1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* Audit filter lists, defined in <linux/audit.h> */ 48 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 49 LIST_HEAD_INIT(audit_filter_list[0]), 50 LIST_HEAD_INIT(audit_filter_list[1]), 51 LIST_HEAD_INIT(audit_filter_list[2]), 52 LIST_HEAD_INIT(audit_filter_list[3]), 53 LIST_HEAD_INIT(audit_filter_list[4]), 54 LIST_HEAD_INIT(audit_filter_list[5]), 55 #if AUDIT_NR_FILTERS != 6 56 #error Fix audit_filter_list initialiser 57 #endif 58 }; 59 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 60 LIST_HEAD_INIT(audit_rules_list[0]), 61 LIST_HEAD_INIT(audit_rules_list[1]), 62 LIST_HEAD_INIT(audit_rules_list[2]), 63 LIST_HEAD_INIT(audit_rules_list[3]), 64 LIST_HEAD_INIT(audit_rules_list[4]), 65 LIST_HEAD_INIT(audit_rules_list[5]), 66 }; 67 68 DEFINE_MUTEX(audit_filter_mutex); 69 70 static inline void audit_free_rule(struct audit_entry *e) 71 { 72 int i; 73 struct audit_krule *erule = &e->rule; 74 75 /* some rules don't have associated watches */ 76 if (erule->watch) 77 audit_put_watch(erule->watch); 78 if (erule->fields) 79 for (i = 0; i < erule->field_count; i++) { 80 struct audit_field *f = &erule->fields[i]; 81 kfree(f->lsm_str); 82 security_audit_rule_free(f->lsm_rule); 83 } 84 kfree(erule->fields); 85 kfree(erule->filterkey); 86 kfree(e); 87 } 88 89 void audit_free_rule_rcu(struct rcu_head *head) 90 { 91 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 92 audit_free_rule(e); 93 } 94 95 /* Initialize an audit filterlist entry. */ 96 static inline struct audit_entry *audit_init_entry(u32 field_count) 97 { 98 struct audit_entry *entry; 99 struct audit_field *fields; 100 101 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 102 if (unlikely(!entry)) 103 return NULL; 104 105 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 106 if (unlikely(!fields)) { 107 kfree(entry); 108 return NULL; 109 } 110 entry->rule.fields = fields; 111 112 return entry; 113 } 114 115 /* Unpack a filter field's string representation from user-space 116 * buffer. */ 117 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 118 { 119 char *str; 120 121 if (!*bufp || (len == 0) || (len > *remain)) 122 return ERR_PTR(-EINVAL); 123 124 /* Of the currently implemented string fields, PATH_MAX 125 * defines the longest valid length. 126 */ 127 if (len > PATH_MAX) 128 return ERR_PTR(-ENAMETOOLONG); 129 130 str = kmalloc(len + 1, GFP_KERNEL); 131 if (unlikely(!str)) 132 return ERR_PTR(-ENOMEM); 133 134 memcpy(str, *bufp, len); 135 str[len] = 0; 136 *bufp += len; 137 *remain -= len; 138 139 return str; 140 } 141 142 /* Translate an inode field to kernel respresentation. */ 143 static inline int audit_to_inode(struct audit_krule *krule, 144 struct audit_field *f) 145 { 146 if (krule->listnr != AUDIT_FILTER_EXIT || 147 krule->watch || krule->inode_f || krule->tree || 148 (f->op != Audit_equal && f->op != Audit_not_equal)) 149 return -EINVAL; 150 151 krule->inode_f = f; 152 return 0; 153 } 154 155 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 156 157 int __init audit_register_class(int class, unsigned *list) 158 { 159 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 160 if (!p) 161 return -ENOMEM; 162 while (*list != ~0U) { 163 unsigned n = *list++; 164 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 165 kfree(p); 166 return -EINVAL; 167 } 168 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 169 } 170 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 171 kfree(p); 172 return -EINVAL; 173 } 174 classes[class] = p; 175 return 0; 176 } 177 178 int audit_match_class(int class, unsigned syscall) 179 { 180 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 181 return 0; 182 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 183 return 0; 184 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 185 } 186 187 #ifdef CONFIG_AUDITSYSCALL 188 static inline int audit_match_class_bits(int class, u32 *mask) 189 { 190 int i; 191 192 if (classes[class]) { 193 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 194 if (mask[i] & classes[class][i]) 195 return 0; 196 } 197 return 1; 198 } 199 200 static int audit_match_signal(struct audit_entry *entry) 201 { 202 struct audit_field *arch = entry->rule.arch_f; 203 204 if (!arch) { 205 /* When arch is unspecified, we must check both masks on biarch 206 * as syscall number alone is ambiguous. */ 207 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 208 entry->rule.mask) && 209 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 210 entry->rule.mask)); 211 } 212 213 switch(audit_classify_arch(arch->val)) { 214 case 0: /* native */ 215 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 216 entry->rule.mask)); 217 case 1: /* 32bit on biarch */ 218 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 219 entry->rule.mask)); 220 default: 221 return 1; 222 } 223 } 224 #endif 225 226 /* Common user-space to kernel rule translation. */ 227 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 228 { 229 unsigned listnr; 230 struct audit_entry *entry; 231 int i, err; 232 233 err = -EINVAL; 234 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 235 switch(listnr) { 236 default: 237 goto exit_err; 238 #ifdef CONFIG_AUDITSYSCALL 239 case AUDIT_FILTER_ENTRY: 240 if (rule->action == AUDIT_ALWAYS) 241 goto exit_err; 242 case AUDIT_FILTER_EXIT: 243 case AUDIT_FILTER_TASK: 244 #endif 245 case AUDIT_FILTER_USER: 246 case AUDIT_FILTER_TYPE: 247 ; 248 } 249 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 250 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 251 goto exit_err; 252 } 253 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 254 goto exit_err; 255 if (rule->field_count > AUDIT_MAX_FIELDS) 256 goto exit_err; 257 258 err = -ENOMEM; 259 entry = audit_init_entry(rule->field_count); 260 if (!entry) 261 goto exit_err; 262 263 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 264 entry->rule.listnr = listnr; 265 entry->rule.action = rule->action; 266 entry->rule.field_count = rule->field_count; 267 268 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 269 entry->rule.mask[i] = rule->mask[i]; 270 271 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 272 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 273 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 274 __u32 *class; 275 276 if (!(*p & AUDIT_BIT(bit))) 277 continue; 278 *p &= ~AUDIT_BIT(bit); 279 class = classes[i]; 280 if (class) { 281 int j; 282 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 283 entry->rule.mask[j] |= class[j]; 284 } 285 } 286 287 return entry; 288 289 exit_err: 290 return ERR_PTR(err); 291 } 292 293 static u32 audit_ops[] = 294 { 295 [Audit_equal] = AUDIT_EQUAL, 296 [Audit_not_equal] = AUDIT_NOT_EQUAL, 297 [Audit_bitmask] = AUDIT_BIT_MASK, 298 [Audit_bittest] = AUDIT_BIT_TEST, 299 [Audit_lt] = AUDIT_LESS_THAN, 300 [Audit_gt] = AUDIT_GREATER_THAN, 301 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 302 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 303 }; 304 305 static u32 audit_to_op(u32 op) 306 { 307 u32 n; 308 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 309 ; 310 return n; 311 } 312 313 314 /* Translate struct audit_rule to kernel's rule respresentation. 315 * Exists for backward compatibility with userspace. */ 316 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 317 { 318 struct audit_entry *entry; 319 int err = 0; 320 int i; 321 322 entry = audit_to_entry_common(rule); 323 if (IS_ERR(entry)) 324 goto exit_nofree; 325 326 for (i = 0; i < rule->field_count; i++) { 327 struct audit_field *f = &entry->rule.fields[i]; 328 u32 n; 329 330 n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 331 332 /* Support for legacy operators where 333 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 334 if (n & AUDIT_NEGATE) 335 f->op = Audit_not_equal; 336 else if (!n) 337 f->op = Audit_equal; 338 else 339 f->op = audit_to_op(n); 340 341 entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; 342 343 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 344 f->val = rule->values[i]; 345 f->uid = INVALID_UID; 346 f->gid = INVALID_GID; 347 348 err = -EINVAL; 349 if (f->op == Audit_bad) 350 goto exit_free; 351 352 switch(f->type) { 353 default: 354 goto exit_free; 355 case AUDIT_UID: 356 case AUDIT_EUID: 357 case AUDIT_SUID: 358 case AUDIT_FSUID: 359 case AUDIT_LOGINUID: 360 /* bit ops not implemented for uid comparisons */ 361 if (f->op == Audit_bitmask || f->op == Audit_bittest) 362 goto exit_free; 363 364 f->uid = make_kuid(current_user_ns(), f->val); 365 if (!uid_valid(f->uid)) 366 goto exit_free; 367 break; 368 case AUDIT_GID: 369 case AUDIT_EGID: 370 case AUDIT_SGID: 371 case AUDIT_FSGID: 372 /* bit ops not implemented for gid comparisons */ 373 if (f->op == Audit_bitmask || f->op == Audit_bittest) 374 goto exit_free; 375 376 f->gid = make_kgid(current_user_ns(), f->val); 377 if (!gid_valid(f->gid)) 378 goto exit_free; 379 break; 380 case AUDIT_PID: 381 case AUDIT_PERS: 382 case AUDIT_MSGTYPE: 383 case AUDIT_PPID: 384 case AUDIT_DEVMAJOR: 385 case AUDIT_DEVMINOR: 386 case AUDIT_EXIT: 387 case AUDIT_SUCCESS: 388 /* bit ops are only useful on syscall args */ 389 if (f->op == Audit_bitmask || f->op == Audit_bittest) 390 goto exit_free; 391 break; 392 case AUDIT_ARG0: 393 case AUDIT_ARG1: 394 case AUDIT_ARG2: 395 case AUDIT_ARG3: 396 break; 397 /* arch is only allowed to be = or != */ 398 case AUDIT_ARCH: 399 if (f->op != Audit_not_equal && f->op != Audit_equal) 400 goto exit_free; 401 entry->rule.arch_f = f; 402 break; 403 case AUDIT_PERM: 404 if (f->val & ~15) 405 goto exit_free; 406 break; 407 case AUDIT_FILETYPE: 408 if (f->val & ~S_IFMT) 409 goto exit_free; 410 break; 411 case AUDIT_INODE: 412 