1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146 } 147 148 static inline void audit_free_rule_rcu(struct rcu_head *head) 149 { 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152 } 153 154 /* Initialize a parent watch entry. */ 155 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156 { 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178 } 179 180 /* Initialize a watch entry. */ 181 static struct audit_watch *audit_init_watch(char *path) 182 { 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196 } 197 198 /* Initialize an audit filterlist entry. */ 199 static inline struct audit_entry *audit_init_entry(u32 field_count) 200 { 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216 } 217 218 /* Unpack a filter field's string representation from user-space 219 * buffer. */ 220 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221 { 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243 } 244 245 /* Translate an inode field to kernel respresentation. */ 246 static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248 { 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255 } 256 257 /* Translate a watch string to kernel respresentation. */ 258 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260 { 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280 } 281 282 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284 int __init audit_register_class(int class, unsigned *list) 285 { 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303 } 304 305 int audit_match_class(int class, unsigned syscall) 306 { 307 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) 308 return 0; 309 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 310 return 0; 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 312 } 313 314 #ifdef CONFIG_AUDITSYSCALL 315 static inline int audit_match_class_bits(int class, u32 *mask) 316 { 317 int i; 318 319 if (classes[class]) { 320 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 321 if (mask[i] & classes[class][i]) 322 return 0; 323 } 324 return 1; 325 } 326 327 static int audit_match_signal(struct audit_entry *entry) 328 { 329 struct audit_field *arch = entry->rule.arch_f; 330 331 if (!arch) { 332 /* When arch is unspecified, we must check both masks on biarch 333 * as syscall number alone is ambiguous. */ 334 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 335 entry->rule.mask) && 336 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 337 entry->rule.mask)); 338 } 339 340 switch(audit_classify_arch(arch->val)) { 341 case 0: /* native */ 342 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 343 entry->rule.mask)); 344 case 1: /* 32bit on biarch */ 345 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 346 entry->rule.mask)); 347 default: 348 return 1; 349 } 350 } 351 #endif 352 353 /* Common user-space to kernel rule translation. */ 354 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 355 { 356 unsigned listnr; 357 struct audit_entry *entry; 358 int i, err; 359 360 err = -EINVAL; 361 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 362 switch(listnr) { 363 default: 364 goto exit_err; 365 case AUDIT_FILTER_USER: 366 case AUDIT_FILTER_TYPE: 367 #ifdef CONFIG_AUDITSYSCALL 368 case AUDIT_FILTER_ENTRY: 369 case AUDIT_FILTER_EXIT: 370 case AUDIT_FILTER_TASK: 371 #endif 372 ; 373 } 374 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 375 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 376 goto exit_err; 377 } 378 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 379 goto exit_err; 380 if (rule->field_count > AUDIT_MAX_FIELDS) 381 goto exit_err; 382 383 err = -ENOMEM; 384 entry = audit_init_entry(rule->field_count); 385 if (!entry) 386 goto exit_err; 387 388 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 389 entry->rule.listnr = listnr; 390 entry->rule.action = rule->action; 391 entry->rule.field_count = rule->field_count; 392 393 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 394 entry->rule.mask[i] = rule->mask[i]; 395 396 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 397 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 398 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 399 __u32 *class; 400 401 if (!(*p & AUDIT_BIT(bit))) 402 continue; 403 *p &= ~AUDIT_BIT(bit); 404 class = classes[i]; 405 if (class) { 406 int j; 407 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 408 entry->rule.mask[j] |= class[j]; 409 } 410 } 411 412 return entry; 413 414 exit_err: 415 return ERR_PTR(err); 416 } 417 418 /* Translate struct audit_rule to kernel's rule respresentation. 