1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* Audit filter lists, defined in <linux/audit.h> */ 48 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 49 LIST_HEAD_INIT(audit_filter_list[0]), 50 LIST_HEAD_INIT(audit_filter_list[1]), 51 LIST_HEAD_INIT(audit_filter_list[2]), 52 LIST_HEAD_INIT(audit_filter_list[3]), 53 LIST_HEAD_INIT(audit_filter_list[4]), 54 LIST_HEAD_INIT(audit_filter_list[5]), 55 #if AUDIT_NR_FILTERS != 6 56 #error Fix audit_filter_list initialiser 57 #endif 58 }; 59 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 60 LIST_HEAD_INIT(audit_rules_list[0]), 61 LIST_HEAD_INIT(audit_rules_list[1]), 62 LIST_HEAD_INIT(audit_rules_list[2]), 63 LIST_HEAD_INIT(audit_rules_list[3]), 64 LIST_HEAD_INIT(audit_rules_list[4]), 65 LIST_HEAD_INIT(audit_rules_list[5]), 66 }; 67 68 DEFINE_MUTEX(audit_filter_mutex); 69 70 static inline void audit_free_rule(struct audit_entry *e) 71 { 72 int i; 73 struct audit_krule *erule = &e->rule; 74 75 /* some rules don't have associated watches */ 76 if (erule->watch) 77 audit_put_watch(erule->watch); 78 if (erule->fields) 79 for (i = 0; i < erule->field_count; i++) { 80 struct audit_field *f = &erule->fields[i]; 81 kfree(f->lsm_str); 82 security_audit_rule_free(f->lsm_rule); 83 } 84 kfree(erule->fields); 85 kfree(erule->filterkey); 86 kfree(e); 87 } 88 89 void audit_free_rule_rcu(struct rcu_head *head) 90 { 91 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 92 audit_free_rule(e); 93 } 94 95 /* Initialize an audit filterlist entry. */ 96 static inline struct audit_entry *audit_init_entry(u32 field_count) 97 { 98 struct audit_entry *entry; 99 struct audit_field *fields; 100 101 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 102 if (unlikely(!entry)) 103 return NULL; 104 105 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 106 if (unlikely(!fields)) { 107 kfree(entry); 108 return NULL; 109 } 110 entry->rule.fields = fields; 111 112 return entry; 113 } 114 115 /* Unpack a filter field's string representation from user-space 116 * buffer. */ 117 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 118 { 119 char *str; 120 121 if (!*bufp || (len == 0) || (len > *remain)) 122 return ERR_PTR(-EINVAL); 123 124 /* Of the currently implemented string fields, PATH_MAX 125 * defines the longest valid length. 126 */ 127 if (len > PATH_MAX) 128 return ERR_PTR(-ENAMETOOLONG); 129 130 str = kmalloc(len + 1, GFP_KERNEL); 131 if (unlikely(!str)) 132 return ERR_PTR(-ENOMEM); 133 134 memcpy(str, *bufp, len); 135 str[len] = 0; 136 *bufp += len; 137 *remain -= len; 138 139 return str; 140 } 141 142 /* Translate an inode field to kernel respresentation. */ 143 static inline int audit_to_inode(struct audit_krule *krule, 144 struct audit_field *f) 145 { 146 if (krule->listnr != AUDIT_FILTER_EXIT || 147 krule->watch || krule->inode_f || krule->tree || 148 (f->op != Audit_equal && f->op != Audit_not_equal)) 149 return -EINVAL; 150 151 krule->inode_f = f; 152 return 0; 153 } 154 155 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 156 157 int __init audit_register_class(int class, unsigned *list) 158 { 159 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 160 if (!p) 161 return -ENOMEM; 162 while (*list != ~0U) { 163 unsigned n = *list++; 164 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 165 kfree(p); 166 return -EINVAL; 167 } 168 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 169 } 170 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 171 kfree(p); 172 return -EINVAL; 173 } 174 classes[class] = p; 175 return 0; 176 } 177 178 int audit_match_class(int class, unsigned syscall) 179 { 180 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 181 return 0; 182 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 183 return 0; 184 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 185 } 186 187 #ifdef CONFIG_AUDITSYSCALL 188 static inline int audit_match_class_bits(int class, u32 *mask) 189 { 190 int i; 191 192 if (classes[class]) { 193 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 194 if (mask[i] & classes[class][i]) 195 return 0; 196 } 197 return 1; 198 } 199 200 static int audit_match_signal(struct audit_entry *entry) 201 { 202 struct audit_field *arch = entry->rule.arch_f; 203 204 if (!arch) { 205 /* When arch is unspecified, we must check both masks on biarch 206 * as syscall number alone is ambiguous. */ 207 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 208 entry->rule.mask) && 209 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 210 entry->rule.mask)); 211 } 212 213 switch(audit_classify_arch(arch->val)) { 214 case 0: /* native */ 215 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 216 entry->rule.mask)); 217 case 1: /* 32bit on biarch */ 218 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 219 entry->rule.mask)); 220 default: 221 return 1; 