1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 23 24 #include <linux/kernel.h> 25 #include <linux/audit.h> 26 #include <linux/kthread.h> 27 #include <linux/mutex.h> 28 #include <linux/fs.h> 29 #include <linux/namei.h> 30 #include <linux/netlink.h> 31 #include <linux/sched.h> 32 #include <linux/slab.h> 33 #include <linux/security.h> 34 #include <net/net_namespace.h> 35 #include <net/sock.h> 36 #include "audit.h" 37 38 /* 39 * Locking model: 40 * 41 * audit_filter_mutex: 42 * Synchronizes writes and blocking reads of audit's filterlist 43 * data. Rcu is used to traverse the filterlist and access 44 * contents of structs audit_entry, audit_watch and opaque 45 * LSM rules during filtering. If modified, these structures 46 * must be copied and replace their counterparts in the filterlist. 47 * An audit_parent struct is not accessed during filtering, so may 48 * be written directly provided audit_filter_mutex is held. 49 */ 50 51 /* Audit filter lists, defined in <linux/audit.h> */ 52 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 53 LIST_HEAD_INIT(audit_filter_list[0]), 54 LIST_HEAD_INIT(audit_filter_list[1]), 55 LIST_HEAD_INIT(audit_filter_list[2]), 56 LIST_HEAD_INIT(audit_filter_list[3]), 57 LIST_HEAD_INIT(audit_filter_list[4]), 58 LIST_HEAD_INIT(audit_filter_list[5]), 59 #if AUDIT_NR_FILTERS != 6 60 #error Fix audit_filter_list initialiser 61 #endif 62 }; 63 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 64 LIST_HEAD_INIT(audit_rules_list[0]), 65 LIST_HEAD_INIT(audit_rules_list[1]), 66 LIST_HEAD_INIT(audit_rules_list[2]), 67 LIST_HEAD_INIT(audit_rules_list[3]), 68 LIST_HEAD_INIT(audit_rules_list[4]), 69 LIST_HEAD_INIT(audit_rules_list[5]), 70 }; 71 72 DEFINE_MUTEX(audit_filter_mutex); 73 74 static void audit_free_lsm_field(struct audit_field *f) 75 { 76 switch (f->type) { 77 case AUDIT_SUBJ_USER: 78 case AUDIT_SUBJ_ROLE: 79 case AUDIT_SUBJ_TYPE: 80 case AUDIT_SUBJ_SEN: 81 case AUDIT_SUBJ_CLR: 82 case AUDIT_OBJ_USER: 83 case AUDIT_OBJ_ROLE: 84 case AUDIT_OBJ_TYPE: 85 case AUDIT_OBJ_LEV_LOW: 86 case AUDIT_OBJ_LEV_HIGH: 87 kfree(f->lsm_str); 88 security_audit_rule_free(f->lsm_rule); 89 } 90 } 91 92 static inline void audit_free_rule(struct audit_entry *e) 93 { 94 int i; 95 struct audit_krule *erule = &e->rule; 96 97 /* some rules don't have associated watches */ 98 if (erule->watch) 99 audit_put_watch(erule->watch); 100 if (erule->fields) 101 for (i = 0; i < erule->field_count; i++) 102 audit_free_lsm_field(&erule->fields[i]); 103 kfree(erule->fields); 104 kfree(erule->filterkey); 105 kfree(e); 106 } 107 108 void audit_free_rule_rcu(struct rcu_head *head) 109 { 110 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 111 audit_free_rule(e); 112 } 113 114 /* Initialize an audit filterlist entry. */ 115 static inline struct audit_entry *audit_init_entry(u32 field_count) 116 { 117 struct audit_entry *entry; 118 struct audit_field *fields; 119 120 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 121 if (unlikely(!entry)) 122 return NULL; 123 124 fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL); 125 if (unlikely(!fields)) { 126 kfree(entry); 127 return NULL; 128 } 129 entry->rule.fields = fields; 130 131 return entry; 132 } 133 134 /* Unpack a filter field's string representation from user-space 135 * buffer. */ 136 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 137 { 138 char *str; 139 140 if (!*bufp || (len == 0) || (len > *remain)) 141 return ERR_PTR(-EINVAL); 142 143 /* Of the currently implemented string fields, PATH_MAX 144 * defines the longest valid length. 145 */ 146 if (len > PATH_MAX) 147 return ERR_PTR(-ENAMETOOLONG); 148 149 str = kmalloc(len + 1, GFP_KERNEL); 150 if (unlikely(!str)) 151 return ERR_PTR(-ENOMEM); 152 153 memcpy(str, *bufp, len); 154 str[len] = 0; 155 *bufp += len; 156 *remain -= len; 157 158 return str; 159 } 160 161 /* Translate an inode field to kernel representation. */ 162 static inline int audit_to_inode(struct audit_krule *krule, 163 struct audit_field *f) 164 { 165 if (krule->listnr != AUDIT_FILTER_EXIT || 166 krule->inode_f || krule->watch || krule->tree || 167 (f->op != Audit_equal && f->op != Audit_not_equal)) 168 return -EINVAL; 169 170 krule->inode_f = f; 171 return 0; 172 } 173 174 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 175 176 int __init audit_register_class(int class, unsigned *list) 177 { 178 __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL); 179 if (!p) 180 return -ENOMEM; 181 while (*list != ~0U) { 182 unsigned n = *list++; 183 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 184 kfree(p); 185 return -EINVAL; 186 } 187 