err = audit_to_inode(&entry->rule, f); 413 if (err) 414 goto exit_free; 415 break; 416 } 417 } 418 419 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 420 entry->rule.inode_f = NULL; 421 422 exit_nofree: 423 return entry; 424 425 exit_free: 426 audit_free_rule(entry); 427 return ERR_PTR(err); 428 } 429 430 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 431 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 432 size_t datasz) 433 { 434 int err = 0; 435 struct audit_entry *entry; 436 void *bufp; 437 size_t remain = datasz - sizeof(struct audit_rule_data); 438 int i; 439 char *str; 440 441 entry = audit_to_entry_common((struct audit_rule *)data); 442 if (IS_ERR(entry)) 443 goto exit_nofree; 444 445 bufp = data->buf; 446 entry->rule.vers_ops = 2; 447 for (i = 0; i < data->field_count; i++) { 448 struct audit_field *f = &entry->rule.fields[i]; 449 450 err = -EINVAL; 451 452 f->op = audit_to_op(data->fieldflags[i]); 453 if (f->op == Audit_bad) 454 goto exit_free; 455 456 f->type = data->fields[i]; 457 f->val = data->values[i]; 458 f->uid = INVALID_UID; 459 f->gid = INVALID_GID; 460 f->lsm_str = NULL; 461 f->lsm_rule = NULL; 462 switch(f->type) { 463 case AUDIT_UID: 464 case AUDIT_EUID: 465 case AUDIT_SUID: 466 case AUDIT_FSUID: 467 case AUDIT_LOGINUID: 468 case AUDIT_OBJ_UID: 469 /* bit ops not implemented for uid comparisons */ 470 if (f->op == Audit_bitmask || f->op == Audit_bittest) 471 goto exit_free; 472 473 f->uid = make_kuid(current_user_ns(), f->val); 474 if (!uid_valid(f->uid)) 475 goto exit_free; 476 break; 477 case AUDIT_GID: 478 case AUDIT_EGID: 479 case AUDIT_SGID: 480 case AUDIT_FSGID: 481 case AUDIT_OBJ_GID: 482 /* bit ops not implemented for gid comparisons */ 483 if (f->op == Audit_bitmask || f->op == Audit_bittest) 484 goto exit_free; 485 486 f->gid = make_kgid(current_user_ns(), f->val); 487 if (!gid_valid(f->gid)) 488 goto exit_free; 489 break; 490 case AUDIT_PID: 491 case AUDIT_PERS: 492 case AUDIT_MSGTYPE: 493 case AUDIT_PPID: 494 case AUDIT_DEVMAJOR: 495 case AUDIT_DEVMINOR: 496 case AUDIT_EXIT: 497 case AUDIT_SUCCESS: 498 case AUDIT_ARG0: 499 case AUDIT_ARG1: 500 case AUDIT_ARG2: 501 case AUDIT_ARG3: 502 break; 503 case AUDIT_ARCH: 504 entry->rule.arch_f = f; 505 break; 506 case AUDIT_SUBJ_USER: 507 case AUDIT_SUBJ_ROLE: 508 case AUDIT_SUBJ_TYPE: 509 case AUDIT_SUBJ_SEN: 510 case AUDIT_SUBJ_CLR: 511 case AUDIT_OBJ_USER: 512 case AUDIT_OBJ_ROLE: 513 case AUDIT_OBJ_TYPE: 514 case AUDIT_OBJ_LEV_LOW: 515 case AUDIT_OBJ_LEV_HIGH: 516 str = audit_unpack_string(&bufp, &remain, f->val); 517 if (IS_ERR(str)) 518 goto exit_free; 519 entry->rule.buflen += f->val; 520 521 err = security_audit_rule_init(f->type, f->op, str, 522 (void **)&f->lsm_rule); 523 /* Keep currently invalid fields around in case they 524 * become valid after a policy reload. */ 525 if (err == -EINVAL) { 526 printk(KERN_WARNING "audit rule for LSM " 527 "\'%s\' is invalid\n", str); 528 err = 0; 529 } 530 if (err) { 531 kfree(str); 532 goto exit_free; 533 } else 534 f->lsm_str = str; 535 break; 536 case AUDIT_WATCH: 537 str = audit_unpack_string(&bufp, &remain, f->val); 538 if (IS_ERR(str)) 539 goto exit_free; 540 entry->rule.buflen += f->val; 541 542 err = audit_to_watch(&entry->rule, str, f->val, f->op); 543 if (err) { 544 kfree(str); 545 goto exit_free; 546 } 547 break; 548 case AUDIT_DIR: 549 str = audit_unpack_string(&bufp, &remain, f->val); 550 if (IS_ERR(str)) 551 goto exit_free; 552 entry->rule.buflen += f->val; 553 554 err = audit_make_tree(&entry->rule, str, f->op); 555 kfree(str); 556 if (err) 557 goto exit_free; 558 break; 559 case AUDIT_INODE: 560 err = audit_to_inode(&entry->rule, f); 561 if (err) 562 goto exit_free; 563 break; 564 case AUDIT_FILTERKEY: 565 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 566 goto exit_free; 567 str = audit_unpack_string(&bufp, &remain, f->val); 568 if (IS_ERR(str)) 569 goto exit_free; 570 entry->rule.buflen += f->val; 571 entry->rule.filterkey = str; 572 break; 573 case AUDIT_PERM: 574 if (f->val & ~15) 575 goto exit_free; 576 break; 577 case AUDIT_FILETYPE: 578 if (f->val & ~S_IFMT) 579 goto exit_free; 580 break; 581 case AUDIT_FIELD_COMPARE: 582 if (f->val > AUDIT_MAX_FIELD_COMPARE) 583 goto exit_free; 584 break; 585 default: 586 goto exit_free; 587 } 588 } 589 590 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 591 entry->rule.inode_f = NULL; 592 593 exit_nofree: 594 return entry; 595 596 exit_free: 597 if (entry->rule.watch) 598 audit_put_watch(entry->rule.watch); /* matches initial get */ 599 if (entry->rule.tree) 600 audit_put_tree(entry->rule.tree); /* that's the temporary one */ 601 audit_free_rule(entry); 602 return ERR_PTR(err); 603 } 604 605 /* Pack a filter field's string representation into data block. */ 606 static inline size_t audit_pack_string(void **bufp, const char *str) 607 { 608 size_t len = strlen(str); 609 610 memcpy(*bufp, str, len); 611 *bufp += len; 612 613 return len; 614 } 615 616 /* Translate kernel rule respresentation to struct audit_rule. 617 * Exists for backward compatibility with userspace. */ 618 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 619 { 620 struct audit_rule *rule; 621 int i; 622 623 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 624 if (unlikely(!rule)) 625 return NULL; 626 627 rule->flags = krule->flags | krule->listnr; 628 rule->action = krule->action; 629 rule->field_count = krule->field_count; 630 for (i = 0; i < rule->field_count; i++) { 631 rule->values[i] = krule->fields[i].val; 632 rule->fields[i] = krule->fields[i].type; 633 634 if (krule->vers_ops == 1) { 635 if (krule->fields[i].op == Audit_not_equal) 636 rule->fields[i] |= AUDIT_NEGATE; 637 } else { 638 rule->fields[i] |= audit_ops[krule->fields[i].op]; 639 } 640 } 641 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 642 643 return rule; 644 } 645 646 /* Translate kernel rule respresentation to struct audit_rule_data. */ 647 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 648 { 649 struct audit_rule_data *data; 650 void *bufp; 651 int i; 652 653 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 654 if (unlikely(!data)) 655 return NULL; 656 memset(data, 0, sizeof(*data)); 657 658 data->flags = krule->flags | krule->listnr; 659 data->action = krule->action; 660 data->field_count = krule->field_count; 661 bufp = data->buf; 662 for (i = 0; i < data->field_count; i++) { 663 struct audit_field *f = &krule->fields[i]; 664 665 data->fields[i] = f->type; 666 data->fieldflags[i] = audit_ops[f->op]; 667 switch(f->type) { 668 case AUDIT_SUBJ_USER: 669 case AUDIT_SUBJ_ROLE: 670 case AUDIT_SUBJ_TYPE: 671 case AUDIT_SUBJ_SEN: 672 case AUDIT_SUBJ_CLR: 673 case AUDIT_OBJ_USER: 674 case AUDIT_OBJ_ROLE: 675 case AUDIT_OBJ_TYPE: 676 case AUDIT_OBJ_LEV_LOW: 677 case AUDIT_OBJ_LEV_HIGH: 678 data->buflen += data->values[i] = 679 audit_pack_string(&bufp, f->lsm_str); 680 break; 681 case AUDIT_WATCH: 682 data->buflen += data->values[i] = 683 audit_pack_string(&bufp, 684 audit_watch_path(krule->watch)); 685 break; 686 case AUDIT_DIR: 687 data->buflen += data->values[i] = 688 audit_pack_string(&bufp, 689 audit_tree_path(krule->tree)); 690 break; 691 case AUDIT_FILTERKEY: 692 data->buflen += data->values[i] = 693 audit_pack_string(&bufp, krule->filterkey); 694 break; 695 default: 696 data->values[i] = f->val; 697 } 698 } 699 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 700 701 return data; 702 } 703 704 /* Compare two rules in kernel format. Considered success if rules 705 * don't match. */ 706 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 707 { 708 int i; 709 710 if (a->flags != b->flags || 711 a->listnr != b->listnr || 712 a->action != b->action || 713 a->field_count != b->field_count) 714 return 1; 715 716 for (i = 0; i < a->field_count; i++) { 717 if (a->fields[i].type != b->fields[i].type || 718 a->fields[i].op != b->fields[i].op) 719 return 1; 720 721 switch(a->fields[i].type) { 722 case AUDIT_SUBJ_USER: 723 case AUDIT_SUBJ_ROLE: 724 case AUDIT_SUBJ_TYPE: 725 case AUDIT_SUBJ_SEN: 726 case AUDIT_SUBJ_CLR: 727 case AUDIT_OBJ_USER: 728 case AUDIT_OBJ_ROLE: 729 case AUDIT_OBJ_TYPE: 730 case AUDIT_OBJ_LEV_LOW: 731 case AUDIT_OBJ_LEV_HIGH: 732 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 733 return 1; 734 break; 735 case AUDIT_WATCH: 736 if (strcmp(audit_watch_path(a->watch), 737 audit_watch_path(b->watch))) 738 return 1; 739 break; 740 case AUDIT_DIR: 741 if (strcmp(audit_tree_path(a->tree), 742 audit_tree_path(b->tree))) 743 return 1; 744 break; 745 case AUDIT_FILTERKEY: 746 /* both filterkeys exist based on above type compare */ 747 if (strcmp(a->filterkey, b->filterkey)) 748 return 1; 749 break; 750 case AUDIT_UID: 751 case AUDIT_EUID: 752 case AUDIT_SUID: 753 case AUDIT_FSUID: 754 case AUDIT_LOGINUID: 755 case AUDIT_OBJ_UID: 756 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 757 return 1; 758 break; 759 case AUDIT_GID: 760 case AUDIT_EGID: 761 case AUDIT_SGID: 762 case AUDIT_FSGID: 763 case AUDIT_OBJ_GID: 764 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 765 return 1; 766 break; 767 default: 768 if (a->fields[i].val != b->fields[i].val) 769 return 1; 770 } 771 } 772 773 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 774 if (a->mask[i] != b->mask[i]) 775 return 1; 776 777 return 0; 778 } 779 780 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 781 * re-initialized. */ 782 static inline int audit_dupe_lsm_field(struct audit_field *df, 783 struct audit_field *sf) 784 { 785 int ret = 0; 786 char *lsm_str; 787 788 /* our own copy of lsm_str */ 789 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 790 if (unlikely(!lsm_str)) 791 return -ENOMEM; 792 df->lsm_str = lsm_str; 793 794 /* our own (refreshed) copy