1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/security.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify events we care about. */ 93 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 94 95 void audit_free_parent(struct inotify_watch *i_watch) 96 { 97 struct audit_parent *parent; 98 99 parent = container_of(i_watch, struct audit_parent, wdata); 100 WARN_ON(!list_empty(&parent->watches)); 101 kfree(parent); 102 } 103 104 static inline void audit_get_watch(struct audit_watch *watch) 105 { 106 atomic_inc(&watch->count); 107 } 108 109 static void audit_put_watch(struct audit_watch *watch) 110 { 111 if (atomic_dec_and_test(&watch->count)) { 112 WARN_ON(watch->parent); 113 WARN_ON(!list_empty(&watch->rules)); 114 kfree(watch->path); 115 kfree(watch); 116 } 117 } 118 119 static void audit_remove_watch(struct audit_watch *watch) 120 { 121 list_del(&watch->wlist); 122 put_inotify_watch(&watch->parent->wdata); 123 watch->parent = NULL; 124 audit_put_watch(watch); /* match initial get */ 125 } 126 127 static inline void audit_free_rule(struct audit_entry *e) 128 { 129 int i; 130 131 /* some rules don't have associated watches */ 132 if (e->rule.watch) 133 audit_put_watch(e->rule.watch); 134 if (e->rule.fields) 135 for (i = 0; i < e->rule.field_count; i++) { 136 struct audit_field *f = &e->rule.fields[i]; 137 kfree(f->lsm_str); 138 security_audit_rule_free(f->lsm_rule); 139 } 140 kfree(e->rule.fields); 141 kfree(e->rule.filterkey); 142 kfree(e); 143 } 144 145 void audit_free_rule_rcu(struct rcu_head *head) 146 { 147 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 148 audit_free_rule(e); 149 } 150 151 /* Initialize a parent watch entry. */ 152 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 153 { 154 struct audit_parent *parent; 155 s32 wd; 156 157 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 158 if (unlikely(!parent)) 159 return ERR_PTR(-ENOMEM); 160 161 INIT_LIST_HEAD(&parent->watches); 162 parent->flags = 0; 163 164 inotify_init_watch(&parent->wdata); 165 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 166 get_inotify_watch(&parent->wdata); 167 wd = inotify_add_watch(audit_ih, &parent->wdata, 168 ndp->path.dentry->d_inode, AUDIT_IN_WATCH); 169 if (wd < 0) { 170 audit_free_parent(&parent->wdata); 171 return ERR_PTR(wd); 172 } 173 174 return parent; 175 } 176 177 /* Initialize a watch entry. */ 178 static struct audit_watch *audit_init_watch(char *path) 179 { 180 struct audit_watch *watch; 181 182 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 183 if (unlikely(!watch)) 184 return ERR_PTR(-ENOMEM); 185 186 INIT_LIST_HEAD(&watch->rules); 187 atomic_set(&watch->count, 1); 188 watch->path = path; 189 watch->dev = (dev_t)-1; 190 watch->ino = (unsigned long)-1; 191 192 return watch; 193 } 194 195 /* Initialize an audit filterlist entry. */ 196 static inline struct audit_entry *audit_init_entry(u32 field_count) 197 { 198 struct audit_entry *entry; 199 struct audit_field *fields; 200 201 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 202 if (unlikely(!entry)) 203 return NULL; 204 205 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 206 if (unlikely(!fields)) { 207 kfree(entry); 208 return NULL; 209 } 210 entry->rule.fields = fields; 211 212 return entry; 213 } 214 215 /* Unpack a filter field's string representation from user-space 216 * buffer. */ 217 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 218 { 219 char *str; 220 221 if (!