1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146 } 147 148 static inline void audit_free_rule_rcu(struct rcu_head *head) 149 { 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152 } 153 154 /* Initialize a parent watch entry. */ 155 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156 { 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178 } 179 180 /* Initialize a watch entry. */ 181 static struct audit_watch *audit_init_watch(char *path) 182 { 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196 } 197 198 /* Initialize an audit filterlist entry. */ 199 static inline struct audit_entry *audit_init_entry(u32 field_count) 200 { 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216 } 217 218 /* Unpack a filter field's string representation from user-space 219 * buffer. */ 220 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221 { 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243 } 244 245 /* Translate an inode field to kernel respresentation. */ 246 static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248 { 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255 } 256 257 /* Translate a watch string to kernel respresentation. */ 258 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260 { 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280 } 281 282 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284 int __init audit_register_class(int class, unsigned *list) 285 { 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303 } 304 305 /* Common user-space to kernel rule translation. */ 306 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 307 { 308 unsigned listnr; 309 struct audit_entry *entry; 310 int i, err; 311 312 err = -EINVAL; 313 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 314 switch(listnr) { 315 default: 316 goto exit_err; 317 case AUDIT_FILTER_USER: 318 case AUDIT_FILTER_TYPE: 319 #ifdef CONFIG_AUDITSYSCALL 320 case AUDIT_FILTER_ENTRY: 321 case AUDIT_FILTER_EXIT: 322 case AUDIT_FILTER_TASK: 323 #endif 324 ; 325 } 326 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 327 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 328 goto exit_err; 329 } 330 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 331 goto exit_err; 332 if (rule->field_count > AUDIT_MAX_FIELDS) 333 goto exit_err; 334 335 err = -ENOMEM; 336 entry = audit_init_entry(rule->field_count); 337 if (!entry) 338 goto exit_err; 339 340 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 341 entry->rule.listnr = listnr; 342 entry->rule.action = rule->action; 343 entry->rule.field_count = rule->field_count; 344 345 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 346 entry->rule.mask[i] = rule->mask[i]; 347 348 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 349 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 350 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 351 __u32 *class; 352 353 if (!(*p & AUDIT_BIT(bit))) 354 continue; 355 *p &= ~AUDIT_BIT(bit); 356 class = classes[i]; 357 if (class) { 358 int j; 359 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 360 entry->rule.mask[j] |= class[j]; 361 } 362 } 363 364 return entry; 365 366 exit_err: 367 return ERR_PTR(err); 368 } 369 370 /* Translate struct audit_rule to kernel's rule respresentation. 371 * Exists for backward compatibility with userspace. */ 372 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 373 { 374 struct audit_entry *entry; 375 struct audit_field *f; 376 int err = 0; 377 int i; 378 379 entry = audit_to_entry_common(rule); 380 if (IS_ERR(entry)) 381 goto exit_nofree; 382 383 for (i = 0; i < rule->field_count; i++) { 384 struct audit_field *f = &entry->rule.fields[i]; 385 386 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 387 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 388 f->val = rule->values[i]; 389 390 err = -EINVAL; 391 switch(f->type) { 392 default: 393 goto exit_free; 394 case AUDIT_PID: 395 case AUDIT_UID: 396 case AUDIT_EUID: 397 case AUDIT_SUID: 398 case AUDIT_FSUID: 399 case AUDIT_GID: 400 case AUDIT_EGID: 401 case AUDIT_SGID: 402 case AUDIT_FSGID: 403 case AUDIT_LOGINUID: 404 case AUDIT_PERS: 405 case AUDIT_ARCH: 406 case AUDIT_MSGTYPE: 407 case AUDIT_DEVMAJOR: 408 case AUDIT_DEVMINOR: 409 case AUDIT_EXIT: 410 case AUDIT_SUCCESS: 411 case AUDIT_ARG0: 412 case AUDIT_ARG1: 413 case AUDIT_ARG2: 414 case AUDIT_ARG3: 415 break; 416 case AUDIT_INODE: 417 err = audit_to_inode(&entry->rule, f); 418 if (err) 419 goto exit_free; 420 break; 421 } 422 423 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 424 425 /* Support for legacy operators where 426 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 427 if (f->op & AUDIT_NEGATE) 428 f->op = AUDIT_NOT_EQUAL; 429 else if (!f->op) 430 f->op = AUDIT_EQUAL; 431 else if (f->op == AUDIT_OPERATORS) { 432 err = -EINVAL; 433 goto exit_free; 434 } 435 } 436 437 f = entry->rule.inode_f; 438 if (f) { 439 switch(f->op) { 440 case AUDIT_NOT_EQUAL: 441 entry->rule.inode_f = NULL; 442 case AUDIT_EQUAL: 443 break; 444 default: 445 goto exit_free; 446 } 447 } 448 449 exit_nofree: 450 return entry; 451 452 exit_free: 453 audit_free_rule(entry); 454 return ERR_PTR(err); 455 } 456 457 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 458 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 459 size_t datasz) 460 { 461 int err = 0; 462 struct audit_entry *entry; 463 struct audit_field *f; 464 void *bufp; 465 size_t remain = datasz - sizeof(struct audit_rule_data); 466 int i; 467 char *str; 468 469 entry = audit_to_entry_common((struct audit_rule *)data); 470 if (IS_ERR(entry)) 471 goto exit_nofree; 472 473 bufp = data->buf; 474 entry->rule.vers_ops = 2; 475 for (i = 0; i < data->field_count; i++) { 476 struct audit_field *f = &entry->rule.fields[i]; 477 478 err = -EINVAL; 479 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 480 data->fieldflags[i] & ~AUDIT_OPERATORS) 481 goto exit_free; 482 483 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 484 f->type = data->fields[i]; 485 f->val = data->values[i]; 486 f->se_str = NULL; 487 f->se_rule = NULL; 488 switch(f->type) { 489 case AUDIT_PID: 490 case AUDIT_UID: 491 case AUDIT_EUID: 492 case AUDIT_SUID: 493 case AUDIT_FSUID: 494 case AUDIT_GID: 495 case AUDIT_EGID: 496 case AUDIT_SGID: 497 case AUDIT_FSGID: 498 case AUDIT_LOGINUID: 499 case AUDIT_PERS: 500 case AUDIT_ARCH: 501 case AUDIT_MSGTYPE: 502 case AUDIT_PPID: 503 case AUDIT_DEVMAJOR: 504 case AUDIT_DEVMINOR: 505 case AUDIT_EXIT: 506 case AUDIT_SUCCESS: 507 case AUDIT_ARG0: 508 case AUDIT_ARG1: 509 case AUDIT_ARG2: 510 case AUDIT_ARG3: 511 break; 512 case AUDIT_SUBJ_USER: 513 case AUDIT_SUBJ_ROLE: 514 case AUDIT_SUBJ_TYPE: 515 case AUDIT_SUBJ_SEN: 516 case AUDIT_SUBJ_CLR: 517 case AUDIT_OBJ_USER: 518 case AUDIT_OBJ_ROLE: 519 case AUDIT_OBJ_TYPE: 520 case AUDIT_OBJ_LEV_LOW: 521 case AUDIT_OBJ_LEV_HIGH: 522 str = audit_unpack_string(&bufp, &remain, f->val); 523 if (IS_ERR(str)) 524 goto exit_free; 525 entry->rule.buflen += f->val; 526 527 err = selinux_audit_rule_init(f->type, f->op, str, 528 &f->se_rule); 529 /* Keep currently invalid fields around in case they 530 * become valid after a policy reload. */ 531 if (err == -EINVAL) { 532 printk(KERN_WARNING "audit rule for selinux " 533 "\'%s\' is invalid\n", str); 534 err = 0; 535 } 536 if (err) { 537 kfree(str); 538 goto exit_free; 539 } else 540 f->se_str = str; 541 break; 542 case AUDIT_WATCH: 543 str = audit_unpack_string(&bufp, &remain, f->val); 544 if (IS_ERR(str)) 545 goto exit_free; 546 entry->rule.buflen += f->val; 547 548 err = audit_to_watch(&entry->rule, str, f->val, f->op); 549 if (err) { 550 kfree(str); 551 goto exit_free; 552 } 553 break; 554 case AUDIT_INODE: 555 err = audit_to_inode(&entry->rule, f); 556 if (err) 557 goto exit_free; 558 break; 559 case AUDIT_FILTERKEY: 560 err = -EINVAL; 561 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 562 goto exit_free; 563 str = audit_unpack_string(&bufp, &remain, f->val); 564 if (IS_ERR(str)) 565 goto exit_free; 566 entry->rule.buflen += f->val; 567 entry->rule.filterkey = str; 568 break; 569 default: 570 goto exit_free; 571 } 572 } 573 574 f = entry->rule.inode_f; 575 if (f) { 576 switch(f->op) { 577 case AUDIT_NOT_EQUAL: 578 entry->rule.inode_f = NULL; 579 case AUDIT_EQUAL: 580 break; 581 default: 582 goto exit_free; 583 } 584 } 585 586 exit_nofree: 587 return entry; 588 589 exit_free: 590 audit_free_rule(entry); 591 return ERR_PTR(err); 592 } 593 594 /* Pack a filter field's string representation into data block. */ 595 static inline size_t audit_pack_string(void **bufp, char *str) 596 { 597 size_t len = strlen(str); 598 599 memcpy(*bufp, str, len); 600 *bufp += len; 601 602 return len; 603 } 604 605 /* Translate kernel rule respresentation to struct audit_rule. 606 * Exists for backward compatibility with userspace. */ 607 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 608 { 609 struct audit_rule *rule; 610 int i; 611 612 rule = kmalloc(sizeof(*rule), GFP_KERNEL); 613 if (unlikely(!rule)) 614 return NULL; 615 memset(rule, 0, sizeof(*rule)); 616 617 rule->flags = krule->flags | krule->listnr; 618 rule->action = krule->action; 619 rule->field_count = krule->field_count; 620 for (i = 0; i < rule->field_count; i++) { 621 rule->values[i] = krule->fields[i].val; 622 rule->fields[i] = krule->fields[i].type; 623 624 if (krule->vers_ops == 1) { 625 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 626 rule->fields[i] |= AUDIT_NEGATE; 627 } else { 628 rule->fields[i] |= krule->fields[i].op; 629 } 630 } 631 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 632 633 return rule; 634 } 635 636 /* Translate kernel rule respresentation to struct audit_rule_data. */ 637 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 638 { 639 struct audit_rule_data *data; 640 void *bufp; 641 int i; 642 643 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 644 if (unlikely(!data)) 645 return NULL; 646 memset(data, 0, sizeof(*data)); 647 648 data->flags = krule->flags | krule->listnr; 649 data->action = krule->action; 650 data->field_count = krule->field_count; 651 bufp = data->buf; 652 for (i = 0; i < data->field_count; i++) { 653 struct audit_field *f = &krule->fields[i]; 654 655 data->fields[i] = f->type; 656 data->fieldflags[i] = f->op; 657 switch(f->type) { 658 case AUDIT_SUBJ_USER: 659 case AUDIT_SUBJ_ROLE: 660 case AUDIT_SUBJ_TYPE: 661 case AUDIT_SUBJ_SEN: 662 case AUDIT_SUBJ_CLR: 663 case AUDIT_OBJ_USER: 664 case AUDIT_OBJ_ROLE: 665 case AUDIT_OBJ_TYPE: 666 case AUDIT_OBJ_LEV_LOW: 667 case AUDIT_OBJ_LEV_HIGH: 668 data->buflen += data->values[i] = 669 audit_pack_string(&bufp, f->se_str); 670 break; 671 case AUDIT_WATCH: 672 data->buflen += data->values[i] = 673 audit_pack_string(&bufp, krule->watch->path); 674 break; 675 case AUDIT_FILTERKEY: 676 data->buflen += data->values[i] = 677 audit_pack_string(&bufp, krule->filterkey); 678 break; 679 default: 680 data->values[i] = f->val; 681 } 682 } 683 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 684 685 return data; 686 } 687 688 /* Compare two rules in kernel format. Considered success if rules 689 * don't match. */ 690 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 691 { 692 int i; 693 694 if (a->flags != b->flags || 695 a->listnr != b->listnr || 696 a->action != b->action || 697 a->field_count != b->field_count) 698 return 1; 699 700 for (i = 0; i < a->field_count; i++) { 701 if (a->fields[i].type != b->fields[i].type || 702 a->fields[i].op != b->fields[i].op) 703 return 1; 704 705 switch(a->fields[i].type) { 706 case AUDIT_SUBJ_USER: 707 case AUDIT_SUBJ_ROLE: 708 case AUDIT_SUBJ_TYPE: 709 case AUDIT_SUBJ_SEN: 710 case AUDIT_SUBJ_CLR: 711 case AUDIT_OBJ_USER: 712 case AUDIT_OBJ_ROLE: 713 case AUDIT_OBJ_TYPE: 714 case AUDIT_OBJ_LEV_LOW: 715 case AUDIT_OBJ_LEV_HIGH: 716 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 717 return 1; 718 break; 719 case AUDIT_WATCH: 720 if (strcmp(a->watch->path, b->watch->path)) 721 return 1; 722 break; 723 case AUDIT_FILTERKEY: 724 /* both filterkeys exist based on above type compare */ 725 if (strcmp(a->filterkey, b->filterkey)) 726 return 1; 727 break; 728 default: 729 if (a->fields[i].val != b->fields[i].val) 730 return 1; 731 } 732 } 733 734 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 735 if (a->mask[i] != b->mask[i]) 736 return 1; 737 738 return 0; 739 } 740 741 /* Duplicate the given audit watch. The new watch's rules list is initialized 742 * to an empty list and wlist is undefined. */ 743 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 744 { 745 char *path; 746 struct audit_watch *new; 747 748 path = kstrdup(old->path, GFP_KERNEL); 749 if (unlikely(!path)) 750 return ERR_PTR(-ENOMEM); 751 752 new = audit_init_watch(path); 753 if (unlikely(IS_ERR(new))) { 754 kfree(path); 755 goto out; 756 } 757 758 new->dev = old->dev; 759 new->ino = old->ino; 760 get_inotify_watch(&old->parent->wdata); 761 new->parent = old->parent; 762 763 out: 764 return new; 765 } 766 767 /* Duplicate selinux field information. The se_rule is opaque, so must be 768 * re-initialized. */ 769 static inline int audit_dupe_selinux_field(struct audit_field *df, 770 struct audit_field *sf) 771 { 772 int ret = 0; 773 char *se_str; 774 775 /* our own copy of se_str */ 776 se_str = kstrdup(sf->se_str, GFP_KERNEL); 777 if (unlikely(IS_ERR(se_str))) 778 return -ENOMEM; 779 df->se_str = se_str; 780 781 /* our own (refreshed) copy of se_rule */ 782 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 783 &df->se_rule); 784 /* Keep currently invalid fields around in case they 785 * become valid after a policy reload. */ 786 if (ret == -EINVAL) { 787 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 788 "invalid\n", df->se_str); 789 ret = 0; 790 } 791 792 return ret; 793 } 794 795 /* Duplicate an audit rule. This will be a deep copy with the exception 796 * of the watch - that pointer is carried over. The selinux specific fields 797 * will be updated in the copy. The point is to be able to replace the old 798 * rule with the new rule in the filterlist, then free the old rule. 799 * The rlist element is undefined; list manipulations are handled apart from 800 * the initial copy. */ 801 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 802 struct audit_watch *watch) 803 { 804 u32 fcount = old->field_count; 805 struct audit_entry *entry; 806 struct audit_krule *new; 807 char *fk; 808 int i, err = 0; 809 810 entry = audit_init_entry(fcount); 811 if (unlikely(!entry)) 812 return ERR_PTR(-ENOMEM); 813 814 new = &entry->rule; 815 new->vers_ops = old->vers_ops; 816 new->flags = old->flags; 817 new->listnr = old->listnr; 