of lsm_rule */ 795 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 796 (void **)&df->lsm_rule); 797 /* Keep currently invalid fields around in case they 798 * become valid after a policy reload. */ 799 if (ret == -EINVAL) { 800 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 801 "invalid\n", df->lsm_str); 802 ret = 0; 803 } 804 805 return ret; 806 } 807 808 /* Duplicate an audit rule. This will be a deep copy with the exception 809 * of the watch - that pointer is carried over. The LSM specific fields 810 * will be updated in the copy. The point is to be able to replace the old 811 * rule with the new rule in the filterlist, then free the old rule. 812 * The rlist element is undefined; list manipulations are handled apart from 813 * the initial copy. */ 814 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 815 { 816 u32 fcount = old->field_count; 817 struct audit_entry *entry; 818 struct audit_krule *new; 819 char *fk; 820 int i, err = 0; 821 822 entry = audit_init_entry(fcount); 823 if (unlikely(!entry)) 824 return ERR_PTR(-ENOMEM); 825 826 new = &entry->rule; 827 new->vers_ops = old->vers_ops; 828 new->flags = old->flags; 829 new->listnr = old->listnr; 830 new->action = old->action; 831 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 832 new->mask[i] = old->mask[i]; 833 new->prio = old->prio; 834 new->buflen = old->buflen; 835 new->inode_f = old->inode_f; 836 new->field_count = old->field_count; 837 838 /* 839 * note that we are OK with not refcounting here; audit_match_tree() 840 * never dereferences tree and we can't get false positives there 841 * since we'd have to have rule gone from the list *and* removed 842 * before the chunks found by lookup had been allocated, i.e. before 843 * the beginning of list scan. 844 */ 845 new->tree = old->tree; 846 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 847 848 /* deep copy this information, updating the lsm_rule fields, because 849 * the originals will all be freed when the old rule is freed. */ 850 for (i = 0; i < fcount; i++) { 851 switch (new->fields[i].type) { 852 case AUDIT_SUBJ_USER: 853 case AUDIT_SUBJ_ROLE: 854 case AUDIT_SUBJ_TYPE: 855 case AUDIT_SUBJ_SEN: 856 case AUDIT_SUBJ_CLR: 857 case AUDIT_OBJ_USER: 858 case AUDIT_OBJ_ROLE: 859 case AUDIT_OBJ_TYPE: 860 case AUDIT_OBJ_LEV_LOW: 861 case AUDIT_OBJ_LEV_HIGH: 862 err = audit_dupe_lsm_field(&new->fields[i], 863 &old->fields[i]); 864 break; 865 case AUDIT_FILTERKEY: 866 fk = kstrdup(old->filterkey, GFP_KERNEL); 867 if (unlikely(!fk)) 868 err = -ENOMEM; 869 else 870 new->filterkey = fk; 871 } 872 if (err) { 873 audit_free_rule(entry); 874 return ERR_PTR(err); 875 } 876 } 877 878 if (old->watch) { 879 audit_get_watch(old->watch); 880 new->watch = old->watch; 881 } 882 883 return entry; 884 } 885 886 /* Find an existing audit rule. 887 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 888 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 889 struct list_head **p) 890 { 891 struct audit_entry *e, *found = NULL; 892 struct list_head *list; 893 int h; 894 895 if (entry->rule.inode_f) { 896 h = audit_hash_ino(entry->rule.inode_f->val); 897 *p = list = &audit_inode_hash[h]; 898 } else if (entry->rule.watch) { 899 /* we don't know the inode number, so must walk entire hash */ 900 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 901 list = &audit_inode_hash[h]; 902 list_for_each_entry(e, list, list) 903 if (!audit_compare_rule(&entry->rule, &e->rule)) { 904 found = e; 905 goto out; 906 } 907 } 908 goto out; 909 } else { 910 *p = list = &audit_filter_list[entry->rule.listnr]; 911 } 912 913 list_for_each_entry(e, list, list) 914 if (!audit_compare_rule(&entry->rule, &e->rule)) { 915 found = e; 916 goto out; 917 } 918 919 out: 920 return found; 921 } 922 923 static u64 prio_low = ~0ULL/2; 924 static u64 prio_high = ~0ULL/2 - 1; 925 926 /* Add rule to given filterlist if not a duplicate. */ 927 static inline int audit_add_rule(struct audit_entry *entry) 928 { 929 struct audit_entry *e; 930 struct audit_watch *watch = entry->rule.watch; 931 struct audit_tree *tree = entry->rule.tree; 932 struct list_head *list; 933 int err; 934 #ifdef CONFIG_AUDITSYSCALL 935 int dont_count = 0; 936 937 /* If either of these, don't count towards total */ 938 if (entry->rule.listnr == AUDIT_FILTER_USER || 939 entry->rule.listnr == AUDIT_FILTER_TYPE) 940 dont_count = 1; 941 #endif 942 943 mutex_lock(&audit_filter_mutex); 944 e = audit_find_rule(entry, &list); 945 if (e) { 946 mutex_unlock(&audit_filter_mutex); 947 err = -EEXIST; 948 /* normally audit_add_tree_rule() will free it on failure */ 949 if (tree) 950 audit_put_tree(tree); 951 goto error; 952 } 953 954 if (watch) { 955 /* audit_filter_mutex is dropped and re-taken during this call */ 956 err = audit_add_watch(&entry->rule, &list); 957 if (err) { 958 mutex_unlock(&audit_filter_mutex); 959 goto