1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146 } 147 148 static inline void audit_free_rule_rcu(struct rcu_head *head) 149 { 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152 } 153 154 /* Initialize a parent watch entry. */ 155 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156 { 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178 } 179 180 /* Initialize a watch entry. */ 181 static struct audit_watch *audit_init_watch(char *path) 182 { 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196 } 197 198 /* Initialize an audit filterlist entry. */ 199 static inline struct audit_entry *audit_init_entry(u32 field_count) 200 { 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216 } 217 218 /* Unpack a filter field's string representation from user-space 219 * buffer. */ 220 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221 { 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243 } 244 245 /* Translate an inode field to kernel respresentation. */ 246 static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248 { 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255 } 256 257 /* Translate a watch string to kernel respresentation. */ 258 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260 { 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280 } 281 282 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284 int __init audit_register_class(int class, unsigned *list) 285 { 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303 } 304 305 int audit_match_class(int class, unsigned syscall) 306 { 307 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) 308 return 0; 309 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 310 return 0; 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 312 } 313 314 /* Common user-space to kernel rule translation. */ 315 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 316 { 317 unsigned listnr; 318 struct audit_entry *entry; 319 int i, err; 320 321 err = -EINVAL; 322 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 323 switch(listnr) { 324 default: 325 goto exit_err; 326 case AUDIT_FILTER_USER: 327 case AUDIT_FILTER_TYPE: 328 #ifdef CONFIG_AUDITSYSCALL 329 case AUDIT_FILTER_ENTRY: 330 case AUDIT_FILTER_EXIT: 331 case AUDIT_FILTER_TASK: 332 #endif 333 ; 334 } 335 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 336 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 337 goto exit_err; 338 } 339 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 340 goto exit_err; 341 if (rule->field_count > AUDIT_MAX_FIELDS) 342 goto exit_err; 343 344 err = -ENOMEM; 345 entry = audit_init_entry(rule->field_count); 346 if (!entry) 347 goto exit_err; 348 349 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 350 entry->rule.listnr = listnr; 351 entry->rule.action = rule->action; 352 entry->rule.field_count = rule->field_count; 353 354 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 355 entry->rule.mask[i] = rule->mask[i]; 356 357 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 358 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 359 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 360 __u32 *class; 361 362 if (!(*p & AUDIT_BIT(bit))) 363 continue; 364 *p &= ~AUDIT_BIT(bit); 365 class = classes[i]; 366 if (class) { 367 int j; 368 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 369 entry->rule.mask[j] |= class[j]; 370 } 371 } 372 373 return entry; 374 375 exit_err: 376 return ERR_PTR(err); 377 } 378 379 /* Translate struct audit_rule to kernel's rule respresentation. 380 * Exists for backward compatibility with userspace. */ 381 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 382 { 383 struct audit_entry *entry; 384 struct audit_field *f; 385 int err = 0; 386 int i; 387 388 entry = audit_to_entry_common(rule); 389 if (IS_ERR(entry)) 390 goto exit_nofree; 391 392 for (i = 0; i < rule->field_count; i++) { 393 struct audit_field *f = &entry->rule.fields[i]; 394 395 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 396 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 397 f->val = rule->values[i]; 398 399 err = -EINVAL; 400 switch(f->type) { 401 default: 402 goto exit_free; 403 case AUDIT_PID: 404 case AUDIT_UID: 405 case AUDIT_EUID: 406 case AUDIT_SUID: 407 case AUDIT_FSUID: 408 case AUDIT_GID: 409 case AUDIT_EGID: 410 case AUDIT_SGID: 411 case AUDIT_FSGID: 412 case AUDIT_LOGINUID: 413 case AUDIT_PERS: 414 case AUDIT_ARCH: 415 case AUDIT_MSGTYPE: 416 case AUDIT_PPID: 417 case AUDIT_DEVMAJOR: 418 case AUDIT_DEVMINOR: 419 case AUDIT_EXIT: 420 case AUDIT_SUCCESS: 421 case AUDIT_ARG0: 422 case AUDIT_ARG1: 423 case AUDIT_ARG2: 424 case AUDIT_ARG3: 425 break; 426 case AUDIT_PERM: 427 if (f->val & ~15) 428 goto exit_free; 429 break; 430 case AUDIT_INODE: 431 err = audit_to_inode(&entry->rule, f); 432 if (err) 433 goto exit_free; 434 break; 435 } 436 437 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 438 439 /* Support for legacy operators where 440 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 441 if (f->op & AUDIT_NEGATE) 442 