419 * Exists for backward compatibility with userspace. */ 420 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 421 { 422 struct audit_entry *entry; 423 struct audit_field *f; 424 int err = 0; 425 int i; 426 427 entry = audit_to_entry_common(rule); 428 if (IS_ERR(entry)) 429 goto exit_nofree; 430 431 for (i = 0; i < rule->field_count; i++) { 432 struct audit_field *f = &entry->rule.fields[i]; 433 434 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 435 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 436 f->val = rule->values[i]; 437 438 err = -EINVAL; 439 switch(f->type) { 440 default: 441 goto exit_free; 442 case AUDIT_PID: 443 case AUDIT_UID: 444 case AUDIT_EUID: 445 case AUDIT_SUID: 446 case AUDIT_FSUID: 447 case AUDIT_GID: 448 case AUDIT_EGID: 449 case AUDIT_SGID: 450 case AUDIT_FSGID: 451 case AUDIT_LOGINUID: 452 case AUDIT_PERS: 453 case AUDIT_MSGTYPE: 454 case AUDIT_PPID: 455 case AUDIT_DEVMAJOR: 456 case AUDIT_DEVMINOR: 457 case AUDIT_EXIT: 458 case AUDIT_SUCCESS: 459 case AUDIT_ARG0: 460 case AUDIT_ARG1: 461 case AUDIT_ARG2: 462 case AUDIT_ARG3: 463 break; 464 /* arch is only allowed to be = or != */ 465 case AUDIT_ARCH: 466 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 467 && (f->op != AUDIT_NEGATE) && (f->op)) { 468 err = -EINVAL; 469 goto exit_free; 470 } 471 entry->rule.arch_f = f; 472 break; 473 case AUDIT_PERM: 474 if (f->val & ~15) 475 goto exit_free; 476 break; 477 case AUDIT_INODE: 478 err = audit_to_inode(&entry->rule, f); 479 if (err) 480 goto exit_free; 481 break; 482 } 483 484 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 485 486 /* Support for legacy operators where 487 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 488 if (f->op & AUDIT_NEGATE) 489 f->op = AUDIT_NOT_EQUAL; 490 else if (!f->op) 491 f->op = AUDIT_EQUAL; 492 else if (f->op == AUDIT_OPERATORS) { 493 err = -EINVAL; 494 goto exit_free; 495 } 496 } 497 498 f = entry->rule.inode_f; 499 if (f) { 500 switch(f->op) { 501 case AUDIT_NOT_EQUAL: 502 entry->rule.inode_f = NULL; 503 case AUDIT_EQUAL: 504 break; 505 default: 506 err = -EINVAL; 507 goto exit_free; 508 } 509 } 510 511 exit_nofree: 512 return entry; 513 514 exit_free: 515 audit_free_rule(entry); 516 return ERR_PTR(err); 517 } 518 519 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 520 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 521 size_t datasz) 522 { 523 int err = 0; 524 struct audit_entry *entry; 525 struct audit_field *f; 526 void *bufp; 527 size_t remain = datasz - sizeof(struct audit_rule_data); 528 int i; 529 char *str; 530 531 entry = audit_to_entry_common((struct audit_rule *)data); 532 if (IS_ERR(entry)) 533 goto exit_nofree; 534 535 bufp = data->buf; 536 entry->rule.vers_ops = 2; 537 for (i = 0; i < data->field_count; i++) { 538 struct audit_field *f = &entry->rule.fields[i]; 539 540 err = -EINVAL; 541 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 542 data->fieldflags[i] & ~AUDIT_OPERATORS) 543 goto exit_free; 544 545 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 546 f->type = data->fields[i]; 547 f->val = data->values[i]; 548 f->se_str = NULL; 549 f->se_rule = NULL; 550 switch(f->type) { 551 case AUDIT_PID: 552 case AUDIT_UID: 553 case AUDIT_EUID: 554 case AUDIT_SUID: 555 case AUDIT_FSUID: 556 case AUDIT_GID: 557 case AUDIT_EGID: 558 case AUDIT_SGID: 559 case AUDIT_FSGID: 560 case AUDIT_LOGINUID: 561 case AUDIT_PERS: 562 case AUDIT_MSGTYPE: 563 case AUDIT_PPID: 564 case AUDIT_DEVMAJOR: 565 case AUDIT_DEVMINOR: 566 case AUDIT_EXIT: 567 case AUDIT_SUCCESS: 568 case AUDIT_ARG0: 569 case AUDIT_ARG1: 570 case AUDIT_ARG2: 571 case AUDIT_ARG3: 572 break; 573 case AUDIT_ARCH: 574 entry->rule.arch_f = f; 575 break; 576 case AUDIT_SUBJ_USER: 577 case AUDIT_SUBJ_ROLE: 578 case AUDIT_SUBJ_TYPE: 579 case AUDIT_SUBJ_SEN: 580 case AUDIT_SUBJ_CLR: 581 case AUDIT_OBJ_USER: 582 case AUDIT_OBJ_ROLE: 583 case AUDIT_OBJ_TYPE: 584 case AUDIT_OBJ_LEV_LOW: 585 case AUDIT_OBJ_LEV_HIGH: 586 str = audit_unpack_string(&bufp, &remain, f->val); 587 if (IS_ERR(str)) 588 goto exit_free; 589 entry->rule.buflen += f->val; 590 591 err = selinux_audit_rule_init(f->type, f->op, str, 592 &f->se_rule); 593 /* Keep currently invalid fields around in case they 594 * become valid after a policy reload. */ 595 if (err == -EINVAL) { 596 printk(KERN_WARNING "audit rule for selinux " 597 "\'%s\' is invalid\n", str); 598 err = 0; 599 } 600 if (err) { 601 kfree(str); 602 goto exit_free; 603 } else 604 f->se_str = str; 605 break; 606 case AUDIT_WATCH: 607 str = audit_unpack_string(&bufp, &remain, f->val); 608 if (IS_ERR(str)) 609 goto exit_free; 610 entry->rule.buflen += f->val; 611 612 err = audit_to_watch(&entry->rule, str, f->val, f->op); 613 if (err) { 614 kfree(str); 615 goto exit_free; 616 } 617 break; 618 case AUDIT_INODE: 619 err = audit_to_inode(&entry->rule, f); 620 if (err) 621 goto exit_free; 622 break; 623 case AUDIT_FILTERKEY: 624 err = -EINVAL; 625 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 626 goto exit_free; 627 str = audit_unpack_string(&bufp, &remain, f->val); 628 if (IS_ERR(str)) 629 goto exit_free; 630 entry->rule.buflen += f->val; 631 entry->rule.filterkey = str; 632 break; 633 case AUDIT_PERM: 634 if (f->val & ~15) 635 goto exit_free; 636 break; 637 default: 638 goto exit_free; 639 } 640 } 641 642 f = entry->rule.inode_f; 643 if (f) { 644 switch(f->op) { 645 case AUDIT_NOT_EQUAL: 646 entry->rule.inode_f = NULL; 647 case AUDIT_EQUAL: 648 break; 649 default: 650 err = -EINVAL; 651 goto exit_free; 652 } 653 } 654 655 exit_nofree: 656 return entry; 657 658 exit_free: 659 audit_free_rule(entry); 660 return ERR_PTR(err); 661 } 662 663 /* Pack a filter field's string representation into data block. */ 664 static inline size_t audit_pack_string(void **bufp, char *str) 665 { 666 size_t len = strlen(str); 667 668 memcpy(*bufp, str, len); 669 *bufp += len; 670 671 return len; 672 } 673 674 /* Translate kernel rule respresentation to struct audit_rule. 675 * Exists for backward compatibility with userspace. */ 676 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 677 { 678 struct audit_rule *rule; 679 int i; 680 681 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 682 if (unlikely(!rule)) 683 return NULL; 684 685 rule->flags = krule->flags | krule->listnr; 686 rule->action = krule->action; 687 rule->field_count = krule->field_count; 688 for (i = 0; i < rule->field_count; i++) { 689 rule->values[i] = krule->fields[i].val; 690 rule->fields[i] = krule->fields[i].type; 691 692 if (krule->vers_ops == 1) { 693 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 694 rule->fields[i] |= AUDIT_NEGATE; 695 } else { 696 rule->fields[i] |= krule->fields[i].op; 697 } 698 } 699 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 700 701 return rule; 702 } 703 704 /* Translate kernel rule respresentation to struct audit_rule_data. */ 705 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 706 { 707 struct audit_rule_data *data; 708 void *bufp; 709 int i; 710 711 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 712 if (unlikely(!data)) 713 return NULL; 714 memset(data, 0, sizeof(*data)); 715 716 data->flags = krule->flags | krule->listnr; 717 data->action = krule->action; 718 data->field_count = krule->field_count; 719 bufp = data->buf; 720 for (i = 0; i < data->field_count; i++) { 721 struct audit_field *f = &krule->fields[i]; 722 723 data->fields[i] = f->type; 724 data->fieldflags[i] = f->op; 725 switch(f->type) { 726 case AUDIT_SUBJ_USER: 727 case AUDIT_SUBJ_ROLE: 728 case AUDIT_SUBJ_TYPE: 729 case AUDIT_SUBJ_SEN: 730 case AUDIT_SUBJ_CLR: 731 case AUDIT_OBJ_USER: 732 case AUDIT_OBJ_ROLE: 733 case AUDIT_OBJ_TYPE: 734 case AUDIT_OBJ_LEV_LOW: 735 case AUDIT_OBJ_LEV_HIGH: 736 data->buflen += data->values[i] = 737 audit_pack_string(&bufp, f->se_str); 738 break; 739 case AUDIT_WATCH: 740 data->buflen += data->values[i] = 741 audit_pack_string(&bufp, krule->watch->path); 742 break; 743 case AUDIT_FILTERKEY: 744 data->buflen += data->values[i] = 745 audit_pack_string(&bufp, krule->filterkey); 746 break; 747 default: 748 data->values[i] = f->val; 749 } 750 } 751 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 752 753 return data; 754 } 755 756 /* Compare two rules in kernel format. Considered success if rules 757 * don't match. */ 758 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 759 { 760 int i; 761 762 if (a->flags != b->flags || 763 a->listnr != b->listnr || 764 a->action != b->action || 765 a->field_count != b->field_count) 766 return 1; 767 768 for (i = 0; i < a->field_count; i++) { 769 if (a->fields[i].type != b->fields[i].type || 770 a->fields[i].op != b->fields[i].op) 771 return 1; 772 773 switch(a->fields[i].type) { 774 case AUDIT_SUBJ_USER: 775 case AUDIT_SUBJ_ROLE: 776 case AUDIT_SUBJ_TYPE: 777 case AUDIT_SUBJ_SEN: 778 case AUDIT_SUBJ_CLR: 779 case AUDIT_OBJ_USER: 780 case AUDIT_OBJ_ROLE: 781 case AUDIT_OBJ_TYPE: 782 case AUDIT_OBJ_LEV_LOW: 783 case AUDIT_OBJ_LEV_HIGH: 784 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 785 return 1; 786 break; 787 case AUDIT_WATCH: 788 if (strcmp(a->watch->path, b->watch->path)) 789 return 1; 790 break; 791 case AUDIT_FILTERKEY: 792 /* both filterkeys exist based on above type compare */ 793 if (strcmp(a->filterkey, b->filterkey)) 794 return 1; 795 break; 796 default: 797 if (a->fields[i].val != b->fields[i].val) 798 return 1; 799 } 800 } 801 802 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 803 if (a->mask[i] != b->mask[i]) 804 return 1; 805 806 return 0; 807 } 808 809 /* Duplicate the given audit watch. The new watch's rules list is initialized 810 * to an empty list and wlist is undefined. */ 811 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 812 { 813 char *path; 814 struct audit_watch *new; 815 816 path = kstrdup(old->path, GFP_KERNEL); 817 if (unlikely(!path)) 818 return ERR_PTR(-ENOMEM); 819 820 new = audit_init_watch(path); 821 if (unlikely(IS_ERR(new))) { 822 kfree(path); 823 goto out; 824 } 825 826 new->dev = old->dev; 827 new->ino = old->ino; 828 get_inotify_watch(&old->parent->wdata); 829 new->parent = old->parent; 830 831 out: 832 return new; 833 } 834 835 /* Duplicate selinux field information. The se_rule is opaque, so must be 836 * re-initialized. */ 837 static inline int audit_dupe_selinux_field(struct audit_field *df, 838 struct audit_field *sf) 839 { 840 int ret = 0; 841 char *se_str; 842 843 /* our own copy of se_str */ 844 se_str = kstrdup(sf->se_str, GFP_KERNEL); 845 if (unlikely(!se_str)) 846 return -ENOMEM; 847 df->se_str = se_str; 848 849 /* our own (refreshed) copy of se_rule */ 850 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 851 &df->se_rule); 852 /* Keep currently invalid fields around in case they 853 * become valid after a policy reload. */ 854 if (ret == -EINVAL) { 855 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 856 "invalid\n", df->se_str); 857 ret = 0; 858 } 859 860 return ret; 861 } 862 863 /* Duplicate an audit rule. This will be a deep copy with the exception 864 * of the watch - that pointer is carried over. The selinux specific fields 865 * will be updated in the copy. The point is to be able to