1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146 } 147 148 static inline void audit_free_rule_rcu(struct rcu_head *head) 149 { 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152 } 153 154 /* Initialize a parent watch entry. */ 155 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156 { 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178 } 179 180 /* Initialize a watch entry. */ 181 static struct audit_watch *audit_init_watch(char *path) 182 { 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196 } 197 198 /* Initialize an audit filterlist entry. */ 199 static inline struct audit_entry *audit_init_entry(u32 field_count) 200 { 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216 } 217 218 /* Unpack a filter field's string representation from user-space 219 * buffer. */ 220 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221 { 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243 } 244 245 /* Translate an inode field to kernel respresentation. */ 246 static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248 { 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255 } 256 257 /* Translate a watch string to kernel respresentation. */ 258 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260 { 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280 } 281 282 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284 int __init audit_register_class(int class, unsigned *list) 285 { 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303 } 304 305 int audit_match_class(int class, unsigned syscall) 306 { 307 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) 308 return 0; 309 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 310 return 0; 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 312 } 313 314 /* Common user-space to kernel rule translation. */ 315 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 316 { 317 unsigned listnr; 318 struct audit_entry *entry; 319 int i, err; 320 321 err = -EINVAL; 322 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 323 switch(listnr) { 324 default: 325 goto exit_err; 326 case AUDIT_FILTER_USER: 327 case AUDIT_FILTER_TYPE: 328 #ifdef CONFIG_AUDITSYSCALL 329 case AUDIT_FILTER_ENTRY: 330 case AUDIT_FILTER_EXIT: 331 case AUDIT_FILTER_TASK: 332 #endif 333 ; 334 } 335 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 336 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 337 goto exit_err; 338 } 339 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 340 goto exit_err; 341 if (rule->field_count > AUDIT_MAX_FIELDS) 342 goto exit_err; 343 344 err = -ENOMEM; 345 entry = audit_init_entry(rule->field_count); 346 if (!entry) 347 goto exit_err; 348 349 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 350 entry->rule.listnr = listnr; 351 entry->rule.action = rule->action; 352 entry->rule.field_count = rule->field_count; 353 354 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 355 entry->rule.mask[i] = rule->mask[i]; 356 357 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 358 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 359 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 360 __u32 *class; 361 362 if (!(*p & AUDIT_BIT(bit))) 363 continue; 364 *p &= ~AUDIT_BIT(bit); 365 class = classes[i]; 366 if (class) { 367 int j; 368 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 369 entry->rule.mask[j] |= class[j]; 370 } 371 } 372 373 return entry; 374 375 exit_err: 376 return ERR_PTR(err); 377 } 378 379 /* Translate struct audit_rule to kernel's rule respresentation. 380 * Exists for backward compatibility with userspace. */ 381 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 382 { 383 struct audit_entry *entry; 384 struct audit_field *f; 385 int err = 0; 386 int i; 387 388 entry = audit_to_entry_common(rule); 389 if (IS_ERR(entry)) 390 goto exit_nofree; 391 392 for (i = 0; i < rule->field_count; i++) { 393 struct audit_field *f = &entry->rule.fields[i]; 394 395 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 396 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 397 f->val = rule->values[i]; 398 399 err = -EINVAL; 400 switch(f->type) { 401 default: 402 goto exit_free; 403 case AUDIT_PID: 404 case AUDIT_UID: 405 case AUDIT_EUID: 406 case AUDIT_SUID: 407 case AUDIT_FSUID: 408 case AUDIT_GID: 409 case AUDIT_EGID: 410 case AUDIT_SGID: 411 case AUDIT_FSGID: 412 case AUDIT_LOGINUID: 413 case AUDIT_PERS: 414 case AUDIT_MSGTYPE: 415 case AUDIT_PPID: 416 case AUDIT_DEVMAJOR: 417 case AUDIT_DEVMINOR: 418 case AUDIT_EXIT: 419 case AUDIT_SUCCESS: 420 case AUDIT_ARG0: 421 case AUDIT_ARG1: 422 case AUDIT_ARG2: 423 case AUDIT_ARG3: 424 break; 425 /* arch is only allowed to be = or != */ 426 case AUDIT_ARCH: 427 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 428 && (f->op != AUDIT_NEGATE) && (f->op)) { 429 err = -EINVAL; 430 goto exit_free; 431 } 432 break; 433 case AUDIT_PERM: 434 if (f->val & ~15) 435 goto exit_free; 436 break; 437 case AUDIT_INODE: 438 err = audit_to_inode(&entry->rule, f); 439 if (err) 440 goto exit_free; 441 break; 442 } 443 444 