f->op = AUDIT_NOT_EQUAL; 443 else if (!f->op) 444 f->op = AUDIT_EQUAL; 445 else if (f->op == AUDIT_OPERATORS) { 446 err = -EINVAL; 447 goto exit_free; 448 } 449 } 450 451 f = entry->rule.inode_f; 452 if (f) { 453 switch(f->op) { 454 case AUDIT_NOT_EQUAL: 455 entry->rule.inode_f = NULL; 456 case AUDIT_EQUAL: 457 break; 458 default: 459 err = -EINVAL; 460 goto exit_free; 461 } 462 } 463 464 exit_nofree: 465 return entry; 466 467 exit_free: 468 audit_free_rule(entry); 469 return ERR_PTR(err); 470 } 471 472 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 473 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 474 size_t datasz) 475 { 476 int err = 0; 477 struct audit_entry *entry; 478 struct audit_field *f; 479 void *bufp; 480 size_t remain = datasz - sizeof(struct audit_rule_data); 481 int i; 482 char *str; 483 484 entry = audit_to_entry_common((struct audit_rule *)data); 485 if (IS_ERR(entry)) 486 goto exit_nofree; 487 488 bufp = data->buf; 489 entry->rule.vers_ops = 2; 490 for (i = 0; i < data->field_count; i++) { 491 struct audit_field *f = &entry->rule.fields[i]; 492 493 err = -EINVAL; 494 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 495 data->fieldflags[i] & ~AUDIT_OPERATORS) 496 goto exit_free; 497 498 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 499 f->type = data->fields[i]; 500 f->val = data->values[i]; 501 f->se_str = NULL; 502 f->se_rule = NULL; 503 switch(f->type) { 504 case AUDIT_PID: 505 case AUDIT_UID: 506 case AUDIT_EUID: 507 case AUDIT_SUID: 508 case AUDIT_FSUID: 509 case AUDIT_GID: 510 case AUDIT_EGID: 511 case AUDIT_SGID: 512 case AUDIT_FSGID: 513 case AUDIT_LOGINUID: 514 case AUDIT_PERS: 515 case AUDIT_ARCH: 516 case AUDIT_MSGTYPE: 517 case AUDIT_PPID: 518 case AUDIT_DEVMAJOR: 519 case AUDIT_DEVMINOR: 520 case AUDIT_EXIT: 521 case AUDIT_SUCCESS: 522 case AUDIT_ARG0: 523 case AUDIT_ARG1: 524 case AUDIT_ARG2: 525 case AUDIT_ARG3: 526 break; 527 case AUDIT_SUBJ_USER: 528 case AUDIT_SUBJ_ROLE: 529 case AUDIT_SUBJ_TYPE: 530 case AUDIT_SUBJ_SEN: 531 case AUDIT_SUBJ_CLR: 532 case AUDIT_OBJ_USER: 533 case AUDIT_OBJ_ROLE: 534 case AUDIT_OBJ_TYPE: 535 case AUDIT_OBJ_LEV_LOW: 536 case AUDIT_OBJ_LEV_HIGH: 537 str = audit_unpack_string(&bufp, &remain, f->val); 538 if (IS_ERR(str)) 539 goto exit_free; 540 entry->rule.buflen += f->val; 541 542 err = selinux_audit_rule_init(f->type, f->op, str, 543 &f->se_rule); 544 /* Keep currently invalid fields around in case they 545 * become valid after a policy reload. */ 546 if (err == -EINVAL) { 547 printk(KERN_WARNING "audit rule for selinux " 548 "\'%s\' is invalid\n", str); 549 err = 0; 550 } 551 if (err) { 552 kfree(str); 553 goto exit_free; 554 } else 555 f->se_str = str; 556 break; 557 case AUDIT_WATCH: 558 str = audit_unpack_string(&bufp, &remain, f->val); 559 if (IS_ERR(str)) 560 goto exit_free; 561 entry->rule.buflen += f->val; 562 563 err = audit_to_watch(&entry->rule, str, f->val, f->op); 564 if (err) { 565 kfree(str); 566 goto exit_free; 567 } 568 break; 569 case AUDIT_INODE: 570 err = audit_to_inode(&entry->rule, f); 571 if (err) 572 goto exit_free; 573 break; 574 case AUDIT_FILTERKEY: 575 err = -EINVAL; 576 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 577 goto exit_free; 578 str = audit_unpack_string(&bufp, &remain, f->val); 579 if (IS_ERR(str)) 580 goto exit_free; 581 entry->rule.buflen += f->val; 582 entry->rule.filterkey = str; 583 break; 584 case AUDIT_PERM: 585 if (f->val & ~15) 586 goto exit_free; 587 break; 588 default: 589 goto exit_free; 590 } 591 } 592 593 f = entry->rule.inode_f; 594 if (f) { 595 switch(f->op) { 596 case AUDIT_NOT_EQUAL: 597 entry->rule.inode_f = NULL; 598 case AUDIT_EQUAL: 599 break; 600 default: 601 err = -EINVAL; 602 goto exit_free; 603 } 604 } 605 606 exit_nofree: 607 return entry; 608 609 exit_free: 610 audit_free_rule(entry); 611 return ERR_PTR(err); 612 } 613 614 /* Pack a filter field's string representation into data block. */ 615 static inline size_t audit_pack_string(void **bufp, char *str) 616 { 617 size_t len = strlen(str); 618 619 memcpy(*bufp, str, len); 620 *bufp += len; 621 622 return len; 623 } 624 625 /* Translate kernel rule respresentation to struct audit_rule. 626 * Exists for backward compatibility with userspace. */ 627 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 628 { 629 struct audit_rule *rule; 630 int i; 631 632 rule = kmalloc(sizeof(*rule), GFP_KERNEL); 633 if (unlikely(!rule)) 634 return NULL; 635 memset(rule, 0, sizeof(*rule)); 636 637 rule->flags = krule->flags | krule->listnr; 638 rule->action = krule->action; 639 rule->field_count = krule->field_count; 640 for (i = 0; i < rule->field_count; i++) { 641 rule->values[i] = krule->fields[i].val; 642 rule->fields[i] = krule->fields[i].type; 643 644 if (krule->vers_ops == 1) { 645 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 646 rule->fields[i] |= AUDIT_NEGATE; 647 } else { 648 rule->fields[i] |= krule->fields[i].op; 649 } 650 } 651 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 652 653 return rule; 654 } 655 656 /* Translate kernel rule