222 } 223 } 224 #endif 225 226 /* Common user-space to kernel rule translation. */ 227 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 228 { 229 unsigned listnr; 230 struct audit_entry *entry; 231 int i, err; 232 233 err = -EINVAL; 234 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 235 switch(listnr) { 236 default: 237 goto exit_err; 238 #ifdef CONFIG_AUDITSYSCALL 239 case AUDIT_FILTER_ENTRY: 240 if (rule->action == AUDIT_ALWAYS) 241 goto exit_err; 242 case AUDIT_FILTER_EXIT: 243 case AUDIT_FILTER_TASK: 244 #endif 245 case AUDIT_FILTER_USER: 246 case AUDIT_FILTER_TYPE: 247 ; 248 } 249 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 250 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 251 goto exit_err; 252 } 253 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 254 goto exit_err; 255 if (rule->field_count > AUDIT_MAX_FIELDS) 256 goto exit_err; 257 258 err = -ENOMEM; 259 entry = audit_init_entry(rule->field_count); 260 if (!entry) 261 goto exit_err; 262 263 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 264 entry->rule.listnr = listnr; 265 entry->rule.action = rule->action; 266 entry->rule.field_count = rule->field_count; 267 268 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 269 entry->rule.mask[i] = rule->mask[i]; 270 271 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 272 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 273 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 274 __u32 *class; 275 276 if (!(*p & AUDIT_BIT(bit))) 277 continue; 278 *p &= ~AUDIT_BIT(bit); 279 class = classes[i]; 280 if (class) { 281 int j; 282 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 283 entry->rule.mask[j] |= class[j]; 284 } 285 } 286 287 return entry; 288 289 exit_err: 290 return ERR_PTR(err); 291 } 292 293 static u32 audit_ops[] = 294 { 295 [Audit_equal] = AUDIT_EQUAL, 296 [Audit_not_equal] = AUDIT_NOT_EQUAL, 297 [Audit_bitmask] = AUDIT_BIT_MASK, 298 [Audit_bittest] = AUDIT_BIT_TEST, 299 [Audit_lt] = AUDIT_LESS_THAN, 300 [Audit_gt] = AUDIT_GREATER_THAN, 301 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 302 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 303 }; 304 305 static u32 audit_to_op(u32 op) 306 { 307 u32 n; 308 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 309 ; 310 return n; 311 } 312 313 314 /* Translate struct audit_rule to kernel's rule respresentation. 315 * Exists for backward compatibility with userspace. */ 316 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 317 { 318 struct audit_entry *entry; 319 int err = 0; 320 int i; 321 322 entry = audit_to_entry_common(rule); 323 if (IS_ERR(entry)) 324 goto exit_nofree; 325 326 for (i = 0; i < rule->field_count; i++) { 327 struct audit_field *f = &entry->rule.fields[i]; 328 u32 n; 329 330 n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 331 332 /* Support for legacy operators where 333 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 334 if (n & AUDIT_NEGATE) 335 f->op = Audit_not_equal; 336 else if (!n) 337 f->op = Audit_equal; 338 else 339 f->op = audit_to_op(n); 340 341 entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; 342 343 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 344 f->val = rule->values[i]; 345 f->uid = INVALID_UID; 346 f->gid = INVALID_GID; 347 348 err = -EINVAL; 349 if (f->op == Audit_bad) 350 goto exit_free; 351 352 switch(f->type) { 353 default: 354 goto exit_free; 355 case AUDIT_UID: 356 case AUDIT_EUID: 357 case AUDIT_SUID: 358 case AUDIT_FSUID: 359 case AUDIT_LOGINUID: 360 /* bit ops not implemented for uid comparisons */ 361 if (f->op == Audit_bitmask || f->op == Audit_bittest) 362 goto exit_free; 363 364 f->uid = make_kuid(current_user_ns(), f->val); 365 if (!uid_valid(f->uid)) 366 goto exit_free; 367 break; 368 case AUDIT_GID: 369 case AUDIT_EGID: 370 case AUDIT_SGID: 371 case AUDIT_FSGID: 372 /* bit ops not implemented for gid comparisons */ 373 if (f->op == Audit_bitmask || f->op == Audit_bittest) 374 goto exit_free; 375 376 f->gid = make_kgid(current_user_ns(), f->val); 377 if (!gid_valid(f->gid)) 378 goto exit_free; 379 break; 380 case AUDIT_PID: 381 case AUDIT_PERS: 382 case AUDIT_MSGTYPE: 383 case AUDIT_PPID: 384 case AUDIT_DEVMAJOR: 385 case AUDIT_DEVMINOR: 386 case AUDIT_EXIT: 387 case AUDIT_SUCCESS: 388 /* bit ops are only useful on syscall args */ 389 if (f->op == Audit_bitmask || f->op == Audit_bittest) 390 goto exit_free; 391 break; 392 case AUDIT_ARG0: 393 case AUDIT_ARG1: 394 case AUDIT_ARG2: 395 case AUDIT_ARG3: 396 break; 397 /* arch is only allowed to be = or != */ 398 case AUDIT_ARCH: 399 if (f->op != Audit_not_equal && f->op != Audit_equal) 400 goto exit_free; 401 entry->rule.arch_f = f; 402 break; 403 case AUDIT_PERM: 404 if (f->val & ~15) 405 goto exit_free; 406 break; 407 case AUDIT_FILETYPE: 408 if (f->val & ~S_IFMT) 409 goto exit_free; 