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 445 446 /* Support for legacy operators where 447 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 448 if (f->op & AUDIT_NEGATE) 449 f->op = AUDIT_NOT_EQUAL; 450 else if (!f->op) 451 f->op = AUDIT_EQUAL; 452 else if (f->op == AUDIT_OPERATORS) { 453 err = -EINVAL; 454 goto exit_free; 455 } 456 } 457 458 f = entry->rule.inode_f; 459 if (f) { 460 switch(f->op) { 461 case AUDIT_NOT_EQUAL: 462 entry->rule.inode_f = NULL; 463 case AUDIT_EQUAL: 464 break; 465 default: 466 err = -EINVAL; 467 goto exit_free; 468 } 469 } 470 471 exit_nofree: 472 return entry; 473 474 exit_free: 475 audit_free_rule(entry); 476 return ERR_PTR(err); 477 } 478 479 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 480 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 481 size_t datasz) 482 { 483 int err = 0; 484 struct audit_entry *entry; 485 struct audit_field *f; 486 void *bufp; 487 size_t remain = datasz - sizeof(struct audit_rule_data); 488 int i; 489 char *str; 490 491 entry = audit_to_entry_common((struct audit_rule *)data); 492 if (IS_ERR(entry)) 493 goto exit_nofree; 494 495 bufp = data->buf; 496 entry->rule.vers_ops = 2; 497 for (i = 0; i < data->field_count; i++) { 498 struct audit_field *f = &entry->rule.fields[i]; 499 500 err = -EINVAL; 501 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 502 data->fieldflags[i] & ~AUDIT_OPERATORS) 503 goto exit_free; 504 505 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 506 f->type = data->fields[i]; 507 f->val = data->values[i]; 508 f->se_str = NULL; 509 f->se_rule = NULL; 510 switch(f->type) { 511 case AUDIT_PID: 512 case AUDIT_UID: 513 case AUDIT_EUID: 514 case AUDIT_SUID: 515 case AUDIT_FSUID: 516 case AUDIT_GID: 517 case AUDIT_EGID: 518 case AUDIT_SGID: 519 case AUDIT_FSGID: 520 case AUDIT_LOGINUID: 521 case AUDIT_PERS: 522 case AUDIT_ARCH: 523 case AUDIT_MSGTYPE: 524 case AUDIT_PPID: 525 case AUDIT_DEVMAJOR: 526 case AUDIT_DEVMINOR: 527 case AUDIT_EXIT: 528 case AUDIT_SUCCESS: 529 case AUDIT_ARG0: 530 case AUDIT_ARG1: 531 case AUDIT_ARG2: 532 case AUDIT_ARG3: 533 break; 534 case AUDIT_SUBJ_USER: 535 case AUDIT_SUBJ_ROLE: 536 case AUDIT_SUBJ_TYPE: 537 case AUDIT_SUBJ_SEN: 538 case AUDIT_SUBJ_CLR: 539 case AUDIT_OBJ_USER: 540 case AUDIT_OBJ_ROLE: 541 case AUDIT_OBJ_TYPE: 542 case AUDIT_OBJ_LEV_LOW: 543 case AUDIT_OBJ_LEV_HIGH: 544 str = audit_unpack_string(&bufp, &remain, f->val); 545 if (IS_ERR(str)) 546 goto exit_free; 547 entry->rule.buflen += f->val; 548 549 err = selinux_audit_rule_init(f->type, f->op, str, 550 &f->se_rule); 551 /* Keep currently invalid fields around in case they 552 * become valid after a policy reload. */ 553 if (err == -EINVAL) { 554 printk(KERN_WARNING "audit rule for selinux " 555 "\'%s\' is invalid\n", str); 556 err = 0; 557 } 558 if (err) { 559 kfree(str); 560 goto exit_free; 561 } else 562 f->se_str = str; 563 break; 564 case AUDIT_WATCH: 565 str = audit_unpack_string(&bufp, &remain, f->val); 566 if (IS_ERR(str)) 567 goto exit_free; 568 entry->rule.buflen += f->val; 569 570 err = audit_to_watch(&entry->rule, str, f->val, f->op); 571 if (err) { 572 kfree(str); 573 goto exit_free; 574 } 575 break; 576 case AUDIT_INODE: 577 err = audit_to_inode(&entry->rule, f); 578 if (err) 579 goto exit_free; 580 break; 581 case AUDIT_FILTERKEY: 582 err = -EINVAL; 583 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 584 goto exit_free; 585 str = audit_unpack_string(&bufp, &remain, f->val); 586 if (IS_ERR(str)) 587 goto exit_free; 588 entry->rule.buflen += f->val; 589 entry->rule.filterkey = str; 590 break; 591 case AUDIT_PERM: 592 if (f->val & ~15) 593 goto exit_free; 594 break; 595 default: 596 goto exit_free; 597 } 598 } 599 600 f = entry->rule.inode_f; 601 if (f) { 602 switch(f->op) { 603 case AUDIT_NOT_EQUAL: 604 entry->rule.inode_f = NULL; 605 case AUDIT_EQUAL: 606 break; 607 default: 608 err = -EINVAL; 609 goto exit_free; 610 } 611 } 612 613 exit_nofree: 614 return entry; 615 616 exit_free: 617 audit_free_rule(entry); 618 return ERR_PTR(err); 619 } 620 621 /* Pack a filter field's string representation into data block. */ 622 static inline size_t audit_pack_string(void **bufp, char *str) 623 { 624 size_t len = strlen(str); 625 626 memcpy(*bufp, str, len); 627 *bufp += len; 628 629 return len; 630 } 631 632 /* Translate kernel rule respresentation to struct audit_rule. 633 * Exists for backward compatibility with userspace. */ 634 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 635 { 636 struct audit_rule *rule; 637 int i; 638 639 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 640 if (unlikely(!rule)) 641 return NULL; 642 643 rule->flags = krule->flags | krule->listnr; 644 rule->action = krule->action; 645 rule->field_count = krule->field_count; 646 for (i = 0; i < rule->field_count; i++) { 647 rule->values[i] = krule->fields[i].val; 648 rule->fields[i] = krule->fields[i].type; 649 650 if (krule->vers_ops == 1) { 651 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 652 rule->fields[i] |= AUDIT_NEGATE; 653 } else { 654 rule->fields[i] |= krule->fields[i].op; 655 } 656 } 657 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 658 659 return rule; 660 } 661 662 /* Translate kernel rule respresentation to struct audit_rule_data. */ 663 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 664 { 665 struct audit_rule_data *data; 666 void *bufp; 667 int i; 668 669 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 670 if (unlikely(!data)) 671 return NULL; 672 memset(data, 0, sizeof(*data)); 673 674 data->flags = krule->flags | krule->listnr; 675 data->action = krule->action; 676 data->field_count = krule->field_count; 677 bufp = data->buf; 678 for (i = 0; i < data->field_count; i++) { 679 struct audit_field *f = &krule->fields[i]; 680 681 data->fields[i] = f->type; 682 data->fieldflags[i] = f->op; 683 switch(f->type) { 684 case AUDIT_SUBJ_USER: 685 case AUDIT_SUBJ_ROLE: 686 case AUDIT_SUBJ_TYPE: 687 case AUDIT_SUBJ_SEN: 688 case AUDIT_SUBJ_CLR: 689 case AUDIT_OBJ_USER: 690 case AUDIT_OBJ_ROLE: 691 case AUDIT_OBJ_TYPE: 692 case AUDIT_OBJ_LEV_LOW: 693 case AUDIT_OBJ_LEV_HIGH: 694 data->buflen += data->values[i] = 695 audit_pack_string(&bufp, f->se_str); 696 break; 697 case AUDIT_WATCH: 698 data->buflen += data->values[i] = 699 audit_pack_string(&bufp, krule->watch->path); 700 break; 701 case AUDIT_FILTERKEY: 702 data->buflen += data->values[i] = 703 audit_pack_string(&bufp, krule->filterkey); 704 break; 705 default: 706 data->values[i] = f->val; 707 } 708 } 709 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 710 711 return data; 712 } 713 714 /* Compare two rules in kernel format. Considered success if rules 715 * don't match. */ 716 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 717 { 718 int i; 719 720 if (a->flags != b->flags || 721 a->listnr != b->listnr || 722 a->action != b->action || 723 a->field_count != b->field_count) 724 return 1; 725 726 for (i = 0; i < a->field_count; i++) { 727 if (a->fields[i].type != b->fields[i].type || 728 a->fields[i].op != b->fields[i].op) 729 return 1; 730 731 switch(a->fields[i].type) { 732 case AUDIT_SUBJ_USER: 733 case AUDIT_SUBJ_ROLE: 734 case AUDIT_SUBJ_TYPE: 735 case AUDIT_SUBJ_SEN: 736 case AUDIT_SUBJ_CLR: 737 case AUDIT_OBJ_USER: 738 case AUDIT_OBJ_ROLE: 739 case AUDIT_OBJ_TYPE: 740 case AUDIT_OBJ_LEV_LOW: 741 case AUDIT_OBJ_LEV_HIGH: 742 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 743 return 1; 744 break; 745 case AUDIT_WATCH: 746 if (strcmp(a->watch->path, b->watch->path)) 747 return 1; 748 break; 749 case AUDIT_FILTERKEY: 750 /* both filterkeys exist based on above type compare */ 751 if (strcmp(a->filterkey, b->filterkey)) 752 return 1; 753 break; 754 default: 755 if (a->fields[i].val != b->fields[i].val) 756 return 1; 757 } 758 } 759 760 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 761 if (a->mask[i] != b->mask[i]) 762 return 1; 763 764 return 0; 765 } 766 767 /* Duplicate the given audit watch. The new watch's rules list is initialized 768 * to an empty list and wlist is undefined. */ 769 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 770 { 771 char *path; 772 struct audit_watch *new; 773 774 path = kstrdup(old->path, GFP_KERNEL); 775 if (unlikely(!path)) 776 return ERR_PTR(-ENOMEM); 777 778 new = audit_init_watch(path); 779 if (unlikely(IS_ERR(new))) { 780 kfree(path); 781 goto out; 782 } 783 784 new->dev = old->dev; 785 new->ino = old->ino; 786 get_inotify_watch(&old->parent->wdata); 787 new->parent = old->parent; 788 789 out: 790 return new; 791 } 792 793 /* Duplicate selinux field information. The se_rule is opaque, so must be 794 * re-initialized. */ 795 static inline int audit_dupe_selinux_field(struct audit_field *df, 796 struct audit_field *sf) 797 { 798 int ret = 0; 799 char *se_str; 800 801 /* our own copy of se_str */ 802 se_str = kstrdup(sf->se_str, GFP_KERNEL); 803 if (unlikely(!se_str)) 804 return -ENOMEM; 805 df->se_str = se_str; 806 807 /* our own (refreshed) copy of se_rule */ 808 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 809 &df->se_rule); 810 /* Keep currently invalid fields around in case they 811 * become valid after a policy reload. */ 812 if (ret == -EINVAL) { 813 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 814 "invalid\n", df->se_str); 815 ret = 0; 816 } 817 818 return ret; 819 } 820 821 /* Duplicate an audit rule. This will be a deep copy with the exception 822 * of the watch - that pointer is carried over. The selinux specific fields 823 * will be updated in the copy. The point is to be able to replace the old 824 * rule with the new rule in the filterlist, then free the old rule. 825 * The rlist element is undefined; list manipulations are handled apart from 826 * the initial copy. */ 827 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 828 struct audit_watch *watch) 829 { 830 u32 fcount = old->field_count; 831 struct audit_entry *entry; 832 struct audit_krule *new; 833 char *fk; 834 int i, err = 0; 835 836 entry = audit_init_entry(fcount); 837 if (unlikely(!entry)) 838 return ERR_PTR(-ENOMEM); 839 840 new = &entry->rule; 841 new->vers_ops = old->vers_ops; 842 new->flags = old->flags; 843 new->listnr = old->listnr; 