1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/netlink.h> 26 #include "audit.h" 27 28 /* There are three lists of rules -- one to search at task creation 29 * time, one to search at syscall entry time, and another to search at 30 * syscall exit time. */ 31 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 32 LIST_HEAD_INIT(audit_filter_list[0]), 33 LIST_HEAD_INIT(audit_filter_list[1]), 34 LIST_HEAD_INIT(audit_filter_list[2]), 35 LIST_HEAD_INIT(audit_filter_list[3]), 36 LIST_HEAD_INIT(audit_filter_list[4]), 37 LIST_HEAD_INIT(audit_filter_list[5]), 38 #if AUDIT_NR_FILTERS != 6 39 #error Fix audit_filter_list initialiser 40 #endif 41 }; 42 43 static inline void audit_free_rule(struct audit_entry *e) 44 { 45 kfree(e->rule.fields); 46 kfree(e); 47 } 48 49 static inline void audit_free_rule_rcu(struct rcu_head *head) 50 { 51 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 52 audit_free_rule(e); 53 } 54 55 /* Unpack a filter field's string representation from user-space 56 * buffer. */ 57 static __attribute__((unused)) char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 58 { 59 char *str; 60 61 if (!*bufp || (len == 0) || (len > *remain)) 62 return ERR_PTR(-EINVAL); 63 64 /* Of the currently implemented string fields, PATH_MAX 65 * defines the longest valid length. 66 */ 67 if (len > PATH_MAX) 68 return ERR_PTR(-ENAMETOOLONG); 69 70 str = kmalloc(len + 1, GFP_KERNEL); 71 if (unlikely(!str)) 72 return ERR_PTR(-ENOMEM); 73 74 memcpy(str, *bufp, len); 75 str[len] = 0; 76 *bufp += len; 77 *remain -= len; 78 79 return str; 80 } 81 82 /* Common user-space to kernel rule translation. */ 83 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 84 { 85 unsigned listnr; 86 struct audit_entry *entry; 87 struct audit_field *fields; 88 int i, err; 89 90 err = -EINVAL; 91 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 92 switch(listnr) { 93 default: 94 goto exit_err; 95 case AUDIT_FILTER_USER: 96 case AUDIT_FILTER_TYPE: 97 #ifdef CONFIG_AUDITSYSCALL 98 case AUDIT_FILTER_ENTRY: 99 case AUDIT_FILTER_EXIT: 100 case AUDIT_FILTER_TASK: 101 #endif 102 ; 103 } 104 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_POSSIBLE && 105 rule->action != AUDIT_ALWAYS) 106 goto exit_err; 107 if (rule->field_count > AUDIT_MAX_FIELDS) 108 goto exit_err; 109 110 err = -ENOMEM; 111 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 112 if (unlikely(!entry)) 113 goto exit_err; 114 fields = kmalloc(sizeof(*fields) * rule->field_count, GFP_KERNEL); 115 if (unlikely(!fields)) { 116 kfree(entry); 117 goto exit_err; 118 } 119 120 memset(&entry->rule, 0, sizeof(struct audit_krule)); 121 memset(fields, 0, sizeof(struct audit_field)); 122 123 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 124 entry->rule.listnr = listnr; 125 entry->rule.action = rule->action; 126 entry->rule.field_count = rule->field_count; 127 entry->rule.fields = fields; 128 129 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 130 entry->rule.mask[i] = rule->mask[i]; 131 132 return entry; 133 134 exit_err: 135 return ERR_PTR(err); 136 } 137 138 /* Translate struct audit_rule to kernel's rule respresentation. 139 * Exists for backward compatibility with userspace. */ 140 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 141 { 142 struct audit_entry *entry; 143 int err = 0; 144 int i; 145 146 entry = audit_to_entry_common(rule); 147 if (IS_ERR(entry)) 148 goto exit_nofree; 149 150 for (i = 0; i < rule->field_count; i++) { 151 struct audit_field *f = &entry->rule.fields[i]; 152 153 if (rule->fields[i] & AUDIT_UNUSED_BITS) { 154 err = -EINVAL; 155 goto exit_free; 156 } 157 158 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 159 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 160 f->val = rule->values[i]; 161 162 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 163 164 /* Support for legacy operators where 165 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 166 if (f->op & AUDIT_NEGATE) 167 f->op = AUDIT_NOT_EQUAL; 168 