1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146 } 147 148 static inline void audit_free_rule_rcu(struct rcu_head *head) 149 { 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152 } 153 154 /* Initialize a parent watch entry. */ 155 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156 { 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178 } 179 180 /* Initialize a watch entry. */ 181 static struct audit_watch *audit_init_watch(char *path) 182 { 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196 } 197 198 /* Initialize an audit filterlist entry. */ 199 static inline struct audit_entry *audit_init_entry(u32 field_count) 200 { 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216 } 217 218 /* Unpack a filter field's string representation from user-space 219 * buffer. */ 220 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221 { 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243 } 244 245 /* Translate an inode field to kernel respresentation. */ 246 static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248 { 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255 } 256 257 /* Translate a watch string to kernel respresentation. */ 258 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260 { 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280 } 281 282 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284 int __init audit_register_class(int class, unsigned *list) 285 { 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303 } 304 305 int audit_match_class(int class, unsigned syscall) 306 { 307 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) 308 return 0; 309 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 310 return 0; 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 312 } 313 314 /* Common user-space to kernel rule translation. */ 315 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 316 { 317 unsigned listnr; 318 struct audit_entry *entry; 319 int i, err; 320 321 err = -EINVAL; 322 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 323 switch(listnr) { 324 default: 325 goto exit_err; 326 case AUDIT_FILTER_USER: 327 case AUDIT_FILTER_TYPE: 328 #ifdef CONFIG_AUDITSYSCALL 329 case AUDIT_FILTER_ENTRY: 330 case AUDIT_FILTER_EXIT: 331 case AUDIT_FILTER_TASK: 332 #endif 333 ; 334 } 335 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 336 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 337 goto exit_err; 338 } 339 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 340 goto exit_err; 341 if (rule->field_count > AUDIT_MAX_FIELDS) 342 goto exit_err; 343 344 err = -ENOMEM; 345 entry = audit_init_entry(rule->field_count); 346 if (!entry) 347 goto exit_err; 348 349 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 350 entry->rule.listnr = listnr; 351 entry->rule.action = rule->action; 352 entry->rule.field_count = rule->field_count; 353 354 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 355 entry->rule.mask[i] = rule->mask[i]; 356 357 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 358 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 359 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 360 __u32 *class; 361 362 if (!(*p & AUDIT_BIT(bit))) 363 continue; 364 *p &= ~AUDIT_BIT(bit); 365 class = classes[i]; 366 if (class) { 367 int j; 368 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 369 entry->rule.mask[j] |= class[j]; 370 } 371 } 372 373 return entry; 374 375 exit_err: 376 return ERR_PTR(err); 377 } 378 379 /* Translate struct audit_rule to kernel's rule respresentation. 380 * Exists for backward compatibility with userspace. */ 381 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 382 { 383 struct audit_entry *entry; 384 struct audit_field *f; 385 int err = 0; 386 int i; 387 388 entry = audit_to_entry_common(rule); 389 if (IS_ERR(entry)) 390 goto exit_nofree; 391 392 for (i = 0; i < rule->field_count; i++) { 393 struct audit_field *f = &entry->rule.fields[i]; 394 395 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 396 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 397 f->val = rule->values[i]; 398 399 err = -EINVAL; 400 switch(f->type) { 401 default: 402 goto exit_free; 403 case AUDIT_PID: 404 case AUDIT_UID: 405 case AUDIT_EUID: 406 case AUDIT_SUID: 407 case AUDIT_FSUID: 408 case AUDIT_GID: 409 case AUDIT_EGID: 410 case AUDIT_SGID: 411 case AUDIT_FSGID: 412 case AUDIT_LOGINUID: 413 case AUDIT_PERS: 414 case AUDIT_MSGTYPE: 415 case AUDIT_PPID: 416 case AUDIT_DEVMAJOR: 417 case AUDIT_DEVMINOR: 418 case AUDIT_EXIT: 419 case AUDIT_SUCCESS: 420 case AUDIT_ARG0: 421 case AUDIT_ARG1: 422 case AUDIT_ARG2: 423 case AUDIT_ARG3: 424 break; 425 /* arch is only allowed to be = or != */ 426 case AUDIT_ARCH: 427 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 428 && (f->op != AUDIT_NEGATE) && (f->op)) { 429 err = -EINVAL; 430 goto exit_free; 431 } 432 break; 433 case AUDIT_PERM: 434 if (f->val & ~15) 435 goto exit_free; 436 break; 437 case AUDIT_INODE: 438 err = audit_to_inode(&entry->rule, f); 439 if (err) 440 goto exit_free; 441 break; 442 } 443 444 