1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146 } 147 148 static inline void audit_free_rule_rcu(struct rcu_head *head) 149 { 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152 } 153 154 /* Initialize a parent watch entry. */ 155 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156 { 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178 } 179 180 /* Initialize a watch entry. */ 181 static struct audit_watch *audit_init_watch(char *path) 182 { 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196 } 197 198 /* Initialize an audit filterlist entry. */ 199 static inline struct audit_entry *audit_init_entry(u32 field_count) 200 { 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216 } 217 218 /* Unpack a filter field's string representation from user-space 219 * buffer. */ 220 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221 { 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243 } 244 245 /* Translate an inode field to kernel respresentation. */ 246 static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248 { 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255 } 256 257 /* Translate a watch string to kernel respresentation. */ 258 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260 { 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280 } 281 282 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284 int __init audit_register_class(int class, unsigned *list) 285 { 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303 } 304 305 int audit_match_class(int class, unsigned syscall) 306 { 307 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 308 return 0; 309 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 310 return 0; 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 312 } 313 314 #ifdef CONFIG_AUDITSYSCALL 315 static inline int audit_match_class_bits(int class, u32 *mask) 316 { 317 int i; 318 319 if (classes[class]) { 320 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 321 if (mask[i] & classes[class][i]) 322 return 0; 323 } 324 return 1; 325 } 326 327 static int audit_match_signal(struct audit_entry *entry) 328 { 329 struct audit_field *arch = entry->rule.arch_f; 330 331 if (!arch) { 332 /* When arch is unspecified, we must check both masks on biarch 333 * as syscall number alone is ambiguous. */ 334 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 335 entry->rule.mask) && 336 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 337 entry->rule.mask)); 338 } 339 340 switch(audit_classify_arch(arch->val)) { 341 case 0: /* native */ 342 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 343 entry->rule.mask)); 344 case 1: /* 32bit on biarch */ 345 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 346 entry->rule.mask)); 347 default: 348 return 1; 349 } 350 } 351 #endif 352 353 /* Common user-space to kernel rule translation. */ 354 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 355 { 356 unsigned listnr; 357 struct audit_entry *entry; 358 int i, err; 359 360 err = -EINVAL; 361 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 362 switch(listnr) { 363 default: 364 goto exit_err; 365 case AUDIT_FILTER_USER: 366 case AUDIT_FILTER_TYPE: 367 #ifdef CONFIG_AUDITSYSCALL 368 case AUDIT_FILTER_ENTRY: 369 case AUDIT_FILTER_EXIT: 370 case AUDIT_FILTER_TASK: 371 #endif 372 ; 373 } 374 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 375 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 376 goto exit_err; 377 } 378 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 379 goto exit_err; 380 if (rule->field_count > AUDIT_MAX_FIELDS) 381 goto exit_err; 382 383 err = -ENOMEM; 384 entry = audit_init_entry(rule->field_count); 385 if (!entry) 386 goto exit_err; 387 388 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 389 entry->rule.listnr = listnr; 390 entry->rule.action = rule->action; 391 entry->rule.field_count = rule->field_count; 392 393 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 394 entry->rule.mask[i] = rule->mask[i]; 395 396 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 397 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 398 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 399 __u32 *class; 400 401 if (!(*p & AUDIT_BIT(bit))) 402 continue; 403 *p &= ~AUDIT_BIT(bit); 404 class = classes[i]; 405 if (class) { 406 int j; 407 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 408 entry->rule.mask[j] |= class[j]; 409 } 410 } 411 412 return entry; 413 414 exit_err: 415 return ERR_PTR(err); 416 } 417 418 /* Translate struct audit_rule to kernel's rule respresentation. 