: 1567 /* We can't just spew out the rules here because we might fill 1568 * the available socket buffer space and deadlock waiting for 1569 * auditctl to read from it... which isn't ever going to 1570 * happen if we're actually running in the context of auditctl 1571 * trying to _send_ the stuff */ 1572 1573 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1574 if (!dest) 1575 return -ENOMEM; 1576 dest->pid = pid; 1577 skb_queue_head_init(&dest->q); 1578 1579 mutex_lock(&audit_filter_mutex); 1580 if (type == AUDIT_LIST) 1581 audit_list(pid, seq, &dest->q); 1582 else 1583 audit_list_rules(pid, seq, &dest->q); 1584 mutex_unlock(&audit_filter_mutex); 1585 1586 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1587 if (IS_ERR(tsk)) { 1588 skb_queue_purge(&dest->q); 1589 kfree(dest); 1590 err = PTR_ERR(tsk); 1591 } 1592 break; 1593 case AUDIT_ADD: 1594 case AUDIT_ADD_RULE: 1595 if (type == AUDIT_ADD) 1596 entry = audit_rule_to_entry(data); 1597 else 1598 entry = audit_data_to_entry(data, datasz); 1599 if (IS_ERR(entry)) 1600 return PTR_ERR(entry); 1601 1602 err = audit_add_rule(entry, 1603 &audit_filter_list[entry->rule.listnr]); 1604 audit_log_rule_change(loginuid, sessionid, sid, "add", 1605 &entry->rule, !err); 1606 1607 if (err) 1608 audit_free_rule(entry); 1609 break; 1610 case AUDIT_DEL: 1611 case AUDIT_DEL_RULE: 1612 if (type == AUDIT_DEL) 1613 entry = audit_rule_to_entry(data); 1614 else 1615 entry = audit_data_to_entry(data, datasz); 1616 if (IS_ERR(entry)) 1617 return PTR_ERR(entry); 1618 1619 err = audit_del_rule(entry, 1620 &audit_filter_list[entry->rule.listnr]); 1621 audit_log_rule_change(loginuid, sessionid, sid, "remove", 1622 &entry->rule, !err); 1623 1624 audit_free_rule(entry); 1625 break; 1626 default: 1627 return -EINVAL; 1628 } 1629 1630 return err; 1631 } 1632 1633 int audit_comparator(const u32 left, const u32 op, const u32 right) 1634 { 1635 switch (op) { 1636 case AUDIT_EQUAL: 1637 return (left == right); 1638 case AUDIT_NOT_EQUAL: 1639 return (left != right); 1640 case AUDIT_LESS_THAN: 1641 return (left < right); 1642 case AUDIT_LESS_THAN_OR_EQUAL: 1643 return (left <= right); 1644 case AUDIT_GREATER_THAN: 1645 return (left > right); 1646 case AUDIT_GREATER_THAN_OR_EQUAL: 1647 return (left >= right); 1648 case AUDIT_BIT_MASK: 1649 return (left & right); 1650 case AUDIT_BIT_TEST: 1651 return ((left & right) == right); 1652 } 1653 BUG(); 1654 return 0; 1655 } 1656 1657 /* Compare given dentry name with last component in given path, 1658 * return of 0 indicates a match. */ 1659 int audit_compare_dname_path(const char *dname, const char *path, 1660 int *dirlen) 1661 { 1662 int dlen, plen; 1663 const char *p; 1664 1665 if (!dname || !path) 1666 return 1; 1667 1668 dlen = strlen(dname); 1669 plen = strlen(path); 1670 if (plen < dlen) 1671 return 1; 1672 1673 /* disregard trailing slashes */ 1674 p = path + plen - 1; 1675 while ((*p == '/') && (p > path)) 1676 p--; 1677 1678 /* find last path component */ 1679 p = p - dlen + 1; 1680 if (p < path) 1681 return 1; 1682 else if (p > path) { 1683 if (*--p != '/') 1684 return 1; 1685 else 1686 p++; 1687 } 1688 1689 /* return length of path's directory component */ 1690 if (dirlen) 1691 *dirlen = p - path; 1692 return strncmp(p, dname, dlen); 1693 } 1694 1695 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1696 struct audit_krule *rule, 1697 enum audit_state *state) 1698 { 1699 int i; 1700 1701 for (i = 0; i < rule->field_count; i++) { 1702 struct audit_field *f = &rule->fields[i]; 1703 int result = 0; 1704 1705 switch (f->type) { 1706 case AUDIT_PID: 1707 result = audit_comparator(cb->creds.pid, f->op, f->val); 1708 break; 1709 case AUDIT_UID: 1710 result = audit_comparator(cb->creds.uid, f->op, f->val); 1711 break; 1712 case AUDIT_GID: 1713 result = audit_comparator(cb->creds.gid, f->op, f->val); 1714 break; 1715 case AUDIT_LOGINUID: 1716 result = audit_comparator(cb->loginuid, f->op, f->val); 1717 break; 