replace the old 866 * rule with the new rule in the filterlist, then free the old rule. 867 * The rlist element is undefined; list manipulations are handled apart from 868 * the initial copy. */ 869 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 870 struct audit_watch *watch) 871 { 872 u32 fcount = old->field_count; 873 struct audit_entry *entry; 874 struct audit_krule *new; 875 char *fk; 876 int i, err = 0; 877 878 entry = audit_init_entry(fcount); 879 if (unlikely(!entry)) 880 return ERR_PTR(-ENOMEM); 881 882 new = &entry->rule; 883 new->vers_ops = old->vers_ops; 884 new->flags = old->flags; 885 new->listnr = old->listnr; 886 new->action = old->action; 887 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 888 new->mask[i] = old->mask[i]; 889 new->buflen = old->buflen; 890 new->inode_f = old->inode_f; 891 new->watch = NULL; 892 new->field_count = old->field_count; 893 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 894 895 /* deep copy this information, updating the se_rule fields, because 896 * the originals will all be freed when the old rule is freed. */ 897 for (i = 0; i < fcount; i++) { 898 switch (new->fields[i].type) { 899 case AUDIT_SUBJ_USER: 900 case AUDIT_SUBJ_ROLE: 901 case AUDIT_SUBJ_TYPE: 902 case AUDIT_SUBJ_SEN: 903 case AUDIT_SUBJ_CLR: 904 case AUDIT_OBJ_USER: 905 case AUDIT_OBJ_ROLE: 906 case AUDIT_OBJ_TYPE: 907 case AUDIT_OBJ_LEV_LOW: 908 case AUDIT_OBJ_LEV_HIGH: 909 err = audit_dupe_selinux_field(&new->fields[i], 910 &old->fields[i]); 911 break; 912 case AUDIT_FILTERKEY: 913 fk = kstrdup(old->filterkey, GFP_KERNEL); 914 if (unlikely(!fk)) 915 err = -ENOMEM; 916 else 917 new->filterkey = fk; 918 } 919 if (err) { 920 audit_free_rule(entry); 921 return ERR_PTR(err); 922 } 923 } 924 925 if (watch) { 926 audit_get_watch(watch); 927 new->watch = watch; 928 } 929 930 return entry; 931 } 932 933 /* Update inode info in audit rules based on filesystem event. */ 934 static void audit_update_watch(struct audit_parent *parent, 935 const char *dname, dev_t dev, 936 unsigned long ino, unsigned invalidating) 937 { 938 struct audit_watch *owatch, *nwatch, *nextw; 939 struct audit_krule *r, *nextr; 940 struct audit_entry *oentry, *nentry; 941 struct audit_buffer *ab; 942 943 mutex_lock(&audit_filter_mutex); 944 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 945 if (audit_compare_dname_path(dname, owatch->path, NULL)) 946 continue; 947 948 /* If the update involves invalidating rules, do the inode-based 949 * filtering now, so we don't omit records. */ 950 if (invalidating && current->audit_context && 951 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 952 audit_set_auditable(current->audit_context); 953 954 nwatch = audit_dupe_watch(owatch); 955 if (unlikely(IS_ERR(nwatch))) { 956 mutex_unlock(&audit_filter_mutex); 957 audit_panic("error updating watch, skipping"); 958 return; 959 } 960 nwatch->dev = dev; 961 nwatch->ino = ino; 962 963 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 964 965 oentry = container_of(r, struct audit_entry, rule); 966 list_del(&oentry->rule.rlist); 967 list_del_rcu(&oentry->list); 968 969 nentry = audit_dupe_rule(&oentry->rule, nwatch); 970 if (unlikely(IS_ERR(nentry))) 971 audit_panic("error updating watch, removing"); 972 else { 973 int h = audit_hash_ino((u32)ino); 974 list_add(&nentry->rule.rlist, &nwatch->rules); 975 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 976 } 977 978 call_rcu(&oentry->rcu, audit_free_rule_rcu); 979 } 980 981 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 982 audit_log_format(ab, "op=updated rules specifying path="); 983 audit_log_untrustedstring(ab, owatch->path); 984 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 985 audit_log_format(ab, " list=%d res=1", r->listnr); 986 audit_log_end(ab); 987 988 audit_remove_watch(owatch); 989 goto add_watch_to_parent; /* event applies to a single watch */ 990 } 991 mutex_unlock(&audit_filter_mutex); 992 return; 993 994 add_watch_to_parent: 995 list_add(&nwatch->wlist, &parent->watches); 996 mutex_unlock(&audit_filter_mutex); 997 return; 998 } 999 1000 /* Remove all watches & rules associated with a parent that is going away. */ 1001 static void audit_remove_parent_watches(struct audit_parent *parent) 1002 { 1003 struct audit_watch *w, *nextw; 1004 struct audit_krule *r, *nextr; 1005 struct audit_entry *e; 1006 struct audit_buffer *ab; 1007 1008 mutex_lock(&audit_filter_mutex); 1009 parent->flags |= AUDIT_PARENT_INVALID; 1010 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1011 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1012 e = container_of(r, struct audit_entry, rule); 1013 1014 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1015 audit_log_format(ab, "op=remove rule path="); 1016 audit_log_untrustedstring(ab, w->path); 1017 if (r->filterkey) { 1018 audit_log_format(ab, " key="); 1019 audit_log_untrustedstring(ab, r->filterkey); 1020 } else 1021 audit_log_format(ab, " key=(null)"); 1022 audit_log_format(ab, " list=%d res=1", r->listnr); 1023 audit_log_end(ab); 1024 1025 list_del(&r->rlist); 1026 list_del_rcu(&e->list); 1027 call_rcu(&e->rcu, audit_free_rule_rcu); 1028 } 1029 audit_remove_watch(w); 1030 } 1031 mutex_unlock(&audit_filter_mutex); 1032 } 1033 1034 /* Unregister