410 break; 411 case AUDIT_INODE: 412 err = audit_to_inode(&entry->rule, f); 413 if (err) 414 goto exit_free; 415 break; 416 } 417 } 418 419 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 420 entry->rule.inode_f = NULL; 421 422 exit_nofree: 423 return entry; 424 425 exit_free: 426 audit_free_rule(entry); 427 return ERR_PTR(err); 428 } 429 430 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 431 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 432 size_t datasz) 433 { 434 int err = 0; 435 struct audit_entry *entry; 436 void *bufp; 437 size_t remain = datasz - sizeof(struct audit_rule_data); 438 int i; 439 char *str; 440 441 entry = audit_to_entry_common((struct audit_rule *)data); 442 if (IS_ERR(entry)) 443 goto exit_nofree; 444 445 bufp = data->buf; 446 entry->rule.vers_ops = 2; 447 for (i = 0; i < data->field_count; i++) { 448 struct audit_field *f = &entry->rule.fields[i]; 449 450 err = -EINVAL; 451 452 f->op = audit_to_op(data->fieldflags[i]); 453 if (f->op == Audit_bad) 454 goto exit_free; 455 456 f->type = data->fields[i]; 457 f->val = data->values[i]; 458 f->uid = INVALID_UID; 459 f->gid = INVALID_GID; 460 f->lsm_str = NULL; 461 f->lsm_rule = NULL; 462 switch(f->type) { 463 case AUDIT_UID: 464 case AUDIT_EUID: 465 case AUDIT_SUID: 466 case AUDIT_FSUID: 467 case AUDIT_LOGINUID: 468 case AUDIT_OBJ_UID: 469 /* bit ops not implemented for uid comparisons */ 470 if (f->op == Audit_bitmask || f->op == Audit_bittest) 471 goto exit_free; 472 473 f->uid = make_kuid(current_user_ns(), f->val); 474 if (!uid_valid(f->uid)) 475 goto exit_free; 476 break; 477 case AUDIT_GID: 478 case AUDIT_EGID: 479 case AUDIT_SGID: 480 case AUDIT_FSGID: 481 case AUDIT_OBJ_GID: 482 /* bit ops not implemented for gid comparisons */ 483 if (f->op == Audit_bitmask || f->op == Audit_bittest) 484 goto exit_free; 485 486 f->gid = make_kgid(current_user_ns(), f->val); 487 if (!gid_valid(f->gid)) 488 goto exit_free; 489 break; 490 case AUDIT_PID: 491 case AUDIT_PERS: 492 case AUDIT_MSGTYPE: 493 case AUDIT_PPID: 494 case AUDIT_DEVMAJOR: 495 case AUDIT_DEVMINOR: 496 case AUDIT_EXIT: 497 case AUDIT_SUCCESS: 498 case AUDIT_ARG0: 499 case AUDIT_ARG1: 500 case AUDIT_ARG2: 501 case AUDIT_ARG3: 502 break; 503 case AUDIT_ARCH: 504 entry->rule.arch_f = f; 505 break; 506 case AUDIT_SUBJ_USER: 507 case AUDIT_SUBJ_ROLE: 508 case AUDIT_SUBJ_TYPE: 509 case AUDIT_SUBJ_SEN: 510 case AUDIT_SUBJ_CLR: 511 case AUDIT_OBJ_USER: 512 case AUDIT_OBJ_ROLE: 513 case AUDIT_OBJ_TYPE: 514 case AUDIT_OBJ_LEV_LOW: 515 case AUDIT_OBJ_LEV_HIGH: 516 str = audit_unpack_string(&bufp, &remain, f->val); 517 if (IS_ERR(str)) 518 goto exit_free; 519 entry->rule.buflen += f->val; 520 521 err = security_audit_rule_init(f->type, f->op, str, 522 (void **)&f->lsm_rule); 523 /* Keep currently invalid fields around in case they 524 * become valid after a policy reload. */ 525 if (err == -EINVAL) { 526 printk(KERN_WARNING "audit rule for LSM " 527 "\'%s\' is invalid\n", str); 528 err = 0; 529 } 530 if (err) { 531 kfree(str); 532 goto exit_free; 533 } else 534 f->lsm_str = str; 535 break; 536 case AUDIT_WATCH: 537 str = audit_unpack_string(&bufp, &remain, f->val); 538 if (IS_ERR(str)) 539 goto exit_free; 540 entry->rule.buflen += f->val; 541 542 err = audit_to_watch(&entry->rule, str, f->val, f->op); 543 if (err) { 544 kfree(str); 545 goto exit_free; 546 } 547 break; 548 case AUDIT_DIR: 549 str = audit_unpack_string(&bufp, &remain, f->val); 550 if (IS_ERR(str)) 551 goto exit_free; 552 entry->rule.buflen += f->val; 553 554 err = audit_make_tree(&entry->rule, str, f->op); 555 kfree(str); 556 if (err) 557 goto exit_free; 558 break; 559 case AUDIT_INODE: 560 err = audit_to_inode(&entry->rule, f); 561 if (err) 562 goto exit_free; 563 break; 564 case AUDIT_FILTERKEY: 565 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 566 goto exit_free; 567 str = audit_unpack_string(&bufp, &remain, f->val); 568 if (IS_ERR(str)) 569 goto exit_free; 570 entry->rule.buflen += f->val; 571 entry->rule.filterkey = str; 572 break; 573 case AUDIT_PERM: 574 if (f->val & ~15) 575 goto exit_free; 576 break; 577 case AUDIT_FILETYPE: 578 if (f->val & ~S_IFMT) 579 goto exit_free; 580 break; 581 case AUDIT_FIELD_COMPARE: 582 if (f->val > AUDIT_MAX_FIELD_COMPARE) 583 goto exit_free; 584 break; 585 default: 586 goto exit_free; 587 } 588 } 589 590 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 591 entry->rule.inode_f = NULL; 592 593 exit_nofree: 594 return entry; 595 596 exit_free: 597 audit_free_rule(entry); 598 return ERR_PTR(err); 599 } 600 601 /* Pack a filter field's string representation into data block. */ 602 static inline size_t audit_pack_string(void **bufp, const char *str) 603 { 604 size_t len = strlen(str); 605 606 memcpy(*bufp, str, len); 607 *bufp += len; 608 609 return len; 610 } 611 612 /* Translate kernel rule respresentation