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 188 } 189 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 190 kfree(p); 191 return -EINVAL; 192 } 193 classes[class] = p; 194 return 0; 195 } 196 197 int audit_match_class(int class, unsigned syscall) 198 { 199 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 200 return 0; 201 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 202 return 0; 203 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 204 } 205 206 #ifdef CONFIG_AUDITSYSCALL 207 static inline int audit_match_class_bits(int class, u32 *mask) 208 { 209 int i; 210 211 if (classes[class]) { 212 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 213 if (mask[i] & classes[class][i]) 214 return 0; 215 } 216 return 1; 217 } 218 219 static int audit_match_signal(struct audit_entry *entry) 220 { 221 struct audit_field *arch = entry->rule.arch_f; 222 223 if (!arch) { 224 /* When arch is unspecified, we must check both masks on biarch 225 * as syscall number alone is ambiguous. */ 226 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 227 entry->rule.mask) && 228 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 229 entry->rule.mask)); 230 } 231 232 switch(audit_classify_arch(arch->val)) { 233 case 0: /* native */ 234 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 235 entry->rule.mask)); 236 case 1: /* 32bit on biarch */ 237 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 238 entry->rule.mask)); 239 default: 240 return 1; 241 } 242 } 243 #endif 244 245 /* Common user-space to kernel rule translation. */ 246 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule) 247 { 248 unsigned listnr; 249 struct audit_entry *entry; 250 int i, err; 251 252 err = -EINVAL; 253 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 254 switch(listnr) { 255 default: 256 goto exit_err; 257 #ifdef CONFIG_AUDITSYSCALL 258 case AUDIT_FILTER_ENTRY: 259 if (rule->action == AUDIT_ALWAYS) 260 goto exit_err; 261 case AUDIT_FILTER_EXIT: 262 case AUDIT_FILTER_TASK: 263 #endif 264 case AUDIT_FILTER_USER: 265 case AUDIT_FILTER_TYPE: 266 ; 267 } 268 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 269 pr_err("AUDIT_POSSIBLE is deprecated\n"); 270 goto exit_err; 271 } 272 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 273 goto exit_err; 274 if (rule->field_count > AUDIT_MAX_FIELDS) 275 goto exit_err; 276 277 err = -ENOMEM; 278 entry = audit_init_entry(rule->field_count); 279 if (!entry) 280 goto exit_err; 281 282 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 283 entry->rule.listnr = listnr; 284 entry->rule.action = rule->action; 285 entry->rule.field_count = rule->field_count; 286 287 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 288 entry->rule.mask[i] = rule->mask[i]; 289 290 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 291 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 292 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 293 __u32 *class; 294 295 if (!(*p & AUDIT_BIT(bit))) 296 continue; 297 *p &= ~AUDIT_BIT(bit); 298 class = classes[i]; 299 if (class) { 300 int j; 301 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 302 entry->rule.mask[j] |= class[j]; 303 } 304 } 305 306 return entry; 307 308 exit_err: 309 return ERR_PTR(err); 310 } 311 312 static u32 audit_ops[] = 313 { 314 [Audit_equal] = AUDIT_EQUAL, 315 [Audit_not_equal] = AUDIT_NOT_EQUAL, 316 [Audit_bitmask] = AUDIT_BIT_MASK, 317 [Audit_bittest] = AUDIT_BIT_TEST, 318 [Audit_lt] = AUDIT_LESS_THAN, 319 [Audit_gt] = AUDIT_GREATER_THAN, 320 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 321 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 322 }; 323 324 static u32 audit_to_op(u32 op) 325 { 326 u32 n; 327 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 328 ; 329 return n; 330 } 331 332 /* check if an audit field is valid */ 333 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) 334 { 335 switch(f->type) { 336 case AUDIT_MSGTYPE: 337 if (entry->rule.listnr != AUDIT_FILTER_TYPE && 338 entry->rule.listnr != AUDIT_FILTER_USER) 339 return -EINVAL; 340 break; 341 } 342 343 switch(f->type) { 344 default: 345 return -EINVAL; 346 case AUDIT_UID: 347 case AUDIT_EUID: 348 case AUDIT_SUID: 349 case AUDIT_FSUID: 350 case AUDIT_LOGINUID: 351 case AUDIT_OBJ_UID: 352 case AUDIT_GID: 353 case AUDIT_EGID: 354 case AUDIT_SGID: 355 case AUDIT_FSGID: 356 case AUDIT_OBJ_GID: 357 case AUDIT_PID: 358 case AUDIT_PERS: 359 case AUDIT_MSGTYPE: 360 case AUDIT_PPID: 361 case AUDIT_DEVMAJOR: 362 case AUDIT_DEVMINOR: 363 case AUDIT_EXIT: 364 case AUDIT_SUCCESS: 365 case AUDIT_INODE: 366 case AUDIT_SESSIONID: 367 /* bit ops are only useful on syscall args */ 368 