else if (!f->op) 169 f->op = AUDIT_EQUAL; 170 else if (f->op == AUDIT_OPERATORS) { 171 err = -EINVAL; 172 goto exit_free; 173 } 174 } 175 176 exit_nofree: 177 return entry; 178 179 exit_free: 180 audit_free_rule(entry); 181 return ERR_PTR(err); 182 } 183 184 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 185 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 186 size_t datasz) 187 { 188 int err = 0; 189 struct audit_entry *entry; 190 void *bufp; 191 /* size_t remain = datasz - sizeof(struct audit_rule_data); */ 192 int i; 193 194 entry = audit_to_entry_common((struct audit_rule *)data); 195 if (IS_ERR(entry)) 196 goto exit_nofree; 197 198 bufp = data->buf; 199 entry->rule.vers_ops = 2; 200 for (i = 0; i < data->field_count; i++) { 201 struct audit_field *f = &entry->rule.fields[i]; 202 203 err = -EINVAL; 204 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 205 data->fieldflags[i] & ~AUDIT_OPERATORS) 206 goto exit_free; 207 208 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 209 f->type = data->fields[i]; 210 switch(f->type) { 211 /* call type-specific conversion routines here */ 212 default: 213 f->val = data->values[i]; 214 } 215 } 216 217 exit_nofree: 218 return entry; 219 220 exit_free: 221 audit_free_rule(entry); 222 return ERR_PTR(err); 223 } 224 225 /* Pack a filter field's string representation into data block. */ 226 static inline size_t audit_pack_string(void **bufp, char *str) 227 { 228 size_t len = strlen(str); 229 230 memcpy(*bufp, str, len); 231 *bufp += len; 232 233 return len; 234 } 235 236 /* Translate kernel rule respresentation to struct audit_rule. 237 * Exists for backward compatibility with userspace. */ 238 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 239 { 240 struct audit_rule *rule; 241 int i; 242 243 rule = kmalloc(sizeof(*rule), GFP_KERNEL); 244 if (unlikely(!rule)) 245 return ERR_PTR(-ENOMEM); 246 memset(rule, 0, sizeof(*rule)); 247 248 rule->flags = krule->flags | krule->listnr; 249 rule->action = krule->action; 250 rule->field_count = krule->field_count; 251 for (i = 0; i < rule->field_count; i++) { 252 rule->values[i] = krule->fields[i].val; 253 rule->fields[i] = krule->fields[i].type; 254 255 if (krule->vers_ops == 1) { 256 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 257 rule->fields[i] |= AUDIT_NEGATE; 258 } else { 259 rule->fields[i] |= krule->fields[i].op; 260 } 261 } 262 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 263 264 return rule; 265 } 266 267 /* Translate kernel rule respresentation to struct audit_rule_data. */ 268 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 269 { 270 struct audit_rule_data *data; 271 void *bufp; 272 int i; 273 274 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 275 if (unlikely(!data)) 276 return ERR_PTR(-ENOMEM); 277 memset(data, 0, sizeof(*data)); 278 279 data->flags = krule->flags | krule->listnr; 280 data->action = krule->action; 281 data->field_count = krule->field_count; 282 bufp = data->buf; 283 for (i = 0; i < data->field_count; i++) { 284 struct audit_field *f = &krule->fields[i]; 285 286 data->fields[i] = f->type; 287 data->fieldflags[i] = f->op; 288 switch(f->type) { 289 /* call type-specific conversion routines here */ 290 default: 291 data->values[i] = f->val; 292 } 293 } 294 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 295 296 return data; 297 } 298 299 /* Compare two rules in kernel format. Considered success if rules 300 * don't match. */ 301 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 302 { 303 int i; 304 305 if (a->flags != b->flags || 306 a->listnr != b->listnr || 307 a->action != b->action || 308 a->field_count != b->field_count) 309 return 1; 310 311 for (i = 0; i < a->field_count; i++) { 312 if (a->fields[i].type != b->fields[i].type || 313 a->fields[i].op != b->fields[i].op) 314 return 1; 315 316 switch(a->fields[i].type) { 317 /* call type-specific comparison routines here */ 318 default: 319 if (a->fields[i].val != b->fields[i].val) 320 return 