*bufp || (len == 0) || (len > *remain)) 222 return ERR_PTR(-EINVAL); 223 224 /* Of the currently implemented string fields, PATH_MAX 225 * defines the longest valid length. 226 */ 227 if (len > PATH_MAX) 228 return ERR_PTR(-ENAMETOOLONG); 229 230 str = kmalloc(len + 1, GFP_KERNEL); 231 if (unlikely(!str)) 232 return ERR_PTR(-ENOMEM); 233 234 memcpy(str, *bufp, len); 235 str[len] = 0; 236 *bufp += len; 237 *remain -= len; 238 239 return str; 240 } 241 242 /* Translate an inode field to kernel respresentation. */ 243 static inline int audit_to_inode(struct audit_krule *krule, 244 struct audit_field *f) 245 { 246 if (krule->listnr != AUDIT_FILTER_EXIT || 247 krule->watch || krule->inode_f || krule->tree) 248 return -EINVAL; 249 250 krule->inode_f = f; 251 return 0; 252 } 253 254 /* Translate a watch string to kernel respresentation. */ 255 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 256 u32 op) 257 { 258 struct audit_watch *watch; 259 260 if (!audit_ih) 261 return -EOPNOTSUPP; 262 263 if (path[0] != '/' || path[len-1] == '/' || 264 krule->listnr != AUDIT_FILTER_EXIT || 265 op & ~AUDIT_EQUAL || 266 krule->inode_f || krule->watch || krule->tree) 267 return -EINVAL; 268 269 watch = audit_init_watch(path); 270 if (IS_ERR(watch)) 271 return PTR_ERR(watch); 272 273 audit_get_watch(watch); 274 krule->watch = watch; 275 276 return 0; 277 } 278 279 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 280 281 int __init audit_register_class(int class, unsigned *list) 282 { 283 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 284 if (!p) 285 return -ENOMEM; 286 while (*list != ~0U) { 287 unsigned n = *list++; 288 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 289 kfree(p); 290 return -EINVAL; 291 } 292 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 293 } 294 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 295 kfree(p); 296 return -EINVAL; 297 } 298 classes[class] = p; 299 return 0; 300 } 301 302 int audit_match_class(int class, unsigned syscall) 303 { 304 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 305 return 0; 306 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 307 return 0; 308 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 309 } 310 311 #ifdef CONFIG_AUDITSYSCALL 312 static inline int audit_match_class_bits(int class, u32 *mask) 313 { 314 int i; 315 316 if (classes[class]) { 317 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 318 if (mask[i] & classes[class][i]) 319 return 0; 320 } 321 return 1; 322 } 323 324 static int audit_match_signal(struct audit_entry *entry) 325 { 326 struct audit_field *arch = entry->rule.arch_f; 327 328 if (!arch) { 329 /* When arch is unspecified, we must check both masks on biarch 330 * as syscall number alone is ambiguous. */ 331 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 332 entry->rule.mask) && 333 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 334 entry->rule.mask)); 335 } 336 337 switch(audit_classify_arch(arch->val)) { 338 case 0: /* native */ 339 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 340 entry->rule.mask)); 341 case 1: /* 32bit on biarch */ 342 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 343 entry->rule.mask)); 344 default: 345 return 1; 346 } 347 } 348 #endif 349 350 /* Common user-space to kernel rule translation. */ 351 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 352 { 353 unsigned listnr; 354 struct audit_entry *entry; 355 int i, err; 356 357 err = -EINVAL; 358 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 359 switch(listnr) { 360 default: 361 goto exit_err; 362 case AUDIT_FILTER_USER: 