1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 extern int audit_enabled; 99 100 void audit_free_parent(struct inotify_watch *i_watch) 101 { 102 struct audit_parent *parent; 103 104 parent = container_of(i_watch, struct audit_parent, wdata); 105 WARN_ON(!list_empty(&parent->watches)); 106 kfree(parent); 107 } 108 109 static inline void audit_get_watch(struct audit_watch *watch) 110 { 111 atomic_inc(&watch->count); 112 } 113 114 static void audit_put_watch(struct audit_watch *watch) 115 { 116 if (atomic_dec_and_test(&watch->count)) { 117 WARN_ON(watch->parent); 118 WARN_ON(!list_empty(&watch->rules)); 119 kfree(watch->path); 120 kfree(watch); 121 } 122 } 123 124 static void audit_remove_watch(struct audit_watch *watch) 125 { 126 list_del(&watch->wlist); 127 put_inotify_watch(&watch->parent->wdata); 128 watch->parent = NULL; 129 audit_put_watch(watch); /* match initial get */ 130 } 131 132 static inline void audit_free_rule(struct audit_entry *e) 133 { 134 int i; 135 136 /* some rules don't have associated watches */ 137 if (e->rule.watch) 138 audit_put_watch(e->rule.watch); 139 if (e->rule.fields) 140 for (i = 0; i < e->rule.field_count; i++) { 141 struct audit_field *f = &e->rule.fields[i]; 142 kfree(f->se_str); 143 selinux_audit_rule_free(f->se_rule); 144 } 145 kfree(e->rule.fields); 146 kfree(e->rule.filterkey); 147 kfree(e); 148 } 149 150 void audit_free_rule_rcu(struct rcu_head *head) 151 { 152 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 153 audit_free_rule(e); 154 } 155 156 /* Initialize a parent watch entry. */ 157 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 158 { 159 struct audit_parent *parent; 160 s32 wd; 161 162 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 163 if (unlikely(!parent)) 164 return ERR_PTR(-ENOMEM); 165 166 INIT_LIST_HEAD(&parent->watches); 167 parent->flags = 0; 168 169 inotify_init_watch(&parent->wdata); 170 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 171 get_inotify_watch(&parent->wdata); 172 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 173 AUDIT_IN_WATCH); 174 if (wd < 0) { 175 audit_free_parent(&parent->wdata); 176 return ERR_PTR(wd); 177 } 178 179 return parent; 180 } 181 182 /* Initialize a watch entry. */ 183 static struct audit_watch *audit_init_watch(char *path) 184 { 185 struct audit_watch *watch; 186 187 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 188 if (unlikely(!watch)) 189 return ERR_PTR(-ENOMEM); 190 191 INIT_LIST_HEAD(&watch->rules); 192 atomic_set(&watch->count, 1); 193 watch->path = path; 194 watch->dev = (dev_t)-1; 195 watch->ino = (unsigned long)-1; 196 197 return watch; 198 } 199 200 /* Initialize an audit filterlist entry. */ 201 static inline struct audit_entry *audit_init_entry(u32 field_count) 202 { 203 struct audit_entry *entry; 204 struct audit_field *fields; 205 206 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 207 if (unlikely(!entry)) 208 return NULL; 209 210 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 211 if (unlikely(!fields)) { 212 kfree(entry); 213 return NULL; 214 } 215 entry->rule.fields = fields; 216 217 return entry; 218 } 219 220 /* Unpack a filter field's string representation from user-space 221 * buffer. */ 222 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 223 { 224 char *str; 225 226 if (!*bufp || (len == 0) || (len > *remain)) 227 return ERR_PTR(-EINVAL); 228 229 /* Of the currently implemented string fields, PATH_MAX 230 * defines the longest valid length. 231 */ 232 if (len > PATH_MAX) 233 return ERR_PTR(-ENAMETOOLONG); 234 235 str = kmalloc(len + 1, GFP_KERNEL); 236 if (unlikely(!str)) 237 return ERR_PTR(-ENOMEM); 238 239 memcpy(str, *bufp, len); 240 str[len] = 0; 241 *bufp += len; 242 *remain -= len; 243 244 return str; 245 } 246 247 /* Translate an inode field to kernel respresentation. */ 248 static inline int audit_to_inode(struct audit_krule *krule, 249 struct audit_field *f) 250 { 251 if (krule->listnr != AUDIT_FILTER_EXIT || 252 krule->watch || krule->inode_f || krule->tree) 253 return -EINVAL; 254 255 krule->inode_f = f; 256 return 0; 257 } 258 259 /* Translate a watch string to kernel respresentation. */ 260 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 261 u32 op) 262 { 263 struct audit_watch *watch; 264 265 if (!audit_ih) 266 return -EOPNOTSUPP; 267 268 if (path[0] != '/' || path[len-1] == '/' || 269 krule->listnr != AUDIT_FILTER_EXIT || 270 op & ~AUDIT_EQUAL || 271 krule->inode_f || krule->watch || krule->tree) 272 return -EINVAL; 273 274 watch = audit_init_watch(path); 275 if (unlikely(IS_ERR(watch))) 276 return PTR_ERR(watch); 277 278 audit_get_watch(watch); 279 krule->watch = watch; 280 281 return 0; 282 } 283 284 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 285 286 int __init audit_register_class(int class, unsigned *list) 287 { 288 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 289 if (!p) 290 return -ENOMEM; 291 while (*list != ~0U) { 292 unsigned n = *list++; 293 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 294 kfree(p); 295 return -EINVAL; 296 } 297 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 298 } 299 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 300 kfree(p); 301 return -EINVAL; 302 } 303 classes[class] = p; 304 return 0; 305 } 306 307 int audit_match_class(int class, unsigned syscall) 308 { 309 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 310 return 0; 311 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 312 return 0; 313 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 314 } 315 316 #ifdef CONFIG_AUDITSYSCALL 317 static inline int audit_match_class_bits(int class, u32 *mask) 318 { 319 int i; 320 321 if (classes[class]) { 322 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 323 if (mask[i] & classes[class][i]) 324 return 0; 325 } 326 return 1; 327 } 328 329 static int audit_match_signal(struct audit_entry *entry) 330 { 331 struct audit_field *arch = entry->rule.arch_f; 332 333 if (!arch) { 