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 445 446 /* Support for legacy operators where 447 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 448 if (f->op & AUDIT_NEGATE) 449 f->op = AUDIT_NOT_EQUAL; 450 else if (!f->op) 451 f->op = AUDIT_EQUAL; 452 else if (f->op == AUDIT_OPERATORS) { 453 err = -EINVAL; 454 goto exit_free; 455 } 456 } 457 458 f = entry->rule.inode_f; 459 if (f) { 460 switch(f->op) { 461 case AUDIT_NOT_EQUAL: 462 entry->rule.inode_f = NULL; 463 case AUDIT_EQUAL: 464 break; 465 default: 466 err = -EINVAL; 467 goto exit_free; 468 } 469 } 470 471 exit_nofree: 472 return entry; 473 474 exit_free: 475 audit_free_rule(entry); 476 return ERR_PTR(err); 477 } 478 479 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 480 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 481 size_t datasz) 482 { 483 int err = 0; 484 struct audit_entry *entry; 485 struct audit_field *f; 486 void *bufp; 487 size_t remain = datasz - sizeof(struct audit_rule_data); 488 int i; 489 char *str; 490 491 entry = audit_to_entry_common((struct audit_rule *)data); 492 if (IS_ERR(entry)) 493 goto exit_nofree; 494 495 bufp = data->buf; 496 entry->rule.vers_ops = 2; 497 for (i = 0; i < data->field_count; i++) { 498 struct audit_field *f = &entry->rule.fields[i]; 499 500 err = -EINVAL; 501 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 502 data->fieldflags[i] & ~AUDIT_OPERATORS) 503 goto exit_free; 504 505 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 506 f->type = data->fields[i]; 507 f->val = data->values[i]; 508 f->se_str = NULL; 509 f->se_rule = NULL; 510 switch(f->type) { 511 case AUDIT_PID: 512 case AUDIT_UID: 513 case AUDIT_EUID: 514 case AUDIT_SUID: 515 case AUDIT_FSUID: 516 case AUDIT_GID: 517 case AUDIT_EGID: 518 case AUDIT_SGID: 519 case AUDIT_FSGID: 520 case AUDIT_LOGINUID: 521 case AUDIT_PERS: 522 case AUDIT_ARCH: 523 case AUDIT_MSGTYPE: 524 case AUDIT_PPID: 525 case AUDIT_DEVMAJOR: 526 case AUDIT_DEVMINOR: 527 case AUDIT_EXIT: 528 case AUDIT_SUCCESS: 529 case AUDIT_ARG0: 530 case AUDIT_ARG1: 531 case AUDIT_ARG2: 532 case AUDIT_ARG3: 533 break; 534 case AUDIT_SUBJ_USER: 535 case AUDIT_SUBJ_ROLE: 536 case AUDIT_SUBJ_TYPE: 537 case AUDIT_SUBJ_SEN: 538 case AUDIT_SUBJ_CLR: 539 case AUDIT_OBJ_USER: 540 case AUDIT_OBJ_ROLE: 541 case AUDIT_OBJ_TYPE: 542 case AUDIT_OBJ_LEV_LOW: 543 case AUDIT_OBJ_LEV_HIGH: 544 str = audit_unpack_string(&bufp, &remain, f->val); 545 if (IS_ERR(str)) 546 goto exit_free; 547 entry->rule.buflen += f->val; 548 549 err = selinux_audit_rule_init(f->type, f->op, str, 550 &f->se_rule); 551 /* Keep currently invalid fields around in case they 552 * become valid after a policy reload. */ 553 if (err == -EINVAL) { 554 printk(KERN_WARNING "audit rule for selinux " 555 "\'%s\' is invalid\n", str); 556 err = 0; 557 } 558 if (err) { 559 kfree(str); 560 goto exit_free; 561 } else 562 f->se_str = str; 563 break; 564 case AUDIT_WATCH: 565 str = audit_unpack_string(&bufp, &remain, f->val); 566 if (IS_ERR(str)) 567 goto exit_free; 568 entry->rule.buflen += f->val; 569 570 err = audit_to_watch(&entry->rule, str, f->val, f->op); 571 if (err) { 572 kfree(str); 573 goto exit_free; 574 } 575 break; 576 case AUDIT_INODE: 577 err = audit_to_inode(&entry->rule, f); 578 if (err) 579 goto exit_free; 580 break; 581 case AUDIT_FILTERKEY: 582 err = -EINVAL; 583 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 584 goto exit_free; 585 str = audit_unpack_string(&bufp, &remain, f->val); 586 if (IS_ERR(str)) 587 goto exit_free; 588 entry->rule.buflen += f->val; 589 entry->rule.filterkey = str; 590 break; 591 case AUDIT_PERM: 592 if (f->val & ~15) 593 goto exit_free; 594 break; 595 default: 596 goto exit_free; 597 } 598 } 599 600 f = entry->rule.inode_f; 601 if (f) { 602 switch(f->op) { 603 case AUDIT_NOT_EQUAL: 604 entry->rule.inode_f = NULL; 605 case AUDIT_EQUAL: 606 break; 607 default: 608 err = -EINVAL; 609 goto exit_free; 610 } 611 } 612 613 exit_nofree: 614 return entry; 615 616 exit_free: 617 audit_free_rule(entry); 618 return ERR_PTR(err); 619 } 620 621 /* Pack a filter field's string representation into data block. */ 622 static inline size_t audit_pack_string(void **bufp, char *str) 623 { 624 size_t len = strlen(str); 625 626 memcpy(*bufp, str, len); 627 *bufp += len; 628 629 return len; 630 } 631 632 /* Translate kernel rule respresentation to struct audit_rule. 633 * Exists for backward compatibility with userspace. */ 634 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 635 { 636 struct audit_rule *rule; 637 int i; 638 639 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 640 if (unlikely(!rule)) 641 return NULL; 642 643 rule->flags = krule->flags | krule->listnr; 644 rule->action = krule->action; 645 rule->field_count = krule->field_count; 646 for (i = 0; i < rule->field_count; i++) { 647 rule->values[i] = krule->fields[i].val; 648 rule->fields[i] = krule->fields[i].type; 649 650 if (krule->vers_ops == 1) { 651 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 652 rule->fields[i] |= AUDIT_NEGATE; 653 } else { 654 rule->fields[i] |= krule->fields[i].op; 