respresentation to struct audit_rule_data. */ 657 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 658 { 659 struct audit_rule_data *data; 660 void *bufp; 661 int i; 662 663 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 664 if (unlikely(!data)) 665 return NULL; 666 memset(data, 0, sizeof(*data)); 667 668 data->flags = krule->flags | krule->listnr; 669 data->action = krule->action; 670 data->field_count = krule->field_count; 671 bufp = data->buf; 672 for (i = 0; i < data->field_count; i++) { 673 struct audit_field *f = &krule->fields[i]; 674 675 data->fields[i] = f->type; 676 data->fieldflags[i] = f->op; 677 switch(f->type) { 678 case AUDIT_SUBJ_USER: 679 case AUDIT_SUBJ_ROLE: 680 case AUDIT_SUBJ_TYPE: 681 case AUDIT_SUBJ_SEN: 682 case AUDIT_SUBJ_CLR: 683 case AUDIT_OBJ_USER: 684 case AUDIT_OBJ_ROLE: 685 case AUDIT_OBJ_TYPE: 686 case AUDIT_OBJ_LEV_LOW: 687 case AUDIT_OBJ_LEV_HIGH: 688 data->buflen += data->values[i] = 689 audit_pack_string(&bufp, f->se_str); 690 break; 691 case AUDIT_WATCH: 692 data->buflen += data->values[i] = 693 audit_pack_string(&bufp, krule->watch->path); 694 break; 695 case AUDIT_FILTERKEY: 696 data->buflen += data->values[i] = 697 audit_pack_string(&bufp, krule->filterkey); 698 break; 699 default: 700 data->values[i] = f->val; 701 } 702 } 703 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 704 705 return data; 706 } 707 708 /* Compare two rules in kernel format. Considered success if rules 709 * don't match. */ 710 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 711 { 712 int i; 713 714 if (a->flags != b->flags || 715 a->listnr != b->listnr || 716 a->action != b->action || 717 a->field_count != b->field_count) 718 return 1; 719 720 for (i = 0; i < a->field_count; i++) { 721 if (a->fields[i].type != b->fields[i].type || 722 a->fields[i].op != b->fields[i].op) 723 return 1; 724 725 switch(a->fields[i].type) { 726 case AUDIT_SUBJ_USER: 727 case AUDIT_SUBJ_ROLE: 728 case AUDIT_SUBJ_TYPE: 729 case AUDIT_SUBJ_SEN: 730 case AUDIT_SUBJ_CLR: 731 case AUDIT_OBJ_USER: 732 case AUDIT_OBJ_ROLE: 733 case AUDIT_OBJ_TYPE: 734 case AUDIT_OBJ_LEV_LOW: 735 case AUDIT_OBJ_LEV_HIGH: 736 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 737 return 1; 738 break; 739 case AUDIT_WATCH: 740 if (strcmp(a->watch->path, b->watch->path)) 741 return 1; 742 break; 743 case AUDIT_FILTERKEY: 744 /* both filterkeys exist based on above type compare */ 745 if (strcmp(a->filterkey, b->filterkey)) 746 return 1; 747 break; 748 default: 749 if (a->fields[i].val != b->fields[i].val) 750 return 1; 751 } 752 } 753 754 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 755 if (a->mask[i] != b->mask[i]) 756 return 1; 757 758 return 0; 759 } 760 761 /* Duplicate the given audit watch. The new watch's rules list is initialized 762 * to an empty list and wlist is undefined. */ 763 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 764 { 765 char *path; 766 struct audit_watch *new; 767 768 path = kstrdup(old->path, GFP_KERNEL); 769 if (unlikely(!path)) 770 return ERR_PTR(-ENOMEM); 771 772 new = audit_init_watch(path); 773 if (unlikely(IS_ERR(new))) { 774 kfree(path); 775 goto out; 776 } 777 778 new->dev = old->dev; 779 new->ino = old->ino; 780 get_inotify_watch(&old->parent->wdata); 781 new->parent = old->parent; 782 783 out: 784 return new; 785 } 786 787 /* Duplicate selinux field information. The se_rule is opaque, so must be 788 * re-initialized. */ 789 static inline int audit_dupe_selinux_field(struct audit_field *df, 790 struct audit_field *sf) 791 { 792 int ret = 0; 793 char *se_str; 794 795 /* our own copy of se_str */ 796 se_str = kstrdup(sf->se_str, GFP_KERNEL); 797 if (unlikely(IS_ERR(se_str))) 798 return -ENOMEM; 799 df->se_str = se_str; 800 801 /* our own (refreshed) copy of se_rule */ 802 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 803 &df->se_rule); 804 /* Keep currently invalid fields around in case they 805 * become valid after a policy reload. */ 806 if (ret == -EINVAL) { 807 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 808 "invalid\n", df->se_str); 809 ret = 0; 810 } 811 812 return ret; 813 } 814 815 /* Duplicate an audit rule. This will be a deep copy with the exception 816 * of the watch - that pointer is carried over. The selinux specific fields 817 * will be updated in the copy. The point is to be able to replace the old 818 * rule with the new rule in the filterlist, then free the old rule. 819 * The rlist element is undefined; list manipulations are handled apart from 820 * the initial copy. */ 821 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 822 struct audit_watch *watch) 823 { 824 u32 fcount = old->field_count; 825 struct audit_entry *entry; 826 struct audit_krule *new; 827 char *fk; 828 int i, err = 0; 829 830 entry = audit_init_entry(fcount); 831 if (unlikely(!entry)) 832 return ERR_PTR(-ENOMEM); 833 834 new = &entry->rule; 835 new->vers_ops = old->vers_ops; 836 new->flags = old->flags; 837 new->listnr = old->listnr; 838 new->action = old->action; 839 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 