334 /* When arch is unspecified, we must check both masks on biarch 335 * as syscall number alone is ambiguous. */ 336 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 337 entry->rule.mask) && 338 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 339 entry->rule.mask)); 340 } 341 342 switch(audit_classify_arch(arch->val)) { 343 case 0: /* native */ 344 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 345 entry->rule.mask)); 346 case 1: /* 32bit on biarch */ 347 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 348 entry->rule.mask)); 349 default: 350 return 1; 351 } 352 } 353 #endif 354 355 /* Common user-space to kernel rule translation. */ 356 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 357 { 358 unsigned listnr; 359 struct audit_entry *entry; 360 int i, err; 361 362 err = -EINVAL; 363 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 364 switch(listnr) { 365 default: 366 goto exit_err; 367 case AUDIT_FILTER_USER: 368 case AUDIT_FILTER_TYPE: 369 #ifdef CONFIG_AUDITSYSCALL 370 case AUDIT_FILTER_ENTRY: 371 case AUDIT_FILTER_EXIT: 372 case AUDIT_FILTER_TASK: 373 #endif 374 ; 375 } 376 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 377 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 378 goto exit_err; 379 } 380 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 381 goto exit_err; 382 if (rule->field_count > AUDIT_MAX_FIELDS) 383 goto exit_err; 384 385 err = -ENOMEM; 386 entry = audit_init_entry(rule->field_count); 387 if (!entry) 388 goto exit_err; 389 390 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 391 entry->rule.listnr = listnr; 392 entry->rule.action = rule->action; 393 entry->rule.field_count = rule->field_count; 394 395 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 396 entry->rule.mask[i] = rule->mask[i]; 397 398 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 399 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 400 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 401 __u32 *class; 402 403 if (!(*p & AUDIT_BIT(bit))) 404 continue; 405 *p &= ~AUDIT_BIT(bit); 406 class = classes[i]; 407 if (class) { 408 int j; 409 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 410 entry->rule.mask[j] |= class[j]; 411 } 412 } 413 414 return entry; 415 416 exit_err: 417 return ERR_PTR(err); 418 } 419 420 /* Translate struct audit_rule to kernel's rule respresentation. 421 * Exists for backward compatibility with userspace. */ 422 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 423 { 424 struct audit_entry *entry; 425 struct audit_field *f; 426 int err = 0; 427 int i; 428 429 entry = audit_to_entry_common(rule); 430 if (IS_ERR(entry)) 431 goto exit_nofree; 432 433 for (i = 0; i < rule->field_count; i++) { 434 struct audit_field *f = &entry->rule.fields[i]; 435 436 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 437 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 438 f->val = rule->values[i]; 439 440 err = -EINVAL; 441 switch(f->type) { 442 default: 443 goto exit_free; 444 case AUDIT_PID: 445 case AUDIT_UID: 446 case AUDIT_EUID: 447 case AUDIT_SUID: 448 case AUDIT_FSUID: 449 case AUDIT_GID: 450 case AUDIT_EGID: 451 case AUDIT_SGID: 452 case AUDIT_FSGID: 453 case AUDIT_LOGINUID: 454 case AUDIT_PERS: 455 case AUDIT_MSGTYPE: 456 case AUDIT_PPID: 457 case AUDIT_DEVMAJOR: 458 case AUDIT_DEVMINOR: 459 case AUDIT_EXIT: 460 case AUDIT_SUCCESS: 461 /* bit ops are only useful on syscall args */ 462 if (f->op == AUDIT_BIT_MASK || 463 f->op == AUDIT_BIT_TEST) { 464 err = -EINVAL; 465 goto exit_free; 466 } 467 break; 468 case AUDIT_ARG0: 469 case AUDIT_ARG1: 470 case AUDIT_ARG2: 471 case AUDIT_ARG3: 472 break; 473 /* arch is only allowed to be = or != */ 474 case AUDIT_ARCH: 475 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 476 && (f->op != AUDIT_NEGATE) && (f->op)) { 477 err = -EINVAL; 478 goto exit_free; 479 } 480 entry->rule.arch_f = f; 481 break; 482 case AUDIT_PERM: 483 if (f->val & ~15) 484 goto exit_free; 485 break; 486 case AUDIT_INODE: 487 err = audit_to_inode(&entry->rule, f); 488 if (err) 489 goto exit_free; 490 break; 491 } 492 493 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 494 495 /* Support for legacy operators where 496 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 497 if (f->op & AUDIT_NEGATE) 498 f->op = AUDIT_NOT_EQUAL; 499 else if (!f->op) 500 f->op = AUDIT_EQUAL; 501 else if (f->op == AUDIT_OPERATORS) { 502 err = -EINVAL; 503 goto exit_free; 504 } 505 } 506 507 f = entry->rule.inode_f; 508 if (f) { 509 switch(f->op) { 510 case AUDIT_NOT_EQUAL: 511 entry->rule.inode_f = NULL; 512 case AUDIT_EQUAL: 513 break; 514 default: 515 err = -EINVAL; 516 goto exit_free; 517 } 518 } 519 520 exit_nofree: 521 return entry; 522 523 exit_free: 524 audit_free_rule(entry); 525 return ERR_PTR(err); 526 } 527 528 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 529 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 530 size_t datasz) 531 { 532 int err = 0; 533 struct audit_entry *entry; 534 struct audit_field *f; 535 void *bufp; 536 size_t remain = datasz - sizeof(struct audit_rule_data); 537 int i; 538 char *str; 539 540 entry = audit_to_entry_common((struct audit_rule *)data); 541 if (IS_ERR(entry)) 542 goto exit_nofree; 543 544 bufp = data->buf; 545 entry->rule.vers_ops = 2; 546 for (i = 0; i < data->field_count; i++) { 547 struct audit_field *f = &entry->rule.fields[i]; 548 549 err = -EINVAL; 550 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 551 data->fieldflags[i] & ~AUDIT_OPERATORS) 552 goto exit_free; 553 554 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 555 f->type = data->fields[i]; 556 f->val = data->values[i]; 557 f->se_str = NULL; 558 f->se_rule = NULL; 559 switch(f->type) { 560 case AUDIT_PID: 561 case AUDIT_UID: 562 case AUDIT_EUID: 563 case AUDIT_SUID: 564 case AUDIT_FSUID: 565 case AUDIT_GID: 566 case AUDIT_EGID: 567 case AUDIT_SGID: 568 case AUDIT_FSGID: 569 case AUDIT_LOGINUID: 570 case AUDIT_PERS: 571 case