1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 extern int audit_enabled; 99 100 void audit_free_parent(struct inotify_watch *i_watch) 101 { 102 struct audit_parent *parent; 103 104 parent = container_of(i_watch, struct audit_parent, wdata); 105 WARN_ON(!list_empty(&parent->watches)); 106 kfree(parent); 107 } 108 109 static inline void audit_get_watch(struct audit_watch *watch) 110 { 111 atomic_inc(&watch->count); 112 } 113 114 static void audit_put_watch(struct audit_watch *watch) 115 { 116 if (atomic_dec_and_test(&watch->count)) { 117 WARN_ON(watch->parent); 118 WARN_ON(!list_empty(&watch->rules)); 119 kfree(watch->path); 120 kfree(watch); 121 } 122 } 123 124 static void audit_remove_watch(struct audit_watch *watch) 125 { 126 list_del(&watch->wlist); 127 put_inotify_watch(&watch->parent->wdata); 128 watch->parent = NULL; 129 audit_put_watch(watch); /* match initial get */ 130 } 131 132 static inline void audit_free_rule(struct audit_entry *e) 133 { 134 int i; 135 136 /* some rules don't have associated watches */ 137 if (e->rule.watch) 138 audit_put_watch(e->rule.watch); 139 if (e->rule.fields) 140 for (i = 0; i < e->rule.field_count; i++) { 141 struct audit_field *f = &e->rule.fields[i]; 142 kfree(f->se_str); 143 selinux_audit_rule_free(f->se_rule); 144 } 145 kfree(e->rule.fields); 146 kfree(e->rule.filterkey); 147 kfree(e); 148 } 149 150 void audit_free_rule_rcu(struct rcu_head *head) 151 { 152 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 153 audit_free_rule(e); 154 } 155 156 /* Initialize a parent watch entry. */ 157 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 158 { 159 struct audit_parent *parent; 160 s32 wd; 161 162 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 163 if (unlikely(!parent)) 164 return ERR_PTR(-ENOMEM); 165 166 INIT_LIST_HEAD(&parent->watches); 167 parent->flags = 0; 168 169 inotify_init_watch(&parent->wdata); 170 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 171 get_inotify_watch(&parent->wdata); 172 wd = inotify_add_watch(audit_ih, &parent->wdata, 173 ndp->path.dentry->d_inode, AUDIT_IN_WATCH); 174 if (wd < 0) { 175 audit_free_parent(&parent->wdata); 176 return ERR_PTR(wd); 177 } 178 179 return parent; 180 } 181 182 /* Initialize a watch entry. */ 183 static struct audit_watch *audit_init_watch(char *path) 184 { 185 struct audit_watch *watch; 186 187 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 188 if (unlikely(!watch)) 189 return ERR_PTR(-ENOMEM); 190 191 INIT_LIST_HEAD(&watch->rules); 192 atomic_set(&watch->count, 1); 193 watch->path = path; 194 watch->dev = (dev_t)-1; 195 watch->ino = (unsigned long)-1; 196 197 return watch; 198 } 199 200 /* Initialize an audit filterlist entry. */ 201 static inline struct audit_entry *audit_init_entry(u32 field_count) 202 { 203 struct audit_entry *entry; 204 struct audit_field *fields; 205 206 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 207 if (unlikely(!entry)) 208 return NULL; 209 210 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 211 if (unlikely(!fields)) { 212 kfree(entry); 213 return NULL; 214 } 215 entry->rule.fields = fields; 216 217 return entry; 218 } 219 220 /* Unpack a filter field's string representation from user-space 221 * buffer. */ 222 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 223 { 224 char *str; 225 226 if (!*bufp || (len == 0) || (len > *remain)) 227 return ERR_PTR(-EINVAL); 228 229 /* Of the currently implemented string fields, PATH_MAX 230 * defines the longest valid length. 231 */ 232 if (len > PATH_MAX) 233 return ERR_PTR(-ENAMETOOLONG); 234 235 str = kmalloc(len + 1, GFP_KERNEL); 236 if (unlikely(!str)) 237 return ERR_PTR(-ENOMEM); 238 239 memcpy(str, *bufp, len); 240 str[len] = 0; 241 *bufp += len; 242 *remain -= len; 243 244 return str; 245 } 246 247 /* Translate an inode field to kernel respresentation. */ 248 static inline int audit_to_inode(struct audit_krule *krule, 249 struct audit_field *f) 250 { 251 if (krule->listnr != AUDIT_FILTER_EXIT || 252 krule->watch || krule->inode_f || krule->tree) 253 return -EINVAL; 254 255 krule->inode_f = f; 256 return 0; 257 } 258 259 /* Translate a watch string to kernel respresentation. */ 260 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 261 u32 op) 262 { 263 struct audit_watch *watch; 264 265 if (!audit_ih) 266 return -EOPNOTSUPP; 267 268 if (path[0] != '/' || path[len-1] == '/' || 269 krule->listnr != AUDIT_FILTER_EXIT || 270 op & ~AUDIT_EQUAL || 271 krule->inode_f || krule->watch || krule->tree) 272 return -EINVAL; 273 274 watch = audit_init_watch(path); 275 if (unlikely(IS_ERR(watch))) 276 return PTR_ERR(watch); 277 278 audit_get_watch(watch); 279 krule->watch = watch; 280 281 return 0; 282 } 283 284 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 285 286 int __init audit_register_class(int class, unsigned *list) 287 { 288 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 289 if (!p) 290 return -ENOMEM; 291 while (*list != ~0U) { 292 unsigned n = *list++; 293 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 294 kfree(p); 295 return -EINVAL; 296 } 297 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 298 } 299 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 300 kfree(p); 301 return -EINVAL; 302 } 303 classes[class] = p; 304 return 0; 305 } 306 307 int audit_match_class(int class, unsigned syscall) 308 { 309 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 310 return 0; 311 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 312 return 0; 313 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 314 } 315 316 #ifdef CONFIG_AUDITSYSCALL 317 static inline int audit_match_class_bits(int class, u32 *mask) 318 { 319 int i; 320 321 if (classes[class]) { 322 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 323 if (mask[i] & classes[class][i]) 324 return 0; 325 } 326 return 1; 327 } 328 329 static int audit_match_signal(struct audit_entry *entry) 330 { 331 struct audit_field *arch = entry->rule.arch_f; 332 333 if (!arch) { 334 /* When arch is unspecified, we must check both masks on biarch 335 * as syscall number alone is ambiguous. */ 336 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 337 entry->rule.mask) && 338 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 339 entry->rule.mask)); 340 } 341 342 switch(audit_classify_arch(arch->val)) { 343 case 0: /* native */ 344 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 345 entry->rule.mask)); 346 case 1: /* 32bit on biarch */ 347 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 348 entry->rule.mask)); 349 default: 350 return 1; 351 } 352 } 353 #endif 354 355 /* Common user-space to kernel rule translation. */ 356 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 357 { 358 unsigned listnr; 359 struct audit_entry *entry; 360 int i, err; 361 362 err = -EINVAL; 363 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 364 switch(listnr) { 365 default: 366 goto exit_err; 367 case AUDIT_FILTER_USER: 368 case AUDIT_FILTER_TYPE: 369 #ifdef CONFIG_AUDITSYSCALL 370 case AUDIT_FILTER_ENTRY: 371 case AUDIT_FILTER_EXIT: 372 case AUDIT_FILTER_TASK: 373 #endif 374 ; 375 } 376 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 377 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 378 goto exit_err; 379 } 380 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 381 goto exit_err; 382 if (rule->field_count > AUDIT_MAX_FIELDS) 383 goto exit_err; 384 385 err = -ENOMEM; 386 entry = audit_init_entry(rule->field_count); 387 if (!entry) 388 goto exit_err; 389 390 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 391 entry->rule.listnr = listnr; 392 entry->rule.action = rule->action; 393 entry->rule.field_count = rule->field_count; 394 395 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 396 entry->rule.mask[i] = rule->mask[i]; 397 398 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 399 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 400 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 401 __u32 *class; 402 403 if (!(*p & AUDIT_BIT(bit))) 404 continue; 405 *p &= ~AUDIT_BIT(bit); 406 class = classes[i]; 407 if (class) { 408 int j; 409 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 410 entry->rule.mask[j] |= class[j]; 411 } 412 } 413 414 return entry; 415 416 exit_err: 417 return ERR_PTR(err); 418 } 419 420 /* Translate struct audit_rule to kernel's rule respresentation. 421 * Exists for backward compatibility with userspace. */ 422 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 423 { 424 struct audit_entry *entry; 425 struct audit_field *f; 426 int err = 0; 427 int i; 428 429 entry = audit_to_entry_common(rule); 430 if (IS_ERR(entry)) 431 goto exit_nofree; 432 433 for (i = 0; i < rule->field_count; i++) { 434 struct audit_field *f = &entry->rule.fields[i]; 435 436 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 437 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 438 f->val = rule->values[i]; 439 440 err = -EINVAL; 441 switch(f->type) { 442 default: 443 goto exit_free; 444 case AUDIT_PID: 445 case AUDIT_UID: 446 case AUDIT_EUID: 447 case AUDIT_SUID: 448 case AUDIT_FSUID: 449 case AUDIT_GID: 450 case AUDIT_EGID: 451 case AUDIT_SGID: 452 case AUDIT_FSGID: 453 case AUDIT_LOGINUID: 454 case AUDIT_PERS: 455 case AUDIT_MSGTYPE: 456 case AUDIT_PPID: 457 case AUDIT_DEVMAJOR: 458 case AUDIT_DEVMINOR: 459 case AUDIT_EXIT: 460 case AUDIT_SUCCESS: 461 /* bit ops are only useful on syscall args */ 462 if (f->op == AUDIT_BIT_MASK || 463 f->op == AUDIT_BIT_TEST) { 464 err = -EINVAL; 465 goto exit_free; 466 } 467 break; 468 case AUDIT_ARG0: 469 case AUDIT_ARG1: 470 case AUDIT_ARG2: 471 case AUDIT_ARG3: 472 break; 473 /* arch is only allowed to be = or != */ 474 case AUDIT_ARCH: 475 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 476 && (f->op != AUDIT_NEGATE) && (f->op)) { 477 err = -EINVAL; 478 goto exit_free; 479 } 480 entry->rule.arch_f = f; 481 break; 482 case AUDIT_PERM: 483 if (f->val & ~15) 484 goto exit_free; 485 break; 486 case AUDIT_INODE: 487 err = audit_to_inode(&entry->rule, f); 488 if (err) 489 goto exit_free; 490 break; 491 } 492 493 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 494 495 /* Support for legacy operators where 496 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 497 if (f->op & AUDIT_NEGATE) 498 f->op = AUDIT_NOT_EQUAL; 499 else if (!f->op) 500 f->op = AUDIT_EQUAL; 501 else if (f->op == AUDIT_OPERATORS) { 502 err = -EINVAL; 503 goto exit_free; 504 } 505 } 506 507 f = entry->rule.inode_f; 508 if (f) { 509 switch(f->op) { 510 case AUDIT_NOT_EQUAL: 511 entry->rule.inode_f = NULL; 512 case AUDIT_EQUAL: 513 break; 514 default: 515 err = -EINVAL; 516 goto exit_free; 517 } 518 } 519 520 exit_nofree: 521 return entry; 522 523 exit_free: 524 audit_free_rule(entry); 525 return ERR_PTR(err); 526 } 527 528 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 529 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 530 size_t datasz) 531 { 532 int err = 0; 533 struct audit_entry *entry; 534 struct audit_field *f; 535 void *bufp; 536 size_t remain = datasz - sizeof(struct audit_rule_data); 537 int i; 538 char *str; 539 540 entry = audit_to_entry_common((struct audit_rule *)data); 541 if (IS_ERR(entry)) 542 goto exit_nofree; 543 544 bufp = data->buf; 545 entry->rule.vers_ops = 2; 546 for (i = 0; i < data->field_count; i++) { 547 struct audit_field *f = &entry->rule.fields[i]; 548 549 err = -EINVAL; 550 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 551 data->fieldflags[i] & ~AUDIT_OPERATORS) 552 goto exit_free; 553 554 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 555 f->type = data->fields[i]; 556 f->val = data->values[i]; 557 f->se_str = NULL; 558 f->se_rule = NULL; 559 switch(f->type) { 560 case AUDIT_PID: 561 case AUDIT_UID: 562 case AUDIT_EUID: 563 case AUDIT_SUID: 564 case AUDIT_FSUID: 565 case AUDIT_GID: 566 case AUDIT_EGID: 567 case AUDIT_SGID: 568 case AUDIT_FSGID: 569 case AUDIT_LOGINUID: 570 case AUDIT_PERS: 571 