1; 321 } 322 } 323 324 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 325 if (a->mask[i] != b->mask[i]) 326 return 1; 327 328 return 0; 329 } 330 331 /* Add rule to given filterlist if not a duplicate. Protected by 332 * audit_netlink_mutex. */ 333 static inline int audit_add_rule(struct audit_entry *entry, 334 struct list_head *list) 335 { 336 struct audit_entry *e; 337 338 /* Do not use the _rcu iterator here, since this is the only 339 * addition routine. */ 340 list_for_each_entry(e, list, list) { 341 if (!audit_compare_rule(&entry->rule, &e->rule)) 342 return -EEXIST; 343 } 344 345 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 346 list_add_rcu(&entry->list, list); 347 } else { 348 list_add_tail_rcu(&entry->list, list); 349 } 350 351 return 0; 352 } 353 354 /* Remove an existing rule from filterlist. Protected by 355 * audit_netlink_mutex. */ 356 static inline int audit_del_rule(struct audit_entry *entry, 357 struct list_head *list) 358 { 359 struct audit_entry *e; 360 361 /* Do not use the _rcu iterator here, since this is the only 362 * deletion routine. */ 363 list_for_each_entry(e, list, list) { 364 if (!audit_compare_rule(&entry->rule, &e->rule)) { 365 list_del_rcu(&e->list); 366 call_rcu(&e->rcu, audit_free_rule_rcu); 367 return 0; 368 } 369 } 370 return -ENOENT; /* No matching rule */ 371 } 372 373 /* List rules using struct audit_rule. Exists for backward 374 * compatibility with userspace. */ 375 static int audit_list(void *_dest) 376 { 377 int pid, seq; 378 int *dest = _dest; 379 struct audit_entry *entry; 380 int i; 381 382 pid = dest[0]; 383 seq = dest[1]; 384 kfree(dest); 385 386 mutex_lock(&audit_netlink_mutex); 387 388 /* The *_rcu iterators not needed here because we are 389 always called with audit_netlink_mutex held. */ 390 for (i=0; i<AUDIT_NR_FILTERS; i++) { 391 list_for_each_entry(entry, &audit_filter_list[i], list) { 392 struct audit_rule *rule; 393 394 rule = audit_krule_to_rule(&entry->rule); 395 if (unlikely(!rule)) 396 break; 397 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, 398 rule, sizeof(*rule)); 399 kfree(rule); 400 } 401 } 402 audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 403 404 mutex_unlock(&audit_netlink_mutex); 405 return 0; 406 } 407 408 /* List rules using struct audit_rule_data. */ 409 static int audit_list_rules(void *_dest) 410 { 411 int pid, seq; 412 int *dest = _dest; 413 struct audit_entry *e; 414 int i; 415 416 pid = dest[0]; 417 seq = dest[1]; 418 kfree(dest); 419 420 mutex_lock(&audit_netlink_mutex); 421 422 /* The *_rcu iterators not needed here because we are 423 always called with audit_netlink_mutex held. */ 424 for (i=0; i<AUDIT_NR_FILTERS; i++) { 425 list_for_each_entry(e, &audit_filter_list[i], list) { 426 struct audit_rule_data *data; 427 428 data = audit_krule_to_data(&e->rule); 429 if (unlikely(!data)) 430 break; 431 audit_send_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 432 data, sizeof(*data)); 433 kfree(data); 434 } 435 } 436 audit_send_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 437 438 mutex_unlock(&audit_netlink_mutex); 439 return 0; 440 } 441 442 /** 443 * audit_receive_filter - apply all rules to the specified message type 444 * @type: audit message type 445 * @pid: target pid for netlink audit messages 446 * @uid: target uid for netlink audit messages 447 * @seq: netlink audit message sequence (serial) number 448 * @data: payload data 449 * @datasz: size of payload data 450 * @loginuid: loginuid of sender 451 */ 452 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 453 size_t datasz, uid_t loginuid) 454 { 455 struct task_struct *tsk; 456 int *dest; 457 int err = 0; 458 struct audit_entry *entry; 459 460 switch (type) { 461 case AUDIT_LIST: 462 case AUDIT_LIST_RULES: 463 /* We can't just spew out the rules here because we might fill 464 * the available socket buffer space and deadlock waiting for 465 * auditctl to read from it... which isn't ever going to 466 * happen if we're actually