AUDIT_MSGTYPE: 572 case AUDIT_PPID: 573 case AUDIT_DEVMAJOR: 574 case AUDIT_DEVMINOR: 575 case AUDIT_EXIT: 576 case AUDIT_SUCCESS: 577 case AUDIT_ARG0: 578 case AUDIT_ARG1: 579 case AUDIT_ARG2: 580 case AUDIT_ARG3: 581 break; 582 case AUDIT_ARCH: 583 entry->rule.arch_f = f; 584 break; 585 case AUDIT_SUBJ_USER: 586 case AUDIT_SUBJ_ROLE: 587 case AUDIT_SUBJ_TYPE: 588 case AUDIT_SUBJ_SEN: 589 case AUDIT_SUBJ_CLR: 590 case AUDIT_OBJ_USER: 591 case AUDIT_OBJ_ROLE: 592 case AUDIT_OBJ_TYPE: 593 case AUDIT_OBJ_LEV_LOW: 594 case AUDIT_OBJ_LEV_HIGH: 595 str = audit_unpack_string(&bufp, &remain, f->val); 596 if (IS_ERR(str)) 597 goto exit_free; 598 entry->rule.buflen += f->val; 599 600 err = selinux_audit_rule_init(f->type, f->op, str, 601 &f->se_rule); 602 /* Keep currently invalid fields around in case they 603 * become valid after a policy reload. */ 604 if (err == -EINVAL) { 605 printk(KERN_WARNING "audit rule for selinux " 606 "\'%s\' is invalid\n", str); 607 err = 0; 608 } 609 if (err) { 610 kfree(str); 611 goto exit_free; 612 } else 613 f->se_str = str; 614 break; 615 case AUDIT_WATCH: 616 str = audit_unpack_string(&bufp, &remain, f->val); 617 if (IS_ERR(str)) 618 goto exit_free; 619 entry->rule.buflen += f->val; 620 621 err = audit_to_watch(&entry->rule, str, f->val, f->op); 622 if (err) { 623 kfree(str); 624 goto exit_free; 625 } 626 break; 627 case AUDIT_DIR: 628 str = audit_unpack_string(&bufp, &remain, f->val); 629 if (IS_ERR(str)) 630 goto exit_free; 631 entry->rule.buflen += f->val; 632 633 err = audit_make_tree(&entry->rule, str, f->op); 634 kfree(str); 635 if (err) 636 goto exit_free; 637 break; 638 case AUDIT_INODE: 639 err = audit_to_inode(&entry->rule, f); 640 if (err) 641 goto exit_free; 642 break; 643 case AUDIT_FILTERKEY: 644 err = -EINVAL; 645 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 646 goto exit_free; 647 str = audit_unpack_string(&bufp, &remain, f->val); 648 if (IS_ERR(str)) 649 goto exit_free; 650 entry->rule.buflen += f->val; 651 entry->rule.filterkey = str; 652 break; 653 case AUDIT_PERM: 654 if (f->val & ~15) 655 goto exit_free; 656 break; 657 default: 658 goto exit_free; 659 } 660 } 661 662 f = entry->rule.inode_f; 663 if (f) { 664 switch(f->op) { 665 case AUDIT_NOT_EQUAL: 666 entry->rule.inode_f = NULL; 667 case AUDIT_EQUAL: 668 break; 669 default: 670 err = -EINVAL; 671 goto exit_free; 672 } 673 } 674 675 exit_nofree: 676 return entry; 677 678 exit_free: 679 audit_free_rule(entry); 680 return ERR_PTR(err); 681 } 682 683 /* Pack a filter field's string representation into data block. */ 684 static inline size_t audit_pack_string(void **bufp, const char *str) 685 { 686 size_t len = strlen(str); 687 688 memcpy(*bufp, str, len); 689 *bufp += len; 690 691 return len; 692 } 693 694 /* Translate kernel rule respresentation to struct audit_rule. 695 * Exists for backward compatibility with userspace. */ 696 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 697 { 698 struct audit_rule *rule; 699 int i; 700 701 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 702 if (unlikely(!rule)) 703 return NULL; 704 705 rule->flags = krule->flags | krule->listnr; 706 rule->action = krule->action; 707 rule->field_count = krule->field_count; 708 for (i = 0; i < rule->field_count; i++) { 709 rule->values[i] = krule->fields[i].val; 710 rule->fields[i] = krule->fields[i].type; 711 712 if (krule->vers_ops == 1) { 713 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 714 rule->fields[i] |= AUDIT_NEGATE; 715 } else { 716 rule->fields[i] |= krule->fields[i].op; 717 } 718 } 719 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 720 721 return rule; 722 } 723 724 /* Translate kernel rule respresentation to struct audit_rule_data. */ 725 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 726 { 727 struct audit_rule_data *data; 728 void *bufp; 729 int i; 730 731 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 732 if (unlikely(!data)) 733 return NULL; 734 memset(data, 0, sizeof(*data)); 735 736 data->flags = krule->flags | krule->listnr; 737 data->action = krule->action; 738 data->field_count = krule->field_count; 739 bufp = data->buf; 740 for (i = 0; i < data->field_count; i++) { 741 struct audit_field *f = &krule->fields[i]; 742 743 data->fields[i] = f->type; 744 data->fieldflags[i] = f->op; 745 switch(f->type) { 746 case AUDIT_SUBJ_USER: 747 case AUDIT_SUBJ_ROLE: 748 case AUDIT_SUBJ_TYPE: 749 case AUDIT_SUBJ_SEN: 750 case AUDIT_SUBJ_CLR: 751 case AUDIT_OBJ_USER: 752 case AUDIT_OBJ_ROLE: 753 case AUDIT_OBJ_TYPE: 754 case AUDIT_OBJ_LEV_LOW: 755 case AUDIT_OBJ_LEV_HIGH: 756 data->buflen += data->values[i] = 757 audit_pack_string(&bufp, f->se_str); 758 break; 759 case AUDIT_WATCH: 760 data->buflen += data->values[i] = 761 audit_pack_string(&bufp, krule->watch->path); 762 break; 763 case AUDIT_DIR: 764 data->buflen += data->values[i] = 765 audit_pack_string(&bufp, 766 audit_tree_path(krule->tree)); 767 break; 768 case AUDIT_FILTERKEY: 769 data->buflen += data->values[i] = 770 audit_pack_string(&bufp, krule->filterkey); 771 break; 772 default: 773 data->values[i] = f->val; 774 } 775 } 776 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 777 778 return data; 779 } 780 781 /* Compare two rules in kernel format. Considered success if rules 782 * don't match. */ 783 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 784 { 785 int i; 786 787 if (a->flags != b->flags || 788 a->listnr != b->listnr || 789 a->action != b->action || 790 a->field_count != b->field_count) 791 return 1; 792 793 for (i = 0; i < a->field_count; i++) { 794 if (a->fields[i].type != b->fields[i].type || 795 a->fields[i].op != b->fields[i].op) 796 return 1; 797 798 switch(a->fields[i].type) { 799 case AUDIT_SUBJ_USER: 800 case AUDIT_SUBJ_ROLE: 801 case AUDIT_SUBJ_TYPE: 802 case AUDIT_SUBJ_SEN: 803 case AUDIT_SUBJ_CLR: 804 case AUDIT_OBJ_USER: 805 case AUDIT_OBJ_ROLE: 806 case AUDIT_OBJ_TYPE: 807 case AUDIT_OBJ_LEV_LOW: 808 case AUDIT_OBJ_LEV_HIGH: 809 