1 /* audit_watch.c -- watching inodes 2 * 3 * Copyright 2003-2009 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/inotify.h> 32 #include <linux/security.h> 33 #include "audit.h" 34 35 /* 36 * Reference counting: 37 * 38 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 39 * event. Each audit_watch holds a reference to its associated parent. 40 * 41 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 42 * audit_remove_watch(). Additionally, an audit_watch may exist 43 * temporarily to assist in searching existing filter data. Each 44 * audit_krule holds a reference to its associated watch. 45 */ 46 47 struct audit_watch { 48 atomic_t count; /* reference count */ 49 dev_t dev; /* associated superblock device */ 50 char *path; /* insertion path */ 51 unsigned long ino; /* associated inode number */ 52 struct audit_parent *parent; /* associated parent */ 53 struct list_head wlist; /* entry in parent->watches list */ 54 struct list_head rules; /* associated rules */ 55 }; 56 57 struct audit_parent { 58 struct list_head ilist; /* entry in inotify registration list */ 59 struct list_head watches; /* associated watches */ 60 struct inotify_watch wdata; /* inotify watch data */ 61 unsigned flags; /* status flags */ 62 }; 63 64 /* Inotify handle. */ 65 struct inotify_handle *audit_ih; 66 67 /* 68 * audit_parent status flags: 69 * 70 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 71 * a filesystem event to ensure we're adding audit watches to a valid parent. 72 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 73 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 74 * we can receive while holding nameidata. 75 */ 76 #define AUDIT_PARENT_INVALID 0x001 77 78 /* Inotify events we care about. */ 79 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 80 81 static void audit_free_parent(struct inotify_watch *i_watch) 82 { 83 struct audit_parent *parent; 84 85 parent = container_of(i_watch, struct audit_parent, wdata); 86 WARN_ON(!list_empty(&parent->watches)); 87 kfree(parent); 88 } 89 90 void audit_get_watch(struct audit_watch *watch) 91 { 92 atomic_inc(&watch->count); 93 } 94 95 void audit_put_watch(struct audit_watch *watch) 96 { 97 if (atomic_dec_and_test(&watch->count)) { 98 WARN_ON(watch->parent); 99 WARN_ON(!list_empty(&watch->rules)); 100 kfree(watch->path); 101 kfree(watch); 102 } 103 } 104 105 void audit_remove_watch(struct audit_watch *watch) 106 { 107 list_del(&watch->wlist); 108 put_inotify_watch(&watch->parent->wdata); 109 watch->parent = NULL; 110 audit_put_watch(watch); /* match initial get */ 111 } 112 113 char *audit_watch_path(struct audit_watch *watch) 114 { 115 return watch->path; 116 } 117 118 struct list_head *audit_watch_rules(struct audit_watch *watch) 119 { 120 return &watch->rules; 121 } 122 123 unsigned long audit_watch_inode(struct audit_watch *watch) 124 { 125 return watch->ino; 126 } 127 128 dev_t audit_watch_dev(struct audit_watch *watch) 129 { 130 return watch->dev; 131 } 132 133 /* Initialize a parent watch entry. */ 134 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 135 { 136 struct audit_parent *parent; 137 s32 wd; 138 139 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 140 if (unlikely(!parent)) 141 return ERR_PTR(-ENOMEM); 142 143 INIT_LIST_HEAD(&parent->watches); 144 parent->flags = 0; 145 146 inotify_init_watch(&parent->wdata); 147 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 148 get_inotify_watch(&parent->wdata); 149 wd = inotify_add_watch(audit_ih, &parent->wdata, 150 ndp->path.dentry->d_inode, AUDIT_IN_WATCH); 151 if (wd < 0) { 152 audit_free_parent(&parent->wdata); 153 return ERR_PTR(wd); 154 } 155 156 return parent; 157 } 158 159 /* Initialize a watch