if (f->op == Audit_bitmask || f->op == Audit_bittest) 369 return -EINVAL; 370 break; 371 case AUDIT_ARG0: 372 case AUDIT_ARG1: 373 case AUDIT_ARG2: 374 case AUDIT_ARG3: 375 case AUDIT_SUBJ_USER: 376 case AUDIT_SUBJ_ROLE: 377 case AUDIT_SUBJ_TYPE: 378 case AUDIT_SUBJ_SEN: 379 case AUDIT_SUBJ_CLR: 380 case AUDIT_OBJ_USER: 381 case AUDIT_OBJ_ROLE: 382 case AUDIT_OBJ_TYPE: 383 case AUDIT_OBJ_LEV_LOW: 384 case AUDIT_OBJ_LEV_HIGH: 385 case AUDIT_WATCH: 386 case AUDIT_DIR: 387 case AUDIT_FILTERKEY: 388 break; 389 case AUDIT_LOGINUID_SET: 390 if ((f->val != 0) && (f->val != 1)) 391 return -EINVAL; 392 /* FALL THROUGH */ 393 case AUDIT_ARCH: 394 if (f->op != Audit_not_equal && f->op != Audit_equal) 395 return -EINVAL; 396 break; 397 case AUDIT_PERM: 398 if (f->val & ~15) 399 return -EINVAL; 400 break; 401 case AUDIT_FILETYPE: 402 if (f->val & ~S_IFMT) 403 return -EINVAL; 404 break; 405 case AUDIT_FIELD_COMPARE: 406 if (f->val > AUDIT_MAX_FIELD_COMPARE) 407 return -EINVAL; 408 break; 409 case AUDIT_EXE: 410 if (f->op != Audit_equal) 411 return -EINVAL; 412 if (entry->rule.listnr != AUDIT_FILTER_EXIT) 413 return -EINVAL; 414 break; 415 } 416 return 0; 417 } 418 419 /* Translate struct audit_rule_data to kernel's rule representation. */ 420 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 421 size_t datasz) 422 { 423 int err = 0; 424 struct audit_entry *entry; 425 void *bufp; 426 size_t remain = datasz - sizeof(struct audit_rule_data); 427 int i; 428 char *str; 429 struct audit_fsnotify_mark *audit_mark; 430 431 entry = audit_to_entry_common(data); 432 if (IS_ERR(entry)) 433 goto exit_nofree; 434 435 bufp = data->buf; 436 for (i = 0; i < data->field_count; i++) { 437 struct audit_field *f = &entry->rule.fields[i]; 438 439 err = -EINVAL; 440 441 f->op = audit_to_op(data->fieldflags[i]); 442 if (f->op == Audit_bad) 443 goto exit_free; 444 445 f->type = data->fields[i]; 446 f->val = data->values[i]; 447 448 /* Support legacy tests for a valid loginuid */ 449 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { 450 f->type = AUDIT_LOGINUID_SET; 451 f->val = 0; 452 entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; 453 } 454 455 err = audit_field_valid(entry, f); 456 if (err) 457 goto exit_free; 458 459 err = -EINVAL; 460 switch (f->type) { 461 case AUDIT_LOGINUID: 462 case AUDIT_UID: 463 case AUDIT_EUID: 464 case AUDIT_SUID: 465 case AUDIT_FSUID: 466 case AUDIT_OBJ_UID: 467 f->uid = make_kuid(current_user_ns(), f->val); 468 if (!uid_valid(f->uid)) 469 goto exit_free; 470 break; 471 case AUDIT_GID: 472 case AUDIT_EGID: 473 case AUDIT_SGID: 474 case AUDIT_FSGID: 475 case AUDIT_OBJ_GID: 476 f->gid = make_kgid(current_user_ns(), f->val); 477 if (!gid_valid(f->gid)) 478 goto exit_free; 479 break; 480 case AUDIT_SESSIONID: 481 case AUDIT_ARCH: 482 entry->rule.arch_f = f; 483 break; 484 case AUDIT_SUBJ_USER: 485 case AUDIT_SUBJ_ROLE: 486 case AUDIT_SUBJ_TYPE: 487 case AUDIT_SUBJ_SEN: 488 case AUDIT_SUBJ_CLR: 489 case AUDIT_OBJ_USER: 490 case AUDIT_OBJ_ROLE: 491 case AUDIT_OBJ_TYPE: 492 case AUDIT_OBJ_LEV_LOW: 493 case AUDIT_OBJ_LEV_HIGH: 494 str = audit_unpack_string(&bufp, &remain, f->val); 495 if (IS_ERR(str)) 496 goto exit_free; 497 entry->rule.buflen += f->val; 498 499 err = security_audit_rule_init(f->type, f->op, str, 500 (void **)&f->lsm_rule); 501 /* Keep currently invalid fields around in case they 502 * become valid after a policy reload. */ 503 if (err == -EINVAL) { 504 pr_warn("audit rule for LSM \'%s\' is invalid\n", 505 str); 506 err = 0; 507 } 508 if (err) { 509 kfree(str); 510 goto exit_free; 511 } else 512 f->lsm_str = str; 513 break; 514 case AUDIT_WATCH: 515 str = audit_unpack_string(&bufp, &remain, f->val); 516 if (IS_ERR(str)) 517 goto exit_free; 518 entry->rule.buflen += f->val; 519 520 err = audit_to_watch(&entry->rule, str, f->val, f->op); 521 if (err) { 522 kfree(str); 523 goto exit_free; 524 } 525 break; 526 case AUDIT_DIR: 527 str = audit_unpack_string(&bufp, &remain, f->val); 528 if (IS_ERR(str)) 529 goto exit_free; 530 entry->rule.buflen += f->val; 531 532 err = audit_make_tree(&entry->rule, str, f->op); 533 kfree(str); 534 if (err) 535 goto exit_free; 536 break; 537 case AUDIT_INODE: 538 err = audit_to_inode(&entry->rule, f); 539 if (err) 540 goto exit_free; 541 break; 542 case AUDIT_FILTERKEY: 543 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 544 goto exit_free; 545 str = audit_unpack_string(&bufp, &remain, f->val); 546 if (IS_ERR(str)) 547 goto exit_free; 548 entry->rule.buflen += f->val; 549 entry->rule.filterkey = str; 550 break; 551 case AUDIT_EXE: 552 if (entry->rule.exe || f->val > PATH_MAX) 553 goto exit_free; 554 