case AUDIT_MSGTYPE: 572 case AUDIT_PPID: 573 case AUDIT_DEVMAJOR: 574 case AUDIT_DEVMINOR: 575 case AUDIT_EXIT: 576 case AUDIT_SUCCESS: 577 case AUDIT_ARG0: 578 case AUDIT_ARG1: 579 case AUDIT_ARG2: 580 case AUDIT_ARG3: 581 break; 582 case AUDIT_ARCH: 583 entry->rule.arch_f = f; 584 break; 585 case AUDIT_SUBJ_USER: 586 case AUDIT_SUBJ_ROLE: 587 case AUDIT_SUBJ_TYPE: 588 case AUDIT_SUBJ_SEN: 589 case AUDIT_SUBJ_CLR: 590 case AUDIT_OBJ_USER: 591 case AUDIT_OBJ_ROLE: 592 case AUDIT_OBJ_TYPE: 593 case AUDIT_OBJ_LEV_LOW: 594 case AUDIT_OBJ_LEV_HIGH: 595 str = audit_unpack_string(&bufp, &remain, f->val); 596 if (IS_ERR(str)) 597 goto exit_free; 598 entry->rule.buflen += f->val; 599 600 err = selinux_audit_rule_init(f->type, f->op, str, 601 &f->se_rule); 602 /* Keep currently invalid fields around in case they 603 * become valid after a policy reload. */ 604 if (err == -EINVAL) { 605 printk(KERN_WARNING "audit rule for selinux " 606 "\'%s\' is invalid\n", str); 607 err = 0; 608 } 609 if (err) { 610 kfree(str); 611 goto exit_free; 612 } else 613 f->se_str = str; 614 break; 615 case AUDIT_WATCH: 616 str = audit_unpack_string(&bufp, &remain, f->val); 617 if (IS_ERR(str)) 618 goto exit_free; 619 entry->rule.buflen += f->val; 620 621 err = audit_to_watch(&entry->rule, str, f->val, f->op); 622 if (err) { 623 kfree(str); 624 goto exit_free; 625 } 626 break; 627 case AUDIT_DIR: 628 str = audit_unpack_string(&bufp, &remain, f->val); 629 if (IS_ERR(str)) 630 goto exit_free; 631 entry->rule.buflen += f->val; 632 633 err = audit_make_tree(&entry->rule, str, f->op); 634 kfree(str); 635 if (err) 636 goto exit_free; 637 break; 638 case AUDIT_INODE: 639 err = audit_to_inode(&entry->rule, f); 640 if (err) 641 goto exit_free; 642 break; 643 case AUDIT_FILTERKEY: 644 err = -EINVAL; 645 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 646 goto exit_free; 647 str = audit_unpack_string(&bufp, &remain, f->val); 648 if (IS_ERR(str)) 649 goto exit_free; 650 entry->rule.buflen += f->val; 651 entry->rule.filterkey = str; 652 break; 653 case AUDIT_PERM: 654 if (f->val & ~15) 655 goto exit_free; 656 break; 657 default: 658 goto exit_free; 659 } 660 } 661 662 f = entry->rule.inode_f; 663 if (f) { 664 switch(f->op) { 665 case AUDIT_NOT_EQUAL: 666 entry->rule.inode_f = NULL; 667 case AUDIT_EQUAL: 668 break; 669 default: 670 err = -EINVAL; 671 goto exit_free; 672 } 673 } 674 675 exit_nofree: 676 return entry; 677 678 exit_free: 679 audit_free_rule(entry); 680 return ERR_PTR(err); 681 } 682 683 /* Pack a filter field's string representation into data block. */ 684 static inline size_t audit_pack_string(void **bufp, const char *str) 685 { 686 size_t len = strlen(str); 687 688 memcpy(*bufp, str, len); 689 *bufp += len; 690 691 return len; 692 } 693 694 /* Translate kernel rule respresentation to struct audit_rule. 695 * Exists for backward compatibility with userspace. */ 696 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 697 { 698 struct audit_rule *rule; 699 int i; 700 701 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 702 if (unlikely(!rule)) 703 return NULL; 704 705 rule->flags = krule->flags | krule->listnr; 706 rule->action = krule->action; 707 rule->field_count = krule->field_count; 708 for (i = 0; i < rule->field_count; i++) { 709 rule->values[i] = krule->fields[i].val; 710 rule->fields[i] = krule->fields[i].type; 711 712 if (krule->vers_ops == 1) { 713 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 714 rule->fields[i] |= AUDIT_NEGATE; 715 } else { 716 rule->fields[i] |= krule->fields[i].op; 717 } 718 } 719 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 720 721 return rule; 722 } 723 724 /* Translate kernel rule respresentation to struct audit_rule_data. */ 725 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 726 { 727 struct audit_rule_data *data; 728 void *bufp; 729 int i; 730 731 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 732 if (unlikely(!data)) 733 return NULL; 734 memset(data, 0, sizeof(*data)); 735 736 data->flags = krule->flags | krule->listnr; 737 data->action = krule->action; 738 data->field_count = krule->field_count; 739 bufp = data->buf; 740 for (i = 0; i < data->field_count; i++) { 741 struct audit_field *f = &krule->fields[i]; 742 743 data->fields[i] = f->type; 744 data->fieldflags[i] = f->op; 745 switch(f->type) { 746 case AUDIT_SUBJ_USER: 747 case AUDIT_SUBJ_ROLE: 748 case AUDIT_SUBJ_TYPE: 749 case AUDIT_SUBJ_SEN: 750 case AUDIT_SUBJ_CLR: 751 case AUDIT_OBJ_USER: 752 case AUDIT_OBJ_ROLE: 753 case AUDIT_OBJ_TYPE: 754 case AUDIT_OBJ_LEV_LOW: 755 case AUDIT_OBJ_LEV_HIGH: 756 data->buflen += data->values[i] = 757 audit_pack_string(&bufp, f->se_str); 758 break; 759 case AUDIT_WATCH: 760 data->buflen += data->values[i] = 761 audit_pack_string(&bufp, krule->watch->path); 762 break; 763 case AUDIT_DIR: 764 data->buflen += data->values[i] = 765 audit_pack_string(&bufp, 766 audit_tree_path(krule->tree)); 767 break; 768 case AUDIT_FILTERKEY: 769 data->buflen += data->values[i] = 770 audit_pack_string(&bufp, krule->filterkey); 771 break; 772 default: 773 data->values[i] = f->val; 774 } 775 } 776 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 777 778 return data; 779 } 780 781 /* Compare two rules in kernel format. Considered success if rules 782 * don't match. */ 783 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 784 { 785 int i; 786 787 if (a->flags != b->flags || 788 a->listnr != b->listnr || 789 a->action != b->action || 790 a->field_count != b->field_count) 791 return 1; 792 793 for (i = 0; i < a->field_count; i++) { 794 if (a->fields[i].type != b->fields[i].type || 795 a->fields[i].op != b->fields[i].op) 796 return 1; 797 798 switch(a->fields[i].type) { 799 case AUDIT_SUBJ_USER: 800 case AUDIT_SUBJ_ROLE: 801 case AUDIT_SUBJ_TYPE: 802 case AUDIT_SUBJ_SEN: 803 case AUDIT_SUBJ_CLR: 804 case AUDIT_OBJ_USER: 805 case AUDIT_OBJ_ROLE: 806 case AUDIT_OBJ_TYPE: 807 case AUDIT_OBJ_LEV_LOW: 808 case AUDIT_OBJ_LEV_HIGH: 809 