entry. */ 160 static struct audit_watch *audit_init_watch(char *path) 161 { 162 struct audit_watch *watch; 163 164 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 165 if (unlikely(!watch)) 166 return ERR_PTR(-ENOMEM); 167 168 INIT_LIST_HEAD(&watch->rules); 169 atomic_set(&watch->count, 1); 170 watch->path = path; 171 watch->dev = (dev_t)-1; 172 watch->ino = (unsigned long)-1; 173 174 return watch; 175 } 176 177 /* Translate a watch string to kernel respresentation. */ 178 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op) 179 { 180 struct audit_watch *watch; 181 182 if (!audit_ih) 183 return -EOPNOTSUPP; 184 185 if (path[0] != '/' || path[len-1] == '/' || 186 krule->listnr != AUDIT_FILTER_EXIT || 187 op != Audit_equal || 188 krule->inode_f || krule->watch || krule->tree) 189 return -EINVAL; 190 191 watch = audit_init_watch(path); 192 if (IS_ERR(watch)) 193 return PTR_ERR(watch); 194 195 audit_get_watch(watch); 196 krule->watch = watch; 197 198 return 0; 199 } 200 201 /* Duplicate the given audit watch. The new watch's rules list is initialized 202 * to an empty list and wlist is undefined. */ 203 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 204 { 205 char *path; 206 struct audit_watch *new; 207 208 path = kstrdup(old->path, GFP_KERNEL); 209 if (unlikely(!path)) 210 return ERR_PTR(-ENOMEM); 211 212 new = audit_init_watch(path); 213 if (IS_ERR(new)) { 214 kfree(path); 215 goto out; 216 } 217 218 new->dev = old->dev; 219 new->ino = old->ino; 220 get_inotify_watch(&old->parent->wdata); 221 new->parent = old->parent; 222 223 out: 224 return new; 225 } 226 227 static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) 228 { 229 if (audit_enabled) { 230 struct audit_buffer *ab; 231 ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); 232 audit_log_format(ab, "auid=%u ses=%u op=", 233 audit_get_loginuid(current), 234 audit_get_sessionid(current)); 235 audit_log_string(ab, op); 236 audit_log_format(ab, " path="); 237 audit_log_untrustedstring(ab, w->path); 238 audit_log_key(ab, r->filterkey); 239 audit_log_format(ab, " list=%d res=1", r->listnr); 240 audit_log_end(ab); 241 } 242 } 243 244 /* Update inode info in audit rules based on filesystem event. */ 245 static void audit_update_watch(struct audit_parent *parent, 246 const char *dname, dev_t dev, 247 unsigned long ino, unsigned invalidating) 248 { 249 struct audit_watch *owatch, *nwatch, *nextw; 250 struct audit_krule *r, *nextr; 251 struct audit_entry *oentry, *nentry; 252 253 mutex_lock(&audit_filter_mutex); 254 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 255 if (audit_compare_dname_path(dname, owatch->path, NULL)) 256 continue; 257 258 /* If the update involves invalidating rules, do the inode-based 259 * filtering now, so we don't omit records. */ 260 if (invalidating && current->audit_context) 261 audit_filter_inodes(current, current->audit_context); 262 263 nwatch = audit_dupe_watch(owatch); 264 if (IS_ERR(nwatch)) { 265 mutex_unlock(&audit_filter_mutex); 266 audit_panic("error updating watch, skipping"); 267 return; 268 } 269 nwatch->dev = dev; 270 nwatch->ino = ino; 271 272 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 273 274 oentry = container_of(r, struct audit_entry, rule); 275 list_del(&oentry->rule.rlist); 276 list_del_rcu(&oentry->list); 277 278 nentry = audit_dupe_rule(&oentry->rule, nwatch); 279 if (IS_ERR(nentry)) { 280 list_del(&oentry->rule.list); 281 audit_panic("error updating watch, removing"); 282 } else { 283 int h = audit_hash_ino((u32)ino); 284 list_add(&nentry->rule.rlist, &nwatch->rules); 285 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 286 list_replace(&oentry->rule.list, 287 &nentry->rule.list); 288 } 289 290 