error; 960 } 961 } 962 if (tree) { 963 err = audit_add_tree_rule(&entry->rule); 964 if (err) { 965 mutex_unlock(&audit_filter_mutex); 966 goto error; 967 } 968 } 969 970 entry->rule.prio = ~0ULL; 971 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 972 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 973 entry->rule.prio = ++prio_high; 974 else 975 entry->rule.prio = --prio_low; 976 } 977 978 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 979 list_add(&entry->rule.list, 980 &audit_rules_list[entry->rule.listnr]); 981 list_add_rcu(&entry->list, list); 982 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 983 } else { 984 list_add_tail(&entry->rule.list, 985 &audit_rules_list[entry->rule.listnr]); 986 list_add_tail_rcu(&entry->list, list); 987 } 988 #ifdef CONFIG_AUDITSYSCALL 989 if (!dont_count) 990 audit_n_rules++; 991 992 if (!audit_match_signal(entry)) 993 audit_signals++; 994 #endif 995 mutex_unlock(&audit_filter_mutex); 996 997 return 0; 998 999 error: 1000 if (watch) 1001 audit_put_watch(watch); /* tmp watch, matches initial get */ 1002 return err; 1003 } 1004 1005 /* Remove an existing rule from filterlist. */ 1006 static inline int audit_del_rule(struct audit_entry *entry) 1007 { 1008 struct audit_entry *e; 1009 struct audit_watch *watch = entry->rule.watch; 1010 struct audit_tree *tree = entry->rule.tree; 1011 struct list_head *list; 1012 int ret = 0; 1013 #ifdef CONFIG_AUDITSYSCALL 1014 int dont_count = 0; 1015 1016 /* If either of these, don't count towards total */ 1017 if (entry->rule.listnr == AUDIT_FILTER_USER || 1018 entry->rule.listnr == AUDIT_FILTER_TYPE) 1019 dont_count = 1; 1020 #endif 1021 1022 mutex_lock(&audit_filter_mutex); 1023 e = audit_find_rule(entry, &list); 1024 if (!e) { 1025 mutex_unlock(&audit_filter_mutex); 1026 ret = -ENOENT; 1027 goto out; 1028 } 1029 1030 if (e->rule.watch) 1031 audit_remove_watch_rule(&e->rule); 1032 1033 if (e->rule.tree) 1034 audit_remove_tree_rule(&e->rule); 1035 1036 list_del_rcu(&e->list); 1037 list_del(&e->rule.list); 1038 call_rcu(&e->rcu, audit_free_rule_rcu); 1039 1040 #ifdef CONFIG_AUDITSYSCALL 1041 if (!dont_count) 1042 audit_n_rules--; 1043 1044 if (!audit_match_signal(entry)) 1045 audit_signals--; 1046 #endif 1047 mutex_unlock(&audit_filter_mutex); 1048 1049 out: 1050 if (watch) 1051 audit_put_watch(watch); /* match initial get */ 1052 if (tree) 1053 audit_put_tree(tree); /* that's the temporary one */ 1054 1055 return ret; 1056 } 1057 1058 /* List rules using struct audit_rule. Exists for backward 1059 * compatibility with userspace. */ 1060 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1061 { 1062 struct sk_buff *skb; 1063 struct audit_krule *r; 1064 int i; 1065 1066 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1067 * iterator to sync with list writers. */ 1068 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1069 list_for_each_entry(r, &audit_rules_list[i], list) { 1070 struct audit_rule *rule; 1071 1072 rule = audit_krule_to_rule(r); 1073 if (unlikely(!rule)) 1074 break; 1075 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1076 rule, sizeof(*rule)); 1077 if (skb) 1078 skb_queue_tail(q, skb); 1079 kfree(rule); 1080 } 1081 } 1082 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1083 if (skb) 1084 skb_queue_tail(q, skb); 1085 } 1086 1087 /* List rules using struct audit_rule_data. */ 1088 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1089 { 1090 struct sk_buff *skb; 1091 struct audit_krule *r; 1092 int i; 1093 1094 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1095 * iterator to sync with list writers. */ 1096 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1097 list_for_each_entry(r, &audit_rules_list[i], list) { 1098 struct audit_rule_data *data; 1099 1100 data = audit_krule_to_data(r); 1101 if (unlikely(!data)) 1102 break; 1103 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1104 data, sizeof(*data) + data->buflen); 1105 if (skb) 1106 skb_queue_tail(q, skb); 1107 kfree(data); 1108 } 1109 } 1110 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1111 if (skb) 1112 skb_queue_tail(q, skb); 1113 } 1114 1115 /* Log rule additions and removals */ 1116 static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid, 1117 char *action, struct audit_krule *rule, 1118 int res) 1119 { 1120 struct audit_buffer *ab; 1121 1122 if (!audit_enabled) 1123 return; 1124 1125 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1126 if (!ab) 1127 return; 1128 audit_log_format(ab, "auid=%u ses=%u", 1129 from_kuid(&init_user_ns, loginuid), sessionid); 1130 if (sid) { 1131 char *ctx = NULL; 1132 u32 len; 1133 if (security_secid_to_secctx(sid, &ctx, &len)) 1134 audit_log_format(ab, " ssid=%u", sid); 1135 else { 1136 audit_log_format(ab, " subj=%s", ctx); 1137 security_release_secctx(ctx, len); 1138 } 1139 } 1140 audit_log_format(ab, " op="); 1141 