str = audit_unpack_string(&bufp, &remain, f->val); 555 if (IS_ERR(str)) { 556 err = PTR_ERR(str); 557 goto exit_free; 558 } 559 entry->rule.buflen += f->val; 560 561 audit_mark = audit_alloc_mark(&entry->rule, str, f->val); 562 if (IS_ERR(audit_mark)) { 563 kfree(str); 564 err = PTR_ERR(audit_mark); 565 goto exit_free; 566 } 567 entry->rule.exe = audit_mark; 568 break; 569 } 570 } 571 572 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 573 entry->rule.inode_f = NULL; 574 575 exit_nofree: 576 return entry; 577 578 exit_free: 579 if (entry->rule.tree) 580 audit_put_tree(entry->rule.tree); /* that's the temporary one */ 581 if (entry->rule.exe) 582 audit_remove_mark(entry->rule.exe); /* that's the template one */ 583 audit_free_rule(entry); 584 return ERR_PTR(err); 585 } 586 587 /* Pack a filter field's string representation into data block. */ 588 static inline size_t audit_pack_string(void **bufp, const char *str) 589 { 590 size_t len = strlen(str); 591 592 memcpy(*bufp, str, len); 593 *bufp += len; 594 595 return len; 596 } 597 598 /* Translate kernel rule representation to struct audit_rule_data. */ 599 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 600 { 601 struct audit_rule_data *data; 602 void *bufp; 603 int i; 604 605 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 606 if (unlikely(!data)) 607 return NULL; 608 memset(data, 0, sizeof(*data)); 609 610 data->flags = krule->flags | krule->listnr; 611 data->action = krule->action; 612 data->field_count = krule->field_count; 613 bufp = data->buf; 614 for (i = 0; i < data->field_count; i++) { 615 struct audit_field *f = &krule->fields[i]; 616 617 data->fields[i] = f->type; 618 data->fieldflags[i] = audit_ops[f->op]; 619 switch(f->type) { 620 case AUDIT_SUBJ_USER: 621 case AUDIT_SUBJ_ROLE: 622 case AUDIT_SUBJ_TYPE: 623 case AUDIT_SUBJ_SEN: 624 case AUDIT_SUBJ_CLR: 625 case AUDIT_OBJ_USER: 626 case AUDIT_OBJ_ROLE: 627 case AUDIT_OBJ_TYPE: 628 case AUDIT_OBJ_LEV_LOW: 629 case AUDIT_OBJ_LEV_HIGH: 630 data->buflen += data->values[i] = 631 audit_pack_string(&bufp, f->lsm_str); 632 break; 633 case AUDIT_WATCH: 634 data->buflen += data->values[i] = 635 audit_pack_string(&bufp, 636 audit_watch_path(krule->watch)); 637 break; 638 case AUDIT_DIR: 639 data->buflen += data->values[i] = 640 audit_pack_string(&bufp, 641 audit_tree_path(krule->tree)); 642 break; 643 case AUDIT_FILTERKEY: 644 data->buflen += data->values[i] = 645 audit_pack_string(&bufp, krule->filterkey); 646 break; 647 case AUDIT_EXE: 648 data->buflen += data->values[i] = 649 audit_pack_string(&bufp, audit_mark_path(krule->exe)); 650 break; 651 case AUDIT_LOGINUID_SET: 652 if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { 653 data->fields[i] = AUDIT_LOGINUID; 654 data->values[i] = AUDIT_UID_UNSET; 655 break; 656 } 657 /* fallthrough if set */ 658 default: 659 data->values[i] = f->val; 660 } 661 } 662 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 663 664 return data; 665 } 666 667 /* Compare two rules in kernel format. Considered success if rules 668 * don't match. */ 669 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 670 { 671 int i; 672 673 if (a->flags != b->flags || 674 a->pflags != b->pflags || 675 a->listnr != b->listnr || 676 a->action != b->action || 677 a->field_count != b->field_count) 678 return 1; 679 680 for (i = 0; i < a->field_count; i++) { 681 if (a->fields[i].type != b->fields[i].type || 682 a->fields[i].op != b->fields[i].op) 683 return 1; 684 685 switch(a->fields[i].type) { 686 case AUDIT_SUBJ_USER: 687 case AUDIT_SUBJ_ROLE: 688 case AUDIT_SUBJ_TYPE: 689 case AUDIT_SUBJ_SEN: 690 case AUDIT_SUBJ_CLR: 691 case AUDIT_OBJ_USER: 692 case AUDIT_OBJ_ROLE: 693 case AUDIT_OBJ_TYPE: 694 case AUDIT_OBJ_LEV_LOW: 695 case AUDIT_OBJ_LEV_HIGH: 696 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 697 return 1; 698 break; 699 case AUDIT_WATCH: 700 if (strcmp(audit_watch_path(a->watch), 701 audit_watch_path(b->watch))) 702 return 1; 703 break; 704 case AUDIT_DIR: 705 if (strcmp(audit_tree_path(a->tree), 706 audit_tree_path(b->tree))) 707 return 1; 708 break; 709 case AUDIT_FILTERKEY: 710 /* both filterkeys exist based on above type compare */ 711 if (strcmp(a->filterkey, b->filterkey)) 712 return 1; 713 break; 714 case AUDIT_EXE: 715 /* both paths exist based on above type compare */ 716 if (strcmp(audit_mark_path(a->exe), 717 audit_mark_path(b->exe))) 718 return 1; 719 break; 720 case AUDIT_UID: 721 case AUDIT_EUID: 722 case AUDIT_SUID: 723 case AUDIT_FSUID: 724 case AUDIT_LOGINUID: 725 case AUDIT_OBJ_UID: 726 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 727 return 1; 728 break; 729 case