818 new->action = old->action; 819 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 820 new->mask[i] = old->mask[i]; 821 new->buflen = old->buflen; 822 new->inode_f = old->inode_f; 823 new->watch = NULL; 824 new->field_count = old->field_count; 825 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 826 827 /* deep copy this information, updating the se_rule fields, because 828 * the originals will all be freed when the old rule is freed. */ 829 for (i = 0; i < fcount; i++) { 830 switch (new->fields[i].type) { 831 case AUDIT_SUBJ_USER: 832 case AUDIT_SUBJ_ROLE: 833 case AUDIT_SUBJ_TYPE: 834 case AUDIT_SUBJ_SEN: 835 case AUDIT_SUBJ_CLR: 836 case AUDIT_OBJ_USER: 837 case AUDIT_OBJ_ROLE: 838 case AUDIT_OBJ_TYPE: 839 case AUDIT_OBJ_LEV_LOW: 840 case AUDIT_OBJ_LEV_HIGH: 841 err = audit_dupe_selinux_field(&new->fields[i], 842 &old->fields[i]); 843 break; 844 case AUDIT_FILTERKEY: 845 fk = kstrdup(old->filterkey, GFP_KERNEL); 846 if (unlikely(!fk)) 847 err = -ENOMEM; 848 else 849 new->filterkey = fk; 850 } 851 if (err) { 852 audit_free_rule(entry); 853 return ERR_PTR(err); 854 } 855 } 856 857 if (watch) { 858 audit_get_watch(watch); 859 new->watch = watch; 860 } 861 862 return entry; 863 } 864 865 /* Update inode info in audit rules based on filesystem event. */ 866 static void audit_update_watch(struct audit_parent *parent, 867 const char *dname, dev_t dev, 868 unsigned long ino, unsigned invalidating) 869 { 870 struct audit_watch *owatch, *nwatch, *nextw; 871 struct audit_krule *r, *nextr; 872 struct audit_entry *oentry, *nentry; 873 struct audit_buffer *ab; 874 875 mutex_lock(&audit_filter_mutex); 876 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 877 if (audit_compare_dname_path(dname, owatch->path, NULL)) 878 continue; 879 880 /* If the update involves invalidating rules, do the inode-based 881 * filtering now, so we don't omit records. */ 882 if (invalidating && 883 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 884 audit_set_auditable(current->audit_context); 885 886 nwatch = audit_dupe_watch(owatch); 887 if (unlikely(IS_ERR(nwatch))) { 888 mutex_unlock(&audit_filter_mutex); 889 audit_panic("error updating watch, skipping"); 890 return; 891 } 892 nwatch->dev = dev; 893 nwatch->ino = ino; 894 895 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 896 897 oentry = container_of(r, struct audit_entry, rule); 898 list_del(&oentry->rule.rlist); 899 list_del_rcu(&oentry->list); 900 901 nentry = audit_dupe_rule(&oentry->rule, nwatch); 902 if (unlikely(IS_ERR(nentry))) 903 audit_panic("error updating watch, removing"); 904 else { 905 int h = audit_hash_ino((u32)ino); 906 list_add(&nentry->rule.rlist, &nwatch->rules); 907 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 908 } 909 910 call_rcu(&oentry->rcu, audit_free_rule_rcu); 911 } 912 913 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 914 audit_log_format(ab, "audit updated rules specifying watch="); 915 audit_log_untrustedstring(ab, owatch->path); 916 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 917 audit_log_end(ab); 918 919 audit_remove_watch(owatch); 920 goto add_watch_to_parent; /* event applies to a single watch */ 921 } 922 mutex_unlock(&audit_filter_mutex); 923 return; 924 925 add_watch_to_parent: 926 list_add(&nwatch->wlist, &parent->watches); 927 mutex_unlock(&audit_filter_mutex); 928 return; 929 } 930 931 /* Remove all watches & rules associated with a parent that is going away. */ 932 static void audit_remove_parent_watches(struct audit_parent *parent) 933 { 934 struct audit_watch *w, *nextw; 935 struct audit_krule *r, *nextr; 936 struct audit_entry *e; 937 938 mutex_lock(&audit_filter_mutex); 939 parent->flags |= AUDIT_PARENT_INVALID; 940 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 941 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 942 e = container_of(r, struct audit_entry, rule); 943 list_del(&r->rlist); 944 list_del_rcu(&e->list); 945 call_rcu(&e->rcu, audit_free_rule_rcu); 946 947 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 948 "audit implicitly removed rule from list=%d\n", 949 AUDIT_FILTER_EXIT); 950 } 951 audit_remove_watch(w); 952 } 953 mutex_unlock(&audit_filter_mutex); 954 } 955 956 /* Unregister inotify watches for parents on in_list. 957 * Generates an IN_IGNORED event. */ 958 static void audit_inotify_unregister(struct list_head *in_list) 959 { 960 struct audit_parent *p, *n; 961 962 list_for_each_entry_safe(p, n, in_list, ilist) { 963 list_del(&p->ilist); 964 inotify_rm_watch(audit_ih, &p->wdata); 965 /* the put matching the get in audit_do_del_rule() */ 966 put_inotify_watch(&p->wdata); 967 } 968 } 969 970 /* Find an existing audit rule. 971 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 972 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 973 struct list_head *list) 974 { 975 struct audit_entry *e, *found = NULL; 976 int