363 case AUDIT_FILTER_TYPE: 364 #ifdef CONFIG_AUDITSYSCALL 365 case AUDIT_FILTER_ENTRY: 366 case AUDIT_FILTER_EXIT: 367 case AUDIT_FILTER_TASK: 368 #endif 369 ; 370 } 371 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 372 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 373 goto exit_err; 374 } 375 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 376 goto exit_err; 377 if (rule->field_count > AUDIT_MAX_FIELDS) 378 goto exit_err; 379 380 err = -ENOMEM; 381 entry = audit_init_entry(rule->field_count); 382 if (!entry) 383 goto exit_err; 384 385 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 386 entry->rule.listnr = listnr; 387 entry->rule.action = rule->action; 388 entry->rule.field_count = rule->field_count; 389 390 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 391 entry->rule.mask[i] = rule->mask[i]; 392 393 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 394 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 395 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 396 __u32 *class; 397 398 if (!(*p & AUDIT_BIT(bit))) 399 continue; 400 *p &= ~AUDIT_BIT(bit); 401 class = classes[i]; 402 if (class) { 403 int j; 404 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 405 entry->rule.mask[j] |= class[j]; 406 } 407 } 408 409 return entry; 410 411 exit_err: 412 return ERR_PTR(err); 413 } 414 415 /* Translate struct audit_rule to kernel's rule respresentation. 416 * Exists for backward compatibility with userspace. */ 417 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 418 { 419 struct audit_entry *entry; 420 struct audit_field *ino_f; 421 int err = 0; 422 int i; 423 424 entry = audit_to_entry_common(rule); 425 if (IS_ERR(entry)) 426 goto exit_nofree; 427 428 for (i = 0; i < rule->field_count; i++) { 429 struct audit_field *f = &entry->rule.fields[i]; 430 431 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 432 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 433 f->val = rule->values[i]; 434 435 err = -EINVAL; 436 switch(f->type) { 437 default: 438 goto exit_free; 439 case AUDIT_PID: 440 case AUDIT_UID: 441 case AUDIT_EUID: 442 case AUDIT_SUID: 443 case AUDIT_FSUID: 444 case AUDIT_GID: 445 case AUDIT_EGID: 446 case AUDIT_SGID: 447 case AUDIT_FSGID: 448 case AUDIT_LOGINUID: 449 case AUDIT_PERS: 450 case AUDIT_MSGTYPE: 451 case AUDIT_PPID: 452 case AUDIT_DEVMAJOR: 453 case AUDIT_DEVMINOR: 454 case AUDIT_EXIT: 455 case AUDIT_SUCCESS: 456 /* bit ops are only useful on syscall args */ 457 if (f->op == AUDIT_BIT_MASK || 458 f->op == AUDIT_BIT_TEST) { 459 err = -EINVAL; 460 goto exit_free; 461 } 462 break; 463 case AUDIT_ARG0: 464 case AUDIT_ARG1: 465 case AUDIT_ARG2: 466 case AUDIT_ARG3: 467 break; 468 /* arch is only allowed to be = or != */ 469 case AUDIT_ARCH: 470 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 471 && (f->op != AUDIT_NEGATE) && (f->op)) { 472 err = -EINVAL; 473 goto exit_free; 474 } 475 entry->rule.arch_f = f; 476 break; 477 case AUDIT_PERM: 478 if (f->val & ~15) 479 goto exit_free; 480 break; 481 case AUDIT_FILETYPE: 482 if ((f->val & ~S_IFMT) > S_IFMT) 483 goto exit_free; 484 break; 485 case AUDIT_INODE: 486 err = audit_to_inode(&entry->rule, f); 487 if (err) 488 goto exit_free; 489 break; 490 } 491 492 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 493 494 /* Support for legacy operators where 495 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 496 if (f->op & AUDIT_NEGATE) 497 f->op = AUDIT_NOT_EQUAL; 498 else if (!f->op) 499 f->op = AUDIT_EQUAL; 500 else if (f->op == AUDIT_OPERATORS) { 501 err = -EINVAL; 502 goto exit_free; 503 } 504 } 505 506 ino_f = entry->rule.inode_f; 507 if (ino_f) { 508 switch(ino_f->op) { 509 case AUDIT_NOT_EQUAL: 510 entry->rule.inode_f = NULL; 511 case AUDIT_EQUAL: 512 break; 513 default: 514 err = -EINVAL; 515 goto exit_free; 516 } 517 } 518 519 exit_nofree: 520 return entry; 521 522 exit_free: 523 audit_free_rule(entry); 524 return ERR_PTR(err); 525 } 526 527 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 528 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 529 size_t datasz) 530 { 531 int err = 0; 532 struct audit_entry *entry; 533 struct audit_field *ino_f; 534 void *bufp; 535 size_t remain = datasz - sizeof(struct audit_rule_data); 536 int i; 537 char *str; 538 539 entry = audit_to_entry_common((struct audit_rule *)data); 540 if (IS_ERR(entry)) 541 goto exit_nofree; 542 543 bufp = data->buf; 544 entry->rule.vers_ops = 2; 545 for (i = 0; i < data->field_count; i++) { 546 struct audit_field *f = &entry->rule.fields[i]; 547 548 err = -EINVAL; 549 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 550 data->fieldflags[i] & ~AUDIT_OPERATORS) 551 goto exit_free; 552 553 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 554 f->type = data->fields[i]; 555 f->val = data->values[i]; 556 f->lsm_str = NULL; 557 f->lsm_rule = NULL; 558 switch(f->type) { 559 case AUDIT_PID: 560 case AUDIT_UID: 561 case AUDIT_EUID: 562 case AUDIT_SUID: 563 case AUDIT_FSUID: 564 case AUDIT_GID: 565 case AUDIT_EGID: 566 case AUDIT_SGID: 567 case AUDIT_FSGID: 568 case AUDIT_LOGINUID: 569 case AUDIT_PERS: 570 case AUDIT_MSGTYPE: 571 case AUDIT_PPID: 572 case AUDIT_DEVMAJOR: 573 case AUDIT_DEVMINOR: 574 case AUDIT_EXIT: 575 case AUDIT_SUCCESS: 576 case AUDIT_ARG0: 577 case AUDIT_ARG1: 578 case AUDIT_ARG2: 579 case AUDIT_ARG3: 580 break; 581 case AUDIT_ARCH: 582 entry->rule.arch_f = f; 583 break; 584 case AUDIT_SUBJ_USER: 585 case AUDIT_SUBJ_ROLE: 586 case AUDIT_SUBJ_TYPE: 587 case AUDIT_SUBJ_SEN: 588 case AUDIT_SUBJ_CLR: 589 case AUDIT_OBJ_USER: 590 case AUDIT_OBJ_ROLE: 591 case AUDIT_OBJ_TYPE: 592 case AUDIT_OBJ_LEV_LOW: 593 case AUDIT_OBJ_LEV_HIGH: 594 str = audit_unpack_string(&bufp, &remain, f->val); 595 if (IS_ERR(str)) 596 goto exit_free; 597 entry->rule.buflen += f->val; 598 599 err = security_audit_rule_init(f->type, f->op, str, 600 (void **)&f->lsm_rule); 601 /* Keep currently invalid fields around in case they 602 * become valid after a policy reload. */ 603 if (err == -EINVAL) { 604 printk(KERN_WARNING "audit rule for LSM " 605 "\'%s\' is invalid\n", str); 606 err = 0; 607 } 608 if (err) { 609 kfree(str); 610 goto exit_free; 611 } else 612 f->lsm_str = str; 613 break; 614 case AUDIT_WATCH: 615 str = audit_unpack_string(&bufp, &remain, f->val); 616 if (IS_ERR(str)) 617 goto exit_free; 618 entry->rule.buflen += f->val; 619 620 err = audit_to_watch(&entry->rule, str, f->val, f->op); 621 if (err) { 622 kfree(str); 623 goto exit_free; 624 } 625 break; 626 case AUDIT_DIR: 627 str = audit_unpack_string(&bufp, &remain, f->val); 628 if (IS_ERR(str)) 629 goto exit_free; 630 entry->rule.buflen += f->val; 631 632 err = audit_make_tree(&entry->rule, str, f->op); 633 kfree(str); 634 if (err) 635 goto exit_free; 636 break; 637 case AUDIT_INODE: 638 err = audit_to_inode(&entry->rule, f); 639 if (err) 640 goto exit_free; 641 break; 642 case AUDIT_FILTERKEY: 643 err = -EINVAL; 644 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 645 goto exit_free; 646 str = audit_unpack_string(&bufp, &remain, f->val); 647 if (IS_ERR(str)) 648 goto exit_free; 649 entry->rule.buflen += f->val; 650 entry->rule.filterkey = str; 651 break; 652 case AUDIT_PERM: 653 if (f->val & ~15) 654 goto exit_free; 655 break; 656 case AUDIT_FILETYPE: 657 if ((f->val & ~S_IFMT) > S_IFMT) 658 goto exit_free; 659 break; 660 default: 661 goto exit_free; 662 } 663 } 664 665 ino_f = entry->rule.inode_f; 666 if (ino_f) { 667 switch(ino_f->op) { 668 case AUDIT_NOT_EQUAL: 669 entry->rule.inode_f = NULL; 670 case AUDIT_EQUAL: 671 break; 672 default: 673 err = -EINVAL; 674 goto exit_free; 675 } 676 } 677 678 exit_nofree: 679 return entry; 680 681 exit_free: 682 audit_free_rule(entry); 683 return ERR_PTR(err); 684 } 685 686 /* Pack a filter field's string representation into data block. */ 687 static inline size_t audit_pack_string(void **bufp, const char *str) 688 { 689 size_t len = strlen(str); 690 691 memcpy(*bufp, str, len); 692 *bufp += len; 693 694 return len; 695 } 696 697 /* Translate kernel rule respresentation to struct audit_rule. 698 * Exists for backward compatibility with userspace. */ 699 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 700 { 701 struct audit_rule *rule; 702 int i; 703 704 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 705 if (unlikely(!rule)) 706 return NULL; 707 708 rule->flags = krule->flags | krule->listnr; 709 rule->action = krule->action; 710 rule->field_count = krule->field_count; 711 for (i = 0; i < rule->field_count; i++) { 712 rule->values[i] = krule->fields[i].val; 713 rule->fields[i] = krule->fields[i].type; 714 715 if (krule->vers_ops == 1) { 716 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 717 rule->fields[i] |= AUDIT_NEGATE; 718 } else { 719 rule->fields[i] |= krule->fields[i].op; 720 } 721 } 722 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 723 724 return rule; 725 } 726 727 /* Translate kernel rule respresentation to struct audit_rule_data. */ 728 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 729 { 730 struct audit_rule_data *data; 731 void *bufp; 732 int i; 733 734 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 735 if (unlikely(!data)) 736 return NULL; 737 memset(data, 0, sizeof(*data)); 738 739 data->flags = krule->flags | krule->listnr; 740 data->action = krule->action; 741 data->field_count = krule->field_count; 742 bufp = data->buf; 743 for (i = 0; i < data->field_count; i++) { 744 struct audit_field *f = &krule->fields[i]; 745 746 data->fields[i] = f->type; 747 data->fieldflags[i] = f->op; 748 switch(f->type) { 749 case AUDIT_SUBJ_USER: 750 case AUDIT_SUBJ_ROLE: 751 case AUDIT_SUBJ_TYPE: 752 case AUDIT_SUBJ_SEN: 753 case AUDIT_SUBJ_CLR: 754 case AUDIT_OBJ_USER: 755 case AUDIT_OBJ_ROLE: 756 case AUDIT_OBJ_TYPE: 757 case AUDIT_OBJ_LEV_LOW: 758 case AUDIT_OBJ_LEV_HIGH: 759 data->buflen += data->values[i] = 760 audit_pack_string(&bufp, f->lsm_str); 761 break; 762 case AUDIT_WATCH: 763 data->buflen += data->values[i] = 764 audit_pack_string(&bufp, krule->watch->path); 765 break; 766 case AUDIT_DIR: 767 data->buflen += data->values[i] = 768 audit_pack_string(&bufp, 769 audit_tree_path(krule->tree)); 770 break; 771 case AUDIT_FILTERKEY: 772 data->buflen += data->values[i] = 773 audit_pack_string(&bufp, krule->filterkey); 774 break; 775 default: 776 data->values[i] = f->val; 777 } 778 } 779 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 780 781 return data; 782 } 783 784 /* Compare two rules in kernel format. Considered success if rules 785 * don't match. */ 786 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 