840 new->mask[i] = old->mask[i]; 841 new->buflen = old->buflen; 842 new->inode_f = old->inode_f; 843 new->watch = NULL; 844 new->field_count = old->field_count; 845 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 846 847 /* deep copy this information, updating the se_rule fields, because 848 * the originals will all be freed when the old rule is freed. */ 849 for (i = 0; i < fcount; i++) { 850 switch (new->fields[i].type) { 851 case AUDIT_SUBJ_USER: 852 case AUDIT_SUBJ_ROLE: 853 case AUDIT_SUBJ_TYPE: 854 case AUDIT_SUBJ_SEN: 855 case AUDIT_SUBJ_CLR: 856 case AUDIT_OBJ_USER: 857 case AUDIT_OBJ_ROLE: 858 case AUDIT_OBJ_TYPE: 859 case AUDIT_OBJ_LEV_LOW: 860 case AUDIT_OBJ_LEV_HIGH: 861 err = audit_dupe_selinux_field(&new->fields[i], 862 &old->fields[i]); 863 break; 864 case AUDIT_FILTERKEY: 865 fk = kstrdup(old->filterkey, GFP_KERNEL); 866 if (unlikely(!fk)) 867 err = -ENOMEM; 868 else 869 new->filterkey = fk; 870 } 871 if (err) { 872 audit_free_rule(entry); 873 return ERR_PTR(err); 874 } 875 } 876 877 if (watch) { 878 audit_get_watch(watch); 879 new->watch = watch; 880 } 881 882 return entry; 883 } 884 885 /* Update inode info in audit rules based on filesystem event. */ 886 static void audit_update_watch(struct audit_parent *parent, 887 const char *dname, dev_t dev, 888 unsigned long ino, unsigned invalidating) 889 { 890 struct audit_watch *owatch, *nwatch, *nextw; 891 struct audit_krule *r, *nextr; 892 struct audit_entry *oentry, *nentry; 893 struct audit_buffer *ab; 894 895 mutex_lock(&audit_filter_mutex); 896 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 897 if (audit_compare_dname_path(dname, owatch->path, NULL)) 898 continue; 899 900 /* If the update involves invalidating rules, do the inode-based 901 * filtering now, so we don't omit records. */ 902 if (invalidating && 903 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 904 audit_set_auditable(current->audit_context); 905 906 nwatch = audit_dupe_watch(owatch); 907 if (unlikely(IS_ERR(nwatch))) { 908 mutex_unlock(&audit_filter_mutex); 909 audit_panic("error updating watch, skipping"); 910 return; 911 } 912 nwatch->dev = dev; 913 nwatch->ino = ino; 914 915 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 916 917 oentry = container_of(r, struct audit_entry, rule); 918 list_del(&oentry->rule.rlist); 919 list_del_rcu(&oentry->list); 920 921 nentry = audit_dupe_rule(&oentry->rule, nwatch); 922 if (unlikely(IS_ERR(nentry))) 923 audit_panic("error updating watch, removing"); 924 else { 925 int h = audit_hash_ino((u32)ino); 926 list_add(&nentry->rule.rlist, &nwatch->rules); 927 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 928 } 929 930 call_rcu(&oentry->rcu, audit_free_rule_rcu); 931 } 932 933 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 934 audit_log_format(ab, "audit updated rules specifying path="); 935 audit_log_untrustedstring(ab, owatch->path); 936 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 937 audit_log_end(ab); 938 939 audit_remove_watch(owatch); 940 goto add_watch_to_parent; /* event applies to a single watch */ 941 } 942 mutex_unlock(&audit_filter_mutex); 943 return; 944 945 add_watch_to_parent: 946 list_add(&nwatch->wlist, &parent->watches); 947 mutex_unlock(&audit_filter_mutex); 948 return; 949 } 950 951 /* Remove all watches & rules associated with a parent that is going away. */ 952 static void audit_remove_parent_watches(struct audit_parent *parent) 953 { 954 struct audit_watch *w, *nextw; 955 struct audit_krule *r, *nextr; 956 struct audit_entry *e; 957 struct audit_buffer *ab; 958 959 mutex_lock(&audit_filter_mutex); 960 parent->flags |= AUDIT_PARENT_INVALID; 961 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 962 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 963 e = container_of(r, struct audit_entry, rule); 964 965 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 966 audit_log_format(ab, "audit implicitly removed rule path="); 967 audit_log_untrustedstring(ab, w->path); 968 if (r->filterkey) { 969 audit_log_format(ab, " key="); 970 audit_log_untrustedstring(ab, r->filterkey); 971 } else 972 audit_log_format(ab, " key=(null)"); 973 audit_log_format(ab, " list=%d", r->listnr); 974 audit_log_end(ab); 975 976 list_del(&r->rlist); 977 list_del_rcu(&e->list); 978 call_rcu(&e->rcu, audit_free_rule_rcu); 979 } 980 audit_remove_watch(w); 981 } 982 mutex_unlock(&audit_filter_mutex); 983 } 984 985 /* Unregister inotify watches for parents on in_list. 986 * Generates an IN_IGNORED event. */ 987 static void audit_inotify_unregister(struct list_head *in_list) 988 { 989 struct audit_parent *p, *n; 990 991 list_for_each_entry_safe(p, n, in_list, ilist) { 992 list_del(&p->ilist); 993 inotify_rm_watch(audit_ih, &p->wdata); 994 /* the put matching the get in audit_do_del_rule() */ 995 put_inotify_watch(&p->wdata); 996 } 997 } 998 999 /* Find an existing audit rule. 1000 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1001 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1002 struct list_head *list) 1003 { 1004 struct