655 } 656 } 657 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 658 659 return rule; 660 } 661 662 /* Translate kernel rule respresentation to struct audit_rule_data. */ 663 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 664 { 665 struct audit_rule_data *data; 666 void *bufp; 667 int i; 668 669 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 670 if (unlikely(!data)) 671 return NULL; 672 memset(data, 0, sizeof(*data)); 673 674 data->flags = krule->flags | krule->listnr; 675 data->action = krule->action; 676 data->field_count = krule->field_count; 677 bufp = data->buf; 678 for (i = 0; i < data->field_count; i++) { 679 struct audit_field *f = &krule->fields[i]; 680 681 data->fields[i] = f->type; 682 data->fieldflags[i] = f->op; 683 switch(f->type) { 684 case AUDIT_SUBJ_USER: 685 case AUDIT_SUBJ_ROLE: 686 case AUDIT_SUBJ_TYPE: 687 case AUDIT_SUBJ_SEN: 688 case AUDIT_SUBJ_CLR: 689 case AUDIT_OBJ_USER: 690 case AUDIT_OBJ_ROLE: 691 case AUDIT_OBJ_TYPE: 692 case AUDIT_OBJ_LEV_LOW: 693 case AUDIT_OBJ_LEV_HIGH: 694 data->buflen += data->values[i] = 695 audit_pack_string(&bufp, f->se_str); 696 break; 697 case AUDIT_WATCH: 698 data->buflen += data->values[i] = 699 audit_pack_string(&bufp, krule->watch->path); 700 break; 701 case AUDIT_FILTERKEY: 702 data->buflen += data->values[i] = 703 audit_pack_string(&bufp, krule->filterkey); 704 break; 705 default: 706 data->values[i] = f->val; 707 } 708 } 709 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 710 711 return data; 712 } 713 714 /* Compare two rules in kernel format. Considered success if rules 715 * don't match. */ 716 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 717 { 718 int i; 719 720 if (a->flags != b->flags || 721 a->listnr != b->listnr || 722 a->action != b->action || 723 a->field_count != b->field_count) 724 return 1; 725 726 for (i = 0; i < a->field_count; i++) { 727 if (a->fields[i].type != b->fields[i].type || 728 a->fields[i].op != b->fields[i].op) 729 return 1; 730 731 switch(a->fields[i].type) { 732 case AUDIT_SUBJ_USER: 733 case AUDIT_SUBJ_ROLE: 734 case AUDIT_SUBJ_TYPE: 735 case AUDIT_SUBJ_SEN: 736 case AUDIT_SUBJ_CLR: 737 case AUDIT_OBJ_USER: 738 case AUDIT_OBJ_ROLE: 739 case AUDIT_OBJ_TYPE: 740 case AUDIT_OBJ_LEV_LOW: 741 case AUDIT_OBJ_LEV_HIGH: 742 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 743 return 1; 744 break; 745 case AUDIT_WATCH: 746 if (strcmp(a->watch->path, b->watch->path)) 747 return 1; 748 break; 749 case AUDIT_FILTERKEY: 750 /* both filterkeys exist based on above type compare */ 751 if (strcmp(a->filterkey, b->filterkey)) 752 return 1; 753 break; 754 default: 755 if (a->fields[i].val != b->fields[i].val) 756 return 1; 757 } 758 } 759 760 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 761 if (a->mask[i] != b->mask[i]) 762 return 1; 763 764 return 0; 765 } 766 767 /* Duplicate the given audit watch. The new watch's rules list is initialized 768 * to an empty list and wlist is undefined. */ 769 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 770 { 771 char *path; 772 struct audit_watch *new; 773 774 path = kstrdup(old->path, GFP_KERNEL); 775 if (unlikely(!path)) 776 return ERR_PTR(-ENOMEM); 777 778 new = audit_init_watch(path); 779 if (unlikely(IS_ERR(new))) { 780 kfree(path); 781 goto out; 782 } 783 784 new->dev = old->dev; 785 new->ino = old->ino; 786 get_inotify_watch(&old->parent->wdata); 787 new->parent = old->parent; 788 789 out: 790 return new; 791 } 792 793 /* Duplicate selinux field information. The se_rule is opaque, so must be 794 * re-initialized. */ 795 static inline int audit_dupe_selinux_field(struct audit_field *df, 796 struct audit_field *sf) 797 { 798 int ret = 0; 799 char *se_str; 800 801 /* our own copy of se_str */ 802 se_str = kstrdup(sf->se_str, GFP_KERNEL); 803 if (unlikely(!se_str)) 804 return -ENOMEM; 805 df->se_str = se_str; 806 807 /* our own (refreshed) copy of se_rule */ 808 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 809 &df->se_rule); 810 /* Keep currently invalid fields around in case they 811 * become valid after a policy reload. */ 812 if (ret == -EINVAL) { 813 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 814 "invalid\n", df->se_str); 815 ret = 0; 816 } 817 818 return ret; 819 } 820 821 /* Duplicate an audit rule. This will be a deep copy with the exception 822 * of the watch - that pointer is carried over. The selinux specific fields 823 * will be updated in the copy. The point is to be able to replace the old 824 * rule with the new rule in the filterlist, then free the old rule. 825 * The rlist element is undefined; list manipulations are handled apart from 826 * the initial copy. */ 827 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 828 struct audit_watch *watch) 829 { 830 u32 fcount = old->field_count; 831 struct audit_entry *entry; 832 struct audit_krule *new; 833 char *fk; 834 int i, err = 0; 835 836 entry = audit_init_entry(fcount); 837 if (unlikely(!entry)) 838 return ERR_PTR(-ENOMEM); 839 840 new = &entry->rule; 841 new->vers_ops = old->vers_ops; 842 new->flags = old->flags; 843 