audit_log_string(ab, action); 1142 audit_log_key(ab, rule->filterkey); 1143 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1144 audit_log_end(ab); 1145 } 1146 1147 /** 1148 * audit_receive_filter - apply all rules to the specified message type 1149 * @type: audit message type 1150 * @pid: target pid for netlink audit messages 1151 * @seq: netlink audit message sequence (serial) number 1152 * @data: payload data 1153 * @datasz: size of payload data 1154 * @loginuid: loginuid of sender 1155 * @sessionid: sessionid for netlink audit message 1156 * @sid: SE Linux Security ID of sender 1157 */ 1158 int audit_receive_filter(int type, int pid, int seq, void *data, 1159 size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid) 1160 { 1161 struct task_struct *tsk; 1162 struct audit_netlink_list *dest; 1163 int err = 0; 1164 struct audit_entry *entry; 1165 1166 switch (type) { 1167 case AUDIT_LIST: 1168 case AUDIT_LIST_RULES: 1169 /* We can't just spew out the rules here because we might fill 1170 * the available socket buffer space and deadlock waiting for 1171 * auditctl to read from it... which isn't ever going to 1172 * happen if we're actually running in the context of auditctl 1173 * trying to _send_ the stuff */ 1174 1175 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1176 if (!dest) 1177 return -ENOMEM; 1178 dest->pid = pid; 1179 skb_queue_head_init(&dest->q); 1180 1181 mutex_lock(&audit_filter_mutex); 1182 if (type == AUDIT_LIST) 1183 audit_list(pid, seq, &dest->q); 1184 else 1185 audit_list_rules(pid, seq, &dest->q); 1186 mutex_unlock(&audit_filter_mutex); 1187 1188 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1189 if (IS_ERR(tsk)) { 1190 skb_queue_purge(&dest->q); 1191 kfree(dest); 1192 err = PTR_ERR(tsk); 1193 } 1194 break; 1195 case AUDIT_ADD: 1196 case AUDIT_ADD_RULE: 1197 if (type == AUDIT_ADD) 1198 entry = audit_rule_to_entry(data); 1199 else 1200 entry = audit_data_to_entry(data, datasz); 1201 if (IS_ERR(entry)) 1202 return PTR_ERR(entry); 1203 1204 err = audit_add_rule(entry); 1205 audit_log_rule_change(loginuid, sessionid, sid, "add rule", 1206 &entry->rule, !err); 1207 1208 if (err) 1209 audit_free_rule(entry); 1210 break; 1211 case AUDIT_DEL: 1212 case AUDIT_DEL_RULE: 1213 if (type == AUDIT_DEL) 1214 entry = audit_rule_to_entry(data); 1215 else 1216 entry = audit_data_to_entry(data, datasz); 1217 if (IS_ERR(entry)) 1218 return PTR_ERR(entry); 1219 1220 err = audit_del_rule(entry); 1221 audit_log_rule_change(loginuid, sessionid, sid, "remove rule", 1222 &entry->rule, !err); 1223 1224 audit_free_rule(entry); 1225 break; 1226 default: 1227 return -EINVAL; 1228 } 1229 1230 return err; 1231 } 1232 1233 int audit_comparator(u32 left, u32 op, u32 right) 1234 { 1235 switch (op) { 1236 case Audit_equal: 1237 return (left == right); 1238 case Audit_not_equal: 1239 return (left != right); 1240 case Audit_lt: 1241 return (left < right); 1242 case Audit_le: 1243 return (left <= right); 1244 case Audit_gt: 1245 return (left > right); 1246 case Audit_ge: 1247 return (left >= right); 1248 case Audit_bitmask: 1249 return (left & right); 1250 case Audit_bittest: 1251 return ((left & right) == right); 1252 default: 1253 BUG(); 1254 return 0; 1255 } 1256 } 1257 1258 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1259 { 1260 switch (op) { 1261 case Audit_equal: 1262 return uid_eq(left, right); 1263 case Audit_not_equal: 1264 return !uid_eq(left, right); 1265 case Audit_lt: 1266 return uid_lt(left, right); 1267 case Audit_le: 1268 return uid_lte(left, right); 1269 case Audit_gt: 1270 return uid_gt(left, right); 1271 case Audit_ge: 1272 return uid_gte(left, right); 1273 case Audit_bitmask: 1274 case Audit_bittest: 1275 default: 1276 BUG(); 1277 return 0; 1278 } 1279 } 1280 1281 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1282 { 1283 switch (op) { 1284 case Audit_equal: 1285 return gid_eq(left, right); 1286 case Audit_not_equal: 1287 return !gid_eq(left, right); 1288 case Audit_lt: 1289 return gid_lt(left, right); 1290 case Audit_le: 1291 return gid_lte(left, right); 1292 case Audit_gt: 1293 return gid_gt(left, right); 1294 case Audit_ge: 1295 return gid_gte(left, right); 1296 case Audit_bitmask: 1297 case Audit_bittest: 1298 default: 1299 BUG(); 1300 return 0; 1301 } 1302 } 1303 1304 /** 1305 * parent_len - find the length of the parent portion of a pathname 1306 * @path: pathname of which to determine length 1307 */ 1308 int parent_len(const char *path) 1309 { 1310 int plen; 1311 const char *p; 1312 1313 plen = strlen(path); 1314 1315 if (plen == 0) 1316 return plen; 1317 1318 /* disregard trailing slashes */ 1319 p = path + plen - 1; 1320 while ((*p == '/') && (p > path)) 1321 p--; 1322 1323 /* walk backward until we find the next slash or hit beginning */ 1324 while ((*p != '/') && (p > path)) 1325 p--; 1326 1327 /* did we find a slash? Then increment to include it in path */ 1328 if (*p == '/') 1329 p++; 1330 1331 return p - path; 1332 } 1333 1334 /** 1335 * audit_compare_dname_path - compare given dentry name with last component in 1336 * given path. Return of 0 indicates a match. 