to struct audit_rule. 613 * Exists for backward compatibility with userspace. */ 614 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 615 { 616 struct audit_rule *rule; 617 int i; 618 619 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 620 if (unlikely(!rule)) 621 return NULL; 622 623 rule->flags = krule->flags | krule->listnr; 624 rule->action = krule->action; 625 rule->field_count = krule->field_count; 626 for (i = 0; i < rule->field_count; i++) { 627 rule->values[i] = krule->fields[i].val; 628 rule->fields[i] = krule->fields[i].type; 629 630 if (krule->vers_ops == 1) { 631 if (krule->fields[i].op == Audit_not_equal) 632 rule->fields[i] |= AUDIT_NEGATE; 633 } else { 634 rule->fields[i] |= audit_ops[krule->fields[i].op]; 635 } 636 } 637 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 638 639 return rule; 640 } 641 642 /* Translate kernel rule respresentation to struct audit_rule_data. */ 643 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 644 { 645 struct audit_rule_data *data; 646 void *bufp; 647 int i; 648 649 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 650 if (unlikely(!data)) 651 return NULL; 652 memset(data, 0, sizeof(*data)); 653 654 data->flags = krule->flags | krule->listnr; 655 data->action = krule->action; 656 data->field_count = krule->field_count; 657 bufp = data->buf; 658 for (i = 0; i < data->field_count; i++) { 659 struct audit_field *f = &krule->fields[i]; 660 661 data->fields[i] = f->type; 662 data->fieldflags[i] = audit_ops[f->op]; 663 switch(f->type) { 664 case AUDIT_SUBJ_USER: 665 case AUDIT_SUBJ_ROLE: 666 case AUDIT_SUBJ_TYPE: 667 case AUDIT_SUBJ_SEN: 668 case AUDIT_SUBJ_CLR: 669 case AUDIT_OBJ_USER: 670 case AUDIT_OBJ_ROLE: 671 case AUDIT_OBJ_TYPE: 672 case AUDIT_OBJ_LEV_LOW: 673 case AUDIT_OBJ_LEV_HIGH: 674 data->buflen += data->values[i] = 675 audit_pack_string(&bufp, f->lsm_str); 676 break; 677 case AUDIT_WATCH: 678 data->buflen += data->values[i] = 679 audit_pack_string(&bufp, 680 audit_watch_path(krule->watch)); 681 break; 682 case AUDIT_DIR: 683 data->buflen += data->values[i] = 684 audit_pack_string(&bufp, 685 audit_tree_path(krule->tree)); 686 break; 687 case AUDIT_FILTERKEY: 688 data->buflen += data->values[i] = 689 audit_pack_string(&bufp, krule->filterkey); 690 break; 691 default: 692 data->values[i] = f->val; 693 } 694 } 695 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 696 697 return data; 698 } 699 700 /* Compare two rules in kernel format. Considered success if rules 701 * don't match. */ 702 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 703 { 704 int i; 705 706 if (a->flags != b->flags || 707 a->listnr != b->listnr || 708 a->action != b->action || 709 a->field_count != b->field_count) 710 return 1; 711 712 for (i = 0; i < a->field_count; i++) { 713 if (a->fields[i].type != b->fields[i].type || 714 a->fields[i].op != b->fields[i].op) 715 return 1; 716 717 switch(a->fields[i].type) { 718 case AUDIT_SUBJ_USER: 719 case AUDIT_SUBJ_ROLE: 720 case AUDIT_SUBJ_TYPE: 721 case AUDIT_SUBJ_SEN: 722 case AUDIT_SUBJ_CLR: 723 case AUDIT_OBJ_USER: 724 case AUDIT_OBJ_ROLE: 725 case AUDIT_OBJ_TYPE: 726 case AUDIT_OBJ_LEV_LOW: 727 case AUDIT_OBJ_LEV_HIGH: 728 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 729 return 1; 730 break; 731 case AUDIT_WATCH: 732 if (strcmp(audit_watch_path(a->watch), 733 audit_watch_path(b->watch))) 734 return 1; 735 break; 736 case AUDIT_DIR: 737 if (strcmp(audit_tree_path(a->tree), 738 audit_tree_path(b->tree))) 739 return 1; 740 break; 741 case AUDIT_FILTERKEY: 742 /* both filterkeys exist based on above type compare */ 743 if (strcmp(a->filterkey, b->filterkey)) 744 return 1; 745 break; 746 case AUDIT_UID: 747 case AUDIT_EUID: 748 case AUDIT_SUID: 749 case AUDIT_FSUID: 750 case AUDIT_LOGINUID: 751 case AUDIT_OBJ_UID: 752 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 753 return 1; 754 break; 755 case AUDIT_GID: 756 case AUDIT_EGID: 757 case AUDIT_SGID: 758 case AUDIT_FSGID: 759 case AUDIT_OBJ_GID: 760 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 761 return 1; 762 break; 763 default: 764 if (a->fields[i].val != b->fields[i].val) 765 return 1; 766 } 767 } 768 769 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 770 if (a->mask[i] != b->mask[i]) 771 return 1; 772 773 return 0; 774 } 775 776 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 777 * re-initialized. */ 778 static inline int audit_dupe_lsm_field(struct audit_field *df, 779 struct audit_field *sf) 780 { 781 int ret = 0; 782 char *lsm_str; 783 784 /* our own copy of lsm_str */ 785 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 786 if (unlikely(!lsm_str)) 787 return -ENOMEM; 788 df->lsm_str = lsm_str; 789 790 /* our own (refreshed) copy of lsm_rule */ 791 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 792 (void **)&df->lsm_rule); 793 /* Keep