AUDIT_GID: 730 case AUDIT_EGID: 731 case AUDIT_SGID: 732 case AUDIT_FSGID: 733 case AUDIT_OBJ_GID: 734 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 735 return 1; 736 break; 737 default: 738 if (a->fields[i].val != b->fields[i].val) 739 return 1; 740 } 741 } 742 743 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 744 if (a->mask[i] != b->mask[i]) 745 return 1; 746 747 return 0; 748 } 749 750 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 751 * re-initialized. */ 752 static inline int audit_dupe_lsm_field(struct audit_field *df, 753 struct audit_field *sf) 754 { 755 int ret = 0; 756 char *lsm_str; 757 758 /* our own copy of lsm_str */ 759 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 760 if (unlikely(!lsm_str)) 761 return -ENOMEM; 762 df->lsm_str = lsm_str; 763 764 /* our own (refreshed) copy of lsm_rule */ 765 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 766 (void **)&df->lsm_rule); 767 /* Keep currently invalid fields around in case they 768 * become valid after a policy reload. */ 769 if (ret == -EINVAL) { 770 pr_warn("audit rule for LSM \'%s\' is invalid\n", 771 df->lsm_str); 772 ret = 0; 773 } 774 775 return ret; 776 } 777 778 /* Duplicate an audit rule. This will be a deep copy with the exception 779 * of the watch - that pointer is carried over. The LSM specific fields 780 * will be updated in the copy. The point is to be able to replace the old 781 * rule with the new rule in the filterlist, then free the old rule. 782 * The rlist element is undefined; list manipulations are handled apart from 783 * the initial copy. */ 784 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 785 { 786 u32 fcount = old->field_count; 787 struct audit_entry *entry; 788 struct audit_krule *new; 789 char *fk; 790 int i, err = 0; 791 792 entry = audit_init_entry(fcount); 793 if (unlikely(!entry)) 794 return ERR_PTR(-ENOMEM); 795 796 new = &entry->rule; 797 new->flags = old->flags; 798 new->pflags = old->pflags; 799 new->listnr = old->listnr; 800 new->action = old->action; 801 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 802 new->mask[i] = old->mask[i]; 803 new->prio = old->prio; 804 new->buflen = old->buflen; 805 new->inode_f = old->inode_f; 806 new->field_count = old->field_count; 807 808 /* 809 * note that we are OK with not refcounting here; audit_match_tree() 810 * never dereferences tree and we can't get false positives there 811 * since we'd have to have rule gone from the list *and* removed 812 * before the chunks found by lookup had been allocated, i.e. before 813 * the beginning of list scan. 814 */ 815 new->tree = old->tree; 816 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 817 818 /* deep copy this information, updating the lsm_rule fields, because 819 * the originals will all be freed when the old rule is freed. */ 820 for (i = 0; i < fcount; i++) { 821 switch (new->fields[i].type) { 822 case AUDIT_SUBJ_USER: 823 case AUDIT_SUBJ_ROLE: 824 case AUDIT_SUBJ_TYPE: 825 case AUDIT_SUBJ_SEN: 826 case AUDIT_SUBJ_CLR: 827 case AUDIT_OBJ_USER: 828 case AUDIT_OBJ_ROLE: 829 case AUDIT_OBJ_TYPE: 830 case AUDIT_OBJ_LEV_LOW: 831 case AUDIT_OBJ_LEV_HIGH: 832 err = audit_dupe_lsm_field(&new->fields[i], 833 &old->fields[i]); 834 break; 835 case AUDIT_FILTERKEY: 836 fk = kstrdup(old->filterkey, GFP_KERNEL); 837 if (unlikely(!fk)) 838 err = -ENOMEM; 839 else 840 new->filterkey = fk; 841 break; 842 case AUDIT_EXE: 843 err = audit_dupe_exe(new, old); 844 break; 845 } 846 if (err) { 847 if (new->exe) 848 audit_remove_mark(new->exe); 849 audit_free_rule(entry); 850 return ERR_PTR(err); 851 } 852 } 853 854 if (old->watch) { 855 audit_get_watch(old->watch); 856 new->watch = old->watch; 857 } 858 859 return entry; 860 } 861 862 /* Find an existing audit rule. 863 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 864 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 865 struct list_head **p) 866 { 867 struct audit_entry *e, *found = NULL; 868 struct list_head *list; 869 int h; 870 871 if (entry->rule.inode_f) { 872 h = audit_hash_ino(entry->rule.inode_f->val); 873 *p = list = &audit_inode_hash[h]; 874 } else if (entry->rule.watch) { 875 /* we don't know the inode number, so must walk entire hash */ 876 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 877 list = &audit_inode_hash[h]; 878 list_for_each_entry(e, list, list) 879 if (!audit_compare_rule(&entry->rule, &e->rule)) { 880 found = e; 881 goto out; 882 } 883 } 884 goto out; 885 } else { 886 *p = list = &audit_filter_list[entry->rule.listnr]; 887 } 888 889 list_for_each_entry(e, list, list) 890 if (!audit_compare_rule(&entry->rule, &e->rule)) { 891 found = e; 