new->listnr = old->listnr; 844 new->action = old->action; 845 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 846 new->mask[i] = old->mask[i]; 847 new->buflen = old->buflen; 848 new->inode_f = old->inode_f; 849 new->watch = NULL; 850 new->field_count = old->field_count; 851 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 852 853 /* deep copy this information, updating the se_rule fields, because 854 * the originals will all be freed when the old rule is freed. */ 855 for (i = 0; i < fcount; i++) { 856 switch (new->fields[i].type) { 857 case AUDIT_SUBJ_USER: 858 case AUDIT_SUBJ_ROLE: 859 case AUDIT_SUBJ_TYPE: 860 case AUDIT_SUBJ_SEN: 861 case AUDIT_SUBJ_CLR: 862 case AUDIT_OBJ_USER: 863 case AUDIT_OBJ_ROLE: 864 case AUDIT_OBJ_TYPE: 865 case AUDIT_OBJ_LEV_LOW: 866 case AUDIT_OBJ_LEV_HIGH: 867 err = audit_dupe_selinux_field(&new->fields[i], 868 &old->fields[i]); 869 break; 870 case AUDIT_FILTERKEY: 871 fk = kstrdup(old->filterkey, GFP_KERNEL); 872 if (unlikely(!fk)) 873 err = -ENOMEM; 874 else 875 new->filterkey = fk; 876 } 877 if (err) { 878 audit_free_rule(entry); 879 return ERR_PTR(err); 880 } 881 } 882 883 if (watch) { 884 audit_get_watch(watch); 885 new->watch = watch; 886 } 887 888 return entry; 889 } 890 891 /* Update inode info in audit rules based on filesystem event. */ 892 static void audit_update_watch(struct audit_parent *parent, 893 const char *dname, dev_t dev, 894 unsigned long ino, unsigned invalidating) 895 { 896 struct audit_watch *owatch, *nwatch, *nextw; 897 struct audit_krule *r, *nextr; 898 struct audit_entry *oentry, *nentry; 899 struct audit_buffer *ab; 900 901 mutex_lock(&audit_filter_mutex); 902 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 903 if (audit_compare_dname_path(dname, owatch->path, NULL)) 904 continue; 905 906 /* If the update involves invalidating rules, do the inode-based 907 * filtering now, so we don't omit records. */ 908 if (invalidating && 909 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 910 audit_set_auditable(current->audit_context); 911 912 nwatch = audit_dupe_watch(owatch); 913 if (unlikely(IS_ERR(nwatch))) { 914 mutex_unlock(&audit_filter_mutex); 915 audit_panic("error updating watch, skipping"); 916 return; 917 } 918 nwatch->dev = dev; 919 nwatch->ino = ino; 920 921 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 922 923 oentry = container_of(r, struct audit_entry, rule); 924 list_del(&oentry->rule.rlist); 925 list_del_rcu(&oentry->list); 926 927 nentry = audit_dupe_rule(&oentry->rule, nwatch); 928 if (unlikely(IS_ERR(nentry))) 929 audit_panic("error updating watch, removing"); 930 else { 931 int h = audit_hash_ino((u32)ino); 932 list_add(&nentry->rule.rlist, &nwatch->rules); 933 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 934 } 935 936 call_rcu(&oentry->rcu, audit_free_rule_rcu); 937 } 938 939 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 940 audit_log_format(ab, "audit updated rules specifying path="); 941 audit_log_untrustedstring(ab, owatch->path); 942 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 943 audit_log_end(ab); 944 945 audit_remove_watch(owatch); 946 goto add_watch_to_parent; /* event applies to a single watch */ 947 } 948 mutex_unlock(&audit_filter_mutex); 949 return; 950 951 add_watch_to_parent: 952 list_add(&nwatch->wlist, &parent->watches); 953 mutex_unlock(&audit_filter_mutex); 954 return; 955 } 956 957 /* Remove all watches & rules associated with a parent that is going away. */ 958 static void audit_remove_parent_watches(struct audit_parent *parent) 959 { 960 struct audit_watch *w, *nextw; 961 struct audit_krule *r, *nextr; 962 struct audit_entry *e; 963 struct audit_buffer *ab; 964 965 mutex_lock(&audit_filter_mutex); 966 parent->flags |= AUDIT_PARENT_INVALID; 967 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 968 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 969 e = container_of(r, struct audit_entry, rule); 970 971 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 972 audit_log_format(ab, "audit implicitly removed rule path="); 973 audit_log_untrustedstring(ab, w->path); 974 if (r->filterkey) { 975 audit_log_format(ab, " key="); 976 audit_log_untrustedstring(ab, r->filterkey); 977 } else 978 audit_log_format(ab, " key=(null)"); 979 audit_log_format(ab, " list=%d", r->listnr); 980 audit_log_end(ab); 981 982 list_del(&r->rlist); 983 list_del_rcu(&e->list); 984 call_rcu(&e->rcu, audit_free_rule_rcu); 985 } 986 audit_remove_watch(w); 987 } 988 mutex_unlock(&audit_filter_mutex); 989 } 990 991 /* Unregister inotify watches for parents on in_list. 992 * Generates an IN_IGNORED event. */ 993 static void audit_inotify_unregister(struct list_head *in_list) 994 { 995 struct audit_parent *p, *n; 996 997 list_for_each_entry_safe(p, n, in_list, ilist) { 998 list_del(&p->ilist); 999 inotify_rm_watch(audit_ih, &p->wdata); 1000 /* the put matching the get in audit_do_del_rule() */ 1001 put_inotify_watch(&p->wdata); 1002 } 1003 } 1004 1005 /* Find an existing audit rule. 1006 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1007 