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 810 return 1; 811 break; 812 case AUDIT_WATCH: 813 if (strcmp(a->watch->path, b->watch->path)) 814 return 1; 815 break; 816 case AUDIT_DIR: 817 if (strcmp(audit_tree_path(a->tree), 818 audit_tree_path(b->tree))) 819 return 1; 820 break; 821 case AUDIT_FILTERKEY: 822 /* both filterkeys exist based on above type compare */ 823 if (strcmp(a->filterkey, b->filterkey)) 824 return 1; 825 break; 826 default: 827 if (a->fields[i].val != b->fields[i].val) 828 return 1; 829 } 830 } 831 832 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 833 if (a->mask[i] != b->mask[i]) 834 return 1; 835 836 return 0; 837 } 838 839 /* Duplicate the given audit watch. The new watch's rules list is initialized 840 * to an empty list and wlist is undefined. */ 841 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 842 { 843 char *path; 844 struct audit_watch *new; 845 846 path = kstrdup(old->path, GFP_KERNEL); 847 if (unlikely(!path)) 848 return ERR_PTR(-ENOMEM); 849 850 new = audit_init_watch(path); 851 if (unlikely(IS_ERR(new))) { 852 kfree(path); 853 goto out; 854 } 855 856 new->dev = old->dev; 857 new->ino = old->ino; 858 get_inotify_watch(&old->parent->wdata); 859 new->parent = old->parent; 860 861 out: 862 return new; 863 } 864 865 /* Duplicate selinux field information. The se_rule is opaque, so must be 866 * re-initialized. */ 867 static inline int audit_dupe_selinux_field(struct audit_field *df, 868 struct audit_field *sf) 869 { 870 int ret = 0; 871 char *se_str; 872 873 /* our own copy of se_str */ 874 se_str = kstrdup(sf->se_str, GFP_KERNEL); 875 if (unlikely(!se_str)) 876 return -ENOMEM; 877 df->se_str = se_str; 878 879 /* our own (refreshed) copy of se_rule */ 880 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 881 &df->se_rule); 882 /* Keep currently invalid fields around in case they 883 * become valid after a policy reload. */ 884 if (ret == -EINVAL) { 885 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 886 "invalid\n", df->se_str); 887 ret = 0; 888 } 889 890 return ret; 891 } 892 893 /* Duplicate an audit rule. This will be a deep copy with the exception 894 * of the watch - that pointer is carried over. The selinux specific fields 895 * will be updated in the copy. The point is to be able to replace the old 896 * rule with the new rule in the filterlist, then free the old rule. 897 * The rlist element is undefined; list manipulations are handled apart from 898 * the initial copy. */ 899 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 900 struct audit_watch *watch) 901 { 902 u32 fcount = old->field_count; 903 struct audit_entry *entry; 904 struct audit_krule *new; 905 char *fk; 906 int i, err = 0; 907 908 entry = audit_init_entry(fcount); 909 if (unlikely(!entry)) 910 return ERR_PTR(-ENOMEM); 911 912 new = &entry->rule; 913 new->vers_ops = old->vers_ops; 914 new->flags = old->flags; 915 new->listnr = old->listnr; 916 new->action = old->action; 917 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 918 new->mask[i] = old->mask[i]; 919 new->buflen = old->buflen; 920 new->inode_f = old->inode_f; 921 new->watch = NULL; 922 new->field_count = old->field_count; 923 /* 924 * note that we are OK with not refcounting here; audit_match_tree() 925 * never dereferences tree and we can't get false positives there 926 * since we'd have to have rule gone from the list *and* removed 927 * before the chunks found by lookup had been allocated, i.e. before 928 * the beginning of list scan. 929 */ 930 new->tree = old->tree; 931 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 932 933 /* deep copy this information, updating the se_rule fields, because 934 * the originals will all be freed when the old rule is freed. */ 935 for (i = 0; i < fcount; i++) { 936 switch (new->fields[i].type) { 937 case AUDIT_SUBJ_USER: 938 case AUDIT_SUBJ_ROLE: 939 case AUDIT_SUBJ_TYPE: 940 case AUDIT_SUBJ_SEN: 941 case AUDIT_SUBJ_CLR: 942 case AUDIT_OBJ_USER: 943 case AUDIT_OBJ_ROLE: 944 case AUDIT_OBJ_TYPE: 945 case AUDIT_OBJ_LEV_LOW: 946 case AUDIT_OBJ_LEV_HIGH: 947 err = audit_dupe_selinux_field(&new->fields[i], 948 &old->fields[i]); 949 break; 950 case AUDIT_FILTERKEY: 951 fk = kstrdup(old->filterkey, GFP_KERNEL); 952 if (unlikely(!fk)) 953 err = -ENOMEM; 954 else 955 new->filterkey = fk; 956 } 957 if (err) { 958 audit_free_rule(entry); 959 return ERR_PTR(err); 960 } 961 } 962 963 if (watch) { 964 audit_get_watch(watch); 965 new->watch = watch; 966 } 967 968 return entry; 969 } 970 971 /* Update inode info in audit rules based on filesystem event. */ 972 static void audit_update_watch(struct audit_parent *parent, 973 const char *dname, dev_t dev, 974 unsigned long ino, unsigned invalidating) 975 { 976 struct audit_watch *owatch, *nwatch, *nextw; 977 struct audit_krule *r, *nextr; 978 struct audit_entry *oentry, *nentry; 979 980 mutex_lock(&audit_filter_mutex); 981 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 982 if (audit_compare_dname_path(dname, owatch->path, NULL)) 983 continue; 984 985 /* If the update involves invalidating rules, do the inode-based 986 * filtering now, so we don't omit records. */ 987 if (invalidating && current->audit_context && 988 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 989 audit_set_auditable(current->audit_context); 990 991 nwatch = audit_dupe_watch(owatch); 992 if (unlikely(IS_ERR(nwatch))) { 993 mutex_unlock(&audit_filter_mutex); 994 audit_panic("error updating watch, skipping"); 995 return; 996 } 997 nwatch->dev = dev; 998 nwatch->ino = ino; 999 1000 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 1001 1002 oentry = container_of(r, struct audit_entry, rule); 1003 list_del(&oentry->rule.rlist); 1004 list_del_rcu(&oentry->list); 1005 1006 nentry = audit_dupe_rule(&oentry->rule, nwatch); 1007 if (unlikely(IS_ERR(nentry))) 1008 audit_panic("error updating watch, removing"); 1009 else { 1010 int h = audit_hash_ino((u32)ino); 1011 list_add(&nentry->rule.rlist, &nwatch->rules); 