audit_watch_log_rule_change(r, owatch, "updated rules"); 291 292 call_rcu(&oentry->rcu, audit_free_rule_rcu); 293 } 294 295 audit_remove_watch(owatch); 296 goto add_watch_to_parent; /* event applies to a single watch */ 297 } 298 mutex_unlock(&audit_filter_mutex); 299 return; 300 301 add_watch_to_parent: 302 list_add(&nwatch->wlist, &parent->watches); 303 mutex_unlock(&audit_filter_mutex); 304 return; 305 } 306 307 /* Remove all watches & rules associated with a parent that is going away. */ 308 static void audit_remove_parent_watches(struct audit_parent *parent) 309 { 310 struct audit_watch *w, *nextw; 311 struct audit_krule *r, *nextr; 312 struct audit_entry *e; 313 314 mutex_lock(&audit_filter_mutex); 315 parent->flags |= AUDIT_PARENT_INVALID; 316 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 317 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 318 e = container_of(r, struct audit_entry, rule); 319 audit_watch_log_rule_change(r, w, "remove rule"); 320 list_del(&r->rlist); 321 list_del(&r->list); 322 list_del_rcu(&e->list); 323 call_rcu(&e->rcu, audit_free_rule_rcu); 324 } 325 audit_remove_watch(w); 326 } 327 mutex_unlock(&audit_filter_mutex); 328 } 329 330 /* Unregister inotify watches for parents on in_list. 331 * Generates an IN_IGNORED event. */ 332 void audit_inotify_unregister(struct list_head *in_list) 333 { 334 struct audit_parent *p, *n; 335 336 list_for_each_entry_safe(p, n, in_list, ilist) { 337 list_del(&p->ilist); 338 inotify_rm_watch(audit_ih, &p->wdata); 339 /* the unpin matching the pin in audit_do_del_rule() */ 340 unpin_inotify_watch(&p->wdata); 341 } 342 } 343 344 /* Get path information necessary for adding watches. */ 345 static int audit_get_nd(char *path, struct nameidata **ndp, struct nameidata **ndw) 346 { 347 struct nameidata *ndparent, *ndwatch; 348 int err; 349 350 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 351 if (unlikely(!ndparent)) 352 return -ENOMEM; 353 354 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 355 if (unlikely(!ndwatch)) { 356 kfree(ndparent); 357 return -ENOMEM; 358 } 359 360 err = path_lookup(path, LOOKUP_PARENT, ndparent); 361 if (err) { 362 kfree(ndparent); 363 kfree(ndwatch); 364 return err; 365 } 366 367 err = path_lookup(path, 0, ndwatch); 368 if (err) { 369 kfree(ndwatch); 370 ndwatch = NULL; 371 } 372 373 *ndp = ndparent; 374 *ndw = ndwatch; 375 376 return 0; 377 } 378 379 /* Release resources used for watch path information. */ 380 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 381 { 382 if (ndp) { 383 path_put(&ndp->path); 384 kfree(ndp); 385 } 386 if (ndw) { 387 path_put(&ndw->path); 388 kfree(ndw); 389 } 390 } 391 392 /* Associate the given rule with an existing parent inotify_watch. 393 * Caller must hold audit_filter_mutex. */ 394 static void audit_add_to_parent(struct audit_krule *krule, 395 struct audit_parent *parent) 396 { 397 struct audit_watch *w, *watch = krule->watch; 398 int watch_found = 0; 399 400 list_for_each_entry(w, &parent->watches, wlist) { 401 if (strcmp(watch->path, w->path)) 402 continue; 403 404 watch_found = 1; 405 406 /* put krule's and initial refs to temporary watch */ 407 audit_put_watch(watch); 408 audit_put_watch(watch); 409 410 audit_get_watch(w); 411 krule->watch = watch = w; 412 break; 413 } 414 415 if (!watch_found) { 416 get_inotify_watch(&parent->wdata); 417 watch->parent = parent; 418 419 list_add(&watch->wlist, &parent->watches); 420 } 421 list_add(&krule->rlist, &watch->rules); 422 } 423 424 /* Find a matching watch entry, or add this one. 425 * Caller must hold audit_filter_mutex. */ 426 int audit_add_watch(struct audit_krule *krule) 427 { 428 struct audit_watch *watch = krule->watch; 429 struct