audit_entry *e, *found = NULL; 1005 int h; 1006 1007 if (entry->rule.watch) { 1008 /* we don't know the inode number, so must walk entire hash */ 1009 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1010 list = &audit_inode_hash[h]; 1011 list_for_each_entry(e, list, list) 1012 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1013 found = e; 1014 goto out; 1015 } 1016 } 1017 goto out; 1018 } 1019 1020 list_for_each_entry(e, list, list) 1021 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1022 found = e; 1023 goto out; 1024 } 1025 1026 out: 1027 return found; 1028 } 1029 1030 /* Get path information necessary for adding watches. */ 1031 static int audit_get_nd(char *path, struct nameidata **ndp, 1032 struct nameidata **ndw) 1033 { 1034 struct nameidata *ndparent, *ndwatch; 1035 int err; 1036 1037 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1038 if (unlikely(!ndparent)) 1039 return -ENOMEM; 1040 1041 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1042 if (unlikely(!ndwatch)) { 1043 kfree(ndparent); 1044 return -ENOMEM; 1045 } 1046 1047 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1048 if (err) { 1049 kfree(ndparent); 1050 kfree(ndwatch); 1051 return err; 1052 } 1053 1054 err = path_lookup(path, 0, ndwatch); 1055 if (err) { 1056 kfree(ndwatch); 1057 ndwatch = NULL; 1058 } 1059 1060 *ndp = ndparent; 1061 *ndw = ndwatch; 1062 1063 return 0; 1064 } 1065 1066 /* Release resources used for watch path information. */ 1067 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1068 { 1069 if (ndp) { 1070 path_release(ndp); 1071 kfree(ndp); 1072 } 1073 if (ndw) { 1074 path_release(ndw); 1075 kfree(ndw); 1076 } 1077 } 1078 1079 /* Associate the given rule with an existing parent inotify_watch. 1080 * Caller must hold audit_filter_mutex. */ 1081 static void audit_add_to_parent(struct audit_krule *krule, 1082 struct audit_parent *parent) 1083 { 1084 struct audit_watch *w, *watch = krule->watch; 1085 int watch_found = 0; 1086 1087 list_for_each_entry(w, &parent->watches, wlist) { 1088 if (strcmp(watch->path, w->path)) 1089 continue; 1090 1091 watch_found = 1; 1092 1093 /* put krule's and initial refs to temporary watch */ 1094 audit_put_watch(watch); 1095 audit_put_watch(watch); 1096 1097 audit_get_watch(w); 1098 krule->watch = watch = w; 1099 break; 1100 } 1101 1102 if (!watch_found) { 1103 get_inotify_watch(&parent->wdata); 1104 watch->parent = parent; 1105 1106 list_add(&watch->wlist, &parent->watches); 1107 } 1108 list_add(&krule->rlist, &watch->rules); 1109 } 1110 1111 /* Find a matching watch entry, or add this one. 1112 * Caller must hold audit_filter_mutex. */ 1113 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1114 struct nameidata *ndw) 1115 { 1116 struct audit_watch *watch = krule->watch; 1117 struct inotify_watch *i_watch; 1118 struct audit_parent *parent; 1119 int ret = 0; 1120 1121 /* update watch filter fields */ 1122 if (ndw) { 1123 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1124 watch->ino = ndw->dentry->d_inode->i_ino; 1125 } 1126 1127 /* The audit_filter_mutex must not be held during inotify calls because 1128 * we hold it during inotify event callback processing. If an existing 1129 * inotify watch is found, inotify_find_watch() grabs a reference before 1130 * returning. 1131 */ 1132 mutex_unlock(&audit_filter_mutex); 1133 1134 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1135 parent = audit_init_parent(ndp); 1136 if (IS_ERR(parent)) { 1137 /* caller expects mutex locked */ 1138 mutex_lock(&audit_filter_mutex); 1139 return PTR_ERR(parent); 1140 } 1141 } else 1142 parent = container_of(i_watch, struct audit_parent, wdata); 1143 1144 mutex_lock(&audit_filter_mutex); 1145 1146 /* parent was moved before we took audit_filter_mutex */ 1147 if (parent->flags & AUDIT_PARENT_INVALID) 1148 ret = -ENOENT; 1149 else 1150 audit_add_to_parent(krule, parent); 1151 1152 /* match get in audit_init_parent or inotify_find_watch */ 1153 put_inotify_watch(&parent->wdata); 1154 return ret; 1155 } 1156 1157 /* Add rule to given filterlist if not a duplicate. */ 1158 static inline int audit_add_rule(struct audit_entry *entry, 1159 struct list_head *list) 1160 { 1161 struct audit_entry *e; 1162 struct audit_field *inode_f = entry->rule.inode_f; 1163 struct audit_watch *watch = entry->rule.watch; 1164 struct nameidata *ndp, *ndw; 1165 int h, err, putnd_needed = 0; 1166 #ifdef CONFIG_AUDITSYSCALL 1167 int dont_count = 0; 1168 1169 /* If either of these, don't count towards total */ 1170 if (entry->rule.listnr == AUDIT_FILTER_USER || 1171 entry->rule.listnr == AUDIT_FILTER_TYPE) 1172 dont_count = 1; 1173 #endif 1174 1175 if (inode_f) { 1176 h = audit_hash_ino(inode_f->val); 1177 list = &audit_inode_hash[h]; 1178 } 1179 1180 mutex_lock(&audit_filter_mutex); 1181 e = audit_find_rule(entry, list); 1182 mutex_unlock(&audit_filter_mutex); 1183 if (e) { 1184 err = -EEXIST; 1185 goto error; 1186 } 1187 1188 /* Avoid calling path_lookup under audit_filter_mutex. */ 1189 if (watch) { 1190 err = audit_get_nd(watch->path, &ndp, &ndw); 1191 