419 * Exists for backward compatibility with userspace. */ 420 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 421 { 422 struct audit_entry *entry; 423 struct audit_field *f; 424 int err = 0; 425 int i; 426 427 entry = audit_to_entry_common(rule); 428 if (IS_ERR(entry)) 429 goto exit_nofree; 430 431 for (i = 0; i < rule->field_count; i++) { 432 struct audit_field *f = &entry->rule.fields[i]; 433 434 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 435 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 436 f->val = rule->values[i]; 437 438 err = -EINVAL; 439 switch(f->type) { 440 default: 441 goto exit_free; 442 case AUDIT_PID: 443 case AUDIT_UID: 444 case AUDIT_EUID: 445 case AUDIT_SUID: 446 case AUDIT_FSUID: 447 case AUDIT_GID: 448 case AUDIT_EGID: 449 case AUDIT_SGID: 450 case AUDIT_FSGID: 451 case AUDIT_LOGINUID: 452 case AUDIT_PERS: 453 case AUDIT_MSGTYPE: 454 case AUDIT_PPID: 455 case AUDIT_DEVMAJOR: 456 case AUDIT_DEVMINOR: 457 case AUDIT_EXIT: 458 case AUDIT_SUCCESS: 459 /* bit ops are only useful on syscall args */ 460 if (f->op == AUDIT_BIT_MASK || 461 f->op == AUDIT_BIT_TEST) { 462 err = -EINVAL; 463 goto exit_free; 464 } 465 break; 466 case AUDIT_ARG0: 467 case AUDIT_ARG1: 468 case AUDIT_ARG2: 469 case AUDIT_ARG3: 470 break; 471 /* arch is only allowed to be = or != */ 472 case AUDIT_ARCH: 473 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 474 && (f->op != AUDIT_NEGATE) && (f->op)) { 475 err = -EINVAL; 476 goto exit_free; 477 } 478 entry->rule.arch_f = f; 479 break; 480 case AUDIT_PERM: 481 if (f->val & ~15) 482 goto exit_free; 483 break; 484 case AUDIT_INODE: 485 err = audit_to_inode(&entry->rule, f); 486 if (err) 487 goto exit_free; 488 break; 489 } 490 491 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 492 493 /* Support for legacy operators where 494 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 495 if (f->op & AUDIT_NEGATE) 496 f->op = AUDIT_NOT_EQUAL; 497 else if (!f->op) 498 f->op = AUDIT_EQUAL; 499 else if (f->op == AUDIT_OPERATORS) { 500 err = -EINVAL; 501 goto exit_free; 502 } 503 } 504 505 f = entry->rule.inode_f; 506 if (f) { 507 switch(f->op) { 508 case AUDIT_NOT_EQUAL: 509 entry->rule.inode_f = NULL; 510 case AUDIT_EQUAL: 511 break; 512 default: 513 err = -EINVAL; 514 goto exit_free; 515 } 516 } 517 518 exit_nofree: 519 return entry; 520 521 exit_free: 522 audit_free_rule(entry); 523 return ERR_PTR(err); 524 } 525 526 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 527 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 528 size_t datasz) 529 { 530 int err = 0; 531 struct audit_entry *entry; 532 struct audit_field *f; 533 void *bufp; 534 size_t remain = datasz - sizeof(struct audit_rule_data); 535 int i; 536 char *str; 537 538 entry = audit_to_entry_common((struct audit_rule *)data); 539 if (IS_ERR(entry)) 540 goto exit_nofree; 541 542 bufp = data->buf; 543 entry->rule.vers_ops = 2; 544 for (i = 0; i < data->field_count; i++) { 545 struct audit_field *f = &entry->rule.fields[i]; 546 547 err = -EINVAL; 548 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 549 data->fieldflags[i] & ~AUDIT_OPERATORS) 550 goto exit_free; 551 552 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 553 f->type = data->fields[i]; 554 f->val = data->values[i]; 555 f->se_str = NULL; 556 f->se_rule = NULL; 557 switch(f->type) { 558 case AUDIT_PID: 559 case AUDIT_UID: 560 case AUDIT_EUID: 561 case AUDIT_SUID: 562 case AUDIT_FSUID: 563 case AUDIT_GID: 564 case AUDIT_EGID: 565 case AUDIT_SGID: 566 case AUDIT_FSGID: 567 case AUDIT_LOGINUID: 568 case AUDIT_PERS: 569 case AUDIT_MSGTYPE: 570 case AUDIT_PPID: 571 case AUDIT_DEVMAJOR: 572 case AUDIT_DEVMINOR: 573 case AUDIT_EXIT: 574 case AUDIT_SUCCESS: 575 case AUDIT_ARG0: 576 case AUDIT_ARG1: 577 case AUDIT_ARG2: 578 case AUDIT_ARG3: 579 break; 580 case AUDIT_ARCH: 581 entry->rule.arch_f = f; 582 break; 583 case AUDIT_SUBJ_USER: 584 case AUDIT_SUBJ_ROLE: 585 case AUDIT_SUBJ_TYPE: 586 case AUDIT_SUBJ_SEN: 587 case AUDIT_SUBJ_CLR: 588 case AUDIT_OBJ_USER: 589 case AUDIT_OBJ_ROLE: 590 case AUDIT_OBJ_TYPE: 591 case AUDIT_OBJ_LEV_LOW: 592 case AUDIT_OBJ_LEV_HIGH: 593 str = audit_unpack_string(&bufp, &remain, f->val); 594 if (IS_ERR(str)) 595 goto exit_free; 596 entry->rule.buflen += f->val; 597 598 err = selinux_audit_rule_init(f->type, f->op, str, 599 &f->se_rule); 600 /* Keep currently invalid fields around in case they 601 * become valid after a policy reload. */ 602 if (err == -EINVAL) { 603 printk(KERN_WARNING "audit rule for selinux " 604 "\'%s\' is invalid\n", str); 605 err = 0; 606 } 607 if (err) { 608 kfree(str); 609 goto exit_free; 610 } else 611 f->se_str = str; 612 break; 613 case AUDIT_WATCH: 614 str = audit_unpack_string(&bufp, &remain, f->val); 615 if (IS_ERR(str)) 616 goto exit_free; 617 entry->rule.buflen += f->val; 618 619 err = audit_to_watch(&entry->rule, str, f->val, f->op); 620 if (err) { 621 kfree(str); 622 goto exit_free; 623 } 624 break; 625 case AUDIT_INODE: 626 err = audit_to_inode(&entry->rule, f); 627 if (err) 628 goto exit_free; 629 break; 630 case AUDIT_FILTERKEY: 631 err = -EINVAL; 632 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 633 goto exit_free; 634 str = audit_unpack_string(&bufp, &remain, f->val); 635 if (IS_ERR(str)) 636 goto exit_free; 637 entry->rule.buflen += f->val; 638 entry->rule.filterkey = str; 639 break; 640 case AUDIT_PERM: 641 if (f->val & ~15) 642 goto exit_free; 643 break; 644 default: 645 goto exit_free; 646 } 647 } 648 649 f = entry->rule.inode_f; 650 if (f) { 651 switch(f->op) { 652 case AUDIT_NOT_EQUAL: 653 entry->rule.inode_f = NULL; 654 case AUDIT_EQUAL: 655 break; 656 default: 657 err = -EINVAL; 658 goto exit_free; 659 } 660 } 661 662 exit_nofree: 663 return entry; 664 665 exit_free: 666 audit_free_rule(entry); 667 return ERR_PTR(err); 668 } 669 670 /* Pack a filter field's string representation into data block. */ 671 static inline size_t audit_pack_string(void **bufp, char *str) 672 { 673 size_t len = strlen(str); 