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 810 return 1; 811 break; 812 case AUDIT_WATCH: 813 if (strcmp(a->watch->path, b->watch->path)) 814 return 1; 815 break; 816 case AUDIT_DIR: 817 if (strcmp(audit_tree_path(a->tree), 818 audit_tree_path(b->tree))) 819 return 1; 820 break; 821 case AUDIT_FILTERKEY: 822 /* both filterkeys exist based on above type compare */ 823 if (strcmp(a->filterkey, b->filterkey)) 824 return 1; 825 break; 826 default: 827 if (a->fields[i].val != b->fields[i].val) 828 return 1; 829 } 830 } 831 832 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 833 if (a->mask[i] != b->mask[i]) 834 return 1; 835 836 return 0; 837 } 838 839 /* Duplicate the given audit watch. The new watch's rules list is initialized 840 * to an empty list and wlist is undefined. */ 841 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 842 { 843 char *path; 844 struct audit_watch *new; 845 846 path = kstrdup(old->path, GFP_KERNEL); 847 if (unlikely(!path)) 848 return ERR_PTR(-ENOMEM); 849 850 new = audit_init_watch(path); 851 if (unlikely(IS_ERR(new))) { 852 kfree(path); 853 goto out; 854 } 855 856 new->dev = old->dev; 857 new->ino = old->ino; 858 get_inotify_watch(&old->parent->wdata); 859 new->parent = old->parent; 860 861 out: 862 return new; 863 } 864 865 /* Duplicate selinux field information. The se_rule is opaque, so must be 866 * re-initialized. */ 867 static inline int audit_dupe_selinux_field(struct audit_field *df, 868 struct audit_field *sf) 869 { 870 int ret = 0; 871 char *se_str; 872 873 /* our own copy of se_str */ 874 se_str = kstrdup(sf->se_str, GFP_KERNEL); 875 if (unlikely(!se_str)) 876 return -ENOMEM; 877 df->se_str = se_str; 878 879 /* our own (refreshed) copy of se_rule */ 880 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 881 &df->se_rule); 882 /* Keep currently invalid fields around in case they 883 * become valid after a policy reload. */ 884 if (ret == -EINVAL) { 885 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 886 "invalid\n", df->se_str); 887 ret = 0; 888 } 889 890 return ret; 891 } 892 893 /* Duplicate an audit rule. This will be a deep copy with the exception 894 * of the watch - that pointer is carried over. The selinux specific fields 895 * will be updated in the copy. The point is to be able to replace the old 896 * rule with the new rule in the filterlist, then free the old rule. 897 * The rlist element is undefined; list manipulations are handled apart from 898 * the initial copy. */ 899 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 900 struct audit_watch *watch) 901 { 902 u32 fcount = old->field_count; 903 struct audit_entry *entry; 904 struct audit_krule *new; 905 char *fk; 906 int i, err = 0; 907 908 entry = audit_init_entry(fcount); 909 if (unlikely(!entry)) 910 return ERR_PTR(-ENOMEM); 911 912 new = &entry->rule; 913 new->vers_ops = old->vers_ops; 914 new->flags = old->flags; 915 new->listnr = old->listnr; 916 new->action = old->action; 917 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 918 new->mask[i] = old->mask[i]; 919 new->buflen = old->buflen; 920 new->inode_f = old->inode_f; 921 new->watch = NULL; 922 new->field_count = old->field_count; 923 /* 924 * note that we are OK with not refcounting here; audit_match_tree() 925 * never dereferences tree and we can't get false positives there 926 * since we'd have to have rule gone from the list *and* removed 927 * before the chunks found by lookup had been allocated, i.e. before 928 * the beginning of list scan. 929 */ 930 new->tree = old->tree; 931 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 932 933 /* deep copy this information, updating the se_rule fields, because 934 * the originals will all be freed when the old rule is freed. */ 935 for (i = 0; i < fcount; i++) { 936 switch (new->fields[i].type) { 937 case AUDIT_SUBJ_USER: 938 case AUDIT_SUBJ_ROLE: 939 case AUDIT_SUBJ_TYPE: 940 case AUDIT_SUBJ_SEN: 941 case AUDIT_SUBJ_CLR: 942 case AUDIT_OBJ_USER: 943 case AUDIT_OBJ_ROLE: 944 case AUDIT_OBJ_TYPE: 945 case AUDIT_OBJ_LEV_LOW: 946 case AUDIT_OBJ_LEV_HIGH: 947 err = audit_dupe_selinux_field(&new->fields[i], 948 &old->fields[i]); 949 break; 950 case AUDIT_FILTERKEY: 951 fk = kstrdup(old->filterkey, GFP_KERNEL); 952 if (unlikely(!fk)) 953 err = -ENOMEM; 954 else 955 new->filterkey = fk; 956 } 957 if (err) { 958 audit_free_rule(entry); 959 return ERR_PTR(err); 960 } 961 } 962 963 if (watch) { 964 audit_get_watch(watch); 965 new->watch = watch; 966 } 967 968 return entry; 969 } 970 971 /* Update inode info in audit rules based on filesystem event. */ 972 static void audit_update_watch(struct audit_parent *parent, 973 const char *dname, dev_t dev, 974 unsigned long ino, unsigned invalidating) 975 { 976 struct audit_watch *owatch, *nwatch, *nextw; 977 struct audit_krule *r, *nextr; 978 struct audit_entry *oentry, *nentry; 979 980 mutex_lock(&audit_filter_mutex); 981 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 982 if (audit_compare_dname_path(dname, owatch->path, NULL)) 983 continue; 984 985 /* If the update involves invalidating rules, do the inode-based 986 * filtering now, so we don't omit records. */ 987 if (invalidating && current->audit_context && 988 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 989 audit_set_auditable(current->audit_context); 990 991 nwatch = audit_dupe_watch(owatch); 992 if (unlikely(IS_ERR(nwatch))) { 993 mutex_unlock(&audit_filter_mutex); 994 audit_panic("error updating watch, skipping"); 995 return; 996 } 997 nwatch->dev = dev; 998 nwatch->ino = ino; 999 1000 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 1001 1002 oentry = container_of(r, struct audit_entry, rule); 1003 list_del(&oentry->rule.rlist); 1004 list_del_rcu(&oentry->list); 1005 1006 nentry = audit_dupe_rule(&oentry->rule, nwatch); 1007 if (unlikely(IS_ERR(nentry))) 1008 audit_panic("error updating watch, removing"); 1009 else { 1010 int h = audit_hash_ino((u32)ino); 1011 list_add(&nentry->rule.rlist, &nwatch->rules); 