h; 977 978 if (entry->rule.watch) { 979 /* we don't know the inode number, so must walk entire hash */ 980 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 981 list = &audit_inode_hash[h]; 982 list_for_each_entry(e, list, list) 983 if (!audit_compare_rule(&entry->rule, &e->rule)) { 984 found = e; 985 goto out; 986 } 987 } 988 goto out; 989 } 990 991 list_for_each_entry(e, list, list) 992 if (!audit_compare_rule(&entry->rule, &e->rule)) { 993 found = e; 994 goto out; 995 } 996 997 out: 998 return found; 999 } 1000 1001 /* Get path information necessary for adding watches. */ 1002 static int audit_get_nd(char *path, struct nameidata **ndp, 1003 struct nameidata **ndw) 1004 { 1005 struct nameidata *ndparent, *ndwatch; 1006 int err; 1007 1008 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1009 if (unlikely(!ndparent)) 1010 return -ENOMEM; 1011 1012 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1013 if (unlikely(!ndwatch)) { 1014 kfree(ndparent); 1015 return -ENOMEM; 1016 } 1017 1018 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1019 if (err) { 1020 kfree(ndparent); 1021 kfree(ndwatch); 1022 return err; 1023 } 1024 1025 err = path_lookup(path, 0, ndwatch); 1026 if (err) { 1027 kfree(ndwatch); 1028 ndwatch = NULL; 1029 } 1030 1031 *ndp = ndparent; 1032 *ndw = ndwatch; 1033 1034 return 0; 1035 } 1036 1037 /* Release resources used for watch path information. */ 1038 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1039 { 1040 if (ndp) { 1041 path_release(ndp); 1042 kfree(ndp); 1043 } 1044 if (ndw) { 1045 path_release(ndw); 1046 kfree(ndw); 1047 } 1048 } 1049 1050 /* Associate the given rule with an existing parent inotify_watch. 1051 * Caller must hold audit_filter_mutex. */ 1052 static void audit_add_to_parent(struct audit_krule *krule, 1053 struct audit_parent *parent) 1054 { 1055 struct audit_watch *w, *watch = krule->watch; 1056 int watch_found = 0; 1057 1058 list_for_each_entry(w, &parent->watches, wlist) { 1059 if (strcmp(watch->path, w->path)) 1060 continue; 1061 1062 watch_found = 1; 1063 1064 /* put krule's and initial refs to temporary watch */ 1065 audit_put_watch(watch); 1066 audit_put_watch(watch); 1067 1068 audit_get_watch(w); 1069 krule->watch = watch = w; 1070 break; 1071 } 1072 1073 if (!watch_found) { 1074 get_inotify_watch(&parent->wdata); 1075 watch->parent = parent; 1076 1077 list_add(&watch->wlist, &parent->watches); 1078 } 1079 list_add(&krule->rlist, &watch->rules); 1080 } 1081 1082 /* Find a matching watch entry, or add this one. 1083 * Caller must hold audit_filter_mutex. */ 1084 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1085 struct nameidata *ndw) 1086 { 1087 struct audit_watch *watch = krule->watch; 1088 struct inotify_watch *i_watch; 1089 struct audit_parent *parent; 1090 int ret = 0; 1091 1092 /* update watch filter fields */ 1093 if (ndw) { 1094 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1095 watch->ino = ndw->dentry->d_inode->i_ino; 1096 } 1097 1098 /* The audit_filter_mutex must not be held during inotify calls because 1099 * we hold it during inotify event callback processing. If an existing 1100 * inotify watch is found, inotify_find_watch() grabs a reference before 1101 * returning. 1102 */ 1103 mutex_unlock(&audit_filter_mutex); 1104 1105 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1106 parent = audit_init_parent(ndp); 1107 if (IS_ERR(parent)) { 1108 /* caller expects mutex locked */ 1109 mutex_lock(&audit_filter_mutex); 1110 return PTR_ERR(parent); 1111 } 1112 } else 1113 parent = container_of(i_watch, struct audit_parent, wdata); 1114 1115 mutex_lock(&audit_filter_mutex); 1116 1117 /* parent was moved before we took audit_filter_mutex */ 1118 if (parent->flags & AUDIT_PARENT_INVALID) 1119 ret = -ENOENT; 1120 else 1121 audit_add_to_parent(krule, parent); 1122 1123 /* match get in audit_init_parent or inotify_find_watch */ 1124 put_inotify_watch(&parent->wdata); 1125 return ret; 1126 } 1127 1128 /* Add rule to given filterlist if not a duplicate. */ 1129 static inline int audit_add_rule(struct audit_entry *entry, 1130 struct list_head *list) 1131 { 1132 struct audit_entry *e; 1133 struct audit_field *inode_f = entry->rule.inode_f; 1134 struct audit_watch *watch = entry->rule.watch; 1135 struct nameidata *ndp, *ndw; 1136 int h, err, putnd_needed = 0; 1137 1138 if (inode_f) { 1139 h = audit_hash_ino(inode_f->val); 1140 list = &audit_inode_hash[h]; 1141 } 1142 1143 mutex_lock(&audit_filter_mutex); 1144 e = audit_find_rule(entry, list); 1145 mutex_unlock(&audit_filter_mutex); 1146 if (e) { 1147 err = -EEXIST; 1148 goto error; 1149 } 1150 1151 /* Avoid calling path_lookup under audit_filter_mutex. */ 1152 if (watch) { 1153 err = audit_get_nd(watch->path, &ndp, &ndw); 1154 if (err) 1155 goto error; 1156 putnd_needed = 1; 1157 } 1158 1159 mutex_lock(&audit_filter_mutex); 1160 if (watch) { 1161 /* audit_filter_mutex is dropped and re-taken during this call */ 1162 err = audit_add_watch(&entry->rule, ndp, ndw); 1163 if (err) { 1164 mutex_unlock(&audit_filter_mutex); 1165 goto error; 1166 } 1167 h = audit_hash_ino((u32)watch->ino); 1168 list = &audit_inode_hash[h]; 1169 } 1170 1171 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1172 list_add_rcu(&entry->list, list); 1173 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1174 } else { 1175 list_add_tail_rcu(&entry->list, list); 1176 } 1177 mutex_unlock(&audit_filter_mutex); 1178 1179 if (putnd_needed) 1180 audit_put_nd(ndp, ndw); 1181 1182 return 0; 1183 1184 error: 1185 if (putnd_needed) 1186 audit_put_nd(ndp, ndw); 1187 if (watch) 1188 audit_put_watch(watch); /* tmp watch, matches initial get */ 1189 return err; 1190 } 1191 1192 /* Remove an existing rule from filterlist. */ 1193 static inline int audit_del_rule(struct audit_entry *entry, 1194 struct list_head *list) 1195 { 1196 struct audit_entry *e; 1197 struct audit_field *inode_f = entry->rule.inode_f; 1198 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1199 LIST_HEAD(inotify_list); 1200 int h, ret = 0; 1201 1202 if (inode_f) { 1203 h = audit_hash_ino(inode_f->val); 1204 list = &audit_inode_hash[h]; 1205 } 1206 1207 mutex_lock(&audit_filter_mutex); 1208 e = audit_find_rule(entry, list); 1209 if (!e) { 1210 mutex_unlock(&audit_filter_mutex); 1211 ret = -ENOENT; 1212 goto out; 1213 } 1214 1215 watch = e->rule.watch; 1216 if (watch) { 1217 struct audit_parent *parent = watch->parent; 1218 1219 list_del(&e->rule.rlist); 1220 1221 if (list_empty(&watch->rules)) { 1222 audit_remove_watch(watch); 1223 1224 if (list_empty(&parent->watches)) { 1225 /* Put parent on the inotify un-registration 1226 * list. Grab a reference before releasing 1227 * audit_filter_mutex, to be released in 1228 * audit_inotify_unregister(). */ 1229 list_add(&parent->ilist, &inotify_list); 1230 get_inotify_watch(&parent->wdata); 1231 } 1232 } 1233 } 1234 1235 list_del_rcu(&e->list); 1236 call_rcu(&e->rcu, audit_free_rule_rcu); 1237 1238 mutex_unlock(&audit_filter_mutex); 1239 1240 if (!list_empty(&inotify_list)) 1241 audit_inotify_unregister(&inotify_list); 1242 1243 out: 1244 if (tmp_watch) 1245 audit_put_watch(tmp_watch); /* match initial get */ 1246 1247 return ret; 1248 } 1249 1250 /* List rules using struct audit_rule. Exists for backward 1251 * compatibility with userspace. */ 1252 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1253 { 1254 struct sk_buff *skb; 1255 struct audit_entry *entry; 1256 int i; 1257 1258 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1259 * iterator to sync with list writers. */ 1260 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1261 list_for_each_entry(entry, &audit_filter_list[i], list) { 1262 struct audit_rule *rule; 1263 1264 rule = audit_krule_to_rule(&entry->rule); 1265 if (unlikely(!rule)) 1266 break; 1267 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1268 rule, sizeof(*rule)); 1269 if (skb) 1270 skb_queue_tail(q, skb); 1271 kfree(rule); 1272 } 1273 } 1274 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1275 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1276 struct audit_rule *rule; 1277 1278 rule = audit_krule_to_rule(&entry->rule); 1279 if (unlikely(!rule)) 1280 break; 1281 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1282 rule, sizeof(*rule)); 1283 if (skb) 1284 skb_queue_tail(q, skb); 1285 kfree(rule); 1286 } 1287 } 1288 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1289 if (skb) 1290 skb_queue_tail(q, skb); 1291 } 1292 1293 /* List rules using struct audit_rule_data. */ 1294 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1295 { 1296 struct sk_buff *skb; 1297 struct audit_entry *e; 1298 int i; 1299 1300 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1301 * iterator to sync with list writers. */ 1302 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1303 list_for_each_entry(e, &audit_filter_list[i], list) { 1304 struct audit_rule_data *data; 1305 1306 data = audit_krule_to_data(&e->rule); 1307 if (unlikely(!data)) 1308 break; 1309 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1310 data, sizeof(*data) + data->buflen); 1311 if (skb) 1312 skb_queue_tail(q, skb); 1313 kfree(data); 1314 } 1315 } 1316 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1317 list_for_each_entry(e, &audit_inode_hash[i], list) { 1318 struct audit_rule_data *data; 1319 1320 data = audit_krule_to_data(&e->rule); 1321 if (unlikely(!data)) 1322 break; 1323 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1324 data, sizeof(*data) + data->buflen); 1325 if (skb) 1326 skb_queue_tail(q, skb); 1327 kfree(data); 1328 } 1329 } 1330 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1331 if (skb) 1332 skb_queue_tail(q, skb); 1333 } 1334 1335 /* Log rule additions and removals */ 1336 