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1008 struct list_head *list) 1009 { 1010 struct audit_entry *e, *found = NULL; 1011 int h; 1012 1013 if (entry->rule.watch) { 1014 /* we don't know the inode number, so must walk entire hash */ 1015 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1016 list = &audit_inode_hash[h]; 1017 list_for_each_entry(e, list, list) 1018 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1019 found = e; 1020 goto out; 1021 } 1022 } 1023 goto out; 1024 } 1025 1026 list_for_each_entry(e, list, list) 1027 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1028 found = e; 1029 goto out; 1030 } 1031 1032 out: 1033 return found; 1034 } 1035 1036 /* Get path information necessary for adding watches. */ 1037 static int audit_get_nd(char *path, struct nameidata **ndp, 1038 struct nameidata **ndw) 1039 { 1040 struct nameidata *ndparent, *ndwatch; 1041 int err; 1042 1043 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1044 if (unlikely(!ndparent)) 1045 return -ENOMEM; 1046 1047 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1048 if (unlikely(!ndwatch)) { 1049 kfree(ndparent); 1050 return -ENOMEM; 1051 } 1052 1053 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1054 if (err) { 1055 kfree(ndparent); 1056 kfree(ndwatch); 1057 return err; 1058 } 1059 1060 err = path_lookup(path, 0, ndwatch); 1061 if (err) { 1062 kfree(ndwatch); 1063 ndwatch = NULL; 1064 } 1065 1066 *ndp = ndparent; 1067 *ndw = ndwatch; 1068 1069 return 0; 1070 } 1071 1072 /* Release resources used for watch path information. */ 1073 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1074 { 1075 if (ndp) { 1076 path_release(ndp); 1077 kfree(ndp); 1078 } 1079 if (ndw) { 1080 path_release(ndw); 1081 kfree(ndw); 1082 } 1083 } 1084 1085 /* Associate the given rule with an existing parent inotify_watch. 1086 * Caller must hold audit_filter_mutex. */ 1087 static void audit_add_to_parent(struct audit_krule *krule, 1088 struct audit_parent *parent) 1089 { 1090 struct audit_watch *w, *watch = krule->watch; 1091 int watch_found = 0; 1092 1093 list_for_each_entry(w, &parent->watches, wlist) { 1094 if (strcmp(watch->path, w->path)) 1095 continue; 1096 1097 watch_found = 1; 1098 1099 /* put krule's and initial refs to temporary watch */ 1100 audit_put_watch(watch); 1101 audit_put_watch(watch); 1102 1103 audit_get_watch(w); 1104 krule->watch = watch = w; 1105 break; 1106 } 1107 1108 if (!watch_found) { 1109 get_inotify_watch(&parent->wdata); 1110 watch->parent = parent; 1111 1112 list_add(&watch->wlist, &parent->watches); 1113 } 1114 list_add(&krule->rlist, &watch->rules); 1115 } 1116 1117 /* Find a matching watch entry, or add this one. 1118 * Caller must hold audit_filter_mutex. */ 1119 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1120 struct nameidata *ndw) 1121 { 1122 struct audit_watch *watch = krule->watch; 1123 struct inotify_watch *i_watch; 1124 struct audit_parent *parent; 1125 int ret = 0; 1126 1127 /* update watch filter fields */ 1128 if (ndw) { 1129 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1130 watch->ino = ndw->dentry->d_inode->i_ino; 1131 } 1132 1133 /* The audit_filter_mutex must not be held during inotify calls because 1134 * we hold it during inotify event callback processing. If an existing 1135 * inotify watch is found, inotify_find_watch() grabs a reference before 1136 * returning. 1137 */ 1138 mutex_unlock(&audit_filter_mutex); 1139 1140 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1141 parent = audit_init_parent(ndp); 1142 if (IS_ERR(parent)) { 1143 /* caller expects mutex locked */ 1144 mutex_lock(&audit_filter_mutex); 1145 return PTR_ERR(parent); 1146 } 1147 } else 1148 parent = container_of(i_watch, struct audit_parent, wdata); 1149 1150 mutex_lock(&audit_filter_mutex); 1151 1152 /* parent was moved before we took audit_filter_mutex */ 1153 if (parent->flags & AUDIT_PARENT_INVALID) 1154 ret = -ENOENT; 1155 else 1156 audit_add_to_parent(krule, parent); 1157 1158 /* match get in audit_init_parent or inotify_find_watch */ 1159 put_inotify_watch(&parent->wdata); 1160 return ret; 1161 } 1162 1163 /* Add rule to given filterlist if not a duplicate. */ 1164 static inline int audit_add_rule(struct audit_entry *entry, 1165 struct list_head *list) 1166 { 1167 struct audit_entry *e; 1168 struct audit_field *inode_f = entry->rule.inode_f; 1169 struct audit_watch *watch = entry->rule.watch; 1170 struct nameidata *ndp, *ndw; 1171 int h, err, putnd_needed = 0; 1172 #ifdef CONFIG_AUDITSYSCALL 1173 int dont_count = 0; 1174 1175 /* If either of these, don't count towards total */ 1176 if (entry->rule.listnr == AUDIT_FILTER_USER || 1177 entry->rule.listnr == AUDIT_FILTER_TYPE) 1178 dont_count = 1; 1179 #endif 1180 1181 if (inode_f) { 1182 h = audit_hash_ino(inode_f->val); 1183 list = &audit_inode_hash[h]; 1184 } 1185 1186 mutex_lock(&audit_filter_mutex); 1187 e = audit_find_rule(entry, list); 1188 mutex_unlock(&audit_filter_mutex); 1189 if (e) { 1190 err = -EEXIST; 1191 goto error; 1192 } 1193 1194 /* Avoid calling path_lookup under audit_filter_mutex. */ 1195 if (watch) { 1196 err = audit_get_nd(watch->path, &ndp, &ndw); 1197 if (err) 1198 goto error; 1199 putnd_needed = 1; 1200 } 1201 1202 mutex_lock(&audit_filter_mutex); 1203 if (watch) { 1204 /* audit_filter_mutex is dropped and re-taken during this call */ 1205 err = audit_add_watch(&entry->rule, ndp, ndw); 1206 if (err) { 1207 mutex_unlock(&audit_filter_mutex); 1208 goto error; 1209 } 1210 h = audit_hash_ino((u32)watch->ino); 1211 list = &audit_inode_hash[h]; 1212 } 1213 1214 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1215 list_add_rcu(&entry->list, list); 1216 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1217 } else { 1218 list_add_tail_rcu(&entry->list, list); 1219 } 1220 #ifdef CONFIG_AUDITSYSCALL 1221 if (!dont_count) 1222 audit_n_rules++; 1223 #endif 1224 mutex_unlock(&audit_filter_mutex); 1225 1226 if (putnd_needed) 1227 audit_put_nd(ndp, ndw); 1228 1229 return 0; 1230 1231 error: 1232 if (putnd_needed) 1233 audit_put_nd(ndp, ndw); 1234 if (watch) 1235 audit_put_watch(watch); /* tmp watch, matches initial get */ 1236 return err; 1237 } 1238 1239 /* Remove an existing rule from filterlist. */ 1240 static inline int audit_del_rule(struct audit_entry *entry, 1241 struct list_head *list) 1242 { 1243 struct audit_entry *e; 1244 struct audit_field *inode_f = entry->rule.inode_f; 1245 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1246 LIST_HEAD(inotify_list); 1247 int h, ret = 0; 1248 #ifdef CONFIG_AUDITSYSCALL 1249 int dont_count = 0; 1250 1251 /* If either of these, don't count towards total */ 1252 if (entry->rule.listnr == AUDIT_FILTER_USER || 1253 entry->rule.listnr == AUDIT_FILTER_TYPE) 1254 dont_count = 1; 1255 #endif 1256 1257 if (inode_f) { 1258 h = audit_hash_ino(inode_f->val); 1259 list = &audit_inode_hash[h]; 1260 } 1261 1262 mutex_lock(&audit_filter_mutex); 1263 e = audit_find_rule(entry, list); 1264 if (!e) { 1265 mutex_unlock(&audit_filter_mutex); 1266 ret = -ENOENT; 1267 goto out; 1268 } 1269 1270 watch = e->rule.watch; 1271 if (watch) { 1272 struct audit_parent *parent = watch->parent; 1273 1274 list_del(&e->rule.rlist); 1275 1276 if (list_empty(&watch->rules)) { 1277 audit_remove_watch(watch); 1278 1279 if (list_empty(&parent->watches)) { 1280 /* Put parent on the inotify un-registration 1281 * list. Grab a reference before releasing 1282 * audit_filter_mutex, to be released in 1283 * audit_inotify_unregister(). */ 1284 list_add(&parent->ilist, &inotify_list); 1285 get_inotify_watch(&parent->wdata); 1286 } 1287 } 1288 } 1289 1290 list_del_rcu(&e->list); 1291 call_rcu(&e->rcu, audit_free_rule_rcu); 1292 1293 #ifdef CONFIG_AUDITSYSCALL 1294 if (!dont_count) 1295 audit_n_rules--; 1296 #endif 1297 mutex_unlock(&audit_filter_mutex); 1298 1299 if (!list_empty(&inotify_list)) 1300 audit_inotify_unregister(&inotify_list); 1301 1302 out: 1303 if (tmp_watch) 1304 audit_put_watch(tmp_watch); /* match initial get */ 1305 1306 return ret; 1307 } 1308 1309 /* List rules using struct audit_rule. Exists for backward 1310 * compatibility with userspace. */ 1311 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1312 { 1313 struct sk_buff *skb; 1314 struct audit_entry *entry; 1315 int i; 1316 1317 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1318 * iterator to sync with list writers. */ 1319 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1320 list_for_each_entry(entry, &audit_filter_list[i], list) { 1321 struct audit_rule *rule; 1322 1323 rule = audit_krule_to_rule(&entry->rule); 1324 if (unlikely(!rule)) 1325 break; 1326 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1327 rule, sizeof(*rule)); 1328 if (skb) 1329 skb_queue_tail(q, skb); 1330 kfree(rule); 1331 } 1332 } 1333 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1334 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1335 struct audit_rule *rule; 1336 1337 rule = audit_krule_to_rule(&entry->rule); 1338 if (unlikely(!rule)) 1339 break; 1340 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1341 rule, sizeof(*rule)); 1342 if (skb) 1343 skb_queue_tail(q, skb); 1344 kfree(rule); 1345 } 1346 } 1347 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1348 if (skb) 1349 skb_queue_tail(q, skb); 1350 } 1351 1352 /* List rules using struct audit_rule_data. */ 1353 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1354 { 1355 struct sk_buff *skb; 1356 struct audit_entry *e; 1357 int i; 1358 1359 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1360 * iterator to sync with list writers. */ 1361 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1362 list_for_each_entry(e, &audit_filter_list[i], list) { 1363 struct audit_rule_data *data; 1364 1365 data = audit_krule_to_data(&e->rule); 1366 if (unlikely(!data)) 1367 break; 1368 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1369 data, sizeof(*data) + data->buflen); 1370 if (skb) 1371 skb_queue_tail(q, skb); 1372 kfree(data); 1373 } 1374 } 1375 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1376 list_for_each_entry(e, &audit_inode_hash[i], list) { 1377 struct audit_rule_data *data; 1378 1379 data = audit_krule_to_data(&e->rule); 