inotify watches for parents on in_list. 1035 * Generates an IN_IGNORED event. */ 1036 static void audit_inotify_unregister(struct list_head *in_list) 1037 { 1038 struct audit_parent *p, *n; 1039 1040 list_for_each_entry_safe(p, n, in_list, ilist) { 1041 list_del(&p->ilist); 1042 inotify_rm_watch(audit_ih, &p->wdata); 1043 /* the put matching the get in audit_do_del_rule() */ 1044 put_inotify_watch(&p->wdata); 1045 } 1046 } 1047 1048 /* Find an existing audit rule. 1049 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1050 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1051 struct list_head *list) 1052 { 1053 struct audit_entry *e, *found = NULL; 1054 int h; 1055 1056 if (entry->rule.watch) { 1057 /* we don't know the inode number, so must walk entire hash */ 1058 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1059 list = &audit_inode_hash[h]; 1060 list_for_each_entry(e, list, list) 1061 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1062 found = e; 1063 goto out; 1064 } 1065 } 1066 goto out; 1067 } 1068 1069 list_for_each_entry(e, list, list) 1070 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1071 found = e; 1072 goto out; 1073 } 1074 1075 out: 1076 return found; 1077 } 1078 1079 /* Get path information necessary for adding watches. */ 1080 static int audit_get_nd(char *path, struct nameidata **ndp, 1081 struct nameidata **ndw) 1082 { 1083 struct nameidata *ndparent, *ndwatch; 1084 int err; 1085 1086 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1087 if (unlikely(!ndparent)) 1088 return -ENOMEM; 1089 1090 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1091 if (unlikely(!ndwatch)) { 1092 kfree(ndparent); 1093 return -ENOMEM; 1094 } 1095 1096 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1097 if (err) { 1098 kfree(ndparent); 1099 kfree(ndwatch); 1100 return err; 1101 } 1102 1103 err = path_lookup(path, 0, ndwatch); 1104 if (err) { 1105 kfree(ndwatch); 1106 ndwatch = NULL; 1107 } 1108 1109 *ndp = ndparent; 1110 *ndw = ndwatch; 1111 1112 return 0; 1113 } 1114 1115 /* Release resources used for watch path information. */ 1116 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1117 { 1118 if (ndp) { 1119 path_release(ndp); 1120 kfree(ndp); 1121 } 1122 if (ndw) { 1123 path_release(ndw); 1124 kfree(ndw); 1125 } 1126 } 1127 1128 /* Associate the given rule with an existing parent inotify_watch. 1129 * Caller must hold audit_filter_mutex. */ 1130 static void audit_add_to_parent(struct audit_krule *krule, 1131 struct audit_parent *parent) 1132 { 1133 struct audit_watch *w, *watch = krule->watch; 1134 int watch_found = 0; 1135 1136 list_for_each_entry(w, &parent->watches, wlist) { 1137 if (strcmp(watch->path, w->path)) 1138 continue; 1139 1140 watch_found = 1; 1141 1142 /* put krule's and initial refs to temporary watch */ 1143 audit_put_watch(watch); 1144 audit_put_watch(watch); 1145 1146 audit_get_watch(w); 1147 krule->watch = watch = w; 1148 break; 1149 } 1150 1151 if (!watch_found) { 1152 get_inotify_watch(&parent->wdata); 1153 watch->parent = parent; 1154 1155 list_add(&watch->wlist, &parent->watches); 1156 } 1157 list_add(&krule->rlist, &watch->rules); 1158 } 1159 1160 /* Find a matching watch entry, or add this one. 1161 * Caller must hold audit_filter_mutex. */ 1162 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1163 struct nameidata *ndw) 1164 { 1165 struct audit_watch *watch = krule->watch; 1166 struct inotify_watch *i_watch; 1167 struct audit_parent *parent; 1168 int ret = 0; 1169 1170 /* update watch filter fields */ 1171 if (ndw) { 1172 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1173 watch->ino = ndw->dentry->d_inode->i_ino; 1174 } 1175 1176 /* The audit_filter_mutex must not be held during inotify calls because 1177 * we hold it during inotify event callback processing. If an existing 1178 * inotify watch is found, inotify_find_watch() grabs a reference before 1179 * returning. 1180 */ 1181 mutex_unlock(&audit_filter_mutex); 1182 1183 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1184 parent = audit_init_parent(ndp); 1185 if (IS_ERR(parent)) { 1186 /* caller expects mutex locked */ 1187 mutex_lock(&audit_filter_mutex); 1188 return PTR_ERR(parent); 1189 } 1190 } else 1191 parent = container_of(i_watch, struct audit_parent, wdata); 1192 1193 mutex_lock(&audit_filter_mutex); 1194 1195 /* parent was moved before we took audit_filter_mutex */ 1196 if (parent->flags & AUDIT_PARENT_INVALID) 1197 ret = -ENOENT; 1198 else 1199 audit_add_to_parent(krule, parent); 1200 1201 /* match get in audit_init_parent or inotify_find_watch */ 1202 put_inotify_watch(&parent->wdata); 1203 return ret; 1204 } 1205 1206 /* Add rule to given filterlist if not a duplicate. */ 1207 static inline int audit_add_rule(struct audit_entry *entry, 1208 struct list_head *list) 1209 { 1210 struct audit_entry *e; 1211 struct audit_field *inode_f = entry->rule.inode_f; 1212 struct audit_watch *watch = entry->rule.watch; 1213 struct nameidata *ndp = NULL, *ndw = NULL; 1214 int h, err; 1215 #ifdef CONFIG_AUDITSYSCALL 1216 int dont_count = 0; 1217 1218 /* If either of these, don't count towards total */ 1219 if (entry->rule.listnr == AUDIT_FILTER_USER || 1220 entry->rule.listnr == AUDIT_FILTER_TYPE) 1221 