currently invalid fields around in case they 794 * become valid after a policy reload. */ 795 if (ret == -EINVAL) { 796 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 797 "invalid\n", df->lsm_str); 798 ret = 0; 799 } 800 801 return ret; 802 } 803 804 /* Duplicate an audit rule. This will be a deep copy with the exception 805 * of the watch - that pointer is carried over. The LSM specific fields 806 * will be updated in the copy. The point is to be able to replace the old 807 * rule with the new rule in the filterlist, then free the old rule. 808 * The rlist element is undefined; list manipulations are handled apart from 809 * the initial copy. */ 810 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 811 { 812 u32 fcount = old->field_count; 813 struct audit_entry *entry; 814 struct audit_krule *new; 815 char *fk; 816 int i, err = 0; 817 818 entry = audit_init_entry(fcount); 819 if (unlikely(!entry)) 820 return ERR_PTR(-ENOMEM); 821 822 new = &entry->rule; 823 new->vers_ops = old->vers_ops; 824 new->flags = old->flags; 825 new->listnr = old->listnr; 826 new->action = old->action; 827 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 828 new->mask[i] = old->mask[i]; 829 new->prio = old->prio; 830 new->buflen = old->buflen; 831 new->inode_f = old->inode_f; 832 new->field_count = old->field_count; 833 834 /* 835 * note that we are OK with not refcounting here; audit_match_tree() 836 * never dereferences tree and we can't get false positives there 837 * since we'd have to have rule gone from the list *and* removed 838 * before the chunks found by lookup had been allocated, i.e. before 839 * the beginning of list scan. 840 */ 841 new->tree = old->tree; 842 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 843 844 /* deep copy this information, updating the lsm_rule fields, because 845 * the originals will all be freed when the old rule is freed. */ 846 for (i = 0; i < fcount; i++) { 847 switch (new->fields[i].type) { 848 case AUDIT_SUBJ_USER: 849 case AUDIT_SUBJ_ROLE: 850 case AUDIT_SUBJ_TYPE: 851 case AUDIT_SUBJ_SEN: 852 case AUDIT_SUBJ_CLR: 853 case AUDIT_OBJ_USER: 854 case AUDIT_OBJ_ROLE: 855 case AUDIT_OBJ_TYPE: 856 case AUDIT_OBJ_LEV_LOW: 857 case AUDIT_OBJ_LEV_HIGH: 858 err = audit_dupe_lsm_field(&new->fields[i], 859 &old->fields[i]); 860 break; 861 case AUDIT_FILTERKEY: 862 fk = kstrdup(old->filterkey, GFP_KERNEL); 863 if (unlikely(!fk)) 864 err = -ENOMEM; 865 else 866 new->filterkey = fk; 867 } 868 if (err) { 869 audit_free_rule(entry); 870 return ERR_PTR(err); 871 } 872 } 873 874 if (old->watch) { 875 audit_get_watch(old->watch); 876 new->watch = old->watch; 877 } 878 879 return entry; 880 } 881 882 /* Find an existing audit rule. 883 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 884 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 885 struct list_head **p) 886 { 887 struct audit_entry *e, *found = NULL; 888 struct list_head *list; 889 int h; 890 891 if (entry->rule.inode_f) { 892 h = audit_hash_ino(entry->rule.inode_f->val); 893 *p = list = &audit_inode_hash[h]; 894 } else if (entry->rule.watch) { 895 /* we don't know the inode number, so must walk entire hash */ 896 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 897 list = &audit_inode_hash[h]; 898 list_for_each_entry(e, list, list) 899 if (!audit_compare_rule(&entry->rule, &e->rule)) { 900 found = e; 901 goto out; 902 } 903 } 904 goto out; 905 } else { 906 *p = list = &audit_filter_list[entry->rule.listnr]; 907 } 908 909 list_for_each_entry(e, list, list) 910 if (!audit_compare_rule(&entry->rule, &e->rule)) { 911 found = e; 912 goto out; 913 } 914 915 out: 916 return found; 917 } 918 919 static u64 prio_low = ~0ULL/2; 920 static u64 prio_high = ~0ULL/2 - 1; 921 922 /* Add rule to given filterlist if not a duplicate. */ 923 static inline int audit_add_rule(struct audit_entry *entry) 924 { 925 struct audit_entry *e; 926 struct audit_watch *watch = entry->rule.watch; 927 struct audit_tree *tree = entry->rule.tree; 928 struct list_head *list; 929 int err; 930 #ifdef CONFIG_AUDITSYSCALL 931 int dont_count = 0; 932 933 /* If either of these, don't count towards total */ 934 if (entry->rule.listnr == AUDIT_FILTER_USER || 935 entry->rule.listnr == AUDIT_FILTER_TYPE) 936 dont_count = 1; 937 #endif 938 939 mutex_lock(&audit_filter_mutex); 940 e = audit_find_rule(entry, &list); 941 if (e) { 942 mutex_unlock(&audit_filter_mutex); 943 err = -EEXIST; 944 /* normally audit_add_tree_rule() will free it on failure */ 945 if (tree) 946 audit_put_tree(tree); 947 goto error; 948 } 949 950 if (watch) { 951 /* audit_filter_mutex is dropped and re-taken during this call */ 952 err = audit_add_watch(&entry->rule, &list); 953 if (err) { 954 mutex_unlock(&audit_filter_mutex); 955 goto error; 956 } 957 } 958 if (tree) { 959 err = audit_add_tree_rule(&entry->rule); 960 if (err) { 961 