674 675 memcpy(*bufp, str, len); 676 *bufp += len; 677 678 return len; 679 } 680 681 /* Translate kernel rule respresentation to struct audit_rule. 682 * Exists for backward compatibility with userspace. */ 683 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 684 { 685 struct audit_rule *rule; 686 int i; 687 688 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 689 if (unlikely(!rule)) 690 return NULL; 691 692 rule->flags = krule->flags | krule->listnr; 693 rule->action = krule->action; 694 rule->field_count = krule->field_count; 695 for (i = 0; i < rule->field_count; i++) { 696 rule->values[i] = krule->fields[i].val; 697 rule->fields[i] = krule->fields[i].type; 698 699 if (krule->vers_ops == 1) { 700 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 701 rule->fields[i] |= AUDIT_NEGATE; 702 } else { 703 rule->fields[i] |= krule->fields[i].op; 704 } 705 } 706 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 707 708 return rule; 709 } 710 711 /* Translate kernel rule respresentation to struct audit_rule_data. */ 712 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 713 { 714 struct audit_rule_data *data; 715 void *bufp; 716 int i; 717 718 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 719 if (unlikely(!data)) 720 return NULL; 721 memset(data, 0, sizeof(*data)); 722 723 data->flags = krule->flags | krule->listnr; 724 data->action = krule->action; 725 data->field_count = krule->field_count; 726 bufp = data->buf; 727 for (i = 0; i < data->field_count; i++) { 728 struct audit_field *f = &krule->fields[i]; 729 730 data->fields[i] = f->type; 731 data->fieldflags[i] = f->op; 732 switch(f->type) { 733 case AUDIT_SUBJ_USER: 734 case AUDIT_SUBJ_ROLE: 735 case AUDIT_SUBJ_TYPE: 736 case AUDIT_SUBJ_SEN: 737 case AUDIT_SUBJ_CLR: 738 case AUDIT_OBJ_USER: 739 case AUDIT_OBJ_ROLE: 740 case AUDIT_OBJ_TYPE: 741 case AUDIT_OBJ_LEV_LOW: 742 case AUDIT_OBJ_LEV_HIGH: 743 data->buflen += data->values[i] = 744 audit_pack_string(&bufp, f->se_str); 745 break; 746 case AUDIT_WATCH: 747 data->buflen += data->values[i] = 748 audit_pack_string(&bufp, krule->watch->path); 749 break; 750 case AUDIT_FILTERKEY: 751 data->buflen += data->values[i] = 752 audit_pack_string(&bufp, krule->filterkey); 753 break; 754 default: 755 data->values[i] = f->val; 756 } 757 } 758 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 759 760 return data; 761 } 762 763 /* Compare two rules in kernel format. Considered success if rules 764 * don't match. */ 765 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 766 { 767 int i; 768 769 if (a->flags != b->flags || 770 a->listnr != b->listnr || 771 a->action != b->action || 772 a->field_count != b->field_count) 773 return 1; 774 775 for (i = 0; i < a->field_count; i++) { 776 if (a->fields[i].type != b->fields[i].type || 777 a->fields[i].op != b->fields[i].op) 778 return 1; 779 780 switch(a->fields[i].type) { 781 case AUDIT_SUBJ_USER: 782 case AUDIT_SUBJ_ROLE: 783 case AUDIT_SUBJ_TYPE: 784 case AUDIT_SUBJ_SEN: 785 case AUDIT_SUBJ_CLR: 786 case AUDIT_OBJ_USER: 787 case AUDIT_OBJ_ROLE: 788 case AUDIT_OBJ_TYPE: 789 case AUDIT_OBJ_LEV_LOW: 790 case AUDIT_OBJ_LEV_HIGH: 791 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 792 return 1; 793 break; 794 case AUDIT_WATCH: 795 if (strcmp(a->watch->path, b->watch->path)) 796 return 1; 797 break; 798 case AUDIT_FILTERKEY: 799 /* both filterkeys exist based on above type compare */ 800 if (strcmp(a->filterkey, b->filterkey)) 801 return 1; 802 break; 803 default: 804 if (a->fields[i].val != b->fields[i].val) 805 return 1; 806 } 807 } 808 809 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 810 if (a->mask[i] != b->mask[i]) 811 return 1; 812 813 return 0; 814 } 815 816 /* Duplicate the given audit watch. The new watch's rules list is initialized 817 * to an empty list and wlist is undefined. */ 818 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 819 { 820 char *path; 821 struct audit_watch *new; 822 823 path = kstrdup(old->path, GFP_KERNEL); 824 if (unlikely(!path)) 825 return ERR_PTR(-ENOMEM); 826 827 new = audit_init_watch(path); 828 if (unlikely(IS_ERR(new))) { 829 kfree(path); 830 goto out; 831 } 832 833 new->dev = old->dev; 834 new->ino = old->ino; 835 get_inotify_watch(&old->parent->wdata); 836 new->parent = old->parent; 837 838 out: 839 return new; 840 } 841 842 /* Duplicate selinux field information. The se_rule is opaque, so must be 843 * re-initialized. */ 844 static inline int audit_dupe_selinux_field(struct audit_field *df, 845 struct audit_field *sf) 846 { 847 int ret = 0; 848 char *se_str; 849 850 /* our own copy of se_str */ 851 se_str = kstrdup(sf->se_str, GFP_KERNEL); 852 if (unlikely(!se_str)) 853 return -ENOMEM; 854 df->se_str = se_str; 855 856 /* our own (refreshed) copy of se_rule */ 857 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 858 &df->se_rule); 859 /* Keep currently invalid fields around in case they 860 * become valid after a policy reload. */ 861 if (ret == -EINVAL) { 862 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 863 "invalid\n", df->se_str); 864 ret = 0; 865 } 866 867 return ret; 868 } 869 870 /* Duplicate an audit rule. This will be a deep copy with the exception 871 * of the watch - that pointer is carried over. The selinux specific fields 872 * will be updated in the copy. The point is to be able to replace the old 873 * rule with the new rule in the filterlist, then free the old rule. 874 * The rlist element is undefined; list manipulations are handled apart from 875 * the initial copy. */ 876 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 877 struct audit_watch *watch) 878 { 879 u32 fcount = old->field_count; 880 struct audit_entry *entry; 881 struct audit_krule *new; 882 char *fk; 883 int i, err = 0; 884 885 entry = audit_init_entry(fcount); 886 if (unlikely(!entry)) 887 return ERR_PTR(-ENOMEM); 888 889 new = &entry->rule; 890 new->vers_ops = old->vers_ops; 891 new->flags = old->flags; 892 new->listnr = old->listnr; 893 new->action = old->action; 894 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 895 new->mask[i] = old->mask[i]; 896 new->buflen = old->buflen; 897 new->inode_f = old->inode_f; 898 new->watch = NULL; 899 new->field_count = old->field_count; 900 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 901 902 /* deep copy this information, updating the se_rule fields, because 903 * the originals will all be freed when the old rule is freed. */ 904 for (i = 0; i < fcount; i++) { 905 switch (new->fields[i].type) { 906 case AUDIT_SUBJ_USER: 907 case AUDIT_SUBJ_ROLE: 908 case AUDIT_SUBJ_TYPE: 909 case AUDIT_SUBJ_SEN: 910 case AUDIT_SUBJ_CLR: 911 case AUDIT_OBJ_USER: 912 case AUDIT_OBJ_ROLE: 913 case AUDIT_OBJ_TYPE: 914 case AUDIT_OBJ_LEV_LOW: 915 case AUDIT_OBJ_LEV_HIGH: 916 err = audit_dupe_selinux_field(&new->fields[i], 917 &old->fields[i]); 918 break; 919 case AUDIT_FILTERKEY: 920 fk = kstrdup(old->filterkey, GFP_KERNEL); 921 if (unlikely(!fk)) 922 err = -ENOMEM; 923 else 924 new->filterkey = fk; 925 } 926 if (err) { 927 audit_free_rule(entry); 928 return ERR_PTR(err); 929 } 930 } 931 932 if (watch) { 933 audit_get_watch(watch); 934 new->watch = watch; 935 } 936 937 return entry; 938 } 939 940 /* Update inode info in audit rules based on filesystem event. */ 941 static void audit_update_watch(struct audit_parent *parent, 942 const char *dname, dev_t dev, 943 unsigned long ino, unsigned invalidating) 944 { 945 struct audit_watch *owatch, *nwatch, *nextw; 946 struct audit_krule *r, *nextr; 947 struct audit_entry *oentry, *nentry; 948 struct audit_buffer *ab; 949 950 mutex_lock(&audit_filter_mutex); 951 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 952 if (audit_compare_dname_path(dname, owatch->path, NULL)) 953 continue; 954 955 /* If the update involves invalidating rules, do the inode-based 956 * filtering now, so we don't omit records. */ 957 if (invalidating && current->audit_context && 958 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 959 audit_set_auditable(current->audit_context); 960 961 nwatch = audit_dupe_watch(owatch); 962 if (unlikely(IS_ERR(nwatch))) { 963 mutex_unlock(&audit_filter_mutex); 964 audit_panic("error updating watch, skipping"); 965 return; 966 } 967 nwatch->dev = dev; 968 nwatch->ino = ino; 969 970 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 971 972 oentry = container_of(r, struct audit_entry, rule); 973 list_del(&oentry->rule.rlist); 974 list_del_rcu(&oentry->list); 975 976 nentry = audit_dupe_rule(&oentry->rule, nwatch); 977 if (unlikely(IS_ERR(nentry))) 978 audit_panic("error updating watch, removing"); 979 else { 980 int h = audit_hash_ino((u32)ino); 981 list_add(&nentry->rule.rlist, &nwatch->rules); 982 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 983 } 984 985 call_rcu(&oentry->rcu, audit_free_rule_rcu); 986 } 987 988 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 989 audit_log_format(ab, "op=updated rules specifying path="); 990 audit_log_untrustedstring(ab, owatch->path); 991 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 992 audit_log_format(ab, " list=%d res=1", r->listnr); 993 audit_log_end(ab); 994 995 audit_remove_watch(owatch); 996 goto add_watch_to_parent; /* event applies to a single watch */ 997 } 998 mutex_unlock(&audit_filter_mutex); 999 return; 1000 1001 add_watch_to_parent: 1002 list_add(&nwatch->wlist, &parent->watches); 1003 mutex_unlock(&audit_filter_mutex); 1004 return; 1005 } 1006 1007 /* Remove all watches & rules associated with a parent that is going away. */ 1008 static void audit_remove_parent_watches(struct audit_parent *parent) 1009 { 1010 struct audit_watch *w, *nextw; 1011 struct audit_krule *r, *nextr; 1012 struct audit_entry *e; 1013 struct audit_buffer *ab; 1014 1015 mutex_lock(&audit_filter_mutex); 1016 parent->flags |= AUDIT_PARENT_INVALID; 1017 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1018 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1019 e = container_of(r, struct audit_entry, rule); 1020 1021 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1022 audit_log_format(ab, "op=remove rule path="); 1023 audit_log_untrustedstring(ab, w->path); 1024 if (r->filterkey) { 1025 audit_log_format(ab, " key="); 1026 audit_log_untrustedstring(ab, r->filterkey); 1027 } else 1028 audit_log_format(ab, " key=(null)"); 1029 audit_log_format(ab, " list=%d res=1", r->listnr); 1030 audit_log_end(ab); 1031 1032 list_del(&r->rlist); 1033 list_del_rcu(&e->list); 1034 call_rcu(&e->rcu, audit_free_rule_rcu); 1035 } 1036 audit_remove_watch(w); 1037 } 1038 mutex_unlock(&audit_filter_mutex); 