844 new->action = old->action; 845 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 846 new->mask[i] = old->mask[i]; 847 new->buflen = old->buflen; 848 new->inode_f = old->inode_f; 849 new->watch = NULL; 850 new->field_count = old->field_count; 851 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 852 853 /* deep copy this information, updating the se_rule fields, because 854 * the originals will all be freed when the old rule is freed. */ 855 for (i = 0; i < fcount; i++) { 856 switch (new->fields[i].type) { 857 case AUDIT_SUBJ_USER: 858 case AUDIT_SUBJ_ROLE: 859 case AUDIT_SUBJ_TYPE: 860 case AUDIT_SUBJ_SEN: 861 case AUDIT_SUBJ_CLR: 862 case AUDIT_OBJ_USER: 863 case AUDIT_OBJ_ROLE: 864 case AUDIT_OBJ_TYPE: 865 case AUDIT_OBJ_LEV_LOW: 866 case AUDIT_OBJ_LEV_HIGH: 867 err = audit_dupe_selinux_field(&new->fields[i], 868 &old->fields[i]); 869 break; 870 case AUDIT_FILTERKEY: 871 fk = kstrdup(old->filterkey, GFP_KERNEL); 872 if (unlikely(!fk)) 873 err = -ENOMEM; 874 else 875 new->filterkey = fk; 876 } 877 if (err) { 878 audit_free_rule(entry); 879 return ERR_PTR(err); 880 } 881 } 882 883 if (watch) { 884 audit_get_watch(watch); 885 new->watch = watch; 886 } 887 888 return entry; 889 } 890 891 /* Update inode info in audit rules based on filesystem event. */ 892 static void audit_update_watch(struct audit_parent *parent, 893 const char *dname, dev_t dev, 894 unsigned long ino, unsigned invalidating) 895 { 896 struct audit_watch *owatch, *nwatch, *nextw; 897 struct audit_krule *r, *nextr; 898 struct audit_entry *oentry, *nentry; 899 struct audit_buffer *ab; 900 901 mutex_lock(&audit_filter_mutex); 902 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 903 if (audit_compare_dname_path(dname, owatch->path, NULL)) 904 continue; 905 906 /* If the update involves invalidating rules, do the inode-based 907 * filtering now, so we don't omit records. */ 908 if (invalidating && 909 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 910 audit_set_auditable(current->audit_context); 911 912 nwatch = audit_dupe_watch(owatch); 913 if (unlikely(IS_ERR(nwatch))) { 914 mutex_unlock(&audit_filter_mutex); 915 audit_panic("error updating watch, skipping"); 916 return; 917 } 918 nwatch->dev = dev; 919 nwatch->ino = ino; 920 921 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 922 923 oentry = container_of(r, struct audit_entry, rule); 924 list_del(&oentry->rule.rlist); 925 list_del_rcu(&oentry->list); 926 927 nentry = audit_dupe_rule(&oentry->rule, nwatch); 928 if (unlikely(IS_ERR(nentry))) 929 audit_panic("error updating watch, removing"); 930 else { 931 int h = audit_hash_ino((u32)ino); 932 list_add(&nentry->rule.rlist, &nwatch->rules); 933 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 934 } 935 936 call_rcu(&oentry->rcu, audit_free_rule_rcu); 937 } 938 939 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 940 audit_log_format(ab, "op=updated rules specifying path="); 941 audit_log_untrustedstring(ab, owatch->path); 942 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 943 audit_log_format(ab, " list=%d res=1", r->listnr); 944 audit_log_end(ab); 945 946 audit_remove_watch(owatch); 947 goto add_watch_to_parent; /* event applies to a single watch */ 948 } 949 mutex_unlock(&audit_filter_mutex); 950 return; 951 952 add_watch_to_parent: 953 list_add(&nwatch->wlist, &parent->watches); 954 mutex_unlock(&audit_filter_mutex); 955 return; 956 } 957 958 /* Remove all watches & rules associated with a parent that is going away. */ 959 static void audit_remove_parent_watches(struct audit_parent *parent) 960 { 961 struct audit_watch *w, *nextw; 962 struct audit_krule *r, *nextr; 963 struct audit_entry *e; 964 struct audit_buffer *ab; 965 966 mutex_lock(&audit_filter_mutex); 967 parent->flags |= AUDIT_PARENT_INVALID; 968 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 969 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 970 e = container_of(r, struct audit_entry, rule); 971 972 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 973 audit_log_format(ab, "op=remove rule path="); 974 audit_log_untrustedstring(ab, w->path); 975 if (r->filterkey) { 976 audit_log_format(ab, " key="); 977 audit_log_untrustedstring(ab, r->filterkey); 978 } else 979 audit_log_format(ab, " key=(null)"); 980 audit_log_format(ab, " list=%d res=1", r->listnr); 981 audit_log_end(ab); 982 983 list_del(&r->rlist); 984 list_del_rcu(&e->list); 985 call_rcu(&e->rcu, audit_free_rule_rcu); 986 } 987 audit_remove_watch(w); 988 } 989 mutex_unlock(&audit_filter_mutex); 990 } 991 992 /* Unregister inotify watches for parents on in_list. 993 * Generates an IN_IGNORED event. */ 994 static void audit_inotify_unregister(struct list_head *in_list) 995 { 996 struct audit_parent *p, *n; 997 998 list_for_each_entry_safe(p, n, in_list, ilist) { 999 list_del(&p->ilist); 1000 inotify_rm_watch(audit_ih, &p->wdata); 1001 /* the put matching the get in audit_do_del_rule() */ 1002 put_inotify_watch(&p->wdata); 1003 } 1004 } 1005 1006 /* Find an existing audit rule. 1007 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1008 