inotify_watch *i_watch; 430 struct audit_parent *parent; 431 struct nameidata *ndp = NULL, *ndw = NULL; 432 int ret = 0; 433 434 mutex_unlock(&audit_filter_mutex); 435 436 /* Avoid calling path_lookup under audit_filter_mutex. */ 437 ret = audit_get_nd(watch->path, &ndp, &ndw); 438 if (ret) { 439 /* caller expects mutex locked */ 440 mutex_lock(&audit_filter_mutex); 441 goto error; 442 } 443 444 /* update watch filter fields */ 445 if (ndw) { 446 watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev; 447 watch->ino = ndw->path.dentry->d_inode->i_ino; 448 } 449 450 /* The audit_filter_mutex must not be held during inotify calls because 451 * we hold it during inotify event callback processing. If an existing 452 * inotify watch is found, inotify_find_watch() grabs a reference before 453 * returning. 454 */ 455 if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode, 456 &i_watch) < 0) { 457 parent = audit_init_parent(ndp); 458 if (IS_ERR(parent)) { 459 /* caller expects mutex locked */ 460 mutex_lock(&audit_filter_mutex); 461 ret = PTR_ERR(parent); 462 goto error; 463 } 464 } else 465 parent = container_of(i_watch, struct audit_parent, wdata); 466 467 mutex_lock(&audit_filter_mutex); 468 469 /* parent was moved before we took audit_filter_mutex */ 470 if (parent->flags & AUDIT_PARENT_INVALID) 471 ret = -ENOENT; 472 else 473 audit_add_to_parent(krule, parent); 474 475 /* match get in audit_init_parent or inotify_find_watch */ 476 put_inotify_watch(&parent->wdata); 477 478 error: 479 audit_put_nd(ndp, ndw); /* NULL args OK */ 480 return ret; 481 482 } 483 484 void audit_remove_watch_rule(struct audit_krule *krule, struct list_head *list) 485 { 486 struct audit_watch *watch = krule->watch; 487 struct audit_parent *parent = watch->parent; 488 489 list_del(&krule->rlist); 490 491 if (list_empty(&watch->rules)) { 492 audit_remove_watch(watch); 493 494 if (list_empty(&parent->watches)) { 495 /* Put parent on the inotify un-registration 496 * list. Grab a reference before releasing 497 * audit_filter_mutex, to be released in 498 * audit_inotify_unregister(). 499 * If filesystem is going away, just leave 500 * the sucker alone, eviction will take 501 * care of it. */ 502 if (pin_inotify_watch(&parent->wdata)) 503 list_add(&parent->ilist, list); 504 } 505 } 506 } 507 508 /* Update watch data in audit rules based on inotify events. */ 509 static void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 510 u32 cookie, const char *dname, struct inode *inode) 511 { 512 struct audit_parent *parent; 513 514 parent = container_of(i_watch, struct audit_parent, wdata); 515 516 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 517 audit_update_watch(parent, dname, inode->i_sb->s_dev, 518 inode->i_ino, 0); 519 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 520 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 521 /* inotify automatically removes the watch and sends IN_IGNORED */ 522 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 523 audit_remove_parent_watches(parent); 524 /* inotify does not remove the watch, so remove it manually */ 525 else if(mask & IN_MOVE_SELF) { 526 audit_remove_parent_watches(parent); 527 inotify_remove_watch_locked(audit_ih, i_watch); 528 } else if (mask & IN_IGNORED) 529 put_inotify_watch(i_watch); 530 } 531 532 static const struct inotify_operations audit_inotify_ops = { 533 .handle_event = audit_handle_ievent, 534 .destroy_watch = audit_free_parent, 535 }; 536 537 static int __init audit_watch_init(void) 538 { 539 audit_ih = inotify_init(&audit_inotify_ops); 540 if (IS_ERR(audit_ih)) 541 audit_panic("cannot initialize inotify handle"); 542 return 0; 543 } 544 subsys_initcall(audit_watch_init); 545