1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* Audit filter lists, defined in <linux/audit.h> */ 48 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 49 LIST_HEAD_INIT(audit_filter_list[0]), 50 LIST_HEAD_INIT(audit_filter_list[1]), 51 LIST_HEAD_INIT(audit_filter_list[2]), 52 LIST_HEAD_INIT(audit_filter_list[3]), 53 LIST_HEAD_INIT(audit_filter_list[4]), 54 LIST_HEAD_INIT(audit_filter_list[5]), 55 #if AUDIT_NR_FILTERS != 6 56 #error Fix audit_filter_list initialiser 57 #endif 58 }; 59 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 60 LIST_HEAD_INIT(audit_rules_list[0]), 61 LIST_HEAD_INIT(audit_rules_list[1]), 62 LIST_HEAD_INIT(audit_rules_list[2]), 63 LIST_HEAD_INIT(audit_rules_list[3]), 64 LIST_HEAD_INIT(audit_rules_list[4]), 65 LIST_HEAD_INIT(audit_rules_list[5]), 66 }; 67 68 DEFINE_MUTEX(audit_filter_mutex); 69 70 static inline void audit_free_rule(struct audit_entry *e) 71 { 72 int i; 73 struct audit_krule *erule = &e->rule; 74 75 /* some rules don't have associated watches */ 76 if (erule->watch) 77 audit_put_watch(erule->watch); 78 if (erule->fields) 79 for (i = 0; i < erule->field_count; i++) { 80 struct audit_field *f = &erule->fields[i]; 81 kfree(f->lsm_str); 82 security_audit_rule_free(f->lsm_rule); 83 } 84 kfree(erule->fields); 85 kfree(erule->filterkey); 86 kfree(e); 87 } 88 89 void audit_free_rule_rcu(struct rcu_head *head) 90 { 91 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 92 audit_free_rule(e); 93 } 94 95 /* Initialize an audit filterlist entry. */ 96 static inline struct audit_entry *audit_init_entry(u32 field_count) 97 { 98 struct audit_entry *entry; 99 struct audit_field *fields; 100 101 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 102 if (unlikely(!entry)) 103 return NULL; 104 105 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 106 if (unlikely(!fields)) { 107 kfree(entry); 108 return NULL; 109 } 110 entry->rule.fields = fields; 111 112 return entry; 113 } 114 115 /* Unpack a filter field's string representation from user-space 116 * buffer. */ 117 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 118 { 119 char *str; 120 121 if (!*bufp || (len == 0) || (len > *remain)) 122 return ERR_PTR(-EINVAL); 123 124 /* Of the currently implemented string fields, PATH_MAX 125 * defines the longest valid length. 126 */ 127 if (len > PATH_MAX) 128 return ERR_PTR(-ENAMETOOLONG); 129 130 str = kmalloc(len + 1, GFP_KERNEL); 131 if (unlikely(!str)) 132 return ERR_PTR(-ENOMEM); 133 134 memcpy(str, *bufp, len); 135 str[len] = 0; 136 *bufp += len; 137 *remain -= len; 138 139 return str; 140 } 141 142 /* Translate an inode field to kernel respresentation. */ 143 static inline int audit_to_inode(struct audit_krule *krule, 144 struct audit_field *f) 145 { 146 if (krule->listnr != AUDIT_FILTER_EXIT || 147 krule->watch || krule->inode_f || krule->tree || 148 (f->op != Audit_equal && f->op != Audit_not_equal)) 149 return -EINVAL; 150 151 krule->inode_f = f; 152 return 0; 153 } 154 155 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 156 157 int __init audit_register_class(int class, unsigned *list) 158 { 159 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 160 if (!p) 161 return -ENOMEM; 162 while (*list != ~0U) { 163 unsigned n = *list++; 164 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 165 kfree(p); 166 return -EINVAL; 167 } 168 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 169 } 170 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 171 kfree(p); 172 return -EINVAL; 173 } 174 classes[class] = p; 175 return 0; 176 } 177 178 int audit_match_class(int class, unsigned syscall) 179 { 180 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 181 return 0; 182 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 183 return 0; 184 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 185 } 186 187 #ifdef CONFIG_AUDITSYSCALL 188 static inline int audit_match_class_bits(int class, u32 *mask) 189 { 190 int i; 191 192 if (classes[class]) { 193 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 194 if (mask[i] & classes[class][i]) 195 return 0; 196 } 197 return 1; 198 } 199 200 static int audit_match_signal(struct audit_entry *entry) 201 { 202 struct audit_field *arch = entry->rule.arch_f; 203 204 if (!arch) { 205 /* When arch is unspecified, we must check both masks on biarch 206 * as syscall