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1009 struct list_head *list) 1010 { 1011 struct audit_entry *e, *found = NULL; 1012 int h; 1013 1014 if (entry->rule.watch) { 1015 /* we don't know the inode number, so must walk entire hash */ 1016 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1017 list = &audit_inode_hash[h]; 1018 list_for_each_entry(e, list, list) 1019 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1020 found = e; 1021 goto out; 1022 } 1023 } 1024 goto out; 1025 } 1026 1027 list_for_each_entry(e, list, list) 1028 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1029 found = e; 1030 goto out; 1031 } 1032 1033 out: 1034 return found; 1035 } 1036 1037 /* Get path information necessary for adding watches. */ 1038 static int audit_get_nd(char *path, struct nameidata **ndp, 1039 struct nameidata **ndw) 1040 { 1041 struct nameidata *ndparent, *ndwatch; 1042 int err; 1043 1044 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1045 if (unlikely(!ndparent)) 1046 return -ENOMEM; 1047 1048 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1049 if (unlikely(!ndwatch)) { 1050 kfree(ndparent); 1051 return -ENOMEM; 1052 } 1053 1054 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1055 if (err) { 1056 kfree(ndparent); 1057 kfree(ndwatch); 1058 return err; 1059 } 1060 1061 err = path_lookup(path, 0, ndwatch); 1062 if (err) { 1063 kfree(ndwatch); 1064 ndwatch = NULL; 1065 } 1066 1067 *ndp = ndparent; 1068 *ndw = ndwatch; 1069 1070 return 0; 1071 } 1072 1073 /* Release resources used for watch path information. */ 1074 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1075 { 1076 if (ndp) { 1077 path_release(ndp); 1078 kfree(ndp); 1079 } 1080 if (ndw) { 1081 path_release(ndw); 1082 kfree(ndw); 1083 } 1084 } 1085 1086 /* Associate the given rule with an existing parent inotify_watch. 1087 * Caller must hold audit_filter_mutex. */ 1088 static void audit_add_to_parent(struct audit_krule *krule, 1089 struct audit_parent *parent) 1090 { 1091 struct audit_watch *w, *watch = krule->watch; 1092 int watch_found = 0; 1093 1094 list_for_each_entry(w, &parent->watches, wlist) { 1095 if (strcmp(watch->path, w->path)) 1096 continue; 1097 1098 watch_found = 1; 1099 1100 /* put krule's and initial refs to temporary watch */ 1101 audit_put_watch(watch); 1102 audit_put_watch(watch); 1103 1104 audit_get_watch(w); 1105 krule->watch = watch = w; 1106 break; 1107 } 1108 1109 if (!watch_found) { 1110 get_inotify_watch(&parent->wdata); 1111 watch->parent = parent; 1112 1113 list_add(&watch->wlist, &parent->watches); 1114 } 1115 list_add(&krule->rlist, &watch->rules); 1116 } 1117 1118 /* Find a matching watch entry, or add this one. 1119 * Caller must hold audit_filter_mutex. */ 1120 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1121 struct nameidata *ndw) 1122 { 1123 struct audit_watch *watch = krule->watch; 1124 struct inotify_watch *i_watch; 1125 struct audit_parent *parent; 1126 int ret = 0; 1127 1128 /* update watch filter fields */ 1129 if (ndw) { 1130 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1131 watch->ino = ndw->dentry->d_inode->i_ino; 1132 } 1133 1134 /* The audit_filter_mutex must not be held during inotify calls because 1135 * we hold it during inotify event callback processing. If an existing 1136 * inotify watch is found, inotify_find_watch() grabs a reference before 1137 * returning. 1138 */ 1139 mutex_unlock(&audit_filter_mutex); 1140 1141 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1142 parent = audit_init_parent(ndp); 1143 if (IS_ERR(parent)) { 1144 /* caller expects mutex locked */ 1145 mutex_lock(&audit_filter_mutex); 1146 return PTR_ERR(parent); 1147 } 1148 } else 1149 parent = container_of(i_watch, struct audit_parent, wdata); 1150 1151 mutex_lock(&audit_filter_mutex); 1152 1153 /* parent was moved before we took audit_filter_mutex */ 1154 if (parent->flags & AUDIT_PARENT_INVALID) 1155 ret = -ENOENT; 1156 else 1157 audit_add_to_parent(krule, parent); 1158 1159 /* match get in audit_init_parent or inotify_find_watch */ 1160 put_inotify_watch(&parent->wdata); 1161 return ret; 1162 } 1163 1164 /* Add rule to given filterlist if not a duplicate. */ 1165 static inline int audit_add_rule(struct audit_entry *entry, 1166 struct list_head *list) 1167 { 1168 struct audit_entry *e; 1169 struct audit_field *inode_f = entry->rule.inode_f; 1170 struct audit_watch *watch = entry->rule.watch; 1171 struct nameidata *ndp, *ndw; 1172 int h, err, putnd_needed = 0; 1173 #ifdef CONFIG_AUDITSYSCALL 1174 int dont_count = 0; 1175 1176 /* If either of these, don't count towards total */ 1177 if (entry->rule.listnr == AUDIT_FILTER_USER || 1178 entry->rule.listnr == AUDIT_FILTER_TYPE) 1179 dont_count = 1; 1180 #endif 1181 1182 if (inode_f) { 1183 h = audit_hash_ino(inode_f->val); 1184 list = &audit_inode_hash[h]; 1185 } 1186 1187 mutex_lock(&audit_filter_mutex); 1188 e = audit_find_rule(entry, list); 1189 mutex_unlock(&audit_filter_mutex); 1190 if (e) { 1191 err = -EEXIST; 1192 goto error; 1193 } 1194 1195 /* Avoid calling path_lookup under audit_filter_mutex. */ 