mutex_unlock(&audit_filter_mutex); 962 goto error; 963 } 964 } 965 966 entry->rule.prio = ~0ULL; 967 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 968 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 969 entry->rule.prio = ++prio_high; 970 else 971 entry->rule.prio = --prio_low; 972 } 973 974 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 975 list_add(&entry->rule.list, 976 &audit_rules_list[entry->rule.listnr]); 977 list_add_rcu(&entry->list, list); 978 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 979 } else { 980 list_add_tail(&entry->rule.list, 981 &audit_rules_list[entry->rule.listnr]); 982 list_add_tail_rcu(&entry->list, list); 983 } 984 #ifdef CONFIG_AUDITSYSCALL 985 if (!dont_count) 986 audit_n_rules++; 987 988 if (!audit_match_signal(entry)) 989 audit_signals++; 990 #endif 991 mutex_unlock(&audit_filter_mutex); 992 993 return 0; 994 995 error: 996 if (watch) 997 audit_put_watch(watch); /* tmp watch, matches initial get */ 998 return err; 999 } 1000 1001 /* Remove an existing rule from filterlist. */ 1002 static inline int audit_del_rule(struct audit_entry *entry) 1003 { 1004 struct audit_entry *e; 1005 struct audit_watch *watch = entry->rule.watch; 1006 struct audit_tree *tree = entry->rule.tree; 1007 struct list_head *list; 1008 int ret = 0; 1009 #ifdef CONFIG_AUDITSYSCALL 1010 int dont_count = 0; 1011 1012 /* If either of these, don't count towards total */ 1013 if (entry->rule.listnr == AUDIT_FILTER_USER || 1014 entry->rule.listnr == AUDIT_FILTER_TYPE) 1015 dont_count = 1; 1016 #endif 1017 1018 mutex_lock(&audit_filter_mutex); 1019 e = audit_find_rule(entry, &list); 1020 if (!e) { 1021 mutex_unlock(&audit_filter_mutex); 1022 ret = -ENOENT; 1023 goto out; 1024 } 1025 1026 if (e->rule.watch) 1027 audit_remove_watch_rule(&e->rule); 1028 1029 if (e->rule.tree) 1030 audit_remove_tree_rule(&e->rule); 1031 1032 list_del_rcu(&e->list); 1033 list_del(&e->rule.list); 1034 call_rcu(&e->rcu, audit_free_rule_rcu); 1035 1036 #ifdef CONFIG_AUDITSYSCALL 1037 if (!dont_count) 1038 audit_n_rules--; 1039 1040 if (!audit_match_signal(entry)) 1041 audit_signals--; 1042 #endif 1043 mutex_unlock(&audit_filter_mutex); 1044 1045 out: 1046 if (watch) 1047 audit_put_watch(watch); /* match initial get */ 1048 if (tree) 1049 audit_put_tree(tree); /* that's the temporary one */ 1050 1051 return ret; 1052 } 1053 1054 /* List rules using struct audit_rule. Exists for backward 1055 * compatibility with userspace. */ 1056 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1057 { 1058 struct sk_buff *skb; 1059 struct audit_krule *r; 1060 int i; 1061 1062 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1063 * iterator to sync with list writers. */ 1064 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1065 list_for_each_entry(r, &audit_rules_list[i], list) { 1066 struct audit_rule *rule; 1067 1068 rule = audit_krule_to_rule(r); 1069 if (unlikely(!rule)) 1070 break; 1071 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1072 rule, sizeof(*rule)); 1073 if (skb) 1074 skb_queue_tail(q, skb); 1075 kfree(rule); 1076 } 1077 } 1078 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1079 if (skb) 1080 skb_queue_tail(q, skb); 1081 } 1082 1083 /* List rules using struct audit_rule_data. */ 1084 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1085 { 1086 struct sk_buff *skb; 1087 struct audit_krule *r; 1088 int i; 1089 1090 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1091 * iterator to sync with list writers. */ 1092 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1093 list_for_each_entry(r, &audit_rules_list[i], list) { 1094 struct audit_rule_data *data; 1095 1096 data = audit_krule_to_data(r); 1097 if (unlikely(!data)) 1098 break; 1099 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1100 data, sizeof(*data) + data->buflen); 1101 if (skb) 1102 skb_queue_tail(q, skb); 1103 kfree(data); 1104 } 1105 } 1106 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1107 if (skb) 1108 skb_queue_tail(q, skb); 1109 } 1110 1111 /* Log rule additions and removals */ 1112 static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid, 1113 char *action, struct audit_krule *rule, 1114 int res) 1115 { 1116 struct audit_buffer *ab; 1117 1118 if (!audit_enabled) 1119 return; 1120 1121 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1122 if (!ab) 1123 return; 1124 audit_log_format(ab, "auid=%u ses=%u", 1125 from_kuid(&init_user_ns, loginuid), sessionid); 1126 if (sid) { 1127 char *ctx = NULL; 1128 u32 len; 1129 if (security_secid_to_secctx(sid, &ctx, &len)) 1130 audit_log_format(ab, " ssid=%u", sid); 1131 else { 1132 audit_log_format(ab, " subj=%s", ctx); 1133 security_release_secctx(ctx, len); 1134 } 1135 } 1136 audit_log_format(ab, " op="); 1137 audit_log_string(ab, action); 1138 audit_log_key(ab, rule->filterkey); 1139 