number alone is ambiguous. */ 207 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 208 entry->rule.mask) && 209 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 210 entry->rule.mask)); 211 } 212 213 switch(audit_classify_arch(arch->val)) { 214 case 0: /* native */ 215 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 216 entry->rule.mask)); 217 case 1: /* 32bit on biarch */ 218 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 219 entry->rule.mask)); 220 default: 221 return 1; 222 } 223 } 224 #endif 225 226 /* Common user-space to kernel rule translation. */ 227 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 228 { 229 unsigned listnr; 230 struct audit_entry *entry; 231 int i, err; 232 233 err = -EINVAL; 234 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 235 switch(listnr) { 236 default: 237 goto exit_err; 238 #ifdef CONFIG_AUDITSYSCALL 239 case AUDIT_FILTER_ENTRY: 240 if (rule->action == AUDIT_ALWAYS) 241 goto exit_err; 242 case AUDIT_FILTER_EXIT: 243 case AUDIT_FILTER_TASK: 244 #endif 245 case AUDIT_FILTER_USER: 246 case AUDIT_FILTER_TYPE: 247 ; 248 } 249 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 250 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 251 goto exit_err; 252 } 253 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 254 goto exit_err; 255 if (rule->field_count > AUDIT_MAX_FIELDS) 256 goto exit_err; 257 258 err = -ENOMEM; 259 entry = audit_init_entry(rule->field_count); 260 if (!entry) 261 goto exit_err; 262 263 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 264 entry->rule.listnr = listnr; 265 entry->rule.action = rule->action; 266 entry->rule.field_count = rule->field_count; 267 268 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 269 entry->rule.mask[i] = rule->mask[i]; 270 271 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 272 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 273 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 274 __u32 *class; 275 276 if (!(*p & AUDIT_BIT(bit))) 277 continue; 278 *p &= ~AUDIT_BIT(bit); 279 class = classes[i]; 280 if (class) { 281 int j; 282 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 283 entry->rule.mask[j] |= class[j]; 284 } 285 } 286 287 return entry; 288 289 exit_err: 290 return ERR_PTR(err); 291 } 292 293 static u32 audit_ops[] = 294 { 295 [Audit_equal] = AUDIT_EQUAL, 296 [Audit_not_equal] = AUDIT_NOT_EQUAL, 297 [Audit_bitmask] = AUDIT_BIT_MASK, 298 [Audit_bittest] = AUDIT_BIT_TEST, 299 [Audit_lt] = AUDIT_LESS_THAN, 300 [Audit_gt] = AUDIT_GREATER_THAN, 301 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 302 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 303 }; 304 305 static u32 audit_to_op(u32 op) 306 { 307 u32 n; 308 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 309 ; 310 return n; 311 } 312 313 /* check if an audit field is valid */ 314 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) 315 { 316 switch(f->type) { 317 case AUDIT_MSGTYPE: 318 if (entry->rule.listnr != AUDIT_FILTER_TYPE && 319 entry->rule.listnr != AUDIT_FILTER_USER) 320 return -EINVAL; 321 break; 322 }; 323 324 switch(f->type) { 325 default: 326 return -EINVAL; 327 case AUDIT_UID: 328 case AUDIT_EUID: 329 case AUDIT_SUID: 330 case AUDIT_FSUID: 331 case AUDIT_LOGINUID: 332 case AUDIT_OBJ_UID: 333 case AUDIT_GID: 334 case AUDIT_EGID: 335 case AUDIT_SGID: 336 case AUDIT_FSGID: 337 case AUDIT_OBJ_GID: 338 case AUDIT_PID: 339 case AUDIT_PERS: 340 case AUDIT_MSGTYPE: 341 case AUDIT_PPID: 342 case AUDIT_DEVMAJOR: 343 case AUDIT_DEVMINOR: 344 case AUDIT_EXIT: 345 case AUDIT_SUCCESS: 346 /* bit ops are only useful on syscall args */ 347 if (f->op == Audit_bitmask || f->op == Audit_bittest) 348 return -EINVAL; 349 break; 350 case AUDIT_ARG0: 351 case AUDIT_ARG1: 352 case AUDIT_ARG2: 353 case AUDIT_ARG3: 354 case AUDIT_SUBJ_USER: 355 case AUDIT_SUBJ_ROLE: 356 case AUDIT_SUBJ_TYPE: 357 case AUDIT_SUBJ_SEN: 358 case AUDIT_SUBJ_CLR: 359 case AUDIT_OBJ_USER: 360 case AUDIT_OBJ_ROLE: 361 case AUDIT_OBJ_TYPE: 362 case AUDIT_OBJ_LEV_LOW: 363 case AUDIT_OBJ_LEV_HIGH: 364 case AUDIT_WATCH: 365 case AUDIT_DIR: 366 case AUDIT_FILTERKEY: 367 break; 368 /* arch is only allowed to be = or != */ 369 case AUDIT_ARCH: 370 if (f->op != Audit_not_equal && f->op != Audit_equal) 371 return -EINVAL; 372 break; 373 case AUDIT_PERM: 374 if (f->val & ~15) 375 