1012 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 1013 } 1014 1015 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1016 } 1017 1018 if (audit_enabled) { 1019 struct audit_buffer *ab; 1020 ab = audit_log_start(NULL, GFP_KERNEL, 1021 AUDIT_CONFIG_CHANGE); 1022 audit_log_format(ab, 1023 "op=updated rules specifying path="); 1024 audit_log_untrustedstring(ab, owatch->path); 1025 audit_log_format(ab, " with dev=%u ino=%lu\n", 1026 dev, ino); 1027 audit_log_format(ab, " list=%d res=1", r->listnr); 1028 audit_log_end(ab); 1029 } 1030 audit_remove_watch(owatch); 1031 goto add_watch_to_parent; /* event applies to a single watch */ 1032 } 1033 mutex_unlock(&audit_filter_mutex); 1034 return; 1035 1036 add_watch_to_parent: 1037 list_add(&nwatch->wlist, &parent->watches); 1038 mutex_unlock(&audit_filter_mutex); 1039 return; 1040 } 1041 1042 /* Remove all watches & rules associated with a parent that is going away. */ 1043 static void audit_remove_parent_watches(struct audit_parent *parent) 1044 { 1045 struct audit_watch *w, *nextw; 1046 struct audit_krule *r, *nextr; 1047 struct audit_entry *e; 1048 1049 mutex_lock(&audit_filter_mutex); 1050 parent->flags |= AUDIT_PARENT_INVALID; 1051 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1052 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1053 e = container_of(r, struct audit_entry, rule); 1054 if (audit_enabled) { 1055 struct audit_buffer *ab; 1056 ab = audit_log_start(NULL, GFP_KERNEL, 1057 AUDIT_CONFIG_CHANGE); 1058 audit_log_format(ab, "op=remove rule path="); 1059 audit_log_untrustedstring(ab, w->path); 1060 if (r->filterkey) { 1061 audit_log_format(ab, " key="); 1062 audit_log_untrustedstring(ab, 1063 r->filterkey); 1064 } else 1065 audit_log_format(ab, " key=(null)"); 1066 audit_log_format(ab, " list=%d res=1", 1067 r->listnr); 1068 audit_log_end(ab); 1069 } 1070 list_del(&r->rlist); 1071 list_del_rcu(&e->list); 1072 call_rcu(&e->rcu, audit_free_rule_rcu); 1073 } 1074 audit_remove_watch(w); 1075 } 1076 mutex_unlock(&audit_filter_mutex); 1077 } 1078 1079 /* Unregister inotify watches for parents on in_list. 1080 * Generates an IN_IGNORED event. */ 1081 static void audit_inotify_unregister(struct list_head *in_list) 1082 { 1083 struct audit_parent *p, *n; 1084 1085 list_for_each_entry_safe(p, n, in_list, ilist) { 1086 list_del(&p->ilist); 1087 inotify_rm_watch(audit_ih, &p->wdata); 1088 /* the put matching the get in audit_do_del_rule() */ 1089 put_inotify_watch(&p->wdata); 1090 } 1091 } 1092 1093 /* Find an existing audit rule. 1094 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1095 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1096 struct list_head *list) 1097 { 1098 struct audit_entry *e, *found = NULL; 1099 int h; 1100 1101 if (entry->rule.watch) { 1102 /* we don't know the inode number, so must walk entire hash */ 1103 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1104 list = &audit_inode_hash[h]; 1105 list_for_each_entry(e, list, list) 1106 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1107 found = e; 1108 goto out; 1109 } 1110 } 1111 goto out; 1112 } 1113 1114 list_for_each_entry(e, list, list) 1115 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1116 found = e; 1117 goto out; 1118 } 1119 1120 out: 1121 return found; 1122 } 1123 1124 /* Get path information necessary for adding watches. */ 1125 static int audit_get_nd(char *path, struct nameidata **ndp, 1126 struct nameidata **ndw) 1127 { 1128 struct nameidata *ndparent, *ndwatch; 1129 int err; 1130 1131 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1132 if (unlikely(!ndparent)) 1133 return -ENOMEM; 1134 1135 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1136 if (unlikely(!ndwatch)) { 1137 kfree(ndparent); 1138 return -ENOMEM; 1139 } 1140 1141 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1142 if (err) { 1143 kfree(ndparent); 1144 kfree(ndwatch); 1145 return err; 1146 } 1147 1148 err = path_lookup(path, 0, ndwatch); 1149 if (err) { 1150 kfree(ndwatch); 1151 ndwatch = NULL; 1152 } 1153 1154 *ndp = ndparent; 1155 *ndw = ndwatch; 1156 1157 return 0; 1158 } 1159 1160 /* Release resources used for watch path information. */ 1161 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1162 { 1163 if (ndp) { 1164 path_release(ndp); 1165 kfree(ndp); 1166 } 1167 if (ndw) { 1168 path_release(ndw); 1169 kfree(ndw); 1170 } 1171 } 1172 1173 /* Associate the given rule with an existing parent inotify_watch. 1174 * Caller must hold audit_filter_mutex. */ 1175 static void audit_add_to_parent(struct audit_krule *krule, 1176 struct audit_parent *parent) 1177 { 1178 struct audit_watch *w, *watch = krule->watch; 1179 int watch_found = 0; 1180 1181 list_for_each_entry(w, &parent->watches, wlist) { 1182 if (strcmp(watch->path, w->path)) 1183 continue; 1184 1185 watch_found = 1; 1186 1187 /* put krule's and initial refs to temporary watch */ 1188 audit_put_watch(watch); 1189 audit_put_watch(watch); 1190 1191 audit_get_watch(w); 1192 krule->watch = watch = w; 1193 break; 1194 } 1195 1196 if (!watch_found) { 1197 get_inotify_watch(&parent->wdata); 1198 watch->parent = parent; 1199 1200 list_add(&watch->wlist, &parent->watches); 1201 } 1202 list_add(&krule->rlist, &watch->rules); 1203 } 1204 1205 /* Find a matching watch entry, or add this one. 1206 * Caller must hold audit_filter_mutex. */ 1207 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1208 struct nameidata *ndw) 1209 { 1210 struct audit_watch *watch = krule->watch; 1211 struct inotify_watch *i_watch; 1212 struct audit_parent *parent; 1213 int ret = 0; 1214 1215 /* update watch filter fields */ 1216 if (ndw) { 1217 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1218 watch->ino = ndw->dentry->d_inode->i_ino; 1219 } 1220 1221 /* The audit_filter_mutex must not be held during inotify calls because 1222 * we hold it during inotify event callback processing. If an existing 1223 * inotify watch is found, inotify_find_watch() grabs a reference before 1224 * returning. 