1039 } 1040 1041 /* Unregister inotify watches for parents on in_list. 1042 * Generates an IN_IGNORED event. */ 1043 static void audit_inotify_unregister(struct list_head *in_list) 1044 { 1045 struct audit_parent *p, *n; 1046 1047 list_for_each_entry_safe(p, n, in_list, ilist) { 1048 list_del(&p->ilist); 1049 inotify_rm_watch(audit_ih, &p->wdata); 1050 /* the put matching the get in audit_do_del_rule() */ 1051 put_inotify_watch(&p->wdata); 1052 } 1053 } 1054 1055 /* Find an existing audit rule. 1056 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1057 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1058 struct list_head *list) 1059 { 1060 struct audit_entry *e, *found = NULL; 1061 int h; 1062 1063 if (entry->rule.watch) { 1064 /* we don't know the inode number, so must walk entire hash */ 1065 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1066 list = &audit_inode_hash[h]; 1067 list_for_each_entry(e, list, list) 1068 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1069 found = e; 1070 goto out; 1071 } 1072 } 1073 goto out; 1074 } 1075 1076 list_for_each_entry(e, list, list) 1077 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1078 found = e; 1079 goto out; 1080 } 1081 1082 out: 1083 return found; 1084 } 1085 1086 /* Get path information necessary for adding watches. */ 1087 static int audit_get_nd(char *path, struct nameidata **ndp, 1088 struct nameidata **ndw) 1089 { 1090 struct nameidata *ndparent, *ndwatch; 1091 int err; 1092 1093 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1094 if (unlikely(!ndparent)) 1095 return -ENOMEM; 1096 1097 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1098 if (unlikely(!ndwatch)) { 1099 kfree(ndparent); 1100 return -ENOMEM; 1101 } 1102 1103 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1104 if (err) { 1105 kfree(ndparent); 1106 kfree(ndwatch); 1107 return err; 1108 } 1109 1110 err = path_lookup(path, 0, ndwatch); 1111 if (err) { 1112 kfree(ndwatch); 1113 ndwatch = NULL; 1114 } 1115 1116 *ndp = ndparent; 1117 *ndw = ndwatch; 1118 1119 return 0; 1120 } 1121 1122 /* Release resources used for watch path information. */ 1123 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1124 { 1125 if (ndp) { 1126 path_release(ndp); 1127 kfree(ndp); 1128 } 1129 if (ndw) { 1130 path_release(ndw); 1131 kfree(ndw); 1132 } 1133 } 1134 1135 /* Associate the given rule with an existing parent inotify_watch. 1136 * Caller must hold audit_filter_mutex. */ 1137 static void audit_add_to_parent(struct audit_krule *krule, 1138 struct audit_parent *parent) 1139 { 1140 struct audit_watch *w, *watch = krule->watch; 1141 int watch_found = 0; 1142 1143 list_for_each_entry(w, &parent->watches, wlist) { 1144 if (strcmp(watch->path, w->path)) 1145 continue; 1146 1147 watch_found = 1; 1148 1149 /* put krule's and initial refs to temporary watch */ 1150 audit_put_watch(watch); 1151 audit_put_watch(watch); 1152 1153 audit_get_watch(w); 1154 krule->watch = watch = w; 1155 break; 1156 } 1157 1158 if (!watch_found) { 1159 get_inotify_watch(&parent->wdata); 1160 watch->parent = parent; 1161 1162 list_add(&watch->wlist, &parent->watches); 1163 } 1164 list_add(&krule->rlist, &watch->rules); 1165 } 1166 1167 /* Find a matching watch entry, or add this one. 1168 * Caller must hold audit_filter_mutex. */ 1169 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1170 struct nameidata *ndw) 1171 { 1172 struct audit_watch *watch = krule->watch; 1173 struct inotify_watch *i_watch; 1174 struct audit_parent *parent; 1175 int ret = 0; 1176 1177 /* update watch filter fields */ 1178 if (ndw) { 1179 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1180 watch->ino = ndw->dentry->d_inode->i_ino; 1181 } 1182 1183 /* The audit_filter_mutex must not be held during inotify calls because 1184 * we hold it during inotify event callback processing. If an existing 1185 * inotify watch is found, inotify_find_watch() grabs a reference before 1186 * returning. 1187 */ 1188 mutex_unlock(&audit_filter_mutex); 1189 1190 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1191 parent = audit_init_parent(ndp); 1192 if (IS_ERR(parent)) { 1193 /* caller expects mutex locked */ 1194 mutex_lock(&audit_filter_mutex); 1195 return PTR_ERR(parent); 1196 } 1197 } else 1198 parent = container_of(i_watch, struct audit_parent, wdata); 1199 1200 mutex_lock(&audit_filter_mutex); 1201 1202 /* parent was moved before we took audit_filter_mutex */ 1203 if (parent->flags & AUDIT_PARENT_INVALID) 1204 ret = -ENOENT; 1205 else 1206 audit_add_to_parent(krule, parent); 1207 1208 /* match get in audit_init_parent or inotify_find_watch */ 1209 put_inotify_watch(&parent->wdata); 1210 return ret; 1211 } 1212 1213 /* Add rule to given filterlist if not a duplicate. */ 1214 static inline int audit_add_rule(struct audit_entry *entry, 1215 struct list_head *list) 1216 { 1217 struct audit_entry *e; 1218 struct audit_field *inode_f = entry->rule.inode_f; 1219 struct audit_watch *watch = entry->rule.watch; 1220 struct nameidata *ndp = NULL, *ndw = NULL; 1221 int h, err; 1222 #ifdef CONFIG_AUDITSYSCALL 1223 int dont_count = 0; 1224 1225 /* If either of these, don't count towards total */ 1226 if (entry->rule.listnr == AUDIT_FILTER_USER || 1227 entry->rule.listnr == AUDIT_FILTER_TYPE) 1228 dont_count = 1; 1229 #endif 1230 1231 if (inode_f) { 1232 h = audit_hash_ino(inode_f->val); 1233 list = &audit_inode_hash[h]; 1234 } 1235 1236 mutex_lock(&audit_filter_mutex); 1237 e = audit_find_rule(entry, list); 1238 mutex_unlock(&audit_filter_mutex); 1239 if (e) { 1240 err = -EEXIST; 1241 goto error; 1242 } 1243 1244 /* Avoid calling path_lookup under audit_filter_mutex. */ 1245 if (watch) { 1246 err = audit_get_nd(watch->path, &ndp, &ndw); 1247 if (err) 1248 goto error; 1249 } 1250 1251 mutex_lock(&audit_filter_mutex); 1252 if (watch) { 1253 /* audit_filter_mutex is dropped and re-taken during this call */ 1254 err = audit_add_watch(&entry->rule, ndp, ndw); 1255 if (err) { 1256 mutex_unlock(&audit_filter_mutex); 1257 goto error; 1258 } 1259 h = audit_hash_ino((u32)watch->ino); 1260 list = &audit_inode_hash[h]; 1261 } 1262 1263 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1264 list_add_rcu(&entry->list, list); 1265 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1266 } else { 1267 list_add_tail_rcu(&entry->list, list); 1268 } 1269 #ifdef CONFIG_AUDITSYSCALL 1270 if (!dont_count) 1271 audit_n_rules++; 1272 1273 if (!audit_match_signal(entry)) 1274 audit_signals++; 1275 #endif 1276 mutex_unlock(&audit_filter_mutex); 1277 1278 audit_put_nd(ndp, ndw); /* NULL args OK */ 1279 return 0; 1280 1281 error: 1282 audit_put_nd(ndp, ndw); /* NULL args OK */ 1283 if (watch) 1284 audit_put_watch(watch); /* tmp watch, matches initial get */ 1285 return err; 1286 } 1287 1288 /* Remove an existing rule from filterlist. */ 1289 static inline int audit_del_rule(struct audit_entry *entry, 1290 struct list_head *list) 1291 { 1292 struct audit_entry *e; 1293 struct audit_field *inode_f = entry->rule.inode_f; 1294 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1295 LIST_HEAD(inotify_list); 1296 int h, ret = 0; 1297 #ifdef CONFIG_AUDITSYSCALL 1298 int dont_count = 0; 1299 1300 /* If either of these, don't count towards total */ 1301 if (entry->rule.listnr == AUDIT_FILTER_USER || 1302 entry->rule.listnr == AUDIT_FILTER_TYPE) 1303 dont_count = 1; 1304 #endif 1305 1306 if (inode_f) { 1307 h = audit_hash_ino(inode_f->val); 1308 list = &audit_inode_hash[h]; 1309 } 1310 1311 mutex_lock(&audit_filter_mutex); 1312 e = audit_find_rule(entry, list); 1313 if (!e) { 1314 mutex_unlock(&audit_filter_mutex); 1315 ret = -ENOENT; 1316 goto out; 1317 } 1318 1319 watch = e->rule.watch; 1320 if (watch) { 1321 struct audit_parent *parent = watch->parent; 1322 1323 list_del(&e->rule.rlist); 1324 1325 if (list_empty(&watch->rules)) { 1326 audit_remove_watch(watch); 1327 1328 if (list_empty(&parent->watches)) { 1329 /* Put parent on the inotify un-registration 1330 * list. Grab a reference before releasing 1331 * audit_filter_mutex, to be released in 1332 * audit_inotify_unregister(). */ 1333 list_add(&parent->ilist, &inotify_list); 1334 get_inotify_watch(&parent->wdata); 1335 } 1336 } 1337 } 1338 1339 list_del_rcu(&e->list); 1340 call_rcu(&e->rcu, audit_free_rule_rcu); 1341 1342 #ifdef CONFIG_AUDITSYSCALL 1343 if (!dont_count) 1344 audit_n_rules--; 1345 1346 if (!audit_match_signal(entry)) 1347 audit_signals--; 1348 #endif 1349 mutex_unlock(&audit_filter_mutex); 1350 1351 if (!list_empty(&inotify_list)) 1352 audit_inotify_unregister(&inotify_list); 1353 1354 out: 1355 if (tmp_watch) 1356 audit_put_watch(tmp_watch); /* match initial get */ 1357 1358 return ret; 1359 } 1360 1361 /* List rules using struct audit_rule. Exists for backward 1362 * compatibility with userspace. */ 1363 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1364 { 1365 struct sk_buff *skb; 1366 struct audit_entry *entry; 1367 int i; 1368 1369 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1370 * iterator to sync with list writers. */ 1371 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1372 list_for_each_entry(entry, &audit_filter_list[i], list) { 1373 struct audit_rule *rule; 1374 1375 rule = audit_krule_to_rule(&entry->rule); 1376 if (unlikely(!rule)) 1377 break; 1378 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1379 rule, sizeof(*rule)); 1380 if (skb) 1381 skb_queue_tail(q, skb); 1382 kfree(rule); 1383 } 1384 } 1385 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1386 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1387 struct audit_rule *rule; 1388 1389 rule = audit_krule_to_rule(&entry->rule); 1390 if (unlikely(!rule)) 1391 break; 1392 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1393 rule, sizeof(*rule)); 1394 if (skb) 1395 skb_queue_tail(q, skb); 1396 kfree(rule); 1397 } 1398 } 1399 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1400 if (skb) 1401 skb_queue_tail(q, skb); 1402 } 1403 1404 /* List rules using struct audit_rule_data. */ 1405 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1406 { 1407 struct sk_buff *skb; 1408 struct audit_entry *e; 1409 int i; 1410 1411 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1412 * iterator to sync with list writers. */ 1413 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1414 list_for_each_entry(e, &audit_filter_list[i], list) { 1415 struct audit_rule_data *data; 1416 1417 data = audit_krule_to_data(&e->rule); 1418 if (unlikely(!data)) 1419 break; 1420 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1421 data, sizeof(*data) + data->buflen); 