dont_count = 1; 1222 #endif 1223 1224 if (inode_f) { 1225 h = audit_hash_ino(inode_f->val); 1226 list = &audit_inode_hash[h]; 1227 } 1228 1229 mutex_lock(&audit_filter_mutex); 1230 e = audit_find_rule(entry, list); 1231 mutex_unlock(&audit_filter_mutex); 1232 if (e) { 1233 err = -EEXIST; 1234 goto error; 1235 } 1236 1237 /* Avoid calling path_lookup under audit_filter_mutex. */ 1238 if (watch) { 1239 err = audit_get_nd(watch->path, &ndp, &ndw); 1240 if (err) 1241 goto error; 1242 } 1243 1244 mutex_lock(&audit_filter_mutex); 1245 if (watch) { 1246 /* audit_filter_mutex is dropped and re-taken during this call */ 1247 err = audit_add_watch(&entry->rule, ndp, ndw); 1248 if (err) { 1249 mutex_unlock(&audit_filter_mutex); 1250 goto error; 1251 } 1252 h = audit_hash_ino((u32)watch->ino); 1253 list = &audit_inode_hash[h]; 1254 } 1255 1256 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1257 list_add_rcu(&entry->list, list); 1258 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1259 } else { 1260 list_add_tail_rcu(&entry->list, list); 1261 } 1262 #ifdef CONFIG_AUDITSYSCALL 1263 if (!dont_count) 1264 audit_n_rules++; 1265 1266 if (!audit_match_signal(entry)) 1267 audit_signals++; 1268 #endif 1269 mutex_unlock(&audit_filter_mutex); 1270 1271 audit_put_nd(ndp, ndw); /* NULL args OK */ 1272 return 0; 1273 1274 error: 1275 audit_put_nd(ndp, ndw); /* NULL args OK */ 1276 if (watch) 1277 audit_put_watch(watch); /* tmp watch, matches initial get */ 1278 return err; 1279 } 1280 1281 /* Remove an existing rule from filterlist. */ 1282 static inline int audit_del_rule(struct audit_entry *entry, 1283 struct list_head *list) 1284 { 1285 struct audit_entry *e; 1286 struct audit_field *inode_f = entry->rule.inode_f; 1287 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1288 LIST_HEAD(inotify_list); 1289 int h, ret = 0; 1290 #ifdef CONFIG_AUDITSYSCALL 1291 int dont_count = 0; 1292 1293 /* If either of these, don't count towards total */ 1294 if (entry->rule.listnr == AUDIT_FILTER_USER || 1295 entry->rule.listnr == AUDIT_FILTER_TYPE) 1296 dont_count = 1; 1297 #endif 1298 1299 if (inode_f) { 1300 h = audit_hash_ino(inode_f->val); 1301 list = &audit_inode_hash[h]; 1302 } 1303 1304 mutex_lock(&audit_filter_mutex); 1305 e = audit_find_rule(entry, list); 1306 if (!e) { 1307 mutex_unlock(&audit_filter_mutex); 1308 ret = -ENOENT; 1309 goto out; 1310 } 1311 1312 watch = e->rule.watch; 1313 if (watch) { 1314 struct audit_parent *parent = watch->parent; 1315 1316 list_del(&e->rule.rlist); 1317 1318 if (list_empty(&watch->rules)) { 1319 audit_remove_watch(watch); 1320 1321 if (list_empty(&parent->watches)) { 1322 /* Put parent on the inotify un-registration 1323 * list. Grab a reference before releasing 1324 * audit_filter_mutex, to be released in 1325 * audit_inotify_unregister(). */ 1326 list_add(&parent->ilist, &inotify_list); 1327 get_inotify_watch(&parent->wdata); 1328 } 1329 } 1330 } 1331 1332 list_del_rcu(&e->list); 1333 call_rcu(&e->rcu, audit_free_rule_rcu); 1334 1335 #ifdef CONFIG_AUDITSYSCALL 1336 if (!dont_count) 1337 audit_n_rules--; 1338 1339 if (!audit_match_signal(entry)) 1340 audit_signals--; 1341 #endif 1342 mutex_unlock(&audit_filter_mutex); 1343 1344 if (!list_empty(&inotify_list)) 1345 audit_inotify_unregister(&inotify_list); 1346 1347 out: 1348 if (tmp_watch) 1349 audit_put_watch(tmp_watch); /* match initial get */ 1350 1351 return ret; 1352 } 1353 1354 /* List rules using struct audit_rule. Exists for backward 1355 * compatibility with userspace. */ 1356 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1357 { 1358 struct sk_buff *skb; 1359 struct audit_entry *entry; 1360 int i; 1361 1362 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1363 * iterator to sync with list writers. */ 1364 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1365 list_for_each_entry(entry, &audit_filter_list[i], list) { 1366 struct audit_rule *rule; 1367 1368 rule = audit_krule_to_rule(&entry->rule); 1369 if (unlikely(!rule)) 1370 break; 1371 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1372 rule, sizeof(*rule)); 1373 if (skb) 1374 skb_queue_tail(q, skb); 1375 kfree(rule); 1376 } 1377 } 1378 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1379 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1380 struct audit_rule *rule; 1381 1382 rule = audit_krule_to_rule(&entry->rule); 1383 if (unlikely(!rule)) 1384 break; 1385 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1386 rule, sizeof(*rule)); 1387 if (skb) 1388 skb_queue_tail(q, skb); 1389 kfree(rule); 1390 } 1391 } 1392 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1393 if (skb) 1394 skb_queue_tail(q, skb); 1395 } 1396 1397 /* List rules using struct audit_rule_data. */ 1398 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1399 { 1400 struct sk_buff *skb; 1401 struct audit_entry *e; 1402 int i; 1403 1404 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1405 * iterator to sync with list writers. */ 1406 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1407 list_for_each_entry(e, &audit_filter_list[i], list) { 1408 struct audit_rule_data *data; 1409 1410 data = audit_krule_to_data(&e->rule); 1411 if (unlikely(!data)) 1412 break; 1413 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1414 