1718 } 1719 1720 if (!result) 1721 return 0; 1722 } 1723 switch (rule->action) { 1724 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1725 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1726 } 1727 return 1; 1728 } 1729 1730 int audit_filter_user(struct netlink_skb_parms *cb) 1731 { 1732 enum audit_state state = AUDIT_DISABLED; 1733 struct audit_entry *e; 1734 int ret = 1; 1735 1736 rcu_read_lock(); 1737 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1738 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1739 if (state == AUDIT_DISABLED) 1740 ret = 0; 1741 break; 1742 } 1743 } 1744 rcu_read_unlock(); 1745 1746 return ret; /* Audit by default */ 1747 } 1748 1749 int audit_filter_type(int type) 1750 { 1751 struct audit_entry *e; 1752 int result = 0; 1753 1754 rcu_read_lock(); 1755 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1756 goto unlock_and_return; 1757 1758 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1759 list) { 1760 int i; 1761 for (i = 0; i < e->rule.field_count; i++) { 1762 struct audit_field *f = &e->rule.fields[i]; 1763 if (f->type == AUDIT_MSGTYPE) { 1764 result = audit_comparator(type, f->op, f->val); 1765 if (!result) 1766 break; 1767 } 1768 } 1769 if (result) 1770 goto unlock_and_return; 1771 } 1772 unlock_and_return: 1773 rcu_read_unlock(); 1774 return result; 1775 } 1776 1777 /* This function will re-initialize the lsm_rule field of all applicable rules. 1778 * It will traverse the filter lists serarching for rules that contain LSM 1779 * specific filter fields. When such a rule is found, it is copied, the 1780 * LSM field is re-initialized, and the old rule is replaced with the 1781 * updated rule. */ 1782 int audit_update_lsm_rules(void) 1783 { 1784 struct audit_entry *entry, *n, *nentry; 1785 struct audit_watch *watch; 1786 struct audit_tree *tree; 1787 int i, err = 0; 1788 1789 /* audit_filter_mutex synchronizes the writers */ 1790 mutex_lock(&audit_filter_mutex); 1791 1792 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1793 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1794 if (!security_audit_rule_known(&entry->rule)) 1795 continue; 1796 1797 watch = entry->rule.watch; 1798 tree = entry->rule.tree; 1799 nentry = audit_dupe_rule(&entry->rule, watch); 1800 if (IS_ERR(nentry)) { 1801 /* save the first error encountered for the 1802 * return value */ 1803 if (!err) 1804 err = PTR_ERR(nentry); 1805 audit_panic("error updating LSM filters"); 1806 if (watch) 1807 list_del(&entry->rule.rlist); 1808 list_del_rcu(&entry->list); 1809 } else { 1810 if (watch) { 1811 list_add(&nentry->rule.rlist, 1812 &watch->rules); 1813 list_del(&entry->rule.rlist); 1814 } else if (tree) 1815 list_replace_init(&entry->rule.rlist, 1816 &nentry->rule.rlist); 1817 list_replace_rcu(&entry->list, &nentry->list); 1818 } 1819 call_rcu(&entry->rcu, audit_free_rule_rcu); 1820 } 1821 } 1822 1823 mutex_unlock(&audit_filter_mutex); 1824 1825 return err; 1826 } 1827 1828 /* Update watch data in audit rules based on inotify events. */ 1829 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1830 u32 cookie, const char *dname, struct inode *inode) 1831 { 1832 struct audit_parent *parent; 1833 1834 parent = container_of(i_watch, struct audit_parent, wdata); 1835 1836 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1837 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1838 inode->i_ino, 0); 1839 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1840 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1841 /* inotify automatically removes the watch and sends IN_IGNORED */ 1842 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1843 audit_remove_parent_watches(parent); 1844 /* inotify does not remove the watch, so remove it manually */ 1845 else if(mask & IN_MOVE_SELF) { 1846 audit_remove_parent_watches(parent); 1847 inotify_remove_watch_locked(audit_ih, i_watch); 1848 } else if (mask & IN_IGNORED) 1849 put_inotify_watch(i_watch); 1850 } 1851