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1337 struct audit_krule *rule, int res) 1338 { 1339 struct audit_buffer *ab; 1340 1341 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1342 if (!ab) 1343 return; 1344 audit_log_format(ab, "auid=%u", loginuid); 1345 if (sid) { 1346 char *ctx = NULL; 1347 u32 len; 1348 if (selinux_ctxid_to_string(sid, &ctx, &len)) 1349 audit_log_format(ab, " ssid=%u", sid); 1350 else 1351 audit_log_format(ab, " subj=%s", ctx); 1352 kfree(ctx); 1353 } 1354 audit_log_format(ab, " %s rule key=", action); 1355 if (rule->filterkey) 1356 audit_log_untrustedstring(ab, rule->filterkey); 1357 else 1358 audit_log_format(ab, "(null)"); 1359 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1360 audit_log_end(ab); 1361 } 1362 1363 /** 1364 * audit_receive_filter - apply all rules to the specified message type 1365 * @type: audit message type 1366 * @pid: target pid for netlink audit messages 1367 * @uid: target uid for netlink audit messages 1368 * @seq: netlink audit message sequence (serial) number 1369 * @data: payload data 1370 * @datasz: size of payload data 1371 * @loginuid: loginuid of sender 1372 * @sid: SE Linux Security ID of sender 1373 */ 1374 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1375 size_t datasz, uid_t loginuid, u32 sid) 1376 { 1377 struct task_struct *tsk; 1378 struct audit_netlink_list *dest; 1379 int err = 0; 1380 struct audit_entry *entry; 1381 1382 switch (type) { 1383 case AUDIT_LIST: 1384 case AUDIT_LIST_RULES: 1385 /* We can't just spew out the rules here because we might fill 1386 * the available socket buffer space and deadlock waiting for 1387 * auditctl to read from it... which isn't ever going to 1388 * happen if we're actually running in the context of auditctl 1389 * trying to _send_ the stuff */ 1390 1391 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1392 if (!dest) 1393 return -ENOMEM; 1394 dest->pid = pid; 1395 skb_queue_head_init(&dest->q); 1396 1397 mutex_lock(&audit_filter_mutex); 1398 if (type == AUDIT_LIST) 1399 audit_list(pid, seq, &dest->q); 1400 else 1401 audit_list_rules(pid, seq, &dest->q); 1402 mutex_unlock(&audit_filter_mutex); 1403 1404 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1405 if (IS_ERR(tsk)) { 1406 skb_queue_purge(&dest->q); 1407 kfree(dest); 1408 err = PTR_ERR(tsk); 1409 } 1410 break; 1411 case AUDIT_ADD: 1412 case AUDIT_ADD_RULE: 1413 if (type == AUDIT_ADD) 1414 entry = audit_rule_to_entry(data); 1415 else 1416 entry = audit_data_to_entry(data, datasz); 1417 if (IS_ERR(entry)) 1418 return PTR_ERR(entry); 1419 1420 err = audit_add_rule(entry, 1421 &audit_filter_list[entry->rule.listnr]); 1422 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1423 1424 if (err) 1425 audit_free_rule(entry); 1426 break; 1427 case AUDIT_DEL: 1428 case AUDIT_DEL_RULE: 1429 if (type == AUDIT_DEL) 1430 entry = audit_rule_to_entry(data); 1431 else 1432 entry = audit_data_to_entry(data, datasz); 1433 if (IS_ERR(entry)) 1434 return PTR_ERR(entry); 1435 1436 err = audit_del_rule(entry, 1437 &audit_filter_list[entry->rule.listnr]); 1438 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1439 !err); 1440 1441 audit_free_rule(entry); 1442 break; 1443 default: 1444 return -EINVAL; 1445 } 1446 1447 return err; 1448 } 1449 1450 int audit_comparator(const u32 left, const u32 op, const u32 right) 1451 { 1452 switch (op) { 1453 case AUDIT_EQUAL: 1454 return (left == right); 1455 case AUDIT_NOT_EQUAL: 1456 return (left != right); 1457 case AUDIT_LESS_THAN: 1458 return (left < right); 1459 case AUDIT_LESS_THAN_OR_EQUAL: 1460 return (left <= right); 1461 case AUDIT_GREATER_THAN: 1462 return (left > right); 1463 case AUDIT_GREATER_THAN_OR_EQUAL: 1464 return (left >= right); 1465 } 1466 BUG(); 1467 return 0; 1468 } 1469 1470 /* Compare given dentry name with last component in given path, 1471 * return of 0 indicates a match. */ 1472 int audit_compare_dname_path(const char *dname, const char *path, 1473 int *dirlen) 1474 { 1475 int dlen, plen; 1476 const char *p; 1477 1478 if (!dname || !path) 1479 return 1; 1480 1481 dlen = strlen(dname); 1482 plen = strlen(path); 1483 if (plen < dlen) 1484 return 1; 1485 1486 /* disregard trailing slashes */ 1487 p = path + plen - 1; 1488 while ((*p == '/') && (p > path)) 1489 p--; 1490 1491 /* find last path component */ 1492 p = p - dlen + 1; 1493 if (p < path) 1494 return 1; 1495 else if (p > path) { 1496 if (*--p != '/') 1497 return 1; 1498 else 1499 p++; 1500 } 1501 1502 /* return length of path's directory component */ 1503 if (dirlen) 1504 *dirlen = p - path; 1505 return strncmp(p, dname, dlen); 1506 } 1507 1508 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1509 struct audit_krule *rule, 1510 enum audit_state *state) 1511 { 1512 int i; 1513 1514 for (i = 0; i < rule->field_count; i++) { 1515 struct audit_field *f = &rule->fields[i]; 1516 int result = 0; 1517 1518 