return -EINVAL; 376 break; 377 case AUDIT_FILETYPE: 378 if (f->val & ~S_IFMT) 379 return -EINVAL; 380 break; 381 case AUDIT_FIELD_COMPARE: 382 if (f->val > AUDIT_MAX_FIELD_COMPARE) 383 return -EINVAL; 384 break; 385 }; 386 return 0; 387 } 388 389 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 390 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 391 size_t datasz) 392 { 393 int err = 0; 394 struct audit_entry *entry; 395 void *bufp; 396 size_t remain = datasz - sizeof(struct audit_rule_data); 397 int i; 398 char *str; 399 400 entry = audit_to_entry_common((struct audit_rule *)data); 401 if (IS_ERR(entry)) 402 goto exit_nofree; 403 404 bufp = data->buf; 405 entry->rule.vers_ops = 2; 406 for (i = 0; i < data->field_count; i++) { 407 struct audit_field *f = &entry->rule.fields[i]; 408 409 err = -EINVAL; 410 411 f->op = audit_to_op(data->fieldflags[i]); 412 if (f->op == Audit_bad) 413 goto exit_free; 414 415 f->type = data->fields[i]; 416 f->val = data->values[i]; 417 f->uid = INVALID_UID; 418 f->gid = INVALID_GID; 419 f->lsm_str = NULL; 420 f->lsm_rule = NULL; 421 422 err = audit_field_valid(entry, f); 423 if (err) 424 goto exit_free; 425 426 err = -EINVAL; 427 switch (f->type) { 428 case AUDIT_UID: 429 case AUDIT_EUID: 430 case AUDIT_SUID: 431 case AUDIT_FSUID: 432 case AUDIT_LOGINUID: 433 case AUDIT_OBJ_UID: 434 f->uid = make_kuid(current_user_ns(), f->val); 435 if (!uid_valid(f->uid)) 436 goto exit_free; 437 break; 438 case AUDIT_GID: 439 case AUDIT_EGID: 440 case AUDIT_SGID: 441 case AUDIT_FSGID: 442 case AUDIT_OBJ_GID: 443 f->gid = make_kgid(current_user_ns(), f->val); 444 if (!gid_valid(f->gid)) 445 goto exit_free; 446 break; 447 case AUDIT_ARCH: 448 entry->rule.arch_f = f; 449 break; 450 case AUDIT_SUBJ_USER: 451 case AUDIT_SUBJ_ROLE: 452 case AUDIT_SUBJ_TYPE: 453 case AUDIT_SUBJ_SEN: 454 case AUDIT_SUBJ_CLR: 455 case AUDIT_OBJ_USER: 456 case AUDIT_OBJ_ROLE: 457 case AUDIT_OBJ_TYPE: 458 case AUDIT_OBJ_LEV_LOW: 459 case AUDIT_OBJ_LEV_HIGH: 460 str = audit_unpack_string(&bufp, &remain, f->val); 461 if (IS_ERR(str)) 462 goto exit_free; 463 entry->rule.buflen += f->val; 464 465 err = security_audit_rule_init(f->type, f->op, str, 466 (void **)&f->lsm_rule); 467 /* Keep currently invalid fields around in case they 468 * become valid after a policy reload. */ 469 if (err == -EINVAL) { 470 printk(KERN_WARNING "audit rule for LSM " 471 "\'%s\' is invalid\n", str); 472 err = 0; 473 } 474 if (err) { 475 kfree(str); 476 goto exit_free; 477 } else 478 f->lsm_str = str; 479 break; 480 case AUDIT_WATCH: 481 str = audit_unpack_string(&bufp, &remain, f->val); 482 if (IS_ERR(str)) 483 goto exit_free; 484 entry->rule.buflen += f->val; 485 486 err = audit_to_watch(&entry->rule, str, f->val, f->op); 487 if (err) { 488 kfree(str); 489 goto exit_free; 490 } 491 break; 492 case AUDIT_DIR: 493 str = audit_unpack_string(&bufp, &remain, f->val); 494 if (IS_ERR(str)) 495 goto exit_free; 496 entry->rule.buflen += f->val; 497 498 err = audit_make_tree(&entry->rule, str, f->op); 499 kfree(str); 500 if (err) 501 goto exit_free; 502 break; 503 case AUDIT_INODE: 504 err = audit_to_inode(&entry->rule, f); 505 if (err) 506 goto exit_free; 507 break; 508 case AUDIT_FILTERKEY: 509 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 510 goto exit_free; 511 str = audit_unpack_string(&bufp, &remain, f->val); 512 if (IS_ERR(str)) 513 goto exit_free; 514 entry->rule.buflen += f->val; 515 entry->rule.filterkey = str; 516 break; 517 } 518 } 519 520 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 521 entry->rule.inode_f = NULL; 522 523 exit_nofree: 524 return entry; 525 526 exit_free: 527 audit_free_rule(entry); 528 return ERR_PTR(err); 529 } 530 531 /* Pack a filter field's string representation into data block. */ 532 static inline size_t audit_pack_string(void **bufp, const char *str) 533 { 534 size_t len = strlen(str); 535 536 memcpy(*bufp, str, len); 537 *bufp += len; 538 539 return len; 540 } 541 542 /* Translate kernel rule respresentation to struct audit_rule_data. */ 543 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 544 { 545 struct audit_rule_data *data; 546 void *bufp; 547 int i; 548 549 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 550 if (unlikely(!data)) 551 return NULL; 552 memset(data, 0, sizeof(*data)); 553 554 data->flags = krule->flags | krule->listnr; 