1012 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 1013 } 1014 1015 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1016 } 1017 1018 if (audit_enabled) { 1019 struct audit_buffer *ab; 1020 ab = audit_log_start(NULL, GFP_KERNEL, 1021 AUDIT_CONFIG_CHANGE); 1022 audit_log_format(ab, 1023 "op=updated rules specifying path="); 1024 audit_log_untrustedstring(ab, owatch->path); 1025 audit_log_format(ab, " with dev=%u ino=%lu\n", 1026 dev, ino); 1027 audit_log_format(ab, " list=%d res=1", r->listnr); 1028 audit_log_end(ab); 1029 } 1030 audit_remove_watch(owatch); 1031 goto add_watch_to_parent; /* event applies to a single watch */ 1032 } 1033 mutex_unlock(&audit_filter_mutex); 1034 return; 1035 1036 add_watch_to_parent: 1037 list_add(&nwatch->wlist, &parent->watches); 1038 mutex_unlock(&audit_filter_mutex); 1039 return; 1040 } 1041 1042 /* Remove all watches & rules associated with a parent that is going away. */ 1043 static void audit_remove_parent_watches(struct audit_parent *parent) 1044 { 1045 struct audit_watch *w, *nextw; 1046 struct audit_krule *r, *nextr; 1047 struct audit_entry *e; 1048 1049 mutex_lock(&audit_filter_mutex); 1050 parent->flags |= AUDIT_PARENT_INVALID; 1051 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1052 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1053 e = container_of(r, struct audit_entry, rule); 1054 if (audit_enabled) { 1055 struct audit_buffer *ab; 1056 ab = audit_log_start(NULL, GFP_KERNEL, 1057 AUDIT_CONFIG_CHANGE); 1058 audit_log_format(ab, "op=remove rule path="); 1059 audit_log_untrustedstring(ab, w->path); 1060 if (r->filterkey) { 1061 audit_log_format(ab, " key="); 1062 audit_log_untrustedstring(ab, 1063 r->filterkey); 1064 } else 1065 audit_log_format(ab, " key=(null)"); 1066 audit_log_format(ab, " list=%d res=1", 1067 r->listnr); 1068 audit_log_end(ab); 1069 } 1070 list_del(&r->rlist); 1071 list_del_rcu(&e->list); 1072 call_rcu(&e->rcu, audit_free_rule_rcu); 1073 } 1074 audit_remove_watch(w); 1075 } 1076 mutex_unlock(&audit_filter_mutex); 1077 } 1078 1079 /* Unregister inotify watches for parents on in_list. 1080 * Generates an IN_IGNORED event. */ 1081 static void audit_inotify_unregister(struct list_head *in_list) 1082 { 1083 struct audit_parent *p, *n; 1084 1085 list_for_each_entry_safe(p, n, in_list, ilist) { 1086 list_del(&p->ilist); 1087 inotify_rm_watch(audit_ih, &p->wdata); 1088 /* the put matching the get in audit_do_del_rule() */ 1089 put_inotify_watch(&p->wdata); 1090 } 1091 } 1092 1093 /* Find an existing audit rule. 1094 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1095 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1096 struct list_head *list) 1097 { 1098 struct audit_entry *e, *found = NULL; 1099 int h; 1100 1101 if (entry->rule.watch) { 1102 /* we don't know the inode number, so must walk entire hash */ 1103 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1104 list = &audit_inode_hash[h]; 1105 list_for_each_entry(e, list, list) 1106 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1107 found = e; 1108 goto out; 1109 } 1110 } 1111 goto out; 1112 } 1113 1114 list_for_each_entry(e, list, list) 1115 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1116 found = e; 1117 goto out; 1118 } 1119 1120 out: 1121 return found; 1122 } 1123 1124 /* Get path information necessary for adding watches. */ 1125 static int audit_get_nd(char *path, struct nameidata **ndp, 1126 struct nameidata **ndw) 1127 { 1128 struct nameidata *ndparent, *ndwatch; 1129 int err; 1130 1131 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1132 if (unlikely(!ndparent)) 1133 return -ENOMEM; 1134 1135 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1136 if (unlikely(!ndwatch)) { 1137 kfree(ndparent); 1138 return -ENOMEM; 1139 } 1140 1141 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1142 if (err) { 1143 kfree(ndparent); 1144 kfree(ndwatch); 1145 return err; 1146 } 1147 1148 err = path_lookup(path, 0, ndwatch); 1149 if (err) { 1150 kfree(ndwatch); 1151 ndwatch = NULL; 1152 } 1153 1154 *ndp = ndparent; 1155 *ndw = ndwatch; 1156 1157 return 0; 1158 } 1159 1160 /* Release resources used for watch path information. */ 1161 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1162 { 1163 if (ndp) { 1164 path_put(&ndp->path); 1165 kfree(ndp); 1166 } 1167 if (ndw) { 1168 path_put(&ndw->path); 1169 kfree(ndw); 1170 } 1171 } 1172 1173 /* Associate the given rule with an existing parent inotify_watch. 1174 * Caller must hold audit_filter_mutex. */ 1175 static void audit_add_to_parent(struct audit_krule *krule, 1176 struct audit_parent *parent) 1177 { 1178 struct audit_watch *w, *watch = krule->watch; 1179 int watch_found = 0; 1180 1181 list_for_each_entry(w, &parent->watches, wlist) { 1182 if (strcmp(watch->path, w->path)) 1183 continue; 1184 1185 watch_found = 1; 1186 1187 /* put krule's and initial refs to temporary watch */ 1188 audit_put_watch(watch); 1189 audit_put_watch(watch); 1190 1191 audit_get_watch(w); 1192 krule->watch = watch = w; 1193 break; 1194 } 1195 1196 if (!watch_found) { 1197 get_inotify_watch(&parent->wdata); 1198 watch->parent = parent; 1199 1200 list_add(&watch->wlist, &parent->watches); 1201 } 1202 list_add(&krule->rlist, &watch->rules); 1203 } 1204 1205 /* Find a matching watch entry, or add this one. 1206 * Caller must hold audit_filter_mutex. */ 1207 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1208 struct nameidata *ndw) 1209 { 1210 struct audit_watch *watch = krule->watch; 1211 struct inotify_watch *i_watch; 1212 struct audit_parent *parent; 1213 int ret = 0; 1214 1215 /* update watch filter fields */ 1216 if (ndw) { 1217 watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev; 1218 watch->ino = ndw->path.dentry->d_inode->i_ino; 1219 } 1220 1221 /* The audit_filter_mutex must not be held during inotify calls because 1222 * we hold it during inotify event callback processing. If an existing 1223 * inotify watch is found, inotify_find_watch() grabs a reference before 1224 * returning. 