switch (f->type) { 1519 case AUDIT_PID: 1520 result = audit_comparator(cb->creds.pid, f->op, f->val); 1521 break; 1522 case AUDIT_UID: 1523 result = audit_comparator(cb->creds.uid, f->op, f->val); 1524 break; 1525 case AUDIT_GID: 1526 result = audit_comparator(cb->creds.gid, f->op, f->val); 1527 break; 1528 case AUDIT_LOGINUID: 1529 result = audit_comparator(cb->loginuid, f->op, f->val); 1530 break; 1531 } 1532 1533 if (!result) 1534 return 0; 1535 } 1536 switch (rule->action) { 1537 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1538 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1539 } 1540 return 1; 1541 } 1542 1543 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1544 { 1545 struct audit_entry *e; 1546 enum audit_state state; 1547 int ret = 1; 1548 1549 rcu_read_lock(); 1550 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1551 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1552 if (state == AUDIT_DISABLED) 1553 ret = 0; 1554 break; 1555 } 1556 } 1557 rcu_read_unlock(); 1558 1559 return ret; /* Audit by default */ 1560 } 1561 1562 int audit_filter_type(int type) 1563 { 1564 struct audit_entry *e; 1565 int result = 0; 1566 1567 rcu_read_lock(); 1568 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1569 goto unlock_and_return; 1570 1571 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1572 list) { 1573 int i; 1574 for (i = 0; i < e->rule.field_count; i++) { 1575 struct audit_field *f = &e->rule.fields[i]; 1576 if (f->type == AUDIT_MSGTYPE) { 1577 result = audit_comparator(type, f->op, f->val); 1578 if (!result) 1579 break; 1580 } 1581 } 1582 if (result) 1583 goto unlock_and_return; 1584 } 1585 unlock_and_return: 1586 rcu_read_unlock(); 1587 return result; 1588 } 1589 1590 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1591 are selinux fields specified in the rule, 0 otherwise. */ 1592 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1593 { 1594 int i; 1595 1596 for (i = 0; i < rule->field_count; i++) { 1597 struct audit_field *f = &rule->fields[i]; 1598 switch (f->type) { 1599 case AUDIT_SUBJ_USER: 1600 case AUDIT_SUBJ_ROLE: 1601 case AUDIT_SUBJ_TYPE: 1602 case AUDIT_SUBJ_SEN: 1603 case AUDIT_SUBJ_CLR: 1604 case AUDIT_OBJ_USER: 1605 case AUDIT_OBJ_ROLE: 1606 case AUDIT_OBJ_TYPE: 1607 case AUDIT_OBJ_LEV_LOW: 1608 case AUDIT_OBJ_LEV_HIGH: 1609 return 1; 1610 } 1611 } 1612 1613 return 0; 1614 } 1615 1616 /* This function will re-initialize the se_rule field of all applicable rules. 1617 * It will traverse the filter lists serarching for rules that contain selinux 1618 * specific filter fields. When such a rule is found, it is copied, the 1619 * selinux field is re-initialized, and the old rule is replaced with the 1620 * updated rule. */ 1621 int selinux_audit_rule_update(void) 1622 { 1623 struct audit_entry *entry, *n, *nentry; 1624 struct audit_watch *watch; 1625 int i, err = 0; 1626 1627 /* audit_filter_mutex synchronizes the writers */ 1628 mutex_lock(&audit_filter_mutex); 1629 1630 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1631 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1632 if (!audit_rule_has_selinux(&entry->rule)) 1633 continue; 1634 1635 watch = entry->rule.watch; 1636 nentry = audit_dupe_rule(&entry->rule, watch); 1637 if (unlikely(IS_ERR(nentry))) { 1638 /* save the first error encountered for the 1639 * return value */ 1640 if (!err) 1641 err = PTR_ERR(nentry); 1642 audit_panic("error updating selinux filters"); 1643 if (watch) 1644 list_del(&entry->rule.rlist); 1645 list_del_rcu(&entry->list); 1646 } else { 1647 if (watch) { 1648 list_add(&nentry->rule.rlist, 1649 &watch->rules); 1650 list_del(&entry->rule.rlist); 1651 } 1652 list_replace_rcu(&entry->list, &nentry->list); 1653 } 1654 call_rcu(&entry->rcu, audit_free_rule_rcu); 1655 } 1656 } 1657 1658 mutex_unlock(&audit_filter_mutex); 1659 1660 return err; 1661 } 1662 1663 /* Update watch data in audit rules based on inotify events. */ 1664 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1665 u32 cookie, const char *dname, struct inode *inode) 1666 { 1667 struct audit_parent *parent; 1668 1669 parent = container_of(i_watch, struct audit_parent, wdata); 1670 1671 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1672 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1673 inode->i_ino, 0); 1674 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1675 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1676 /* inotify automatically removes the watch and sends IN_IGNORED */ 1677 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1678 audit_remove_parent_watches(parent); 1679 /* inotify does not remove the watch, so remove it manually */ 1680 else if(mask & IN_MOVE_SELF) { 1681 audit_remove_parent_watches(parent); 1682 inotify_remove_watch_locked(audit_ih, i_watch); 1683 } else if (mask & IN_IGNORED) 1684 put_inotify_watch(i_watch); 1685 } 1686