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1140 audit_log_end(ab); 1141 } 1142 1143 /** 1144 * audit_receive_filter - apply all rules to the specified message type 1145 * @type: audit message type 1146 * @pid: target pid for netlink audit messages 1147 * @uid: target uid for netlink audit messages 1148 * @seq: netlink audit message sequence (serial) number 1149 * @data: payload data 1150 * @datasz: size of payload data 1151 * @loginuid: loginuid of sender 1152 * @sessionid: sessionid for netlink audit message 1153 * @sid: SE Linux Security ID of sender 1154 */ 1155 int audit_receive_filter(int type, int pid, int seq, void *data, 1156 size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid) 1157 { 1158 struct task_struct *tsk; 1159 struct audit_netlink_list *dest; 1160 int err = 0; 1161 struct audit_entry *entry; 1162 1163 switch (type) { 1164 case AUDIT_LIST: 1165 case AUDIT_LIST_RULES: 1166 /* We can't just spew out the rules here because we might fill 1167 * the available socket buffer space and deadlock waiting for 1168 * auditctl to read from it... which isn't ever going to 1169 * happen if we're actually running in the context of auditctl 1170 * trying to _send_ the stuff */ 1171 1172 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1173 if (!dest) 1174 return -ENOMEM; 1175 dest->pid = pid; 1176 skb_queue_head_init(&dest->q); 1177 1178 mutex_lock(&audit_filter_mutex); 1179 if (type == AUDIT_LIST) 1180 audit_list(pid, seq, &dest->q); 1181 else 1182 audit_list_rules(pid, seq, &dest->q); 1183 mutex_unlock(&audit_filter_mutex); 1184 1185 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1186 if (IS_ERR(tsk)) { 1187 skb_queue_purge(&dest->q); 1188 kfree(dest); 1189 err = PTR_ERR(tsk); 1190 } 1191 break; 1192 case AUDIT_ADD: 1193 case AUDIT_ADD_RULE: 1194 if (type == AUDIT_ADD) 1195 entry = audit_rule_to_entry(data); 1196 else 1197 entry = audit_data_to_entry(data, datasz); 1198 if (IS_ERR(entry)) 1199 return PTR_ERR(entry); 1200 1201 err = audit_add_rule(entry); 1202 audit_log_rule_change(loginuid, sessionid, sid, "add rule", 1203 &entry->rule, !err); 1204 1205 if (err) 1206 audit_free_rule(entry); 1207 break; 1208 case AUDIT_DEL: 1209 case AUDIT_DEL_RULE: 1210 if (type == AUDIT_DEL) 1211 entry = audit_rule_to_entry(data); 1212 else 1213 entry = audit_data_to_entry(data, datasz); 1214 if (IS_ERR(entry)) 1215 return PTR_ERR(entry); 1216 1217 err = audit_del_rule(entry); 1218 audit_log_rule_change(loginuid, sessionid, sid, "remove rule", 1219 &entry->rule, !err); 1220 1221 audit_free_rule(entry); 1222 break; 1223 default: 1224 return -EINVAL; 1225 } 1226 1227 return err; 1228 } 1229 1230 int audit_comparator(u32 left, u32 op, u32 right) 1231 { 1232 switch (op) { 1233 case Audit_equal: 1234 return (left == right); 1235 case Audit_not_equal: 1236 return (left != right); 1237 case Audit_lt: 1238 return (left < right); 1239 case Audit_le: 1240 return (left <= right); 1241 case Audit_gt: 1242 return (left > right); 1243 case Audit_ge: 1244 return (left >= right); 1245 case Audit_bitmask: 1246 return (left & right); 1247 case Audit_bittest: 1248 return ((left & right) == right); 1249 default: 1250 BUG(); 1251 return 0; 1252 } 1253 } 1254 1255 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1256 { 1257 switch (op) { 1258 case Audit_equal: 1259 return uid_eq(left, right); 1260 case Audit_not_equal: 1261 return !uid_eq(left, right); 1262 case Audit_lt: 1263 return uid_lt(left, right); 1264 case Audit_le: 1265 return uid_lte(left, right); 1266 case Audit_gt: 1267 return uid_gt(left, right); 1268 case Audit_ge: 1269 return uid_gte(left, right); 1270 case Audit_bitmask: 1271 case Audit_bittest: 1272 default: 1273 BUG(); 1274 return 0; 1275 } 1276 } 1277 1278 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1279 { 1280 switch (op) { 1281 case Audit_equal: 1282 return gid_eq(left, right); 1283 case Audit_not_equal: 1284 return !gid_eq(left, right); 1285 case Audit_lt: 1286 return gid_lt(left, right); 1287 case Audit_le: 1288 return gid_lte(left, right); 1289 case Audit_gt: 1290 return gid_gt(left, right); 1291 case Audit_ge: 1292 return gid_gte(left, right); 1293 case Audit_bitmask: 1294 case Audit_bittest: 1295 default: 1296 BUG(); 1297 return 0; 1298 } 1299 } 1300 1301 /** 1302 * parent_len - find the length of the parent portion of a pathname 1303 * @path: pathname of which to determine length 1304 */ 1305 int parent_len(const char *path) 1306 { 1307 int plen; 1308 const char *p; 1309 1310 plen = strlen(path); 1311 1312 if (plen == 0) 1313 return plen; 1314 1315 /* disregard trailing slashes */ 1316 p = path + plen - 1; 1317 while ((*p == '/') && (p > path)) 1318 p--; 1319 1320 /* walk backward until we find the next slash or hit beginning */ 1321 while ((*p != '/') && (p > path)) 1322 p--; 1323 1324 /* did we find a slash? Then increment to include it in path */ 1325 if (*p == '/') 1326 p++; 1327 1328 return p - path; 1329 } 1330 1331 /** 1332 * audit_compare_dname_path - compare given dentry name with last component in 1333 * given path. Return of 0 indicates a match. 