555 data->action = krule->action; 556 data->field_count = krule->field_count; 557 bufp = data->buf; 558 for (i = 0; i < data->field_count; i++) { 559 struct audit_field *f = &krule->fields[i]; 560 561 data->fields[i] = f->type; 562 data->fieldflags[i] = audit_ops[f->op]; 563 switch(f->type) { 564 case AUDIT_SUBJ_USER: 565 case AUDIT_SUBJ_ROLE: 566 case AUDIT_SUBJ_TYPE: 567 case AUDIT_SUBJ_SEN: 568 case AUDIT_SUBJ_CLR: 569 case AUDIT_OBJ_USER: 570 case AUDIT_OBJ_ROLE: 571 case AUDIT_OBJ_TYPE: 572 case AUDIT_OBJ_LEV_LOW: 573 case AUDIT_OBJ_LEV_HIGH: 574 data->buflen += data->values[i] = 575 audit_pack_string(&bufp, f->lsm_str); 576 break; 577 case AUDIT_WATCH: 578 data->buflen += data->values[i] = 579 audit_pack_string(&bufp, 580 audit_watch_path(krule->watch)); 581 break; 582 case AUDIT_DIR: 583 data->buflen += data->values[i] = 584 audit_pack_string(&bufp, 585 audit_tree_path(krule->tree)); 586 break; 587 case AUDIT_FILTERKEY: 588 data->buflen += data->values[i] = 589 audit_pack_string(&bufp, krule->filterkey); 590 break; 591 default: 592 data->values[i] = f->val; 593 } 594 } 595 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 596 597 return data; 598 } 599 600 /* Compare two rules in kernel format. Considered success if rules 601 * don't match. */ 602 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 603 { 604 int i; 605 606 if (a->flags != b->flags || 607 a->listnr != b->listnr || 608 a->action != b->action || 609 a->field_count != b->field_count) 610 return 1; 611 612 for (i = 0; i < a->field_count; i++) { 613 if (a->fields[i].type != b->fields[i].type || 614 a->fields[i].op != b->fields[i].op) 615 return 1; 616 617 switch(a->fields[i].type) { 618 case AUDIT_SUBJ_USER: 619 case AUDIT_SUBJ_ROLE: 620 case AUDIT_SUBJ_TYPE: 621 case AUDIT_SUBJ_SEN: 622 case AUDIT_SUBJ_CLR: 623 case AUDIT_OBJ_USER: 624 case AUDIT_OBJ_ROLE: 625 case AUDIT_OBJ_TYPE: 626 case AUDIT_OBJ_LEV_LOW: 627 case AUDIT_OBJ_LEV_HIGH: 628 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 629 return 1; 630 break; 631 case AUDIT_WATCH: 632 if (strcmp(audit_watch_path(a->watch), 633 audit_watch_path(b->watch))) 634 return 1; 635 break; 636 case AUDIT_DIR: 637 if (strcmp(audit_tree_path(a->tree), 638 audit_tree_path(b->tree))) 639 return 1; 640 break; 641 case AUDIT_FILTERKEY: 642 /* both filterkeys exist based on above type compare */ 643 if (strcmp(a->filterkey, b->filterkey)) 644 return 1; 645 break; 646 case AUDIT_UID: 647 case AUDIT_EUID: 648 case AUDIT_SUID: 649 case AUDIT_FSUID: 650 case AUDIT_LOGINUID: 651 case AUDIT_OBJ_UID: 652 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 653 return 1; 654 break; 655 case AUDIT_GID: 656 case AUDIT_EGID: 657 case AUDIT_SGID: 658 case AUDIT_FSGID: 659 case AUDIT_OBJ_GID: 660 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 661 return 1; 662 break; 663 default: 664 if (a->fields[i].val != b->fields[i].val) 665 return 1; 666 } 667 } 668 669 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 670 if (a->mask[i] != b->mask[i]) 671 return 1; 672 673 return 0; 674 } 675 676 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 677 * re-initialized. */ 678 static inline int audit_dupe_lsm_field(struct audit_field *df, 679 struct audit_field *sf) 680 { 681 int ret = 0; 682 char *lsm_str; 683 684 /* our own copy of lsm_str */ 685 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 686 if (unlikely(!lsm_str)) 687 return -ENOMEM; 688 df->lsm_str = lsm_str; 689 690 /* our own (refreshed) copy of lsm_rule */ 691 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 692 (void **)&df->lsm_rule); 693 /* Keep currently invalid fields around in case they 694 * become valid after a policy reload. */ 695 if (ret == -EINVAL) { 696 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 697 "invalid\n", df->lsm_str); 698 ret = 0; 699 } 700 701 return ret; 702 } 703 704 /* Duplicate an audit rule. This will be a deep copy with the exception 705 * of the watch - that pointer is carried over. The LSM specific fields 706 * will be updated in the copy. The point is to be able to replace the old 707 * rule with the new rule in the filterlist, then free the old rule. 708 * The rlist element is undefined; list manipulations are handled apart from 709 * the initial copy. */ 710 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 711 { 712 u32 fcount = old->field_count; 713 struct audit_entry *entry; 714 struct audit_krule *new; 715 char *fk; 716 int i, err = 0; 717 718 entry = audit_init_entry(fcount); 719 if (unlikely(!entry)) 720 return ERR_PTR(-ENOMEM); 721 722 new = &entry->rule; 723 new->vers_ops = old->vers_ops; 724 new->flags = old->flags; 725 new->listnr = old->listnr; 726 new->action = old->action; 727 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 728 new->mask[i] = old->mask[i]; 729 new->prio = old->prio; 730 new->buflen = old->buflen; 731 new->inode_f = old->inode_f; 732 new->field_count = old->field_count; 733 734 /* 735 * note that we are OK with not refcounting here; audit_match_tree() 736 * never dereferences tree and we can't get false positives there 737 * since we'd have to have rule gone from the list *and* removed 738 * before the chunks found by lookup had been allocated, i.e. before 739 * the beginning of list scan. 740 */ 741 new->tree = old->tree; 742 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 743 744 /* deep copy this information, updating the lsm_rule fields, because 745 * the originals will all be freed when the old rule is freed. */ 746 for (i = 0; i < fcount; i++) { 747 switch (new->fields[i].type) { 748 case AUDIT_SUBJ_USER: 749 case AUDIT_SUBJ_ROLE: 750 case AUDIT_SUBJ_TYPE: 751 case AUDIT_SUBJ_SEN: 752 case AUDIT_SUBJ_CLR: 753 case AUDIT_OBJ_USER: 754 case AUDIT_OBJ_ROLE: 755 case AUDIT_OBJ_TYPE: 756 case AUDIT_OBJ_LEV_LOW: 757 case AUDIT_OBJ_LEV_HIGH: 758 err = audit_dupe_lsm_field(&new->fields[i], 759 &old->fields[i]); 760 break; 761 case AUDIT_FILTERKEY: 762 fk = kstrdup(old->filterkey, GFP_KERNEL); 763 if (unlikely(!fk)) 764 err = -ENOMEM; 765 else 766 new->filterkey = fk; 767 } 768 if (err) { 769 audit_free_rule(entry); 770 return ERR_PTR(err); 771 } 772 } 773 774 if (old->watch) { 775 audit_get_watch(old->watch); 776 new->watch = old->watch; 777 } 778 779 return entry; 780 } 781 782 /* Find an existing audit rule. 783 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 784 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 785 struct list_head **p) 786 { 787 struct audit_entry *e, *found = NULL; 788 struct list_head *list; 789 int h; 790 791 if (entry->rule.inode_f) { 792 h = audit_hash_ino(entry->rule.inode_f->val); 793 *p = list = &audit_inode_hash[h]; 794 } else if (entry->rule.watch) { 795 /* we don't know the inode number, so must walk entire hash */ 796 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 797 list = &audit_inode_hash[h]; 798 list_for_each_entry(e, list, list) 799 if (!audit_compare_rule(&entry->rule, &e->rule)) { 800 found = e; 801 goto out; 802 } 803 } 804 goto out; 805 } else { 806 *p = list = &audit_filter_list[entry->rule.listnr]; 807 } 808 809 list_for_each_entry(e, list, list) 810 if (!audit_compare_rule(&entry->rule, &e->rule)) { 811 found = e; 812 goto out; 813 } 814 815 out: 816 return found; 817 } 818 819 static u64 prio_low = ~0ULL/2; 820 static u64 prio_high = ~0ULL/2 - 1; 821 822 /* Add rule to given filterlist if not a duplicate. */ 823 static inline int audit_add_rule(struct audit_entry *entry) 824 { 825 struct audit_entry *e; 826 struct audit_watch *watch = entry->rule.watch; 827 struct audit_tree *tree = entry->rule.tree; 828 struct list_head *list; 829 int err; 830 #ifdef CONFIG_AUDITSYSCALL 831 int dont_count = 0; 832 833 /* If either of these, don't count towards total */ 834 if (entry->rule.listnr == AUDIT_FILTER_USER || 835 entry->rule.listnr == AUDIT_FILTER_TYPE) 836 dont_count = 1; 837 #endif 838 839 mutex_lock(&audit_filter_mutex); 840 e = audit_find_rule(entry, &list); 841 if (e) { 842 mutex_unlock(&audit_filter_mutex); 843 err = -EEXIST; 844 /* normally audit_add_tree_rule() will free it on failure */ 845 if (tree) 846 audit_put_tree(tree); 847 goto error; 848 } 849 850 if (watch) { 851 /* audit_filter_mutex is dropped and re-taken during this call */ 852 err = audit_add_watch(&entry->rule, &list); 853 if (err) { 854 mutex_unlock(&audit_filter_mutex); 855 goto error; 856 } 857 } 858 if (tree) { 859 err = audit_add_tree_rule(&entry->rule); 860 if (err) { 861 mutex_unlock(&audit_filter_mutex); 862 goto error; 863 } 864 } 865 866 entry->rule.prio = ~0ULL; 867 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 868 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 869 entry->rule.prio = ++prio_high; 870 else 871 entry->rule.prio = --prio_low; 872 } 873 874 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 875 list_add(&entry->rule.list, 876 &audit_rules_list[entry->rule.listnr]); 877 list_add_rcu(&entry->list, list); 878 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 879 } else { 880 list_add_tail(&entry->rule.list, 881 &audit_rules_list[entry->rule.listnr]); 882 list_add_tail_rcu(&entry->list, list); 883 } 884 #ifdef CONFIG_AUDITSYSCALL 885 if (!dont_count) 886 audit_n_rules++; 887 888 if (!audit_match_signal(entry)) 889 audit_signals++; 890 #endif 891 mutex_unlock(&audit_filter_mutex); 892 893 return 0; 894 895 error: 896 if (watch) 897 audit_put_watch(watch); /* tmp watch, matches initial get */ 898 return err; 899 } 900 901 /* Remove an existing rule from filterlist. */ 902 static inline int audit_del_rule(struct audit_entry *entry) 903 { 904 struct audit_entry *e; 905 struct audit_watch *watch = entry->rule.watch; 906 struct audit_tree *tree = entry->rule.tree; 907 struct list_head *list; 908 int ret = 0; 909 #ifdef CONFIG_AUDITSYSCALL 910 int dont_count = 0; 911 912 /* If either of these, don't count towards total */ 913 if (entry->rule.listnr == AUDIT_FILTER_USER || 914 entry->rule.listnr == AUDIT_FILTER_TYPE) 915 dont_count = 1; 916 #endif 917 918 mutex_lock(&audit_filter_mutex); 919 e = audit_find_rule(entry, &list); 920 if (!e) { 921 mutex_unlock(&audit_filter_mutex); 922 ret = -ENOENT; 923 goto out; 924 } 925 926 if (e->rule.watch) 927 audit_remove_watch_rule(&e->rule); 928 929 if (e->rule.tree) 930 audit_remove_tree_rule(&e->rule); 931 932 list_del_rcu(&e->list); 933 list_del(&e->rule.list); 934 call_rcu(&e->rcu, audit_free_rule_rcu); 935 936 #ifdef CONFIG_AUDITSYSCALL 937 if (!dont_count) 938 audit_n_rules--; 939 940 if (!audit_match_signal(entry)) 941 audit_signals--; 942 #endif 943 mutex_unlock(&audit_filter_mutex); 944 945 out: 946 if (watch) 947 audit_put_watch(watch); /* match initial get */ 948 if (tree) 949 audit_put_tree(tree); /* that's the temporary one */ 950 951 return ret; 952 } 953 954 /* List rules using struct audit_rule_data. */ 955 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 956 { 957 struct sk_buff *skb; 958 struct audit_krule *r; 959 int i; 960 961 /* This is a blocking read, so use audit_filter_mutex instead of rcu 962 * iterator to sync with list writers. */ 963 for (i=0; i<AUDIT_NR_FILTERS; i++) { 964 list_for_each_entry(r, &audit_rules_list[i], list) { 965 struct audit_rule_data *data; 966 967 data = audit_krule_to_data(r); 968 if (unlikely(!data)) 969 break; 970 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 971 data, sizeof(*data) + data->buflen); 972 if (skb) 973 skb_queue_tail(q, skb); 974 kfree(data); 975 } 976 } 977 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 978 if (skb) 979 skb_queue_tail(q, skb); 980 } 981 982 /* Log rule additions and removals */ 983 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) 984 { 985 struct audit_buffer *ab; 986 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 987 u32 sessionid = audit_get_sessionid(current); 988 u32 sid; 989 990 if (!audit_enabled) 991 return; 992 993 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 994 if (!ab) 995 return; 996 audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); 997 security_task_getsecid(current, &sid); 998 if (sid) { 999 char *ctx = NULL; 1000 u32 len; 1001 if (security_secid_to_secctx(sid, &ctx, &len)) 1002 audit_log_format(ab, " ssid=%u", sid); 1003 else { 1004 audit_log_format(ab, " subj=%s", ctx); 1005 security_release_secctx(ctx, len); 1006 } 1007 } 1008 audit_log_format(ab, " op="); 1009 audit_log_string(ab, action); 1010 audit_log_key(ab, rule->filterkey); 1011 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1012 audit_log_end(ab); 1013 } 1014 1015 /** 1016 * audit_receive_filter - apply all rules to the specified message type 1017 * @type: audit message type 1018 * @pid: target pid for netlink audit messages 1019 * @seq: netlink audit message sequence (serial) number 1020 * @data: payload data 1021 * @datasz: size of payload data 1022 * @loginuid: loginuid of sender 1023 * @sessionid: sessionid for netlink audit message 1024 * @sid: SE Linux Security ID of sender 1025 */ 1026 int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz) 1027 { 1028 struct task_struct *tsk; 1029 struct audit_netlink_list *dest; 1030 int err = 0; 1031 struct audit_entry *entry; 1032 1033 switch (type) { 1034 case AUDIT_LIST_RULES: 1035 /* We can't just spew out the rules here because we might fill 1036 * the available socket buffer space and deadlock waiting for 1037 * auditctl to read from it... which isn't ever going to 1038 * happen if we're actually running in the context of auditctl 1039 * trying to _send_ the stuff */ 1040 1041 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1042 if (!dest) 1043 return -ENOMEM; 1044 dest->pid = pid; 1045 skb_queue_head_init(&dest->q); 1046 1047 mutex_lock(&audit_filter_mutex); 1048 audit_list_rules(pid, seq, &dest->q); 1049 mutex_unlock(&audit_filter_mutex); 1050 1051 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1052 if (IS_ERR(tsk)) { 1053 skb_queue_purge(&dest->q); 1054 kfree(dest); 1055 err = PTR_ERR(tsk); 1056 } 1057 break; 1058 case AUDIT_ADD_RULE: 1059 entry = audit_data_to_entry(data, datasz); 1060 if (IS_ERR(entry)) 1061 return PTR_ERR(entry); 1062 1063 err = audit_add_rule(entry); 1064 audit_log_rule_change("add rule", &entry->rule, !err); 1065 if (err) 1066 audit_free_rule(entry); 1067 break; 1068 case AUDIT_DEL_RULE: 1069 entry = audit_data_to_entry(data, datasz); 1070 if (IS_ERR(entry)) 1071 return PTR_ERR(entry); 1072 1073 err = audit_del_rule(entry); 1074 audit_log_rule_change("remove rule", &entry->rule, !err); 1075 audit_free_rule(entry); 1076 break; 1077 default: 1078 return -EINVAL; 1079 } 1080 1081 return err; 1082 } 1083 1084 int audit_comparator(u32 left, u32 op, u32 right) 1085 { 1086 switch (op) { 1087 case Audit_equal: 1088 return (left == right); 1089 case Audit_not_equal: 1090 return (left != right); 1091 case Audit_lt: 1092 return (left < right); 1093 case Audit_le: 1094 return (left <= right); 1095 case Audit_gt: 1096 return (left > right); 1097 case Audit_ge: 1098 return (left >= right); 1099 case Audit_bitmask: 1100 return (left & right); 1101 case Audit_bittest: 1102 return ((left & right) == right); 1103 default: 1104 BUG(); 1105 return 0; 1106 } 1107 } 1108 1109 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1110 { 1111 switch (op) { 1112 case Audit_equal: 1113 return uid_eq(left, right); 1114 case Audit_not_equal: 1115 return !uid_eq(left, right); 1116 case Audit_lt: 1117 return uid_lt(left, right); 1118 case Audit_le: 1119 return uid_lte(left, right); 1120 case Audit_gt: 1121 return uid_gt(left, right); 1122 case Audit_ge: 1123 return uid_gte(left, right); 1124 case Audit_bitmask: 1125 case Audit_bittest: 1126 default: 1127 BUG(); 1128 return 0; 1129 } 1130 } 1131 1132 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1133 { 1134 switch (op) { 1135 case Audit_equal: 1136 return gid_eq(left, right); 1137 case Audit_not_equal: 1138 return !gid_eq(left, right); 1139 case Audit_lt: 1140 return gid_lt(left, right); 1141 case Audit_le: 1142 return gid_lte(left, right); 1143 case Audit_gt: 1144 return gid_gt(left, right); 1145 case Audit_ge: 1146 return gid_gte(left, right); 1147 case Audit_bitmask: 1148 case Audit_bittest: 1149 default: 1150 BUG(); 1151 return 0; 1152 } 1153 } 1154 1155 /** 1156 * parent_len - find the length of the parent portion of a pathname 1157 * @path: pathname of which to determine length 1158 */ 1159 int parent_len(const char *path) 1160 { 1161 int plen; 1162 const char *p; 1163 1164 plen = strlen(path); 1165 1166 if (plen == 0) 1167 return plen; 1168 1169 /* disregard trailing slashes */ 1170 p = path + plen - 1; 1171 while ((*p == '/') && (p > path)) 1172 p--; 1173 1174 /* walk backward until we find the next slash or hit beginning */ 1175 while ((*p != '/') && (p > path)) 1176 p--; 1177 1178 /* did we find a slash? Then increment to include it in path */ 1179 if (*p == '/') 1180 p++; 1181 1182 return p - path; 1183 } 1184 1185 /** 1186 * audit_compare_dname_path - compare given dentry name with last component in 1187 * given path. Return of 0 indicates a match. 1188 * @dname: dentry name that we're comparing 1189 * @path: full pathname that we're comparing 1190 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1191 * here indicates that we must compute this value. 