if (err) 1192 goto error; 1193 putnd_needed = 1; 1194 } 1195 1196 mutex_lock(&audit_filter_mutex); 1197 if (watch) { 1198 /* audit_filter_mutex is dropped and re-taken during this call */ 1199 err = audit_add_watch(&entry->rule, ndp, ndw); 1200 if (err) { 1201 mutex_unlock(&audit_filter_mutex); 1202 goto error; 1203 } 1204 h = audit_hash_ino((u32)watch->ino); 1205 list = &audit_inode_hash[h]; 1206 } 1207 1208 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1209 list_add_rcu(&entry->list, list); 1210 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1211 } else { 1212 list_add_tail_rcu(&entry->list, list); 1213 } 1214 #ifdef CONFIG_AUDITSYSCALL 1215 if (!dont_count) 1216 audit_n_rules++; 1217 #endif 1218 mutex_unlock(&audit_filter_mutex); 1219 1220 if (putnd_needed) 1221 audit_put_nd(ndp, ndw); 1222 1223 return 0; 1224 1225 error: 1226 if (putnd_needed) 1227 audit_put_nd(ndp, ndw); 1228 if (watch) 1229 audit_put_watch(watch); /* tmp watch, matches initial get */ 1230 return err; 1231 } 1232 1233 /* Remove an existing rule from filterlist. */ 1234 static inline int audit_del_rule(struct audit_entry *entry, 1235 struct list_head *list) 1236 { 1237 struct audit_entry *e; 1238 struct audit_field *inode_f = entry->rule.inode_f; 1239 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1240 LIST_HEAD(inotify_list); 1241 int h, ret = 0; 1242 #ifdef CONFIG_AUDITSYSCALL 1243 int dont_count = 0; 1244 1245 /* If either of these, don't count towards total */ 1246 if (entry->rule.listnr == AUDIT_FILTER_USER || 1247 entry->rule.listnr == AUDIT_FILTER_TYPE) 1248 dont_count = 1; 1249 #endif 1250 1251 if (inode_f) { 1252 h = audit_hash_ino(inode_f->val); 1253 list = &audit_inode_hash[h]; 1254 } 1255 1256 mutex_lock(&audit_filter_mutex); 1257 e = audit_find_rule(entry, list); 1258 if (!e) { 1259 mutex_unlock(&audit_filter_mutex); 1260 ret = -ENOENT; 1261 goto out; 1262 } 1263 1264 watch = e->rule.watch; 1265 if (watch) { 1266 struct audit_parent *parent = watch->parent; 1267 1268 list_del(&e->rule.rlist); 1269 1270 if (list_empty(&watch->rules)) { 1271 audit_remove_watch(watch); 1272 1273 if (list_empty(&parent->watches)) { 1274 /* Put parent on the inotify un-registration 1275 * list. Grab a reference before releasing 1276 * audit_filter_mutex, to be released in 1277 * audit_inotify_unregister(). */ 1278 list_add(&parent->ilist, &inotify_list); 1279 get_inotify_watch(&parent->wdata); 1280 } 1281 } 1282 } 1283 1284 list_del_rcu(&e->list); 1285 call_rcu(&e->rcu, audit_free_rule_rcu); 1286 1287 #ifdef CONFIG_AUDITSYSCALL 1288 if (!dont_count) 1289 audit_n_rules--; 1290 #endif 1291 mutex_unlock(&audit_filter_mutex); 1292 1293 if (!list_empty(&inotify_list)) 1294 audit_inotify_unregister(&inotify_list); 1295 1296 out: 1297 if (tmp_watch) 1298 audit_put_watch(tmp_watch); /* match initial get */ 1299 1300 return ret; 1301 } 1302 1303 /* List rules using struct audit_rule. Exists for backward 1304 * compatibility with userspace. */ 1305 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1306 { 1307 struct sk_buff *skb; 1308 struct audit_entry *entry; 1309 int i; 1310 1311 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1312 * iterator to sync with list writers. */ 1313 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1314 list_for_each_entry(entry, &audit_filter_list[i], list) { 1315 struct audit_rule *rule; 1316 1317 rule = audit_krule_to_rule(&entry->rule); 1318 if (unlikely(!rule)) 1319 break; 1320 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1321 rule, sizeof(*rule)); 1322 if (skb) 1323 skb_queue_tail(q, skb); 1324 kfree(rule); 1325 } 1326 } 1327 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1328 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1329 struct audit_rule *rule; 1330 1331 rule = audit_krule_to_rule(&entry->rule); 1332 if (unlikely(!rule)) 1333 break; 1334 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1335 rule, sizeof(*rule)); 1336 if (skb) 1337 skb_queue_tail(q, skb); 1338 kfree(rule); 1339 } 1340 } 1341 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1342 if (skb) 1343 skb_queue_tail(q, skb); 1344 } 1345 1346 /* List rules using struct audit_rule_data. */ 1347 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1348 { 1349 struct sk_buff *skb; 1350 struct audit_entry *e; 1351 int i; 1352 1353 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1354 * iterator to sync with list writers. */ 1355 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1356 list_for_each_entry(e, &audit_filter_list[i], list) { 1357 struct audit_rule_data *data; 1358 1359 data = audit_krule_to_data(&e->rule); 1360 if (unlikely(!data)) 1361 break; 1362 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1363 data, sizeof(*data) + data->buflen); 1364 if (skb) 1365 skb_queue_tail(q, skb); 1366 kfree(data); 1367 } 1368 } 1369 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1370 list_for_each_entry(e, &audit_inode_hash[i], list) { 1371 struct audit_rule_data *data; 1372 1373 data = audit_krule_to_data(&e->rule); 1374 if (unlikely(!data)) 