1422 if (skb) 1423 skb_queue_tail(q, skb); 1424 kfree(data); 1425 } 1426 } 1427 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1428 list_for_each_entry(e, &audit_inode_hash[i], list) { 1429 struct audit_rule_data *data; 1430 1431 data = audit_krule_to_data(&e->rule); 1432 if (unlikely(!data)) 1433 break; 1434 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1435 data, sizeof(*data) + data->buflen); 1436 if (skb) 1437 skb_queue_tail(q, skb); 1438 kfree(data); 1439 } 1440 } 1441 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1442 if (skb) 1443 skb_queue_tail(q, skb); 1444 } 1445 1446 /* Log rule additions and removals */ 1447 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1448 struct audit_krule *rule, int res) 1449 { 1450 struct audit_buffer *ab; 1451 1452 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1453 if (!ab) 1454 return; 1455 audit_log_format(ab, "auid=%u", loginuid); 1456 if (sid) { 1457 char *ctx = NULL; 1458 u32 len; 1459 if (selinux_sid_to_string(sid, &ctx, &len)) 1460 audit_log_format(ab, " ssid=%u", sid); 1461 else 1462 audit_log_format(ab, " subj=%s", ctx); 1463 kfree(ctx); 1464 } 1465 audit_log_format(ab, " op=%s rule key=", action); 1466 if (rule->filterkey) 1467 audit_log_untrustedstring(ab, rule->filterkey); 1468 else 1469 audit_log_format(ab, "(null)"); 1470 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1471 audit_log_end(ab); 1472 } 1473 1474 /** 1475 * audit_receive_filter - apply all rules to the specified message type 1476 * @type: audit message type 1477 * @pid: target pid for netlink audit messages 1478 * @uid: target uid for netlink audit messages 1479 * @seq: netlink audit message sequence (serial) number 1480 * @data: payload data 1481 * @datasz: size of payload data 1482 * @loginuid: loginuid of sender 1483 * @sid: SE Linux Security ID of sender 1484 */ 1485 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1486 size_t datasz, uid_t loginuid, u32 sid) 1487 { 1488 struct task_struct *tsk; 1489 struct audit_netlink_list *dest; 1490 int err = 0; 1491 struct audit_entry *entry; 1492 1493 switch (type) { 1494 case AUDIT_LIST: 1495 case AUDIT_LIST_RULES: 1496 /* We can't just spew out the rules here because we might fill 1497 * the available socket buffer space and deadlock waiting for 1498 * auditctl to read from it... which isn't ever going to 1499 * happen if we're actually running in the context of auditctl 1500 * trying to _send_ the stuff */ 1501 1502 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1503 if (!dest) 1504 return -ENOMEM; 1505 dest->pid = pid; 1506 skb_queue_head_init(&dest->q); 1507 1508 mutex_lock(&audit_filter_mutex); 1509 if (type == AUDIT_LIST) 1510 audit_list(pid, seq, &dest->q); 1511 else 1512 audit_list_rules(pid, seq, &dest->q); 1513 mutex_unlock(&audit_filter_mutex); 1514 1515 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1516 if (IS_ERR(tsk)) { 1517 skb_queue_purge(&dest->q); 1518 kfree(dest); 1519 err = PTR_ERR(tsk); 1520 } 1521 break; 1522 case AUDIT_ADD: 1523 case AUDIT_ADD_RULE: 1524 if (type == AUDIT_ADD) 1525 entry = audit_rule_to_entry(data); 1526 else 1527 entry = audit_data_to_entry(data, datasz); 1528 if (IS_ERR(entry)) 1529 return PTR_ERR(entry); 1530 1531 err = audit_add_rule(entry, 1532 &audit_filter_list[entry->rule.listnr]); 1533 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1534 1535 if (err) 1536 audit_free_rule(entry); 1537 break; 1538 case AUDIT_DEL: 1539 case AUDIT_DEL_RULE: 1540 if (type == AUDIT_DEL) 1541 entry = audit_rule_to_entry(data); 1542 else 1543 entry = audit_data_to_entry(data, datasz); 1544 if (IS_ERR(entry)) 1545 return PTR_ERR(entry); 1546 1547 err = audit_del_rule(entry, 1548 &audit_filter_list[entry->rule.listnr]); 1549 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1550 !err); 1551 1552 audit_free_rule(entry); 1553 break; 1554 default: 1555 return -EINVAL; 1556 } 1557 1558 return err; 1559 } 1560 1561 int audit_comparator(const u32 left, const u32 op, const u32 right) 1562 { 1563 switch (op) { 1564 case AUDIT_EQUAL: 1565 return (left == right); 1566 case AUDIT_NOT_EQUAL: 1567 return (left != right); 1568 case AUDIT_LESS_THAN: 1569 return (left < right); 1570 case AUDIT_LESS_THAN_OR_EQUAL: 1571 return (left <= right); 1572 case AUDIT_GREATER_THAN: 1573 return (left > right); 1574 case AUDIT_GREATER_THAN_OR_EQUAL: 1575 return (left >= right); 1576 case AUDIT_BIT_MASK: 1577 return (left & right); 1578 case AUDIT_BIT_TEST: 1579 return ((left & right) == right); 1580 } 1581 BUG(); 1582 return 0; 1583 } 1584 1585 /* Compare given dentry name with last component in given path, 1586 * return of 0 indicates a match. */ 1587 int audit_compare_dname_path(const char *dname, const char *path, 1588 int *dirlen) 1589 { 1590 int dlen, plen; 1591 const char *p; 1592 1593 if (!dname || !path) 1594 return 1; 1595 1596 dlen = strlen(dname); 1597 plen = strlen(path); 1598 if (plen < dlen) 1599 return 1; 1600 1601 /* disregard trailing slashes */ 1602 p = path + plen - 1; 1603 while ((*p == '/') && (p > path)) 1604 p--; 1605 1606 /* find last path component */ 1607 p = p - dlen + 1; 1608 if (p < path) 1609 return 1; 1610 else if (p > path) { 1611 if (*--p != '/') 1612 return 1; 1613 else 1614 p++; 1615 } 1616 1617 /* return length of