1196 if (watch) { 1197 err = audit_get_nd(watch->path, &ndp, &ndw); 1198 if (err) 1199 goto error; 1200 putnd_needed = 1; 1201 } 1202 1203 mutex_lock(&audit_filter_mutex); 1204 if (watch) { 1205 /* audit_filter_mutex is dropped and re-taken during this call */ 1206 err = audit_add_watch(&entry->rule, ndp, ndw); 1207 if (err) { 1208 mutex_unlock(&audit_filter_mutex); 1209 goto error; 1210 } 1211 h = audit_hash_ino((u32)watch->ino); 1212 list = &audit_inode_hash[h]; 1213 } 1214 1215 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1216 list_add_rcu(&entry->list, list); 1217 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1218 } else { 1219 list_add_tail_rcu(&entry->list, list); 1220 } 1221 #ifdef CONFIG_AUDITSYSCALL 1222 if (!dont_count) 1223 audit_n_rules++; 1224 #endif 1225 mutex_unlock(&audit_filter_mutex); 1226 1227 if (putnd_needed) 1228 audit_put_nd(ndp, ndw); 1229 1230 return 0; 1231 1232 error: 1233 if (putnd_needed) 1234 audit_put_nd(ndp, ndw); 1235 if (watch) 1236 audit_put_watch(watch); /* tmp watch, matches initial get */ 1237 return err; 1238 } 1239 1240 /* Remove an existing rule from filterlist. */ 1241 static inline int audit_del_rule(struct audit_entry *entry, 1242 struct list_head *list) 1243 { 1244 struct audit_entry *e; 1245 struct audit_field *inode_f = entry->rule.inode_f; 1246 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1247 LIST_HEAD(inotify_list); 1248 int h, ret = 0; 1249 #ifdef CONFIG_AUDITSYSCALL 1250 int dont_count = 0; 1251 1252 /* If either of these, don't count towards total */ 1253 if (entry->rule.listnr == AUDIT_FILTER_USER || 1254 entry->rule.listnr == AUDIT_FILTER_TYPE) 1255 dont_count = 1; 1256 #endif 1257 1258 if (inode_f) { 1259 h = audit_hash_ino(inode_f->val); 1260 list = &audit_inode_hash[h]; 1261 } 1262 1263 mutex_lock(&audit_filter_mutex); 1264 e = audit_find_rule(entry, list); 1265 if (!e) { 1266 mutex_unlock(&audit_filter_mutex); 1267 ret = -ENOENT; 1268 goto out; 1269 } 1270 1271 watch = e->rule.watch; 1272 if (watch) { 1273 struct audit_parent *parent = watch->parent; 1274 1275 list_del(&e->rule.rlist); 1276 1277 if (list_empty(&watch->rules)) { 1278 audit_remove_watch(watch); 1279 1280 if (list_empty(&parent->watches)) { 1281 /* Put parent on the inotify un-registration 1282 * list. Grab a reference before releasing 1283 * audit_filter_mutex, to be released in 1284 * audit_inotify_unregister(). */ 1285 list_add(&parent->ilist, &inotify_list); 1286 get_inotify_watch(&parent->wdata); 1287 } 1288 } 1289 } 1290 1291 list_del_rcu(&e->list); 1292 call_rcu(&e->rcu, audit_free_rule_rcu); 1293 1294 #ifdef CONFIG_AUDITSYSCALL 1295 if (!dont_count) 1296 audit_n_rules--; 1297 #endif 1298 mutex_unlock(&audit_filter_mutex); 1299 1300 if (!list_empty(&inotify_list)) 1301 audit_inotify_unregister(&inotify_list); 1302 1303 out: 1304 if (tmp_watch) 1305 audit_put_watch(tmp_watch); /* match initial get */ 1306 1307 return ret; 1308 } 1309 1310 /* List rules using struct audit_rule. Exists for backward 1311 * compatibility with userspace. */ 1312 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1313 { 1314 struct sk_buff *skb; 1315 struct audit_entry *entry; 1316 int i; 1317 1318 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1319 * iterator to sync with list writers. */ 1320 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1321 list_for_each_entry(entry, &audit_filter_list[i], list) { 1322 struct audit_rule *rule; 1323 1324 rule = audit_krule_to_rule(&entry->rule); 1325 if (unlikely(!rule)) 1326 break; 1327 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1328 rule, sizeof(*rule)); 1329 if (skb) 1330 skb_queue_tail(q, skb); 1331 kfree(rule); 1332 } 1333 } 1334 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1335 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1336 struct audit_rule *rule; 1337 1338 rule = audit_krule_to_rule(&entry->rule); 1339 if (unlikely(!rule)) 1340 break; 1341 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1342 rule, sizeof(*rule)); 1343 if (skb) 1344 skb_queue_tail(q, skb); 1345 kfree(rule); 1346 } 1347 } 1348 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1349 if (skb) 1350 skb_queue_tail(q, skb); 1351 } 1352 1353 /* List rules using struct audit_rule_data. */ 1354 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1355 { 1356 struct sk_buff *skb; 1357 struct audit_entry *e; 1358 int i; 1359 1360 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1361 * iterator to sync with list writers. */ 1362 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1363 list_for_each_entry(e, &audit_filter_list[i], list) { 1364 struct audit_rule_data *data; 1365 1366 data = audit_krule_to_data(&e->rule); 1367 if (unlikely(!data)) 1368 break; 1369 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1370 data, sizeof(*data) + data->buflen); 1371 if (skb) 1372 skb_queue_tail(q, skb); 1373 kfree(data); 1374 } 1375 } 1376 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1377 list_for_each_entry(e, &audit_inode_hash[i], list) { 1378 struct audit_rule_data *data; 1379 1380 data = audit_krule_to_data(&e->rule); 1381 if (unlikely(!data)) 1382 break; 1383 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1384 data, sizeof(*data) + data->buflen); 1385 if (skb) 1386 skb_queue_tail(q, skb); 1387 kfree(data); 1388 } 1389 } 1390 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1391 if (skb) 1392 skb_queue_tail(q, skb); 1393 } 1394 1395 /* Log rule additions and removals */ 1396 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1397 struct audit_krule *rule, int res) 1398 { 1399 struct audit_buffer *ab; 1400 1401 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1402 if (!ab) 1403 return; 1404 audit_log_format(ab, "auid=%u", loginuid); 1405 if (sid) { 1406 char *ctx = NULL; 1407 u32 len; 1408 if (selinux_sid_to_string(sid, &ctx, &len)) 1409 audit_log_format(ab, " ssid=%u", sid); 1410 else 1411 audit_log_format(ab, " subj=%s", ctx); 1412 kfree(ctx); 1413 } 1414 audit_log_format(ab, " op=%s rule key=", action); 1415 if (rule->filterkey) 1416 audit_log_untrustedstring(ab, rule->filterkey); 1417 else 1418 audit_log_format(ab, "(null)"); 1419 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1420 audit_log_end(ab); 1421 } 1422 1423 /** 1424 * audit_receive_filter - apply all rules to the specified message type 1425 * @type: audit message type 1426 * @pid: target pid for netlink audit messages 1427 * @uid: target uid for netlink audit messages 1428 * @seq: netlink audit message sequence (serial) number 1429 * @data: payload data 1430 * @datasz: size of payload data 1431 * @loginuid: loginuid of sender 1432 * @sid: SE Linux Security ID of sender 1433 */ 1434 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1435 size_t datasz, uid_t loginuid, u32 sid) 1436 { 1437 struct task_struct *tsk; 1438 struct audit_netlink_list *dest; 1439 int err = 0; 1440 struct audit_entry *entry; 1441 1442 switch (type) { 1443 case AUDIT_LIST: 1444 case AUDIT_LIST_RULES: 1445 /* We can't just spew out the rules here because we might fill 1446 * the available socket buffer space and deadlock waiting for 1447 * auditctl to read from it... which isn't ever going to 1448 * happen if we're actually running in the context of auditctl 1449 * trying to _send_ the stuff */ 1450 1451 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1452 if (!dest) 1453 return -ENOMEM; 1454 dest->pid = pid; 1455 skb_queue_head_init(&dest->q); 1456 1457 mutex_lock(&audit_filter_mutex); 1458 if (type == AUDIT_LIST) 1459 audit_list(pid, seq, &dest->q); 1460 else 1461 audit_list_rules(pid, seq, &dest->q); 1462 mutex_unlock(&audit_filter_mutex); 1463 1464 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1465 if (IS_ERR(tsk)) { 1466 skb_queue_purge(&dest->q); 1467 kfree(dest); 1468 err = PTR_ERR(tsk); 1469 } 1470 break; 1471 case AUDIT_ADD: 1472 case AUDIT_ADD_RULE: 1473 if (type == AUDIT_ADD) 1474 entry = audit_rule_to_entry(data); 1475 else 1476 entry = audit_data_to_entry(data, datasz); 1477 if (IS_ERR(entry)) 1478 return PTR_ERR(entry); 1479 1480 err = audit_add_rule(entry, 1481 &audit_filter_list[entry->rule.listnr]); 1482 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1483 1484 if (err) 1485 audit_free_rule(entry); 1486 break; 1487 case AUDIT_DEL: 1488 case AUDIT_DEL_RULE: 1489 if (type == AUDIT_DEL) 1490 entry = audit_rule_to_entry(data); 1491 else 1492 entry = audit_data_to_entry(data, datasz); 1493 if (IS_ERR(entry)) 1494 return PTR_ERR(entry); 1495 1496 err = audit_del_rule(entry, 1497 &audit_filter_list[entry->rule.listnr]); 1498 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1499 !err); 1500 1501 audit_free_rule(entry); 1502 break; 1503 default: 1504 return -EINVAL; 1505 } 1506 1507 return err; 1508 } 1509 1510 int audit_comparator(const u32 left, const u32 op, const u32 right) 1511 { 1512 switch (op) { 1513 case AUDIT_EQUAL: 1514 return (left == right); 1515 case AUDIT_NOT_EQUAL: 1516 return (left != right); 1517 case AUDIT_LESS_THAN: 1518 return (left < right); 1519 case AUDIT_LESS_THAN_OR_EQUAL: 1520 return (left <= right); 1521 case AUDIT_GREATER_THAN: 1522 return (left > right); 1523 case AUDIT_GREATER_THAN_OR_EQUAL: 1524 return (left >= right); 1525 } 1526 BUG(); 1527 return 0; 1528 } 1529 1530 /* Compare given dentry name with last component in given path, 1531 * return of 0 indicates a match. */ 1532 int audit_compare_dname_path(const char *dname, const char *path, 1533 int *dirlen) 1534 { 1535 int dlen, plen; 1536 const char *p; 1537 1538 if (!dname || !path) 1539 return 1; 1540 1541 dlen = strlen(dname); 1542 plen = strlen(path); 1543 if (plen < dlen) 1544 return 1; 1545 1546 /* disregard trailing slashes */ 1547 p = path + plen - 1; 1548 while ((*p == '/') && (p > path)) 1549 p--; 1550 1551 /* find last path component */ 1552 p = p - dlen + 1; 1553 if (p < path) 1554 return 1; 1555 else if (p > path) { 1556 if (*--p != '/') 1557 return 1; 1558 else 1559 p++; 1560 } 1561 1562 /* return length of path's directory component */ 1563 if (dirlen) 1564 *dirlen = p - path; 1565 return strncmp(p, dname, dlen); 1566 } 1567 1568 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1569 struct