1192 */ 1193 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1194 { 1195 int dlen, pathlen; 1196 const char *p; 1197 1198 dlen = strlen(dname); 1199 pathlen = strlen(path); 1200 if (pathlen < dlen) 1201 return 1; 1202 1203 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1204 if (pathlen - parentlen != dlen) 1205 return 1; 1206 1207 p = path + parentlen; 1208 1209 return strncmp(p, dname, dlen); 1210 } 1211 1212 static int audit_filter_user_rules(struct audit_krule *rule, int type, 1213 enum audit_state *state) 1214 { 1215 int i; 1216 1217 for (i = 0; i < rule->field_count; i++) { 1218 struct audit_field *f = &rule->fields[i]; 1219 int result = 0; 1220 u32 sid; 1221 1222 switch (f->type) { 1223 case AUDIT_PID: 1224 result = audit_comparator(task_pid_vnr(current), f->op, f->val); 1225 break; 1226 case AUDIT_UID: 1227 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1228 break; 1229 case AUDIT_GID: 1230 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1231 break; 1232 case AUDIT_LOGINUID: 1233 result = audit_uid_comparator(audit_get_loginuid(current), 1234 f->op, f->uid); 1235 break; 1236 case AUDIT_MSGTYPE: 1237 result = audit_comparator(type, f->op, f->val); 1238 break; 1239 case AUDIT_SUBJ_USER: 1240 case AUDIT_SUBJ_ROLE: 1241 case AUDIT_SUBJ_TYPE: 1242 case AUDIT_SUBJ_SEN: 1243 case AUDIT_SUBJ_CLR: 1244 if (f->lsm_rule) { 1245 security_task_getsecid(current, &sid); 1246 result = security_audit_rule_match(sid, 1247 f->type, 1248 f->op, 1249 f->lsm_rule, 1250 NULL); 1251 } 1252 break; 1253 } 1254 1255 if (!result) 1256 return 0; 1257 } 1258 switch (rule->action) { 1259 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1260 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1261 } 1262 return 1; 1263 } 1264 1265 int audit_filter_user(int type) 1266 { 1267 enum audit_state state = AUDIT_DISABLED; 1268 struct audit_entry *e; 1269 int ret = 1; 1270 1271 rcu_read_lock(); 1272 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1273 if (audit_filter_user_rules(&e->rule, type, &state)) { 1274 if (state == AUDIT_DISABLED) 1275 ret = 0; 1276 break; 1277 } 1278 } 1279 rcu_read_unlock(); 1280 1281 return ret; /* Audit by default */ 1282 } 1283 1284 int audit_filter_type(int type) 1285 { 1286 struct audit_entry *e; 1287 int result = 0; 1288 1289 rcu_read_lock(); 1290 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1291 goto unlock_and_return; 1292 1293 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1294 list) { 1295 int i; 1296 for (i = 0; i < e->rule.field_count; i++) { 1297 struct audit_field *f = &e->rule.fields[i]; 1298 if (f->type == AUDIT_MSGTYPE) { 1299 result = audit_comparator(type, f->op, f->val); 1300 if (!result) 1301 break; 1302 } 1303 } 1304 if (result) 1305 goto unlock_and_return; 1306 } 1307 unlock_and_return: 1308 rcu_read_unlock(); 1309 return result; 1310 } 1311 1312 static int update_lsm_rule(struct audit_krule *r) 1313 { 1314 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1315 struct audit_entry *nentry; 1316 int err = 0; 1317 1318 if (!security_audit_rule_known(r)) 1319 return 0; 1320 1321 nentry = audit_dupe_rule(r); 1322 if (IS_ERR(nentry)) { 1323 /* save the first error encountered for the 1324 * return value */ 1325 err = PTR_ERR(nentry); 1326 audit_panic("error updating LSM filters"); 1327 if (r->watch) 1328 list_del(&r->rlist); 1329 list_del_rcu(&entry->list); 1330 list_del(&r->list); 1331 } else { 1332 if (r->watch || r->tree) 1333 list_replace_init(&r->rlist, &nentry->rule.rlist); 1334 list_replace_rcu(&entry->list, &nentry->list); 1335 list_replace(&r->list, &nentry->rule.list); 1336 } 1337 call_rcu(&entry->rcu, audit_free_rule_rcu); 1338 1339 return err; 1340 } 1341 1342 /* This function will re-initialize the lsm_rule field of all applicable rules. 1343 * It will traverse the filter lists serarching for rules that contain LSM 1344 * specific filter fields. When such a rule is found, it is copied, the 1345 * LSM field is re-initialized, and the old rule is replaced with the 1346 * updated rule. */ 1347 int audit_update_lsm_rules(void) 1348 { 1349 struct audit_krule *r, *n; 1350 int i, err = 0; 1351 1352 /* audit_filter_mutex synchronizes the writers */ 1353 mutex_lock(&audit_filter_mutex); 1354 1355 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1356 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1357 int res = update_lsm_rule(r); 1358 if (!err) 1359 err = res; 1360 } 1361 } 1362 mutex_unlock(&audit_filter_mutex); 1363 1364 return err; 1365 } 1366