1225 */ 1226 mutex_unlock(&audit_filter_mutex); 1227 1228 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1229 parent = audit_init_parent(ndp); 1230 if (IS_ERR(parent)) { 1231 /* caller expects mutex locked */ 1232 mutex_lock(&audit_filter_mutex); 1233 return PTR_ERR(parent); 1234 } 1235 } else 1236 parent = container_of(i_watch, struct audit_parent, wdata); 1237 1238 mutex_lock(&audit_filter_mutex); 1239 1240 /* parent was moved before we took audit_filter_mutex */ 1241 if (parent->flags & AUDIT_PARENT_INVALID) 1242 ret = -ENOENT; 1243 else 1244 audit_add_to_parent(krule, parent); 1245 1246 /* match get in audit_init_parent or inotify_find_watch */ 1247 put_inotify_watch(&parent->wdata); 1248 return ret; 1249 } 1250 1251 /* Add rule to given filterlist if not a duplicate. */ 1252 static inline int audit_add_rule(struct audit_entry *entry, 1253 struct list_head *list) 1254 { 1255 struct audit_entry *e; 1256 struct audit_field *inode_f = entry->rule.inode_f; 1257 struct audit_watch *watch = entry->rule.watch; 1258 struct audit_tree *tree = entry->rule.tree; 1259 struct nameidata *ndp = NULL, *ndw = NULL; 1260 int h, err; 1261 #ifdef CONFIG_AUDITSYSCALL 1262 int dont_count = 0; 1263 1264 /* If either of these, don't count towards total */ 1265 if (entry->rule.listnr == AUDIT_FILTER_USER || 1266 entry->rule.listnr == AUDIT_FILTER_TYPE) 1267 dont_count = 1; 1268 #endif 1269 1270 if (inode_f) { 1271 h = audit_hash_ino(inode_f->val); 1272 list = &audit_inode_hash[h]; 1273 } 1274 1275 mutex_lock(&audit_filter_mutex); 1276 e = audit_find_rule(entry, list); 1277 mutex_unlock(&audit_filter_mutex); 1278 if (e) { 1279 err = -EEXIST; 1280 /* normally audit_add_tree_rule() will free it on failure */ 1281 if (tree) 1282 audit_put_tree(tree); 1283 goto error; 1284 } 1285 1286 /* Avoid calling path_lookup under audit_filter_mutex. */ 1287 if (watch) { 1288 err = audit_get_nd(watch->path, &ndp, &ndw); 1289 if (err) 1290 goto error; 1291 } 1292 1293 mutex_lock(&audit_filter_mutex); 1294 if (watch) { 1295 /* audit_filter_mutex is dropped and re-taken during this call */ 1296 err = audit_add_watch(&entry->rule, ndp, ndw); 1297 if (err) { 1298 mutex_unlock(&audit_filter_mutex); 1299 goto error; 1300 } 1301 h = audit_hash_ino((u32)watch->ino); 1302 list = &audit_inode_hash[h]; 1303 } 1304 if (tree) { 1305 err = audit_add_tree_rule(&entry->rule); 1306 if (err) { 1307 mutex_unlock(&audit_filter_mutex); 1308 goto error; 1309 } 1310 } 1311 1312 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1313 list_add_rcu(&entry->list, list); 1314 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1315 } else { 1316 list_add_tail_rcu(&entry->list, list); 1317 } 1318 #ifdef CONFIG_AUDITSYSCALL 1319 if (!dont_count) 1320 audit_n_rules++; 1321 1322 if (!audit_match_signal(entry)) 1323 audit_signals++; 1324 #endif 1325 mutex_unlock(&audit_filter_mutex); 1326 1327 audit_put_nd(ndp, ndw); /* NULL args OK */ 1328 return 0; 1329 1330 error: 1331 audit_put_nd(ndp, ndw); /* NULL args OK */ 1332 if (watch) 1333 audit_put_watch(watch); /* tmp watch, matches initial get */ 1334 return err; 1335 } 1336 1337 /* Remove an existing rule from filterlist. */ 1338 static inline int audit_del_rule(struct audit_entry *entry, 1339 struct list_head *list) 1340 { 1341 struct audit_entry *e; 1342 struct audit_field *inode_f = entry->rule.inode_f; 1343 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1344 struct audit_tree *tree = entry->rule.tree; 1345 LIST_HEAD(inotify_list); 1346 int h, ret = 0; 1347 #ifdef CONFIG_AUDITSYSCALL 1348 int dont_count = 0; 1349 1350 /* If either of these, don't count towards total */ 1351 if (entry->rule.listnr == AUDIT_FILTER_USER || 1352 entry->rule.listnr == AUDIT_FILTER_TYPE) 1353 dont_count = 1; 1354 #endif 1355 1356 if (inode_f) { 1357 h = audit_hash_ino(inode_f->val); 1358 list = &audit_inode_hash[h]; 1359 } 1360 1361 mutex_lock(&audit_filter_mutex); 1362 e = audit_find_rule(entry, list); 1363 if (!e) { 1364 mutex_unlock(&audit_filter_mutex); 1365 ret = -ENOENT; 1366 goto out; 1367 } 1368 1369 watch = e->rule.watch; 1370 if (watch) { 1371 struct audit_parent *parent = watch->parent; 1372 1373 list_del(&e->rule.rlist); 1374 1375 if (list_empty(&watch->rules)) { 1376 audit_remove_watch(watch); 1377 1378 if (list_empty(&parent->watches)) { 1379 /* Put parent on the inotify un-registration 1380 * list. Grab a reference before releasing 1381 * audit_filter_mutex, to be released in 1382 * audit_inotify_unregister(). */ 1383 list_add(&parent->ilist, &inotify_list); 1384 get_inotify_watch(&parent->wdata); 1385 } 1386 } 1387 } 1388 1389 if (e->rule.tree) 1390 audit_remove_tree_rule(&e->rule); 1391 1392 list_del_rcu(&e->list); 1393 call_rcu(&e->rcu, audit_free_rule_rcu); 1394 1395 #ifdef CONFIG_AUDITSYSCALL 1396 if (!dont_count) 1397 audit_n_rules--; 1398 1399 if (!audit_match_signal(entry)) 1400 audit_signals--; 1401 #endif 1402 mutex_unlock(&audit_filter_mutex); 1403 1404 if (!list_empty(&inotify_list)) 1405 audit_inotify_unregister(&inotify_list); 1406 1407 out: 1408 if (tmp_watch) 1409 audit_put_watch(tmp_watch); /* match initial get */ 1410 if (tree) 1411 audit_put_tree(tree); /* that's the temporary one */ 1412 1413 return ret; 1414 } 1415 1416 /* List rules using struct audit_rule. Exists for backward 1417 * compatibility with userspace. */ 1418 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1419 { 1420 struct sk_buff *skb; 1421 struct audit_entry *entry; 1422 int i; 1423 1424 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1425 * iterator to sync with list writers. */ 1426 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1427 list_for_each_entry(entry, &audit_filter_list[i], list) { 1428 struct audit_rule *rule; 1429 1430 rule = audit_krule_to_rule(&entry->rule); 1431 if (unlikely(!rule)) 1432 break; 1433 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1434 rule, sizeof(*rule)); 1435 if (skb) 1436 