1337 * @dname: dentry name that we're comparing 1338 * @path: full pathname that we're comparing 1339 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1340 * here indicates that we must compute this value. 1341 */ 1342 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1343 { 1344 int dlen, pathlen; 1345 const char *p; 1346 1347 dlen = strlen(dname); 1348 pathlen = strlen(path); 1349 if (pathlen < dlen) 1350 return 1; 1351 1352 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1353 if (pathlen - parentlen != dlen) 1354 return 1; 1355 1356 p = path + parentlen; 1357 1358 return strncmp(p, dname, dlen); 1359 } 1360 1361 static int audit_filter_user_rules(struct audit_krule *rule, 1362 enum audit_state *state) 1363 { 1364 int i; 1365 1366 for (i = 0; i < rule->field_count; i++) { 1367 struct audit_field *f = &rule->fields[i]; 1368 int result = 0; 1369 u32 sid; 1370 1371 switch (f->type) { 1372 case AUDIT_PID: 1373 result = audit_comparator(task_pid_vnr(current), f->op, f->val); 1374 break; 1375 case AUDIT_UID: 1376 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1377 break; 1378 case AUDIT_GID: 1379 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1380 break; 1381 case AUDIT_LOGINUID: 1382 result = audit_uid_comparator(audit_get_loginuid(current), 1383 f->op, f->uid); 1384 break; 1385 case AUDIT_SUBJ_USER: 1386 case AUDIT_SUBJ_ROLE: 1387 case AUDIT_SUBJ_TYPE: 1388 case AUDIT_SUBJ_SEN: 1389 case AUDIT_SUBJ_CLR: 1390 if (f->lsm_rule) { 1391 security_task_getsecid(current, &sid); 1392 result = security_audit_rule_match(sid, 1393 f->type, 1394 f->op, 1395 f->lsm_rule, 1396 NULL); 1397 } 1398 break; 1399 } 1400 1401 if (!result) 1402 return 0; 1403 } 1404 switch (rule->action) { 1405 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1406 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1407 } 1408 return 1; 1409 } 1410 1411 int audit_filter_user(void) 1412 { 1413 enum audit_state state = AUDIT_DISABLED; 1414 struct audit_entry *e; 1415 int ret = 1; 1416 1417 rcu_read_lock(); 1418 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1419 if (audit_filter_user_rules(&e->rule, &state)) { 1420 if (state == AUDIT_DISABLED) 1421 ret = 0; 1422 break; 1423 } 1424 } 1425 rcu_read_unlock(); 1426 1427 return ret; /* Audit by default */ 1428 } 1429 1430 int audit_filter_type(int type) 1431 { 1432 struct audit_entry *e; 1433 int result = 0; 1434 1435 rcu_read_lock(); 1436 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1437 goto unlock_and_return; 1438 1439 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1440 list) { 1441 int i; 1442 for (i = 0; i < e->rule.field_count; i++) { 1443 struct audit_field *f = &e->rule.fields[i]; 1444 if (f->type == AUDIT_MSGTYPE) { 1445 result = audit_comparator(type, f->op, f->val); 1446 if (!result) 1447 break; 1448 } 1449 } 1450 if (result) 1451 goto unlock_and_return; 1452 } 1453 unlock_and_return: 1454 rcu_read_unlock(); 1455 return result; 1456 } 1457 1458 static int update_lsm_rule(struct audit_krule *r) 1459 { 1460 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1461 struct audit_entry *nentry; 1462 int err = 0; 1463 1464 if (!security_audit_rule_known(r)) 1465 return 0; 1466 1467 nentry = audit_dupe_rule(r); 1468 if (IS_ERR(nentry)) { 1469 /* save the first error encountered for the 1470 * return value */ 1471 err = PTR_ERR(nentry); 1472 audit_panic("error updating LSM filters"); 1473 if (r->watch) 1474 list_del(&r->rlist); 1475 list_del_rcu(&entry->list); 1476 list_del(&r->list); 1477 } else { 1478 if (r->watch || r->tree) 1479 list_replace_init(&r->rlist, &nentry->rule.rlist); 1480 list_replace_rcu(&entry->list, &nentry->list); 1481 list_replace(&r->list, &nentry->rule.list); 1482 } 1483 call_rcu(&entry->rcu, audit_free_rule_rcu); 1484 1485 return err; 1486 } 1487 1488 /* This function will re-initialize the lsm_rule field of all applicable rules. 1489 * It will traverse the filter lists serarching for rules that contain LSM 1490 * specific filter fields. When such a rule is found, it is copied, the 1491 * LSM field is re-initialized, and the old rule is replaced with the 1492 * updated rule. */ 1493 int audit_update_lsm_rules(void) 1494 { 1495 struct audit_krule *r, *n; 1496 int i, err = 0; 1497 1498 /* audit_filter_mutex synchronizes the writers */ 1499 mutex_lock(&audit_filter_mutex); 1500 1501 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1502 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1503 int res = update_lsm_rule(r); 1504 if (!err) 1505 err = res; 1506 } 1507 } 1508 mutex_unlock(&audit_filter_mutex); 1509 1510 return err; 1511 } 1512