1225 */ 1226 mutex_unlock(&audit_filter_mutex); 1227 1228 if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode, 1229 &i_watch) < 0) { 1230 parent = audit_init_parent(ndp); 1231 if (IS_ERR(parent)) { 1232 /* caller expects mutex locked */ 1233 mutex_lock(&audit_filter_mutex); 1234 return PTR_ERR(parent); 1235 } 1236 } else 1237 parent = container_of(i_watch, struct audit_parent, wdata); 1238 1239 mutex_lock(&audit_filter_mutex); 1240 1241 /* parent was moved before we took audit_filter_mutex */ 1242 if (parent->flags & AUDIT_PARENT_INVALID) 1243 ret = -ENOENT; 1244 else 1245 audit_add_to_parent(krule, parent); 1246 1247 /* match get in audit_init_parent or inotify_find_watch */ 1248 put_inotify_watch(&parent->wdata); 1249 return ret; 1250 } 1251 1252 /* Add rule to given filterlist if not a duplicate. */ 1253 static inline int audit_add_rule(struct audit_entry *entry, 1254 struct list_head *list) 1255 { 1256 struct audit_entry *e; 1257 struct audit_field *inode_f = entry->rule.inode_f; 1258 struct audit_watch *watch = entry->rule.watch; 1259 struct audit_tree *tree = entry->rule.tree; 1260 struct nameidata *ndp = NULL, *ndw = NULL; 1261 int h, err; 1262 #ifdef CONFIG_AUDITSYSCALL 1263 int dont_count = 0; 1264 1265 /* If either of these, don't count towards total */ 1266 if (entry->rule.listnr == AUDIT_FILTER_USER || 1267 entry->rule.listnr == AUDIT_FILTER_TYPE) 1268 dont_count = 1; 1269 #endif 1270 1271 if (inode_f) { 1272 h = audit_hash_ino(inode_f->val); 1273 list = &audit_inode_hash[h]; 1274 } 1275 1276 mutex_lock(&audit_filter_mutex); 1277 e = audit_find_rule(entry, list); 1278 mutex_unlock(&audit_filter_mutex); 1279 if (e) { 1280 err = -EEXIST; 1281 /* normally audit_add_tree_rule() will free it on failure */ 1282 if (tree) 1283 audit_put_tree(tree); 1284 goto error; 1285 } 1286 1287 /* Avoid calling path_lookup under audit_filter_mutex. */ 1288 if (watch) { 1289 err = audit_get_nd(watch->path, &ndp, &ndw); 1290 if (err) 1291 goto error; 1292 } 1293 1294 mutex_lock(&audit_filter_mutex); 1295 if (watch) { 1296 /* audit_filter_mutex is dropped and re-taken during this call */ 1297 err = audit_add_watch(&entry->rule, ndp, ndw); 1298 if (err) { 1299 mutex_unlock(&audit_filter_mutex); 1300 goto error; 1301 } 1302 h = audit_hash_ino((u32)watch->ino); 1303 list = &audit_inode_hash[h]; 1304 } 1305 if (tree) { 1306 err = audit_add_tree_rule(&entry->rule); 1307 if (err) { 1308 mutex_unlock(&audit_filter_mutex); 1309 goto error; 1310 } 1311 } 1312 1313 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1314 list_add_rcu(&entry->list, list); 1315 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1316 } else { 1317 list_add_tail_rcu(&entry->list, list); 1318 } 1319 #ifdef CONFIG_AUDITSYSCALL 1320 if (!dont_count) 1321 audit_n_rules++; 1322 1323 if (!audit_match_signal(entry)) 1324 audit_signals++; 1325 #endif 1326 mutex_unlock(&audit_filter_mutex); 1327 1328 audit_put_nd(ndp, ndw); /* NULL args OK */ 1329 return 0; 1330 1331 error: 1332 audit_put_nd(ndp, ndw); /* NULL args OK */ 1333 if (watch) 1334 audit_put_watch(watch); /* tmp watch, matches initial get */ 1335 return err; 1336 } 1337 1338 /* Remove an existing rule from filterlist. */ 1339 static inline int audit_del_rule(struct audit_entry *entry, 1340 struct list_head *list) 1341 { 1342 struct audit_entry *e; 1343 struct audit_field *inode_f = entry->rule.inode_f; 1344 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1345 struct audit_tree *tree = entry->rule.tree; 1346 LIST_HEAD(inotify_list); 1347 int h, ret = 0; 1348 #ifdef CONFIG_AUDITSYSCALL 1349 int dont_count = 0; 1350 1351 /* If either of these, don't count towards total */ 1352 if (entry->rule.listnr == AUDIT_FILTER_USER || 1353 entry->rule.listnr == AUDIT_FILTER_TYPE) 1354 dont_count = 1; 1355 #endif 1356 1357 if (inode_f) { 1358 h = audit_hash_ino(inode_f->val); 1359 list = &audit_inode_hash[h]; 1360 } 1361 1362 mutex_lock(&audit_filter_mutex); 1363 e = audit_find_rule(entry, list); 1364 if (!e) { 1365 mutex_unlock(&audit_filter_mutex); 1366 ret = -ENOENT; 1367 goto out; 1368 } 1369 1370 watch = e->rule.watch; 1371 if (watch) { 1372 struct audit_parent *parent = watch->parent; 1373 1374 list_del(&e->rule.rlist); 1375 1376 if (list_empty(&watch->rules)) { 1377 audit_remove_watch(watch); 1378 1379 if (list_empty(&parent->watches)) { 1380 /* Put parent on the inotify un-registration 1381 * list. Grab a reference before releasing 1382 * audit_filter_mutex, to be released in 1383 * audit_inotify_unregister(). */ 1384 list_add(&parent->ilist, &inotify_list); 1385 get_inotify_watch(&parent->wdata); 1386 } 1387 } 1388 } 1389 1390 if (e->rule.tree) 1391 audit_remove_tree_rule(&e->rule); 1392 1393 list_del_rcu(&e->list); 1394 call_rcu(&e->rcu, audit_free_rule_rcu); 1395 1396 #ifdef CONFIG_AUDITSYSCALL 1397 if (!dont_count) 1398 audit_n_rules--; 1399 1400 if (!audit_match_signal(entry)) 1401 audit_signals--; 1402 #endif 1403 mutex_unlock(&audit_filter_mutex); 1404 1405 if (!list_empty(&inotify_list)) 1406 audit_inotify_unregister(&inotify_list); 1407 1408 out: 1409 if (tmp_watch) 1410 audit_put_watch(tmp_watch); /* match initial get */ 1411 if (tree) 1412 audit_put_tree(tree); /* that's the temporary one */ 1413 1414 return ret; 1415 } 1416 1417 /* List rules using struct audit_rule. Exists for backward 1418 * compatibility with userspace. */ 1419 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1420 { 1421 struct sk_buff *skb; 1422 struct audit_entry *entry; 1423 int i; 1424 1425 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1426 * iterator to sync with list writers. */ 1427 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1428 list_for_each_entry(entry, &audit_filter_list[i], list) { 1429 struct audit_rule *rule; 1430 1431 rule = audit_krule_to_rule(&entry->rule); 1432 if (unlikely(!rule)) 1433 break; 1434 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1435 rule, sizeof(*rule)); 1436 