running in the context of auditctl 467 * trying to _send_ the stuff */ 468 469 dest = kmalloc(2 * sizeof(int), GFP_KERNEL); 470 if (!dest) 471 return -ENOMEM; 472 dest[0] = pid; 473 dest[1] = seq; 474 475 if (type == AUDIT_LIST) 476 tsk = kthread_run(audit_list, dest, "audit_list"); 477 else 478 tsk = kthread_run(audit_list_rules, dest, 479 "audit_list_rules"); 480 if (IS_ERR(tsk)) { 481 kfree(dest); 482 err = PTR_ERR(tsk); 483 } 484 break; 485 case AUDIT_ADD: 486 case AUDIT_ADD_RULE: 487 if (type == AUDIT_ADD) 488 entry = audit_rule_to_entry(data); 489 else 490 entry = audit_data_to_entry(data, datasz); 491 if (IS_ERR(entry)) 492 return PTR_ERR(entry); 493 494 err = audit_add_rule(entry, 495 &audit_filter_list[entry->rule.listnr]); 496 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 497 "auid=%u add rule to list=%d res=%d\n", 498 loginuid, entry->rule.listnr, !err); 499 500 if (err) 501 audit_free_rule(entry); 502 break; 503 case AUDIT_DEL: 504 case AUDIT_DEL_RULE: 505 if (type == AUDIT_DEL) 506 entry = audit_rule_to_entry(data); 507 else 508 entry = audit_data_to_entry(data, datasz); 509 if (IS_ERR(entry)) 510 return PTR_ERR(entry); 511 512 err = audit_del_rule(entry, 513 &audit_filter_list[entry->rule.listnr]); 514 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 515 "auid=%u remove rule from list=%d res=%d\n", 516 loginuid, entry->rule.listnr, !err); 517 518 audit_free_rule(entry); 519 break; 520 default: 521 return -EINVAL; 522 } 523 524 return err; 525 } 526 527 int audit_comparator(const u32 left, const u32 op, const u32 right) 528 { 529 switch (op) { 530 case AUDIT_EQUAL: 531 return (left == right); 532 case AUDIT_NOT_EQUAL: 533 return (left != right); 534 case AUDIT_LESS_THAN: 535 return (left < right); 536 case AUDIT_LESS_THAN_OR_EQUAL: 537 return (left <= right); 538 case AUDIT_GREATER_THAN: 539 return (left > right); 540 case AUDIT_GREATER_THAN_OR_EQUAL: 541 return (left >= right); 542 } 543 BUG(); 544 return 0; 545 } 546 547 548 549 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 550 struct audit_krule *rule, 551 enum audit_state *state) 552 { 553 int i; 554 555 for (i = 0; i < rule->field_count; i++) { 556 struct audit_field *f = &rule->fields[i]; 557 int result = 0; 558 559 switch (f->type) { 560 case AUDIT_PID: 561 result = audit_comparator(cb->creds.pid, f->op, f->val); 562 break; 563 case AUDIT_UID: 564 result = audit_comparator(cb->creds.uid, f->op, f->val); 565 break; 566 case AUDIT_GID: 567 result = audit_comparator(cb->creds.gid, f->op, f->val); 568 break; 569 case AUDIT_LOGINUID: 570 result = audit_comparator(cb->loginuid, f->op, f->val); 571 break; 572 } 573 574 if (!result) 575 return 0; 576 } 577 switch (rule->action) { 578 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 579 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; 580 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 581 } 582 return 1; 583 } 584 585 int audit_filter_user(struct netlink_skb_parms *cb, int type) 586 { 587 struct audit_entry *e; 588 enum audit_state state; 589 int ret = 1; 590 591 rcu_read_lock(); 592 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 593 if (audit_filter_user_rules(cb, &e->rule, &state)) { 594 if (state == AUDIT_DISABLED) 595 ret = 0; 596 break; 597 } 598 } 599 rcu_read_unlock(); 600 601 return ret; /* Audit by default */ 602 } 603 604 int audit_filter_type(int type) 605 { 606 struct audit_entry *e; 607 int result = 0; 608 609 rcu_read_lock(); 610 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 611 goto unlock_and_return; 612 613 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 614 list) { 615 int i; 616 for (i = 0; i < e->rule.field_count; i++) { 617 struct audit_field *f = &e->rule.fields[i]; 618 if (f->type == AUDIT_MSGTYPE) { 619 result = audit_comparator(type, f->op, f->val); 620 if (!result) 621 break; 622 } 623 } 624 if (result) 625 goto unlock_and_return; 626 } 627 unlock_and_return: 628 rcu_read_unlock(); 629 return result; 630 } 631