892 goto out; 893 } 894 895 out: 896 return found; 897 } 898 899 static u64 prio_low = ~0ULL/2; 900 static u64 prio_high = ~0ULL/2 - 1; 901 902 /* Add rule to given filterlist if not a duplicate. */ 903 static inline int audit_add_rule(struct audit_entry *entry) 904 { 905 struct audit_entry *e; 906 struct audit_watch *watch = entry->rule.watch; 907 struct audit_tree *tree = entry->rule.tree; 908 struct list_head *list; 909 int err = 0; 910 #ifdef CONFIG_AUDITSYSCALL 911 int dont_count = 0; 912 913 /* If either of these, don't count towards total */ 914 if (entry->rule.listnr == AUDIT_FILTER_USER || 915 entry->rule.listnr == AUDIT_FILTER_TYPE) 916 dont_count = 1; 917 #endif 918 919 mutex_lock(&audit_filter_mutex); 920 e = audit_find_rule(entry, &list); 921 if (e) { 922 mutex_unlock(&audit_filter_mutex); 923 err = -EEXIST; 924 /* normally audit_add_tree_rule() will free it on failure */ 925 if (tree) 926 audit_put_tree(tree); 927 return err; 928 } 929 930 if (watch) { 931 /* audit_filter_mutex is dropped and re-taken during this call */ 932 err = audit_add_watch(&entry->rule, &list); 933 if (err) { 934 mutex_unlock(&audit_filter_mutex); 935 /* 936 * normally audit_add_tree_rule() will free it 937 * on failure 938 */ 939 if (tree) 940 audit_put_tree(tree); 941 return err; 942 } 943 } 944 if (tree) { 945 err = audit_add_tree_rule(&entry->rule); 946 if (err) { 947 mutex_unlock(&audit_filter_mutex); 948 return err; 949 } 950 } 951 952 entry->rule.prio = ~0ULL; 953 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 954 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 955 entry->rule.prio = ++prio_high; 956 else 957 entry->rule.prio = --prio_low; 958 } 959 960 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 961 list_add(&entry->rule.list, 962 &audit_rules_list[entry->rule.listnr]); 963 list_add_rcu(&entry->list, list); 964 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 965 } else { 966 list_add_tail(&entry->rule.list, 967 &audit_rules_list[entry->rule.listnr]); 968 list_add_tail_rcu(&entry->list, list); 969 } 970 #ifdef CONFIG_AUDITSYSCALL 971 if (!dont_count) 972 audit_n_rules++; 973 974 if (!audit_match_signal(entry)) 975 audit_signals++; 976 #endif 977 mutex_unlock(&audit_filter_mutex); 978 979 return err; 980 } 981 982 /* Remove an existing rule from filterlist. */ 983 int audit_del_rule(struct audit_entry *entry) 984 { 985 struct audit_entry *e; 986 struct audit_tree *tree = entry->rule.tree; 987 struct list_head *list; 988 int ret = 0; 989 #ifdef CONFIG_AUDITSYSCALL 990 int dont_count = 0; 991 992 /* If either of these, don't count towards total */ 993 if (entry->rule.listnr == AUDIT_FILTER_USER || 994 entry->rule.listnr == AUDIT_FILTER_TYPE) 995 dont_count = 1; 996 #endif 997 998 mutex_lock(&audit_filter_mutex); 999 e = audit_find_rule(entry, &list); 1000 if (!e) { 1001 ret = -ENOENT; 1002 goto out; 1003 } 1004 1005 if (e->rule.watch) 1006 audit_remove_watch_rule(&e->rule); 1007 1008 if (e->rule.tree) 1009 audit_remove_tree_rule(&e->rule); 1010 1011 if (e->rule.exe) 1012 audit_remove_mark_rule(&e->rule); 1013 1014 #ifdef CONFIG_AUDITSYSCALL 1015 if (!dont_count) 1016 audit_n_rules--; 1017 1018 if (!audit_match_signal(entry)) 1019 audit_signals--; 1020 #endif 1021 1022 list_del_rcu(&e->list); 1023 list_del(&e->rule.list); 1024 call_rcu(&e->rcu, audit_free_rule_rcu); 1025 1026 out: 1027 mutex_unlock(&audit_filter_mutex); 1028 1029 if (tree) 1030 audit_put_tree(tree); /* that's the temporary one */ 1031 1032 return ret; 1033 } 1034 1035 /* List rules using struct audit_rule_data. */ 1036 static void audit_list_rules(int seq, struct sk_buff_head *q) 1037 { 1038 struct sk_buff *skb; 1039 struct audit_krule *r; 1040 int i; 1041 1042 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1043 * iterator to sync with list writers. */ 1044 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1045 list_for_each_entry(r, &audit_rules_list[i], list) { 1046 struct audit_rule_data *data; 1047 1048 data = audit_krule_to_data(r); 1049 if (unlikely(!data)) 1050 break; 1051 skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1, 1052 data, 1053 sizeof(*data) + data->buflen); 1054 if (skb) 1055 skb_queue_tail(q, skb); 1056 kfree(data); 1057 } 1058 } 1059 skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1060 if (skb) 1061 skb_queue_tail(q, skb); 1062 } 1063 1064 /* Log rule additions and removals */ 1065 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) 1066 { 1067 struct audit_buffer *ab; 1068 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1069 unsigned int sessionid = audit_get_sessionid(current); 1070 1071 if (!audit_enabled) 