path's directory component */ 1618 if (dirlen) 1619 *dirlen = p - path; 1620 return strncmp(p, dname, dlen); 1621 } 1622 1623 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1624 struct audit_krule *rule, 1625 enum audit_state *state) 1626 { 1627 int i; 1628 1629 for (i = 0; i < rule->field_count; i++) { 1630 struct audit_field *f = &rule->fields[i]; 1631 int result = 0; 1632 1633 switch (f->type) { 1634 case AUDIT_PID: 1635 result = audit_comparator(cb->creds.pid, f->op, f->val); 1636 break; 1637 case AUDIT_UID: 1638 result = audit_comparator(cb->creds.uid, f->op, f->val); 1639 break; 1640 case AUDIT_GID: 1641 result = audit_comparator(cb->creds.gid, f->op, f->val); 1642 break; 1643 case AUDIT_LOGINUID: 1644 result = audit_comparator(cb->loginuid, f->op, f->val); 1645 break; 1646 } 1647 1648 if (!result) 1649 return 0; 1650 } 1651 switch (rule->action) { 1652 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1653 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1654 } 1655 return 1; 1656 } 1657 1658 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1659 { 1660 enum audit_state state = AUDIT_DISABLED; 1661 struct audit_entry *e; 1662 int ret = 1; 1663 1664 rcu_read_lock(); 1665 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1666 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1667 if (state == AUDIT_DISABLED) 1668 ret = 0; 1669 break; 1670 } 1671 } 1672 rcu_read_unlock(); 1673 1674 return ret; /* Audit by default */ 1675 } 1676 1677 int audit_filter_type(int type) 1678 { 1679 struct audit_entry *e; 1680 int result = 0; 1681 1682 rcu_read_lock(); 1683 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1684 goto unlock_and_return; 1685 1686 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1687 list) { 1688 int i; 1689 for (i = 0; i < e->rule.field_count; i++) { 1690 struct audit_field *f = &e->rule.fields[i]; 1691 if (f->type == AUDIT_MSGTYPE) { 1692 result = audit_comparator(type, f->op, f->val); 1693 if (!result) 1694 break; 1695 } 1696 } 1697 if (result) 1698 goto unlock_and_return; 1699 } 1700 unlock_and_return: 1701 rcu_read_unlock(); 1702 return result; 1703 } 1704 1705 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1706 are selinux fields specified in the rule, 0 otherwise. */ 1707 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1708 { 1709 int i; 1710 1711 for (i = 0; i < rule->field_count; i++) { 1712 struct audit_field *f = &rule->fields[i]; 1713 switch (f->type) { 1714 case AUDIT_SUBJ_USER: 1715 case AUDIT_SUBJ_ROLE: 1716 case AUDIT_SUBJ_TYPE: 1717 case AUDIT_SUBJ_SEN: 1718 case AUDIT_SUBJ_CLR: 1719 case AUDIT_OBJ_USER: 1720 case AUDIT_OBJ_ROLE: 1721 case AUDIT_OBJ_TYPE: 1722 case AUDIT_OBJ_LEV_LOW: 1723 case AUDIT_OBJ_LEV_HIGH: 1724 return 1; 1725 } 1726 } 1727 1728 return 0; 1729 } 1730 1731 /* This function will re-initialize the se_rule field of all applicable rules. 1732 * It will traverse the filter lists serarching for rules that contain selinux 1733 * specific filter fields. When such a rule is found, it is copied, the 1734 * selinux field is re-initialized, and the old rule is replaced with the 1735 * updated rule. */ 1736 int selinux_audit_rule_update(void) 1737 { 1738 struct audit_entry *entry, *n, *nentry; 1739 struct audit_watch *watch; 1740 int i, err = 0; 1741 1742 /* audit_filter_mutex synchronizes the writers */ 1743 mutex_lock(&audit_filter_mutex); 1744 1745 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1746 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1747 if (!audit_rule_has_selinux(&entry->rule)) 1748 continue; 1749 1750 watch = entry->rule.watch; 1751 nentry = audit_dupe_rule(&entry->rule, watch); 1752 if (unlikely(IS_ERR(nentry))) { 1753 /* save the first error encountered for the 1754 * return value */ 1755 if (!err) 1756 err = PTR_ERR(nentry); 1757 audit_panic("error updating selinux filters"); 1758 if (watch) 1759 list_del(&entry->rule.rlist); 1760 list_del_rcu(&entry->list); 1761 } else { 1762 if (watch) { 1763 list_add(&nentry->rule.rlist, 1764 &watch->rules); 1765 list_del(&entry->rule.rlist); 1766 } 1767 list_replace_rcu(&entry->list, &nentry->list); 1768 } 1769 call_rcu(&entry->rcu, audit_free_rule_rcu); 1770 } 1771 } 1772 1773 mutex_unlock(&audit_filter_mutex); 1774 1775 return err; 1776 } 1777 1778 /* Update watch data in audit rules based on inotify events. */ 1779 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1780 u32 cookie, const char *dname, struct inode *inode) 1781 { 1782 struct audit_parent *parent; 1783 1784 parent = container_of(i_watch, struct audit_parent, wdata); 1785 1786 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1787 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1788 inode->i_ino, 0); 1789 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1790 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1791 /* inotify automatically removes the watch and sends IN_IGNORED */ 1792 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1793 audit_remove_parent_watches(parent); 1794 /* inotify does not remove the watch, so remove it manually */ 1795 else if(mask & IN_MOVE_SELF) { 1796 audit_remove_parent_watches(parent); 1797 inotify_remove_watch_locked(audit_ih, i_watch); 1798 } else if (mask & IN_IGNORED) 1799 put_inotify_watch(i_watch); 1800 } 1801