skb_queue_tail(q, skb); 1437 kfree(rule); 1438 } 1439 } 1440 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1441 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1442 struct audit_rule *rule; 1443 1444 rule = audit_krule_to_rule(&entry->rule); 1445 if (unlikely(!rule)) 1446 break; 1447 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1448 rule, sizeof(*rule)); 1449 if (skb) 1450 skb_queue_tail(q, skb); 1451 kfree(rule); 1452 } 1453 } 1454 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1455 if (skb) 1456 skb_queue_tail(q, skb); 1457 } 1458 1459 /* List rules using struct audit_rule_data. */ 1460 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1461 { 1462 struct sk_buff *skb; 1463 struct audit_entry *e; 1464 int i; 1465 1466 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1467 * iterator to sync with list writers. */ 1468 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1469 list_for_each_entry(e, &audit_filter_list[i], list) { 1470 struct audit_rule_data *data; 1471 1472 data = audit_krule_to_data(&e->rule); 1473 if (unlikely(!data)) 1474 break; 1475 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1476 data, sizeof(*data) + data->buflen); 1477 if (skb) 1478 skb_queue_tail(q, skb); 1479 kfree(data); 1480 } 1481 } 1482 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1483 list_for_each_entry(e, &audit_inode_hash[i], list) { 1484 struct audit_rule_data *data; 1485 1486 data = audit_krule_to_data(&e->rule); 1487 if (unlikely(!data)) 1488 break; 1489 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1490 data, sizeof(*data) + data->buflen); 1491 if (skb) 1492 skb_queue_tail(q, skb); 1493 kfree(data); 1494 } 1495 } 1496 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1497 if (skb) 1498 skb_queue_tail(q, skb); 1499 } 1500 1501 /* Log rule additions and removals */ 1502 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1503 struct audit_krule *rule, int res) 1504 { 1505 struct audit_buffer *ab; 1506 1507 if (!audit_enabled) 1508 return; 1509 1510 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1511 if (!ab) 1512 return; 1513 audit_log_format(ab, "auid=%u", loginuid); 1514 if (sid) { 1515 char *ctx = NULL; 1516 u32 len; 1517 if (selinux_sid_to_string(sid, &ctx, &len)) 1518 audit_log_format(ab, " ssid=%u", sid); 1519 else 1520 audit_log_format(ab, " subj=%s", ctx); 1521 kfree(ctx); 1522 } 1523 audit_log_format(ab, " op=%s rule key=", action); 1524 if (rule->filterkey) 1525 audit_log_untrustedstring(ab, rule->filterkey); 1526 else 1527 audit_log_format(ab, "(null)"); 1528 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1529 audit_log_end(ab); 1530 } 1531 1532 /** 1533 * audit_receive_filter - apply all rules to the specified message type 1534 * @type: audit message type 1535 * @pid: target pid for netlink audit messages 1536 * @uid: target uid for netlink audit messages 1537 * @seq: netlink audit message sequence (serial) number 1538 * @data: payload data 1539 * @datasz: size of payload data 1540 * @loginuid: loginuid of sender 1541 * @sid: SE Linux Security ID of sender 1542 */ 1543 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1544 size_t datasz, uid_t loginuid, u32 sid) 1545 { 1546 struct task_struct *tsk; 1547 struct audit_netlink_list *dest; 1548 int err = 0; 1549 struct audit_entry *entry; 1550 1551 switch (type) { 1552 case AUDIT_LIST: 1553 case AUDIT_LIST_RULES: 1554 /* We can't just spew out the rules here because we might fill 1555 * the available socket buffer space and deadlock waiting for 1556 * auditctl to read from it... which isn't ever going to 1557 * happen if we're actually running in the context of auditctl 1558 * trying to _send_ the stuff */ 1559 1560 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1561 if (!dest) 1562 return -ENOMEM; 1563 dest->pid = pid; 1564 skb_queue_head_init(&dest->q); 1565 1566 mutex_lock(&audit_filter_mutex); 1567 if (type == AUDIT_LIST) 1568 audit_list(pid, seq, &dest->q); 1569 else 1570 audit_list_rules(pid, seq, &dest->q); 1571 mutex_unlock(&audit_filter_mutex); 1572 1573 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1574 if (IS_ERR(tsk)) { 1575 skb_queue_purge(&dest->q); 1576 kfree(dest); 1577 err = PTR_ERR(tsk); 1578 } 1579 break; 1580 case AUDIT_ADD: 1581 case AUDIT_ADD_RULE: 1582 if (type == AUDIT_ADD) 1583 entry = audit_rule_to_entry(data); 1584 else 1585 entry = audit_data_to_entry(data, datasz); 1586 if (IS_ERR(entry)) 1587 return PTR_ERR(entry); 1588 1589 err = audit_add_rule(entry, 1590 &audit_filter_list[entry->rule.listnr]); 1591 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1592 1593 if (err) 1594 audit_free_rule(entry); 1595 break; 1596 case AUDIT_DEL: 1597 case AUDIT_DEL_RULE: 1598 if (type == AUDIT_DEL) 1599 entry = audit_rule_to_entry(data); 1600 else 1601 entry = audit_data_to_entry(data, datasz); 1602 if (IS_ERR(entry)) 1603 return PTR_ERR(entry); 1604 1605 err = audit_del_rule(entry, 1606 &audit_filter_list[entry->rule.listnr]); 1607 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1608 !err); 1609 1610 audit_free_rule(entry); 1611 break; 1612 default: 1613 return -EINVAL; 1614 } 1615 1616 return err; 1617 } 1618 1619 int audit_comparator(const u32 left, const u32 op, const u32 right) 1620 { 1621 switch (op) { 1622 case AUDIT_EQUAL: 1623 return (left == right); 1624 case AUDIT_NOT_EQUAL: 1625 return (left != right); 1626 case AUDIT_LESS_THAN: 1627 return (left < right); 1628 case AUDIT_LESS_THAN_OR_EQUAL: 1629 return (left <= right); 1630 case AUDIT_GREATER_THAN: 1631 return (left > right); 1632 case AUDIT_GREATER_THAN_OR_EQUAL: 1633 return (left >= right); 1634 case AUDIT_BIT_MASK: 1635 return (left & right); 1636 case AUDIT_BIT_TEST: 1637 return ((left & right) == right); 1638 } 1639 BUG(); 1640 return 0; 1641 } 1642 1643 /* Compare given dentry name with last component in given path, 1644 * return of 0 indicates a match. */ 1645 int audit_compare_dname_path(const char *dname, const char *path, 1646 