1072 return; 1073 1074 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1075 if (!ab) 1076 return; 1077 audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); 1078 audit_log_task_context(ab); 1079 audit_log_format(ab, " op=%s", action); 1080 audit_log_key(ab, rule->filterkey); 1081 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1082 audit_log_end(ab); 1083 } 1084 1085 /** 1086 * audit_rule_change - apply all rules to the specified message type 1087 * @type: audit message type 1088 * @seq: netlink audit message sequence (serial) number 1089 * @data: payload data 1090 * @datasz: size of payload data 1091 */ 1092 int audit_rule_change(int type, int seq, void *data, size_t datasz) 1093 { 1094 int err = 0; 1095 struct audit_entry *entry; 1096 1097 entry = audit_data_to_entry(data, datasz); 1098 if (IS_ERR(entry)) 1099 return PTR_ERR(entry); 1100 1101 switch (type) { 1102 case AUDIT_ADD_RULE: 1103 err = audit_add_rule(entry); 1104 audit_log_rule_change("add_rule", &entry->rule, !err); 1105 break; 1106 case AUDIT_DEL_RULE: 1107 err = audit_del_rule(entry); 1108 audit_log_rule_change("remove_rule", &entry->rule, !err); 1109 break; 1110 default: 1111 err = -EINVAL; 1112 WARN_ON(1); 1113 } 1114 1115 if (err || type == AUDIT_DEL_RULE) { 1116 if (entry->rule.exe) 1117 audit_remove_mark(entry->rule.exe); 1118 audit_free_rule(entry); 1119 } 1120 1121 return err; 1122 } 1123 1124 /** 1125 * audit_list_rules_send - list the audit rules 1126 * @request_skb: skb of request we are replying to (used to target the reply) 1127 * @seq: netlink audit message sequence (serial) number 1128 */ 1129 int audit_list_rules_send(struct sk_buff *request_skb, int seq) 1130 { 1131 u32 portid = NETLINK_CB(request_skb).portid; 1132 struct net *net = sock_net(NETLINK_CB(request_skb).sk); 1133 struct task_struct *tsk; 1134 struct audit_netlink_list *dest; 1135 int err = 0; 1136 1137 /* We can't just spew out the rules here because we might fill 1138 * the available socket buffer space and deadlock waiting for 1139 * auditctl to read from it... which isn't ever going to 1140 * happen if we're actually running in the context of auditctl 1141 * trying to _send_ the stuff */ 1142 1143 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1144 if (!dest) 1145 return -ENOMEM; 1146 dest->net = get_net(net); 1147 dest->portid = portid; 1148 skb_queue_head_init(&dest->q); 1149 1150 mutex_lock(&audit_filter_mutex); 1151 audit_list_rules(seq, &dest->q); 1152 mutex_unlock(&audit_filter_mutex); 1153 1154 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1155 if (IS_ERR(tsk)) { 1156 skb_queue_purge(&dest->q); 1157 kfree(dest); 1158 err = PTR_ERR(tsk); 1159 } 1160 1161 return err; 1162 } 1163 1164 int audit_comparator(u32 left, u32 op, u32 right) 1165 { 1166 switch (op) { 1167 case Audit_equal: 1168 return (left == right); 1169 case Audit_not_equal: 1170 return (left != right); 1171 case Audit_lt: 1172 return (left < right); 1173 case Audit_le: 1174 return (left <= right); 1175 case Audit_gt: 1176 return (left > right); 1177 case Audit_ge: 1178 return (left >= right); 1179 case Audit_bitmask: 1180 return (left & right); 1181 case Audit_bittest: 1182 return ((left & right) == right); 1183 default: 1184 BUG(); 1185 return 0; 1186 } 1187 } 1188 1189 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1190 { 1191 switch (op) { 1192 case Audit_equal: 1193 return uid_eq(left, right); 1194 case Audit_not_equal: 1195 return !uid_eq(left, right); 1196 case Audit_lt: 1197 return uid_lt(left, right); 1198 case Audit_le: 1199 return uid_lte(left, right); 1200 case Audit_gt: 1201 return uid_gt(left, right); 1202 case Audit_ge: 1203 return uid_gte(left, right); 1204 case Audit_bitmask: 1205 case Audit_bittest: 1206 default: 1207 BUG(); 1208 return 0; 1209 } 1210 } 1211 1212 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1213 { 1214 switch (op) { 1215 case Audit_equal: 1216 return gid_eq(left, right); 1217 case Audit_not_equal: 1218 return !gid_eq(left, right); 1219 case Audit_lt: 1220 return gid_lt(left, right); 1221 case Audit_le: 1222 return gid_lte(left, right); 1223 case Audit_gt: 1224 return gid_gt(left, right); 1225 case Audit_ge: 1226 return gid_gte(left, right); 1227 case Audit_bitmask: 1228 case Audit_bittest: 1229 default: 1230 BUG(); 1231 return 0; 1232 } 1233 } 1234 1235 /** 1236 * parent_len - find the length of the parent portion of a pathname 1237 * @path: pathname of which to determine length 1238 */ 1239 int parent_len(const char *path) 1240 { 1241 int plen; 1242 const char *p; 1243 1244 plen = strlen(path); 1245 1246 if (plen == 0) 1247 return plen; 1248 1249 /* disregard trailing slashes */ 1250 p = path + plen - 1; 1251 while ((*p == '/') && (p > path)) 1252 p--; 1253 1254 /* walk backward until we find the next slash or hit beginning */ 1255 while ((*p != '/') && (p > path)) 1256 p--; 1257 1258 /* did we find a slash? Then increment to include it in path */ 1259 if (*p == '/') 1260 p++; 1261 1262 return p - path; 1263 } 1264 1265 /** 1266 * audit_compare_dname_path - compare given dentry name with last component in 1267 * given path. Return of 0 indicates a match. 