1334 * @dname: dentry name that we're comparing 1335 * @path: full pathname that we're comparing 1336 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1337 * here indicates that we must compute this value. 1338 */ 1339 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1340 { 1341 int dlen, pathlen; 1342 const char *p; 1343 1344 dlen = strlen(dname); 1345 pathlen = strlen(path); 1346 if (pathlen < dlen) 1347 return 1; 1348 1349 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1350 if (pathlen - parentlen != dlen) 1351 return 1; 1352 1353 p = path + parentlen; 1354 1355 return strncmp(p, dname, dlen); 1356 } 1357 1358 static int audit_filter_user_rules(struct audit_krule *rule, 1359 enum audit_state *state) 1360 { 1361 int i; 1362 1363 for (i = 0; i < rule->field_count; i++) { 1364 struct audit_field *f = &rule->fields[i]; 1365 int result = 0; 1366 u32 sid; 1367 1368 switch (f->type) { 1369 case AUDIT_PID: 1370 result = audit_comparator(task_pid_vnr(current), f->op, f->val); 1371 break; 1372 case AUDIT_UID: 1373 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1374 break; 1375 case AUDIT_GID: 1376 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1377 break; 1378 case AUDIT_LOGINUID: 1379 result = audit_uid_comparator(audit_get_loginuid(current), 1380 f->op, f->uid); 1381 break; 1382 case AUDIT_SUBJ_USER: 1383 case AUDIT_SUBJ_ROLE: 1384 case AUDIT_SUBJ_TYPE: 1385 case AUDIT_SUBJ_SEN: 1386 case AUDIT_SUBJ_CLR: 1387 if (f->lsm_rule) { 1388 security_task_getsecid(current, &sid); 1389 result = security_audit_rule_match(sid, 1390 f->type, 1391 f->op, 1392 f->lsm_rule, 1393 NULL); 1394 } 1395 break; 1396 } 1397 1398 if (!result) 1399 return 0; 1400 } 1401 switch (rule->action) { 1402 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1403 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1404 } 1405 return 1; 1406 } 1407 1408 int audit_filter_user(void) 1409 { 1410 enum audit_state state = AUDIT_DISABLED; 1411 struct audit_entry *e; 1412 int ret = 1; 1413 1414 rcu_read_lock(); 1415 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1416 if (audit_filter_user_rules(&e->rule, &state)) { 1417 if (state == AUDIT_DISABLED) 1418 ret = 0; 1419 break; 1420 } 1421 } 1422 rcu_read_unlock(); 1423 1424 return ret; /* Audit by default */ 1425 } 1426 1427 int audit_filter_type(int type) 1428 { 1429 struct audit_entry *e; 1430 int result = 0; 1431 1432 rcu_read_lock(); 1433 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1434 goto unlock_and_return; 1435 1436 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1437 list) { 1438 int i; 1439 for (i = 0; i < e->rule.field_count; i++) { 1440 struct audit_field *f = &e->rule.fields[i]; 1441 if (f->type == AUDIT_MSGTYPE) { 1442 result = audit_comparator(type, f->op, f->val); 1443 if (!result) 1444 break; 1445 } 1446 } 1447 if (result) 1448 goto unlock_and_return; 1449 } 1450 unlock_and_return: 1451 rcu_read_unlock(); 1452 return result; 1453 } 1454 1455 static int update_lsm_rule(struct audit_krule *r) 1456 { 1457 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1458 struct audit_entry *nentry; 1459 int err = 0; 1460 1461 if (!security_audit_rule_known(r)) 1462 return 0; 1463 1464 nentry = audit_dupe_rule(r); 1465 if (IS_ERR(nentry)) { 1466 /* save the first error encountered for the 1467 * return value */ 1468 err = PTR_ERR(nentry); 1469 audit_panic("error updating LSM filters"); 1470 if (r->watch) 1471 list_del(&r->rlist); 1472 list_del_rcu(&entry->list); 1473 list_del(&r->list); 1474 } else { 1475 if (r->watch || r->tree) 1476 list_replace_init(&r->rlist, &nentry->rule.rlist); 1477 list_replace_rcu(&entry->list, &nentry->list); 1478 list_replace(&r->list, &nentry->rule.list); 1479 } 1480 call_rcu(&entry->rcu, audit_free_rule_rcu); 1481 1482 return err; 1483 } 1484 1485 /* This function will re-initialize the lsm_rule field of all applicable rules. 1486 * It will traverse the filter lists serarching for rules that contain LSM 1487 * specific filter fields. When such a rule is found, it is copied, the 1488 * LSM field is re-initialized, and the old rule is replaced with the 1489 * updated rule. */ 1490 int audit_update_lsm_rules(void) 1491 { 1492 struct audit_krule *r, *n; 1493 int i, err = 0; 1494 1495 /* audit_filter_mutex synchronizes the writers */ 1496 mutex_lock(&audit_filter_mutex); 1497 1498 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1499 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1500 int res = update_lsm_rule(r); 1501 if (!err) 1502 err = res; 1503 } 1504 } 1505 mutex_unlock(&audit_filter_mutex); 1506 1507 return err; 1508 } 1509