1380 if (unlikely(!data)) 1381 break; 1382 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1383 data, sizeof(*data) + data->buflen); 1384 if (skb) 1385 skb_queue_tail(q, skb); 1386 kfree(data); 1387 } 1388 } 1389 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1390 if (skb) 1391 skb_queue_tail(q, skb); 1392 } 1393 1394 /* Log rule additions and removals */ 1395 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1396 struct audit_krule *rule, int res) 1397 { 1398 struct audit_buffer *ab; 1399 1400 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1401 if (!ab) 1402 return; 1403 audit_log_format(ab, "auid=%u", loginuid); 1404 if (sid) { 1405 char *ctx = NULL; 1406 u32 len; 1407 if (selinux_sid_to_string(sid, &ctx, &len)) 1408 audit_log_format(ab, " ssid=%u", sid); 1409 else 1410 audit_log_format(ab, " subj=%s", ctx); 1411 kfree(ctx); 1412 } 1413 audit_log_format(ab, " %s rule key=", action); 1414 if (rule->filterkey) 1415 audit_log_untrustedstring(ab, rule->filterkey); 1416 else 1417 audit_log_format(ab, "(null)"); 1418 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1419 audit_log_end(ab); 1420 } 1421 1422 /** 1423 * audit_receive_filter - apply all rules to the specified message type 1424 * @type: audit message type 1425 * @pid: target pid for netlink audit messages 1426 * @uid: target uid for netlink audit messages 1427 * @seq: netlink audit message sequence (serial) number 1428 * @data: payload data 1429 * @datasz: size of payload data 1430 * @loginuid: loginuid of sender 1431 * @sid: SE Linux Security ID of sender 1432 */ 1433 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1434 size_t datasz, uid_t loginuid, u32 sid) 1435 { 1436 struct task_struct *tsk; 1437 struct audit_netlink_list *dest; 1438 int err = 0; 1439 struct audit_entry *entry; 1440 1441 switch (type) { 1442 case AUDIT_LIST: 1443 case AUDIT_LIST_RULES: 1444 /* We can't just spew out the rules here because we might fill 1445 * the available socket buffer space and deadlock waiting for 1446 * auditctl to read from it... which isn't ever going to 1447 * happen if we're actually running in the context of auditctl 1448 * trying to _send_ the stuff */ 1449 1450 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1451 if (!dest) 1452 return -ENOMEM; 1453 dest->pid = pid; 1454 skb_queue_head_init(&dest->q); 1455 1456 mutex_lock(&audit_filter_mutex); 1457 if (type == AUDIT_LIST) 1458 audit_list(pid, seq, &dest->q); 1459 else 1460 audit_list_rules(pid, seq, &dest->q); 1461 mutex_unlock(&audit_filter_mutex); 1462 1463 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1464 if (IS_ERR(tsk)) { 1465 skb_queue_purge(&dest->q); 1466 kfree(dest); 1467 err = PTR_ERR(tsk); 1468 } 1469 break; 1470 case AUDIT_ADD: 1471 case AUDIT_ADD_RULE: 1472 if (type == AUDIT_ADD) 1473 entry = audit_rule_to_entry(data); 1474 else 1475 entry = audit_data_to_entry(data, datasz); 1476 if (IS_ERR(entry)) 1477 return PTR_ERR(entry); 1478 1479 err = audit_add_rule(entry, 1480 &audit_filter_list[entry->rule.listnr]); 1481 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1482 1483 if (err) 1484 audit_free_rule(entry); 1485 break; 1486 case AUDIT_DEL: 1487 case AUDIT_DEL_RULE: 1488 if (type == AUDIT_DEL) 1489 entry = audit_rule_to_entry(data); 1490 else 1491 entry = audit_data_to_entry(data, datasz); 1492 if (IS_ERR(entry)) 1493 return PTR_ERR(entry); 1494 1495 err = audit_del_rule(entry, 1496 &audit_filter_list[entry->rule.listnr]); 1497 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1498 !err); 1499 1500 audit_free_rule(entry); 1501 break; 1502 default: 1503 return -EINVAL; 1504 } 1505 1506 return err; 1507 } 1508 1509 int audit_comparator(const u32 left, const u32 op, const u32 right) 1510 { 1511 switch (op) { 1512 case AUDIT_EQUAL: 1513 return (left == right); 1514 case AUDIT_NOT_EQUAL: 1515 return (left != right); 1516 case AUDIT_LESS_THAN: 1517 return (left < right); 1518 case AUDIT_LESS_THAN_OR_EQUAL: 1519 return (left <= right); 1520 case AUDIT_GREATER_THAN: 1521 return (left > right); 1522 case AUDIT_GREATER_THAN_OR_EQUAL: 1523 return (left >= right); 1524 } 1525 BUG(); 1526 return 0; 1527 } 1528 1529 /* Compare given dentry name with last component in given path, 1530 * return of 0 indicates a match. */ 1531 int audit_compare_dname_path(const char *dname, const char *path, 1532 int *dirlen) 1533 { 1534 int dlen, plen; 1535 const char *p; 1536 1537 if (!dname || !path) 1538 return 1; 1539 1540 dlen = strlen(dname); 1541 plen = strlen(path); 1542 if (plen < dlen) 1543 return 1; 1544 1545 /* disregard trailing slashes */ 1546 p = path + plen - 1; 1547 while ((*p == '/') && (p > path)) 1548 p--; 1549 1550 /* find last path component */ 1551 p = p - dlen + 1; 1552 if (p < path) 1553 return 1; 1554 else if (p > path) { 1555 if (*--p != '/') 1556 return 1; 1557 else 1558 p++; 1559 } 1560 1561 /* return length of path's directory component */ 1562 if (dirlen) 1563 *dirlen = p - path; 1564 return strncmp(p, dname, dlen); 1565 } 1566 1567 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1568 struct audit_krule *rule, 1569 enum audit_state *state) 1570 { 1571 int i; 1572 1573 for (i = 0; i < rule->field_count; i++) { 1574 struct audit_field *f = &rule->fields[i]; 1575 int result = 0; 1576 1577 switch (f->type) { 1578 case AUDIT_PID: 1579 result = audit_comparator(cb->creds.pid, f->op, f->val); 1580 break; 1581 case AUDIT_UID: 1582 result = audit_comparator(cb->creds.uid, f->op, f->val); 1583 break; 1584 case AUDIT_GID: 1585 result = audit_comparator(cb->creds.gid, f->op, f->val); 1586 break; 1587 case AUDIT_LOGINUID: 1588 result = audit_comparator(cb->loginuid, f->op, f->val); 1589 break; 1590 } 1591 1592 if (!result) 1593 return 0; 1594 } 1595 switch (rule->action) { 1596 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1597 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1598 } 1599 return 1; 1600 } 1601 1602 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1603 { 1604 enum audit_state state = AUDIT_DISABLED; 1605 struct audit_entry *e; 1606 int ret = 1; 1607 1608 rcu_read_lock(); 1609 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1610 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1611 if (state == AUDIT_DISABLED) 1612 ret = 0; 1613 break; 1614 } 1615 } 1616 rcu_read_unlock(); 1617 1618 return ret; /* Audit by default */ 1619 } 1620 1621 int audit_filter_type(int type) 1622 { 1623 struct audit_entry *e; 1624 int result = 0; 1625 1626 rcu_read_lock(); 1627 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1628 goto unlock_and_return; 1629 1630 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1631 list) { 1632 int i; 1633 for (i = 0; i < e->rule.field_count; i++) { 1634 struct audit_field *f = &e->rule.fields[i]; 1635 if (f->type == AUDIT_MSGTYPE) { 1636 result = audit_comparator(type, f->op, f->val); 1637 if (!result) 1638 break; 1639 } 1640 } 1641 if (result) 1642 goto unlock_and_return; 1643 } 1644 unlock_and_return: 1645 rcu_read_unlock(); 1646 return result; 1647 } 1648 1649 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1650 are selinux fields specified in the rule, 0 otherwise. */ 1651 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1652 { 1653 int i; 1654 1655 for (i = 0; i < rule->field_count; i++) { 1656 struct audit_field *f = &rule->fields[i]; 1657 switch (f->type) { 1658 case AUDIT_SUBJ_USER: 1659 case AUDIT_SUBJ_ROLE: 1660 case AUDIT_SUBJ_TYPE: 1661 case AUDIT_SUBJ_SEN: 1662 case AUDIT_SUBJ_CLR: 1663 case AUDIT_OBJ_USER: 1664 case AUDIT_OBJ_ROLE: 1665 case AUDIT_OBJ_TYPE: 1666 case AUDIT_OBJ_LEV_LOW: 1667 case AUDIT_OBJ_LEV_HIGH: 1668 return 1; 1669 } 1670 } 1671 1672 return 0; 1673 } 1674 1675 /* This function will re-initialize the se_rule field of all applicable rules. 1676 * It will traverse the filter lists serarching for rules that contain selinux 1677 * specific filter fields. When such a rule is found, it is copied, the 1678 * selinux field is re-initialized, and the old rule is replaced with the 1679 * updated rule. */ 1680 int selinux_audit_rule_update(void) 1681 { 1682 struct audit_entry *entry, *n, *nentry; 1683 struct audit_watch *watch; 1684 int i, err = 0; 1685 1686 /* audit_filter_mutex synchronizes the writers */ 1687 mutex_lock(&audit_filter_mutex); 1688 1689 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1690 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1691 if (!audit_rule_has_selinux(&entry->rule)) 1692 continue; 1693 1694 watch = entry->rule.watch; 1695 nentry = audit_dupe_rule(&entry->rule, watch); 1696 if (unlikely(IS_ERR(nentry))) { 1697 /* save the first error encountered for the 1698 * return value */ 1699 if (!err) 1700 err = PTR_ERR(nentry); 1701 audit_panic("error updating selinux filters"); 1702 if (watch) 1703 list_del(&entry->rule.rlist); 1704 list_del_rcu(&entry->list); 1705 } else { 1706 if (watch) { 1707 list_add(&nentry->rule.rlist, 1708 &watch->rules); 1709 list_del(&entry->rule.rlist); 1710 } 1711 list_replace_rcu(&entry->list, &nentry->list); 1712 } 1713 call_rcu(&entry->rcu, audit_free_rule_rcu); 1714 } 1715 } 1716 1717 mutex_unlock(&audit_filter_mutex); 1718 1719 return err; 1720 } 1721 1722 /* Update watch data in audit rules based on inotify events. */ 1723 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1724 u32 cookie, const char *dname, struct inode *inode) 1725 { 1726 struct audit_parent *parent; 1727 1728 parent = container_of(i_watch, struct audit_parent, wdata); 1729 1730 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1731 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1732 inode->i_ino, 0); 1733 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1734 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1735 /* inotify automatically removes the watch and sends IN_IGNORED */ 1736 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1737 audit_remove_parent_watches(parent); 1738 /* inotify does not remove the watch, so remove it manually */ 1739 else if(mask & IN_MOVE_SELF) { 1740 audit_remove_parent_watches(parent); 1741 inotify_remove_watch_locked(audit_ih, i_watch); 1742 } else if (mask & IN_IGNORED) 1743 put_inotify_watch(i_watch); 1744 } 1745