1268 * @dname: dentry name that we're comparing 1269 * @path: full pathname that we're comparing 1270 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1271 * here indicates that we must compute this value. 1272 */ 1273 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1274 { 1275 int dlen, pathlen; 1276 const char *p; 1277 1278 dlen = strlen(dname); 1279 pathlen = strlen(path); 1280 if (pathlen < dlen) 1281 return 1; 1282 1283 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1284 if (pathlen - parentlen != dlen) 1285 return 1; 1286 1287 p = path + parentlen; 1288 1289 return strncmp(p, dname, dlen); 1290 } 1291 1292 int audit_filter(int msgtype, unsigned int listtype) 1293 { 1294 struct audit_entry *e; 1295 int ret = 1; /* Audit by default */ 1296 1297 rcu_read_lock(); 1298 if (list_empty(&audit_filter_list[listtype])) 1299 goto unlock_and_return; 1300 list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) { 1301 int i, result = 0; 1302 1303 for (i = 0; i < e->rule.field_count; i++) { 1304 struct audit_field *f = &e->rule.fields[i]; 1305 pid_t pid; 1306 u32 sid; 1307 1308 switch (f->type) { 1309 case AUDIT_PID: 1310 pid = task_pid_nr(current); 1311 result = audit_comparator(pid, f->op, f->val); 1312 break; 1313 case AUDIT_UID: 1314 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1315 break; 1316 case AUDIT_GID: 1317 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1318 break; 1319 case AUDIT_LOGINUID: 1320 result = audit_uid_comparator(audit_get_loginuid(current), 1321 f->op, f->uid); 1322 break; 1323 case AUDIT_LOGINUID_SET: 1324 result = audit_comparator(audit_loginuid_set(current), 1325 f->op, f->val); 1326 break; 1327 case AUDIT_MSGTYPE: 1328 result = audit_comparator(msgtype, f->op, f->val); 1329 break; 1330 case AUDIT_SUBJ_USER: 1331 case AUDIT_SUBJ_ROLE: 1332 case AUDIT_SUBJ_TYPE: 1333 case AUDIT_SUBJ_SEN: 1334 case AUDIT_SUBJ_CLR: 1335 if (f->lsm_rule) { 1336 security_task_getsecid(current, &sid); 1337 result = security_audit_rule_match(sid, 1338 f->type, f->op, f->lsm_rule, NULL); 1339 } 1340 break; 1341 default: 1342 goto unlock_and_return; 1343 } 1344 if (result < 0) /* error */ 1345 goto unlock_and_return; 1346 if (!result) 1347 break; 1348 } 1349 if (result > 0) { 1350 if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE) 1351 ret = 0; 1352 break; 1353 } 1354 } 1355 unlock_and_return: 1356 rcu_read_unlock(); 1357 return ret; 1358 } 1359 1360 static int update_lsm_rule(struct audit_krule *r) 1361 { 1362 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1363 struct audit_entry *nentry; 1364 int err = 0; 1365 1366 if (!security_audit_rule_known(r)) 1367 return 0; 1368 1369 nentry = audit_dupe_rule(r); 1370 if (entry->rule.exe) 1371 audit_remove_mark(entry->rule.exe); 1372 if (IS_ERR(nentry)) { 1373 /* save the first error encountered for the 1374 * return value */ 1375 err = PTR_ERR(nentry); 1376 audit_panic("error updating LSM filters"); 1377 if (r->watch) 1378 list_del(&r->rlist); 1379 list_del_rcu(&entry->list); 1380 list_del(&r->list); 1381 } else { 1382 if (r->watch || r->tree) 1383 list_replace_init(&r->rlist, &nentry->rule.rlist); 1384 list_replace_rcu(&entry->list, &nentry->list); 1385 list_replace(&r->list, &nentry->rule.list); 1386 } 1387 call_rcu(&entry->rcu, audit_free_rule_rcu); 1388 1389 return err; 1390 } 1391 1392 /* This function will re-initialize the lsm_rule field of all applicable rules. 1393 * It will traverse the filter lists serarching for rules that contain LSM 1394 * specific filter fields. When such a rule is found, it is copied, the 1395 * LSM field is re-initialized, and the old rule is replaced with the 1396 * updated rule. */ 1397 int audit_update_lsm_rules(void) 1398 { 1399 struct audit_krule *r, *n; 1400 int i, err = 0; 1401 1402 /* audit_filter_mutex synchronizes the writers */ 1403 mutex_lock(&audit_filter_mutex); 1404 1405 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1406 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1407 int res = update_lsm_rule(r); 1408 if (!err) 1409 err = res; 1410 } 1411 } 1412 mutex_unlock(&audit_filter_mutex); 1413 1414 return err; 1415 } 1416