data, sizeof(*data) + data->buflen); 1415 if (skb) 1416 skb_queue_tail(q, skb); 1417 kfree(data); 1418 } 1419 } 1420 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1421 list_for_each_entry(e, &audit_inode_hash[i], list) { 1422 struct audit_rule_data *data; 1423 1424 data = audit_krule_to_data(&e->rule); 1425 if (unlikely(!data)) 1426 break; 1427 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1428 data, sizeof(*data) + data->buflen); 1429 if (skb) 1430 skb_queue_tail(q, skb); 1431 kfree(data); 1432 } 1433 } 1434 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1435 if (skb) 1436 skb_queue_tail(q, skb); 1437 } 1438 1439 /* Log rule additions and removals */ 1440 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1441 struct audit_krule *rule, int res) 1442 { 1443 struct audit_buffer *ab; 1444 1445 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1446 if (!ab) 1447 return; 1448 audit_log_format(ab, "auid=%u", loginuid); 1449 if (sid) { 1450 char *ctx = NULL; 1451 u32 len; 1452 if (selinux_sid_to_string(sid, &ctx, &len)) 1453 audit_log_format(ab, " ssid=%u", sid); 1454 else 1455 audit_log_format(ab, " subj=%s", ctx); 1456 kfree(ctx); 1457 } 1458 audit_log_format(ab, " op=%s rule key=", action); 1459 if (rule->filterkey) 1460 audit_log_untrustedstring(ab, rule->filterkey); 1461 else 1462 audit_log_format(ab, "(null)"); 1463 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1464 audit_log_end(ab); 1465 } 1466 1467 /** 1468 * audit_receive_filter - apply all rules to the specified message type 1469 * @type: audit message type 1470 * @pid: target pid for netlink audit messages 1471 * @uid: target uid for netlink audit messages 1472 * @seq: netlink audit message sequence (serial) number 1473 * @data: payload data 1474 * @datasz: size of payload data 1475 * @loginuid: loginuid of sender 1476 * @sid: SE Linux Security ID of sender 1477 */ 1478 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1479 size_t datasz, uid_t loginuid, u32 sid) 1480 { 1481 struct task_struct *tsk; 1482 struct audit_netlink_list *dest; 1483 int err = 0; 1484 struct audit_entry *entry; 1485 1486 switch (type) { 1487 case AUDIT_LIST: 1488 case AUDIT_LIST_RULES: 1489 /* We can't just spew out the rules here because we might fill 1490 * the available socket buffer space and deadlock waiting for 1491 * auditctl to read from it... which isn't ever going to 1492 * happen if we're actually running in the context of auditctl 1493 * trying to _send_ the stuff */ 1494 1495 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1496 if (!dest) 1497 return -ENOMEM; 1498 dest->pid = pid; 1499 skb_queue_head_init(&dest->q); 1500 1501 mutex_lock(&audit_filter_mutex); 1502 if (type == AUDIT_LIST) 1503 audit_list(pid, seq, &dest->q); 1504 else 1505 audit_list_rules(pid, seq, &dest->q); 1506 mutex_unlock(&audit_filter_mutex); 1507 1508 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1509 if (IS_ERR(tsk)) { 1510 skb_queue_purge(&dest->q); 1511 kfree(dest); 1512 err = PTR_ERR(tsk); 1513 } 1514 break; 1515 case AUDIT_ADD: 1516 case AUDIT_ADD_RULE: 1517 if (type == AUDIT_ADD) 1518 entry = audit_rule_to_entry(data); 1519 else 1520 entry = audit_data_to_entry(data, datasz); 1521 if (IS_ERR(entry)) 1522 return PTR_ERR(entry); 1523 1524 err = audit_add_rule(entry, 1525 &audit_filter_list[entry->rule.listnr]); 1526 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1527 1528 if (err) 1529 audit_free_rule(entry); 1530 break; 1531 case AUDIT_DEL: 1532 case AUDIT_DEL_RULE: 1533 if (type == AUDIT_DEL) 1534 entry = audit_rule_to_entry(data); 1535 else 1536 entry = audit_data_to_entry(data, datasz); 1537 if (IS_ERR(entry)) 1538 return PTR_ERR(entry); 1539 1540 err = audit_del_rule(entry, 1541 &audit_filter_list[entry->rule.listnr]); 1542 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1543 !err); 1544 1545 audit_free_rule(entry); 1546 break; 1547 default: 1548 return -EINVAL; 1549 } 1550 1551 return err; 1552 } 1553 1554 int audit_comparator(const u32 left, const u32 op, const u32 right) 1555 { 1556 switch (op) { 1557 case AUDIT_EQUAL: 1558 return (left == right); 1559 case AUDIT_NOT_EQUAL: 1560 return (left != right); 1561 case AUDIT_LESS_THAN: 1562 return (left < right); 1563 case AUDIT_LESS_THAN_OR_EQUAL: 1564 return (left <= right); 1565 case AUDIT_GREATER_THAN: 1566 return (left > right); 1567 case AUDIT_GREATER_THAN_OR_EQUAL: 1568 return (left >= right); 1569 } 1570 BUG(); 1571 return 0; 1572 } 1573 1574 /* Compare given dentry name with last component in given path, 1575 * return of 0 indicates a match. */ 1576 int audit_compare_dname_path(const char *dname, const char *path, 1577 int *dirlen) 1578 { 1579 int dlen, plen; 1580 const char *p; 1581 1582 if (!dname || !path) 1583 return 1; 1584 1585 dlen = strlen(dname); 1586 plen = strlen(path); 1587 if (plen < dlen) 1588 return 1; 1589 1590 /* disregard trailing slashes */ 1591 p = path + plen - 1; 1592 while ((*p == '/') && (p > path)) 1593 p--; 1594 1595 /* find last path component */ 1596 p = p - dlen + 1; 1597 if (p < path) 1598 return 1; 1599 else if (p > path) { 1600 if (*--p != '/') 1601 return 1; 1602 else 1603 p++; 1604 } 1605 1606 /* return length of path's directory component */ 1607 if (dirlen) 1608 *dirlen = p - path; 1609 return strncmp(p, dname, dlen); 1610 } 1611 1612 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1613 struct audit_krule *rule, 1614 enum audit_state *state) 1615 { 1616 int i; 1617 1618 for (i = 0; i < rule->field_count; i++) { 1619 struct audit_field *f = &rule->fields[i]; 1620 int result = 0; 1621 1622 switch (f->type) { 1623 case AUDIT_PID: 1624 result = audit_comparator(cb->creds.pid, f->op, f->val); 1625 break; 1626 case AUDIT_UID: 1627 result = audit_comparator(cb->creds.uid, f->op, f->val); 1628 break; 1629 case AUDIT_GID: 1630 result = audit_comparator(cb->creds.gid, f->op, f->val); 1631 break; 1632 case AUDIT_LOGINUID: 1633 result = audit_comparator(cb->loginuid, f->op, f->val); 1634 break; 1635 } 1636 1637 if (!result) 1638 return 0; 1639 } 1640 switch (rule->action) { 1641 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1642 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1643 } 1644 return 1; 1645 } 1646 1647 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1648 { 1649 enum audit_state state = AUDIT_DISABLED; 1650 struct audit_entry *e; 1651 int ret = 1; 1652 1653 rcu_read_lock(); 1654 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1655 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1656 if (state == AUDIT_DISABLED) 1657 ret = 0; 1658 break; 1659 } 1660 } 1661 rcu_read_unlock(); 1662 1663 return ret; /* Audit by default */ 1664 } 1665 1666 int audit_filter_type(int type) 1667 { 1668 struct audit_entry *e; 1669 int result = 0; 1670 1671 rcu_read_lock(); 1672 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1673 goto unlock_and_return; 1674 1675 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1676 list) { 1677 int i; 1678 for (i = 0; i < e->rule.field_count; i++) { 1679 struct audit_field *f = &e->rule.fields[i]; 1680 if (f->type == AUDIT_MSGTYPE) { 1681 result = audit_comparator(type, f->op, f->val); 1682 if (!result) 1683 break; 1684 } 1685 } 1686 if (result) 1687 goto unlock_and_return; 1688 } 1689 unlock_and_return: 1690 rcu_read_unlock(); 1691 return result; 1692 } 1693 1694 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1695 are selinux fields specified in the rule, 0 otherwise. */ 1696 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1697 { 1698 int i; 1699 1700 for (i = 0; i < rule->field_count; i++) { 1701 struct audit_field *f = &rule->fields[i]; 1702 switch (f->type) { 1703 case AUDIT_SUBJ_USER: 1704 case AUDIT_SUBJ_ROLE: 1705 case AUDIT_SUBJ_TYPE: 1706 case AUDIT_SUBJ_SEN: 1707 case AUDIT_SUBJ_CLR: 1708 case AUDIT_OBJ_USER: 1709 case AUDIT_OBJ_ROLE: 1710 case AUDIT_OBJ_TYPE: 1711 case AUDIT_OBJ_LEV_LOW: 1712 case AUDIT_OBJ_LEV_HIGH: 1713 return 1; 1714 } 1715 } 1716 1717 return 0; 1718 } 1719 1720 /* This function will re-initialize the se_rule field of all applicable rules. 1721 * It will traverse the filter lists serarching for rules that contain selinux 1722 * specific filter fields. When such a rule is found, it is copied, the 1723 * selinux field is re-initialized, and the old rule is replaced with the 1724 * updated rule. */ 1725 int selinux_audit_rule_update(void) 1726 { 1727 struct audit_entry *entry, *n, *nentry; 1728 struct audit_watch *watch; 1729 int i, err = 0; 1730 1731 /* audit_filter_mutex synchronizes the writers */ 1732 mutex_lock(&audit_filter_mutex); 1733 1734 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1735 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1736 if (!audit_rule_has_selinux(&entry->rule)) 1737 continue; 1738 1739 watch = entry->rule.watch; 1740 nentry = audit_dupe_rule(&entry->rule, watch); 1741 if (unlikely(IS_ERR(nentry))) { 1742 /* save the first error encountered for the 1743 * return value */ 1744 if (!err) 1745 err = PTR_ERR(nentry); 1746 audit_panic("error updating selinux filters"); 1747 if (watch) 1748 list_del(&entry->rule.rlist); 1749 list_del_rcu(&entry->list); 1750 } else { 1751 if (watch) { 1752 list_add(&nentry->rule.rlist, 1753 &watch->rules); 1754 list_del(&entry->rule.rlist); 1755 } 1756 list_replace_rcu(&entry->list, &nentry->list); 1757 } 1758 call_rcu(&entry->rcu, audit_free_rule_rcu); 1759 } 1760 } 1761 1762 mutex_unlock(&audit_filter_mutex); 1763 1764 return err; 1765 } 1766 1767 /* Update watch data in audit rules based on inotify events. */ 1768 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1769 u32 cookie, const char *dname, struct inode *inode) 1770 { 1771 struct audit_parent *parent; 1772 1773 parent = container_of(i_watch, struct audit_parent, wdata); 1774 1775 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1776 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1777 inode->i_ino, 0); 1778 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1779 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1780 /* inotify automatically removes the watch and sends IN_IGNORED */ 1781 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1782 audit_remove_parent_watches(parent); 1783 /* inotify does not remove the watch, so remove it manually */ 1784 else if(mask & IN_MOVE_SELF) { 1785 audit_remove_parent_watches(parent); 1786 inotify_remove_watch_locked(audit_ih, i_watch); 1787 } else if (mask & IN_IGNORED) 1788 put_inotify_watch(i_watch); 1789 } 1790