int *dirlen) 1647 { 1648 int dlen, plen; 1649 const char *p; 1650 1651 if (!dname || !path) 1652 return 1; 1653 1654 dlen = strlen(dname); 1655 plen = strlen(path); 1656 if (plen < dlen) 1657 return 1; 1658 1659 /* disregard trailing slashes */ 1660 p = path + plen - 1; 1661 while ((*p == '/') && (p > path)) 1662 p--; 1663 1664 /* find last path component */ 1665 p = p - dlen + 1; 1666 if (p < path) 1667 return 1; 1668 else if (p > path) { 1669 if (*--p != '/') 1670 return 1; 1671 else 1672 p++; 1673 } 1674 1675 /* return length of path's directory component */ 1676 if (dirlen) 1677 *dirlen = p - path; 1678 return strncmp(p, dname, dlen); 1679 } 1680 1681 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1682 struct audit_krule *rule, 1683 enum audit_state *state) 1684 { 1685 int i; 1686 1687 for (i = 0; i < rule->field_count; i++) { 1688 struct audit_field *f = &rule->fields[i]; 1689 int result = 0; 1690 1691 switch (f->type) { 1692 case AUDIT_PID: 1693 result = audit_comparator(cb->creds.pid, f->op, f->val); 1694 break; 1695 case AUDIT_UID: 1696 result = audit_comparator(cb->creds.uid, f->op, f->val); 1697 break; 1698 case AUDIT_GID: 1699 result = audit_comparator(cb->creds.gid, f->op, f->val); 1700 break; 1701 case AUDIT_LOGINUID: 1702 result = audit_comparator(cb->loginuid, f->op, f->val); 1703 break; 1704 } 1705 1706 if (!result) 1707 return 0; 1708 } 1709 switch (rule->action) { 1710 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1711 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1712 } 1713 return 1; 1714 } 1715 1716 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1717 { 1718 enum audit_state state = AUDIT_DISABLED; 1719 struct audit_entry *e; 1720 int ret = 1; 1721 1722 rcu_read_lock(); 1723 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1724 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1725 if (state == AUDIT_DISABLED) 1726 ret = 0; 1727 break; 1728 } 1729 } 1730 rcu_read_unlock(); 1731 1732 return ret; /* Audit by default */ 1733 } 1734 1735 int audit_filter_type(int type) 1736 { 1737 struct audit_entry *e; 1738 int result = 0; 1739 1740 rcu_read_lock(); 1741 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1742 goto unlock_and_return; 1743 1744 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1745 list) { 1746 int i; 1747 for (i = 0; i < e->rule.field_count; i++) { 1748 struct audit_field *f = &e->rule.fields[i]; 1749 if (f->type == AUDIT_MSGTYPE) { 1750 result = audit_comparator(type, f->op, f->val); 1751 if (!result) 1752 break; 1753 } 1754 } 1755 if (result) 1756 goto unlock_and_return; 1757 } 1758 unlock_and_return: 1759 rcu_read_unlock(); 1760 return result; 1761 } 1762 1763 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1764 are selinux fields specified in the rule, 0 otherwise. */ 1765 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1766 { 1767 int i; 1768 1769 for (i = 0; i < rule->field_count; i++) { 1770 struct audit_field *f = &rule->fields[i]; 1771 switch (f->type) { 1772 case AUDIT_SUBJ_USER: 1773 case AUDIT_SUBJ_ROLE: 1774 case AUDIT_SUBJ_TYPE: 1775 case AUDIT_SUBJ_SEN: 1776 case AUDIT_SUBJ_CLR: 1777 case AUDIT_OBJ_USER: 1778 case AUDIT_OBJ_ROLE: 1779 case AUDIT_OBJ_TYPE: 1780 case AUDIT_OBJ_LEV_LOW: 1781 case AUDIT_OBJ_LEV_HIGH: 1782 return 1; 1783 } 1784 } 1785 1786 return 0; 1787 } 1788 1789 /* This function will re-initialize the se_rule field of all applicable rules. 1790 * It will traverse the filter lists serarching for rules that contain selinux 1791 * specific filter fields. When such a rule is found, it is copied, the 1792 * selinux field is re-initialized, and the old rule is replaced with the 1793 * updated rule. */ 1794 int selinux_audit_rule_update(void) 1795 { 1796 struct audit_entry *entry, *n, *nentry; 1797 struct audit_watch *watch; 1798 struct audit_tree *tree; 1799 int i, err = 0; 1800 1801 /* audit_filter_mutex synchronizes the writers */ 1802 mutex_lock(&audit_filter_mutex); 1803 1804 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1805 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1806 if (!audit_rule_has_selinux(&entry->rule)) 1807 continue; 1808 1809 watch = entry->rule.watch; 1810 tree = entry->rule.tree; 1811 nentry = audit_dupe_rule(&entry->rule, watch); 1812 if (unlikely(IS_ERR(nentry))) { 1813 /* save the first error encountered for the 1814 * return value */ 1815 if (!err) 1816 err = PTR_ERR(nentry); 1817 audit_panic("error updating selinux filters"); 1818 if (watch) 1819 list_del(&entry->rule.rlist); 1820 list_del_rcu(&entry->list); 1821 } else { 1822 if (watch) { 1823 list_add(&nentry->rule.rlist, 1824 &watch->rules); 1825 list_del(&entry->rule.rlist); 1826 } else if (tree) 1827 list_replace_init(&entry->rule.rlist, 1828 &nentry->rule.rlist); 1829 list_replace_rcu(&entry->list, &nentry->list); 1830 } 1831 call_rcu(&entry->rcu, audit_free_rule_rcu); 1832 } 1833 } 1834 1835 mutex_unlock(&audit_filter_mutex); 1836 1837 return err; 1838 } 1839 1840 /* Update watch data in audit rules based on inotify events. */ 1841 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1842 u32 cookie, const char *dname, struct inode *inode) 1843 { 1844 struct audit_parent *parent; 1845 1846 parent = container_of(i_watch, struct audit_parent, wdata); 1847 1848 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1849 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1850 inode->i_ino, 0); 1851 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1852 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1853 /* inotify automatically removes the watch and sends IN_IGNORED */ 1854 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1855 audit_remove_parent_watches(parent); 1856 /* inotify does not remove the watch, so remove it manually */ 1857 else if(mask & IN_MOVE_SELF) { 1858 audit_remove_parent_watches(parent); 1859 inotify_remove_watch_locked(audit_ih, i_watch); 1860 } else if (mask & IN_IGNORED) 1861 put_inotify_watch(i_watch); 1862 } 1863