1375 break; 1376 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1377 data, sizeof(*data) + data->buflen); 1378 if (skb) 1379 skb_queue_tail(q, skb); 1380 kfree(data); 1381 } 1382 } 1383 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1384 if (skb) 1385 skb_queue_tail(q, skb); 1386 } 1387 1388 /* Log rule additions and removals */ 1389 static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1390 struct audit_krule *rule, int res) 1391 { 1392 struct audit_buffer *ab; 1393 1394 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1395 if (!ab) 1396 return; 1397 audit_log_format(ab, "auid=%u", loginuid); 1398 if (sid) { 1399 char *ctx = NULL; 1400 u32 len; 1401 if (selinux_ctxid_to_string(sid, &ctx, &len)) 1402 audit_log_format(ab, " ssid=%u", sid); 1403 else 1404 audit_log_format(ab, " subj=%s", ctx); 1405 kfree(ctx); 1406 } 1407 audit_log_format(ab, " %s rule key=", action); 1408 if (rule->filterkey) 1409 audit_log_untrustedstring(ab, rule->filterkey); 1410 else 1411 audit_log_format(ab, "(null)"); 1412 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1413 audit_log_end(ab); 1414 } 1415 1416 /** 1417 * audit_receive_filter - apply all rules to the specified message type 1418 * @type: audit message type 1419 * @pid: target pid for netlink audit messages 1420 * @uid: target uid for netlink audit messages 1421 * @seq: netlink audit message sequence (serial) number 1422 * @data: payload data 1423 * @datasz: size of payload data 1424 * @loginuid: loginuid of sender 1425 * @sid: SE Linux Security ID of sender 1426 */ 1427 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1428 size_t datasz, uid_t loginuid, u32 sid) 1429 { 1430 struct task_struct *tsk; 1431 struct audit_netlink_list *dest; 1432 int err = 0; 1433 struct audit_entry *entry; 1434 1435 switch (type) { 1436 case AUDIT_LIST: 1437 case AUDIT_LIST_RULES: 1438 /* We can't just spew out the rules here because we might fill 1439 * the available socket buffer space and deadlock waiting for 1440 * auditctl to read from it... which isn't ever going to 1441 * happen if we're actually running in the context of auditctl 1442 * trying to _send_ the stuff */ 1443 1444 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1445 if (!dest) 1446 return -ENOMEM; 1447 dest->pid = pid; 1448 skb_queue_head_init(&dest->q); 1449 1450 mutex_lock(&audit_filter_mutex); 1451 if (type == AUDIT_LIST) 1452 audit_list(pid, seq, &dest->q); 1453 else 1454 audit_list_rules(pid, seq, &dest->q); 1455 mutex_unlock(&audit_filter_mutex); 1456 1457 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1458 if (IS_ERR(tsk)) { 1459 skb_queue_purge(&dest->q); 1460 kfree(dest); 1461 err = PTR_ERR(tsk); 1462 } 1463 break; 1464 case AUDIT_ADD: 1465 case AUDIT_ADD_RULE: 1466 if (type == AUDIT_ADD) 1467 entry = audit_rule_to_entry(data); 1468 else 1469 entry = audit_data_to_entry(data, datasz); 1470 if (IS_ERR(entry)) 1471 return PTR_ERR(entry); 1472 1473 err = audit_add_rule(entry, 1474 &audit_filter_list[entry->rule.listnr]); 1475 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1476 1477 if (err) 1478 audit_free_rule(entry); 1479 break; 1480 case AUDIT_DEL: 1481 case AUDIT_DEL_RULE: 1482 if (type == AUDIT_DEL) 1483 entry = audit_rule_to_entry(data); 1484 else 1485 entry = audit_data_to_entry(data, datasz); 1486 if (IS_ERR(entry)) 1487 return PTR_ERR(entry); 1488 1489 err = audit_del_rule(entry, 1490 &audit_filter_list[entry->rule.listnr]); 1491 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1492 !err); 1493 1494 audit_free_rule(entry); 1495 break; 1496 default: 1497 return -EINVAL; 1498 } 1499 1500 return err; 1501 } 1502 1503 int audit_comparator(const u32 left, const u32 op, const u32 right) 1504 { 1505 switch (op) { 1506 case AUDIT_EQUAL: 1507 return (left == right); 1508 case AUDIT_NOT_EQUAL: 1509 return (left != right); 1510 case AUDIT_LESS_THAN: 1511 return (left < right); 1512 case AUDIT_LESS_THAN_OR_EQUAL: 1513 return (left <= right); 1514 case AUDIT_GREATER_THAN: 1515 return (left > right); 1516 case AUDIT_GREATER_THAN_OR_EQUAL: 1517 return (left >= right); 1518 } 1519 BUG(); 1520 return 0; 1521 } 1522 1523 /* Compare given dentry name with last component in given path, 1524 * return of 0 indicates a match. */ 1525 int audit_compare_dname_path(const char *dname, const char *path, 1526 int *dirlen) 1527 { 1528 int dlen, plen; 1529 const char *p; 1530 1531 if (!dname || !path) 1532 return 1; 1533 1534 dlen = strlen(dname); 1535 plen = strlen(path); 1536 if (plen < dlen) 1537 return 1; 1538 1539 /* disregard trailing slashes */ 1540 p = path + plen - 1; 1541 while ((*p == '/') && (p > path)) 1542 p--; 1543 1544 /* find last path component */ 1545 p = p - dlen + 1; 1546 if (p < path) 1547 return 1; 1548 else if (p > path) { 1549 if (*--p != '/') 1550 return 1; 1551 else 1552 p++; 1553 } 1554 1555 /* return length of path's directory component */ 1556 if (dirlen) 1557 *dirlen = p - path; 1558 return strncmp(p, dname, dlen); 1559 } 1560 1561 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1562 struct audit_krule *rule, 1563 enum audit_state *state) 1564 { 1565 int i; 1566 1567 for (i = 0; i < rule->field_count; i++) { 1568 struct audit_field *f = &rule->fields[i]; 1569 int result = 0; 1570 1571 switch (f->type) { 1572 case AUDIT_PID: 1573 result = audit_comparator(cb->creds.pid, f->op, f->val); 1574 break; 1575 case AUDIT_UID: 1576 result = audit_comparator(cb->creds.uid, f->op, f->val); 1577 break; 1578 case AUDIT_GID: 1579 result = audit_comparator(cb->creds.gid, f->op, f->val); 1580 break; 1581 case AUDIT_LOGINUID: 1582 result = audit_comparator(cb->loginuid, f->op, f->val); 1583 break; 1584 } 1585 1586 if (!result) 1587 return 0; 1588 } 1589 switch (rule->action) { 1590 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1591 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1592 } 1593 return 1; 1594 } 1595 1596 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1597 { 1598 struct audit_entry *e; 1599 enum audit_state state; 1600 int ret = 1; 1601 1602 rcu_read_lock(); 1603 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1604 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1605 if (state == AUDIT_DISABLED) 1606 ret = 0; 1607 break; 1608 } 1609 } 1610 rcu_read_unlock(); 1611 1612 return ret; /* Audit by default */ 1613 } 1614 1615 int audit_filter_type(int type) 1616 { 1617 struct audit_entry *e; 1618 int result = 0; 1619 1620 rcu_read_lock(); 1621 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1622 goto unlock_and_return; 1623 1624 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1625 list) { 1626 int i; 1627 for (i = 0; i < e->rule.field_count; i++) { 1628 struct audit_field *f = &e->rule.fields[i]; 1629 if (f->type == AUDIT_MSGTYPE) { 1630 result = audit_comparator(type, f->op, f->val); 1631 if (!result) 1632 break; 1633 } 1634 } 1635 if (result) 1636 goto unlock_and_return; 1637 } 1638 unlock_and_return: 1639 rcu_read_unlock(); 1640 return result; 1641 } 1642 1643 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1644 are selinux fields specified in the rule, 0 otherwise. */ 1645 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1646 { 1647 int i; 1648 1649 for (i = 0; i < rule->field_count; i++) { 1650 struct audit_field *f = &rule->fields[i]; 1651 switch (f->type) { 1652 case AUDIT_SUBJ_USER: 1653 case AUDIT_SUBJ_ROLE: 1654 case AUDIT_SUBJ_TYPE: 1655 case AUDIT_SUBJ_SEN: 1656 case AUDIT_SUBJ_CLR: 1657 case AUDIT_OBJ_USER: 1658 case AUDIT_OBJ_ROLE: 1659 case AUDIT_OBJ_TYPE: 1660 case AUDIT_OBJ_LEV_LOW: 1661 case AUDIT_OBJ_LEV_HIGH: 1662 return 1; 1663 } 1664 } 1665 1666 return 0; 1667 } 1668 1669 /* This function will re-initialize the se_rule field of all applicable rules. 1670 * It will traverse the filter lists serarching for rules that contain selinux 1671 * specific filter fields. When such a rule is found, it is copied, the 1672 * selinux field is re-initialized, and the old rule is replaced with the 1673 * updated rule. */ 1674 int selinux_audit_rule_update(void) 1675 { 1676 struct audit_entry *entry, *n, *nentry; 1677 struct audit_watch *watch; 1678 int i, err = 0; 1679 1680 /* audit_filter_mutex synchronizes the writers */ 1681 mutex_lock(&audit_filter_mutex); 1682 1683 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1684 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1685 if (!audit_rule_has_selinux(&entry->rule)) 1686 continue; 1687 1688 watch = entry->rule.watch; 1689 nentry = audit_dupe_rule(&entry->rule, watch); 1690 if (unlikely(IS_ERR(nentry))) { 1691 /* save the first error encountered for the 1692 * return value */ 1693 if (!err) 1694 err = PTR_ERR(nentry); 1695 audit_panic("error updating selinux filters"); 1696 if (watch) 1697 list_del(&entry->rule.rlist); 1698 list_del_rcu(&entry->list); 1699 } else { 1700 if (watch) { 1701 list_add(&nentry->rule.rlist, 1702 &watch->rules); 1703 list_del(&entry->rule.rlist); 1704 } 1705 list_replace_rcu(&entry->list, &nentry->list); 1706 } 1707 call_rcu(&entry->rcu, audit_free_rule_rcu); 1708 } 1709 } 1710 1711 mutex_unlock(&audit_filter_mutex); 1712 1713 return err; 1714 } 1715 1716 /* Update watch data in audit rules based on inotify events. */ 1717 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1718 u32 cookie, const char *dname, struct inode *inode) 1719 { 1720 struct audit_parent *parent; 1721 1722 parent = container_of(i_watch, struct audit_parent, wdata); 1723 1724 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1725 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1726 inode->i_ino, 0); 1727 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1728 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1729 /* inotify automatically removes the watch and sends IN_IGNORED */ 1730 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1731 audit_remove_parent_watches(parent); 1732 /* inotify does not remove the watch, so remove it manually */ 1733 else if(mask & IN_MOVE_SELF) { 1734 audit_remove_parent_watches(parent); 1735 inotify_remove_watch_locked(audit_ih, i_watch); 1736 } else if (mask & IN_IGNORED) 1737 put_inotify_watch(i_watch); 1738 } 1739