audit_krule *rule, 1570 enum audit_state *state) 1571 { 1572 int i; 1573 1574 for (i = 0; i < rule->field_count; i++) { 1575 struct audit_field *f = &rule->fields[i]; 1576 int result = 0; 1577 1578 switch (f->type) { 1579 case AUDIT_PID: 1580 result = audit_comparator(cb->creds.pid, f->op, f->val); 1581 break; 1582 case AUDIT_UID: 1583 result = audit_comparator(cb->creds.uid, f->op, f->val); 1584 break; 1585 case AUDIT_GID: 1586 result = audit_comparator(cb->creds.gid, f->op, f->val); 1587 break; 1588 case AUDIT_LOGINUID: 1589 result = audit_comparator(cb->loginuid, f->op, f->val); 1590 break; 1591 } 1592 1593 if (!result) 1594 return 0; 1595 } 1596 switch (rule->action) { 1597 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1598 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1599 } 1600 return 1; 1601 } 1602 1603 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1604 { 1605 enum audit_state state = AUDIT_DISABLED; 1606 struct audit_entry *e; 1607 int ret = 1; 1608 1609 rcu_read_lock(); 1610 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1611 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1612 if (state == AUDIT_DISABLED) 1613 ret = 0; 1614 break; 1615 } 1616 } 1617 rcu_read_unlock(); 1618 1619 return ret; /* Audit by default */ 1620 } 1621 1622 int audit_filter_type(int type) 1623 { 1624 struct audit_entry *e; 1625 int result = 0; 1626 1627 rcu_read_lock(); 1628 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1629 goto unlock_and_return; 1630 1631 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1632 list) { 1633 int i; 1634 for (i = 0; i < e->rule.field_count; i++) { 1635 struct audit_field *f = &e->rule.fields[i]; 1636 if (f->type == AUDIT_MSGTYPE) { 1637 result = audit_comparator(type, f->op, f->val); 1638 if (!result) 1639 break; 1640 } 1641 } 1642 if (result) 1643 goto unlock_and_return; 1644 } 1645 unlock_and_return: 1646 rcu_read_unlock(); 1647 return result; 1648 } 1649 1650 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1651 are selinux fields specified in the rule, 0 otherwise. */ 1652 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1653 { 1654 int i; 1655 1656 for (i = 0; i < rule->field_count; i++) { 1657 struct audit_field *f = &rule->fields[i]; 1658 switch (f->type) { 1659 case AUDIT_SUBJ_USER: 1660 case AUDIT_SUBJ_ROLE: 1661 case AUDIT_SUBJ_TYPE: 1662 case AUDIT_SUBJ_SEN: 1663 case AUDIT_SUBJ_CLR: 1664 case AUDIT_OBJ_USER: 1665 case AUDIT_OBJ_ROLE: 1666 case AUDIT_OBJ_TYPE: 1667 case AUDIT_OBJ_LEV_LOW: 1668 case AUDIT_OBJ_LEV_HIGH: 1669 return 1; 1670 } 1671 } 1672 1673 return 0; 1674 } 1675 1676 /* This function will re-initialize the se_rule field of all applicable rules. 1677 * It will traverse the filter lists serarching for rules that contain selinux 1678 * specific filter fields. When such a rule is found, it is copied, the 1679 * selinux field is re-initialized, and the old rule is replaced with the 1680 * updated rule. */ 1681 int selinux_audit_rule_update(void) 1682 { 1683 struct audit_entry *entry, *n, *nentry; 1684 struct audit_watch *watch; 1685 int i, err = 0; 1686 1687 /* audit_filter_mutex synchronizes the writers */ 1688 mutex_lock(&audit_filter_mutex); 1689 1690 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1691 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1692 if (!audit_rule_has_selinux(&entry->rule)) 1693 continue; 1694 1695 watch = entry->rule.watch; 1696 nentry = audit_dupe_rule(&entry->rule, watch); 1697 if (unlikely(IS_ERR(nentry))) { 1698 /* save the first error encountered for the 1699 * return value */ 1700 if (!err) 1701 err = PTR_ERR(nentry); 1702 audit_panic("error updating selinux filters"); 1703 if (watch) 1704 list_del(&entry->rule.rlist); 1705 list_del_rcu(&entry->list); 1706 } else { 1707 if (watch) { 1708 list_add(&nentry->rule.rlist, 1709 &watch->rules); 1710 list_del(&entry->rule.rlist); 1711 } 1712 list_replace_rcu(&entry->list, &nentry->list); 1713 } 1714 call_rcu(&entry->rcu, audit_free_rule_rcu); 1715 } 1716 } 1717 1718 mutex_unlock(&audit_filter_mutex); 1719 1720 return err; 1721 } 1722 1723 /* Update watch data in audit rules based on inotify events. */ 1724 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1725 u32 cookie, const char *dname, struct inode *inode) 1726 { 1727 struct audit_parent *parent; 1728 1729 parent = container_of(i_watch, struct audit_parent, wdata); 1730 1731 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1732 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1733 inode->i_ino, 0); 1734 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1735 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1736 /* inotify automatically removes the watch and sends IN_IGNORED */ 1737 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1738 audit_remove_parent_watches(parent); 1739 /* inotify does not remove the watch, so remove it manually */ 1740 else if(mask & IN_MOVE_SELF) { 1741 audit_remove_parent_watches(parent); 1742 inotify_remove_watch_locked(audit_ih, i_watch); 1743 } else if (mask & IN_IGNORED) 1744 put_inotify_watch(i_watch); 1745 } 1746