if (skb) 1437 skb_queue_tail(q, skb); 1438 kfree(rule); 1439 } 1440 } 1441 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1442 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1443 struct audit_rule *rule; 1444 1445 rule = audit_krule_to_rule(&entry->rule); 1446 if (unlikely(!rule)) 1447 break; 1448 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1449 rule, sizeof(*rule)); 1450 if (skb) 1451 skb_queue_tail(q, skb); 1452 kfree(rule); 1453 } 1454 } 1455 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1456 if (skb) 1457 skb_queue_tail(q, skb); 1458 } 1459 1460 /* List rules using struct audit_rule_data. */ 1461 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1462 { 1463 struct sk_buff *skb; 1464 struct audit_entry *e; 1465 int i; 1466 1467 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1468 * iterator to sync with list writers. */ 1469 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1470 list_for_each_entry(e, &audit_filter_list[i], list) { 1471 struct audit_rule_data *data; 1472 1473 data = audit_krule_to_data(&e->rule); 1474 if (unlikely(!data)) 1475 break; 1476 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1477 data, sizeof(*data) + data->buflen); 1478 if (skb) 1479 skb_queue_tail(q, skb); 1480 kfree(data); 1481 } 1482 } 1483 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1484 list_for_each_entry(e, &audit_inode_hash[i], list) { 1485 struct audit_rule_data *data; 1486 1487 data = audit_krule_to_data(&e->rule); 1488 if (unlikely(!data)) 1489 break; 1490 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1491 data, sizeof(*data) + data->buflen); 1492 if (skb) 1493 skb_queue_tail(q, skb); 1494 kfree(data); 1495 } 1496 } 1497 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1498 if (skb) 1499 skb_queue_tail(q, skb); 1500 } 1501 1502 /* Log rule additions and removals */ 1503 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1504 struct audit_krule *rule, int res) 1505 { 1506 struct audit_buffer *ab; 1507 1508 if (!audit_enabled) 1509 return; 1510 1511 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1512 if (!ab) 1513 return; 1514 audit_log_format(ab, "auid=%u", loginuid); 1515 if (sid) { 1516 char *ctx = NULL; 1517 u32 len; 1518 if (selinux_sid_to_string(sid, &ctx, &len)) 1519 audit_log_format(ab, " ssid=%u", sid); 1520 else 1521 audit_log_format(ab, " subj=%s", ctx); 1522 kfree(ctx); 1523 } 1524 audit_log_format(ab, " op=%s rule key=", action); 1525 if (rule->filterkey) 1526 audit_log_untrustedstring(ab, rule->filterkey); 1527 else 1528 audit_log_format(ab, "(null)"); 1529 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1530 audit_log_end(ab); 1531 } 1532 1533 /** 1534 * audit_receive_filter - apply all rules to the specified message type 1535 * @type: audit message type 1536 * @pid: target pid for netlink audit messages 1537 * @uid: target uid for netlink audit messages 1538 * @seq: netlink audit message sequence (serial) number 1539 * @data: payload data 1540 * @datasz: size of payload data 1541 * @loginuid: loginuid of sender 1542 * @sid: SE Linux Security ID of sender 1543 */ 1544 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1545 size_t datasz, uid_t loginuid, u32 sid) 1546 { 1547 struct task_struct *tsk; 1548 struct audit_netlink_list *dest; 1549 int err = 0; 1550 struct audit_entry *entry; 1551 1552 switch (type) { 1553 case AUDIT_LIST: 1554 case AUDIT_LIST_RULES: 1555 /* We can't just spew out the rules here because we might fill 1556 * the available socket buffer space and deadlock waiting for 1557 * auditctl to read from it... which isn't ever going to 1558 * happen if we're actually running in the context of auditctl 1559 * trying to _send_ the stuff */ 1560 1561 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1562 if (!dest) 1563 return -ENOMEM; 1564 dest->pid = pid; 1565 skb_queue_head_init(&dest->q); 1566 1567 mutex_lock(&audit_filter_mutex); 1568 if (type == AUDIT_LIST) 1569 audit_list(pid, seq, &dest->q); 1570 else 1571 audit_list_rules(pid, seq, &dest->q); 1572 mutex_unlock(&audit_filter_mutex); 1573 1574 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1575 if (IS_ERR(tsk)) { 1576 skb_queue_purge(&dest->q); 1577 kfree(dest); 1578 err = PTR_ERR(tsk); 1579 } 1580 break; 1581 case AUDIT_ADD: 1582 case AUDIT_ADD_RULE: 1583 if (type == AUDIT_ADD) 1584 entry = audit_rule_to_entry(data); 1585 else 1586 entry = audit_data_to_entry(data, datasz); 1587 if (IS_ERR(entry)) 1588 return PTR_ERR(entry); 1589 1590 err = audit_add_rule(entry, 1591 &audit_filter_list[entry->rule.listnr]); 1592 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1593 1594 if (err) 1595 audit_free_rule(entry); 1596 break; 1597 case AUDIT_DEL: 1598 case AUDIT_DEL_RULE: 1599 if (type == AUDIT_DEL) 1600 entry = audit_rule_to_entry(data); 1601 else 1602 entry = audit_data_to_entry(data, datasz); 1603 if (IS_ERR(entry)) 1604 return PTR_ERR(entry); 1605 1606 err = audit_del_rule(entry, 1607 &audit_filter_list[entry->rule.listnr]); 1608 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1609 !err); 1610 1611 audit_free_rule(entry); 1612 break; 1613 default: 1614 return -EINVAL; 1615 } 1616 1617 return err; 1618 } 1619 1620 int audit_comparator(const u32 left, const u32 op, const u32 right) 1621 { 1622 switch (op) { 1623 case AUDIT_EQUAL: 1624 return (left == right); 1625 case AUDIT_NOT_EQUAL: 1626 return (left != right); 1627 case AUDIT_LESS_THAN: 1628 return (left < right); 1629 case AUDIT_LESS_THAN_OR_EQUAL: 1630 return (left <= right); 1631 case AUDIT_GREATER_THAN: 1632 return (left > right); 1633 case AUDIT_GREATER_THAN_OR_EQUAL: 1634 return (left >= right); 1635 case AUDIT_BIT_MASK: 1636 return (left & right); 1637 case AUDIT_BIT_TEST: 1638 return ((left & right) == right); 1639 } 1640 BUG(); 1641 return 0; 1642 } 1643 1644 /* Compare given dentry name with last component in given path, 1645 * return of 0 indicates a match. */ 1646 int audit_compare_dname_path(const char *dname, const char *path, 1647 int *dirlen) 1648 { 1649 int dlen, plen; 1650 const char *p; 1651 1652 if (!dname || !path) 1653 return 1; 1654 1655 dlen = strlen(dname); 1656 plen = strlen(path); 1657 if (plen < dlen) 1658 return 1; 1659 1660 /* disregard trailing slashes */ 1661 p = path + plen - 1; 1662 while ((*p == '/') && (p > path)) 1663 p--; 1664 1665 /* find last path component */ 1666 p = p - dlen + 1; 1667 if (p < path) 1668 return 1; 1669 else if (p > path) { 1670 if (*--p != '/') 1671 return 1; 1672 else 1673 p++; 1674 } 1675 1676 /* return length of path's directory component */ 1677 if (dirlen) 1678 *dirlen = p - path; 1679 return strncmp(p, dname, dlen); 1680 } 1681 1682 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1683 struct audit_krule *rule, 1684 enum audit_state *state) 1685 { 1686 int i; 1687 1688 for (i = 0; i < rule->field_count; i++) { 1689 struct audit_field *f = &rule->fields[i]; 1690 int result = 0; 1691 1692 switch (f->type) { 1693 case AUDIT_PID: 1694 result = audit_comparator(cb->creds.pid, f->op, f->val); 1695 break; 1696 case AUDIT_UID: 1697 result = audit_comparator(cb->creds.uid, f->op, f->val); 1698 break; 1699 case AUDIT_GID: 1700 result = audit_comparator(cb->creds.gid, f->op, f->val); 1701 break; 1702 case AUDIT_LOGINUID: 1703 result = audit_comparator(cb->loginuid, f->op, f->val); 1704 break; 1705 } 1706 1707 if (!result) 1708 return 0; 1709 } 1710 switch (rule->action) { 1711 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1712 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1713 } 1714 return 1; 1715 } 1716 1717 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1718 { 1719 enum audit_state state = AUDIT_DISABLED; 1720 struct audit_entry *e; 1721 int ret = 1; 1722 1723 rcu_read_lock(); 1724 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1725 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1726 if (state == AUDIT_DISABLED) 1727 ret = 0; 1728 break; 1729 } 1730 } 1731 rcu_read_unlock(); 1732 1733 return ret; /* Audit by default */ 1734 } 1735 1736 int audit_filter_type(int type) 1737 { 1738 struct audit_entry *e; 1739 int result = 0; 1740 1741 rcu_read_lock(); 1742 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1743 goto unlock_and_return; 1744 1745 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1746 list) { 1747 int i; 1748 for (i = 0; i < e->rule.field_count; i++) { 1749 struct audit_field *f = &e->rule.fields[i]; 1750 if (f->type == AUDIT_MSGTYPE) { 1751 result = audit_comparator(type, f->op, f->val); 1752 if (!result) 1753 break; 1754 } 1755 } 1756 if (result) 1757 goto unlock_and_return; 1758 } 1759 unlock_and_return: 1760 rcu_read_unlock(); 1761 return result; 1762 } 1763 1764 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1765 are selinux fields specified in the rule, 0 otherwise. */ 1766 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1767 { 1768 int i; 1769 1770 for (i = 0; i < rule->field_count; i++) { 1771 struct audit_field *f = &rule->fields[i]; 1772 switch (f->type) { 1773 case AUDIT_SUBJ_USER: 1774 case AUDIT_SUBJ_ROLE: 1775 case AUDIT_SUBJ_TYPE: 1776 case AUDIT_SUBJ_SEN: 1777 case AUDIT_SUBJ_CLR: 1778 case AUDIT_OBJ_USER: 1779 case AUDIT_OBJ_ROLE: 1780 case AUDIT_OBJ_TYPE: 1781 case AUDIT_OBJ_LEV_LOW: 1782 case AUDIT_OBJ_LEV_HIGH: 1783 return 1; 1784 } 1785 } 1786 1787 return 0; 1788 } 1789 1790 /* This function will re-initialize the se_rule field of all applicable rules. 1791 * It will traverse the filter lists serarching for rules that contain selinux 1792 * specific filter fields. When such a rule is found, it is copied, the 1793 * selinux field is re-initialized, and the old rule is replaced with the 1794 * updated rule. */ 1795 int selinux_audit_rule_update(void) 1796 { 1797 struct audit_entry *entry, *n, *nentry; 1798 struct audit_watch *watch; 1799 struct audit_tree *tree; 1800 int i, err = 0; 1801 1802 /* audit_filter_mutex synchronizes the writers */ 1803 mutex_lock(&audit_filter_mutex); 1804 1805 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1806 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1807 if (!audit_rule_has_selinux(&entry->rule)) 1808 continue; 1809 1810 watch = entry->rule.watch; 1811 tree = entry->rule.tree; 1812 nentry = audit_dupe_rule(&entry->rule, watch); 1813 if (unlikely(IS_ERR(nentry))) { 1814 /* save the first error encountered for the 1815 * return value */ 1816 if (!err) 1817 err = PTR_ERR(nentry); 1818 audit_panic("error updating selinux filters"); 1819 if (watch) 1820 list_del(&entry->rule.rlist); 1821 list_del_rcu(&entry->list); 1822 } else { 1823 if (watch) { 1824 list_add(&nentry->rule.rlist, 1825 &watch->rules); 1826 list_del(&entry->rule.rlist); 1827 } else if (tree) 1828 list_replace_init(&entry->rule.rlist, 1829 &nentry->rule.rlist); 1830 list_replace_rcu(&entry->list, &nentry->list); 1831 } 1832 call_rcu(&entry->rcu, audit_free_rule_rcu); 1833 } 1834 } 1835 1836 mutex_unlock(&audit_filter_mutex); 1837 1838 return err; 1839 } 1840 1841 /* Update watch data in audit rules based on inotify events. */ 1842 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1843 u32 cookie, const char *dname, struct inode *inode) 1844 { 1845 struct audit_parent *parent; 1846 1847 parent = container_of(i_watch, struct audit_parent, wdata); 1848 1849 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1850 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1851 inode->i_ino, 0); 1852 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1853 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1854 /* inotify automatically removes the watch and sends IN_IGNORED */ 1855 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1856 audit_remove_parent_watches(parent); 1857 /* inotify does not remove the watch, so remove it manually */ 1858 else if(mask & IN_MOVE_SELF) { 1859 audit_remove_parent_watches(parent); 1860 inotify_remove_watch_locked(audit_ih, i_watch); 1861 } else if (mask & IN_IGNORED) 1862 put_inotify_watch(i_watch); 1863 } 1864