787 { 788 int i; 789 790 if (a->flags != b->flags || 791 a->listnr != b->listnr || 792 a->action != b->action || 793 a->field_count != b->field_count) 794 return 1; 795 796 for (i = 0; i < a->field_count; i++) { 797 if (a->fields[i].type != b->fields[i].type || 798 a->fields[i].op != b->fields[i].op) 799 return 1; 800 801 switch(a->fields[i].type) { 802 case AUDIT_SUBJ_USER: 803 case AUDIT_SUBJ_ROLE: 804 case AUDIT_SUBJ_TYPE: 805 case AUDIT_SUBJ_SEN: 806 case AUDIT_SUBJ_CLR: 807 case AUDIT_OBJ_USER: 808 case AUDIT_OBJ_ROLE: 809 case AUDIT_OBJ_TYPE: 810 case AUDIT_OBJ_LEV_LOW: 811 case AUDIT_OBJ_LEV_HIGH: 812 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 813 return 1; 814 break; 815 case AUDIT_WATCH: 816 if (strcmp(a->watch->path, b->watch->path)) 817 return 1; 818 break; 819 case AUDIT_DIR: 820 if (strcmp(audit_tree_path(a->tree), 821 audit_tree_path(b->tree))) 822 return 1; 823 break; 824 case AUDIT_FILTERKEY: 825 /* both filterkeys exist based on above type compare */ 826 if (strcmp(a->filterkey, b->filterkey)) 827 return 1; 828 break; 829 default: 830 if (a->fields[i].val != b->fields[i].val) 831 return 1; 832 } 833 } 834 835 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 836 if (a->mask[i] != b->mask[i]) 837 return 1; 838 839 return 0; 840 } 841 842 /* Duplicate the given audit watch. The new watch's rules list is initialized 843 * to an empty list and wlist is undefined. */ 844 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 845 { 846 char *path; 847 struct audit_watch *new; 848 849 path = kstrdup(old->path, GFP_KERNEL); 850 if (unlikely(!path)) 851 return ERR_PTR(-ENOMEM); 852 853 new = audit_init_watch(path); 854 if (IS_ERR(new)) { 855 kfree(path); 856 goto out; 857 } 858 859 new->dev = old->dev; 860 new->ino = old->ino; 861 get_inotify_watch(&old->parent->wdata); 862 new->parent = old->parent; 863 864 out: 865 return new; 866 } 867 868 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 869 * re-initialized. */ 870 static inline int audit_dupe_lsm_field(struct audit_field *df, 871 struct audit_field *sf) 872 { 873 int ret = 0; 874 char *lsm_str; 875 876 /* our own copy of lsm_str */ 877 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 878 if (unlikely(!lsm_str)) 879 return -ENOMEM; 880 df->lsm_str = lsm_str; 881 882 /* our own (refreshed) copy of lsm_rule */ 883 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 884 (void **)&df->lsm_rule); 885 /* Keep currently invalid fields around in case they 886 * become valid after a policy reload. */ 887 if (ret == -EINVAL) { 888 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 889 "invalid\n", df->lsm_str); 890 ret = 0; 891 } 892 893 return ret; 894 } 895 896 /* Duplicate an audit rule. This will be a deep copy with the exception 897 * of the watch - that pointer is carried over. The LSM specific fields 898 * will be updated in the copy. The point is to be able to replace the old 899 * rule with the new rule in the filterlist, then free the old rule. 900 * The rlist element is undefined; list manipulations are handled apart from 901 * the initial copy. */ 902 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 903 struct audit_watch *watch) 904 { 905 u32 fcount = old->field_count; 906 struct audit_entry *entry; 907 struct audit_krule *new; 908 char *fk; 909 int i, err = 0; 910 911 entry = audit_init_entry(fcount); 912 if (unlikely(!entry)) 913 return ERR_PTR(-ENOMEM); 914 915 new = &entry->rule; 916 new->vers_ops = old->vers_ops; 917 new->flags = old->flags; 918 new->listnr = old->listnr; 919 new->action = old->action; 920 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 921 new->mask[i] = old->mask[i]; 922 new->buflen = old->buflen; 923 new->inode_f = old->inode_f; 924 new->watch = NULL; 925 new->field_count = old->field_count; 926 /* 927 * note that we are OK with not refcounting here; audit_match_tree() 928 * never dereferences tree and we can't get false positives there 929 * since we'd have to have rule gone from the list *and* removed 930 * before the chunks found by lookup had been allocated, i.e. before 931 * the beginning of list scan. 932 */ 933 new->tree = old->tree; 934 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 935 936 /* deep copy this information, updating the lsm_rule fields, because 937 * the originals will all be freed when the old rule is freed. */ 938 for (i = 0; i < fcount; i++) { 939 switch (new->fields[i].type) { 940 case AUDIT_SUBJ_USER: 941 case AUDIT_SUBJ_ROLE: 942 case AUDIT_SUBJ_TYPE: 943 case AUDIT_SUBJ_SEN: 944 case AUDIT_SUBJ_CLR: 945 case AUDIT_OBJ_USER: 946 case AUDIT_OBJ_ROLE: 947 case AUDIT_OBJ_TYPE: 948 case AUDIT_OBJ_LEV_LOW: 949 case AUDIT_OBJ_LEV_HIGH: 950 err = audit_dupe_lsm_field(&new->fields[i], 951 &old->fields[i]); 952 break; 953 case AUDIT_FILTERKEY: 954 fk = kstrdup(old->filterkey, GFP_KERNEL); 955 if (unlikely(!fk)) 956 err = -ENOMEM; 957 else 958 new->filterkey = fk; 959 } 960 if (err) { 961 audit_free_rule(entry); 962 return ERR_PTR(err); 963 } 964 } 965 966 if (watch) { 967 audit_get_watch(watch); 968 new->watch = watch; 969 } 970 971 return entry; 972 } 973 974 /* Update inode info in audit rules based on filesystem event. */ 975 static void audit_update_watch(struct audit_parent *parent, 976 const char *dname, dev_t dev, 977 unsigned long ino, unsigned invalidating) 978 { 979 struct audit_watch *owatch, *nwatch, *nextw; 980 struct audit_krule *r, *nextr; 981 struct audit_entry *oentry, *nentry; 982 983 mutex_lock(&audit_filter_mutex); 984 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 985 if (audit_compare_dname_path(dname, owatch->path, NULL)) 986 continue; 987 988 /* If the update involves invalidating rules, do the inode-based 989 * filtering now, so we don't omit records. */ 990 if (invalidating && current->audit_context && 991 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 992 audit_set_auditable(current->audit_context); 993 994 nwatch = audit_dupe_watch(owatch); 995 if (IS_ERR(nwatch)) { 996 mutex_unlock(&audit_filter_mutex); 997 audit_panic("error updating watch, skipping"); 998 return; 999 } 1000 nwatch->dev = dev; 1001 nwatch->ino = ino; 1002 1003 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 1004 1005 oentry = container_of(r, struct audit_entry, rule); 1006 list_del(&oentry->rule.rlist); 1007 list_del_rcu(&oentry->list); 1008 1009 nentry = audit_dupe_rule(&oentry->rule, nwatch); 1010 if (IS_ERR(nentry)) 1011 audit_panic("error updating watch, removing"); 1012 else { 1013 int h = audit_hash_ino((u32)ino); 1014 list_add(&nentry->rule.rlist, &nwatch->rules); 1015 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 1016 } 1017 1018 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1019 } 1020 1021 if (audit_enabled) { 1022 struct audit_buffer *ab; 1023 ab = audit_log_start(NULL, GFP_KERNEL, 1024 AUDIT_CONFIG_CHANGE); 1025 audit_log_format(ab, 1026 "op=updated rules specifying path="); 1027 audit_log_untrustedstring(ab, owatch->path); 1028 audit_log_format(ab, " with dev=%u ino=%lu\n", 1029 dev, ino); 1030 audit_log_format(ab, " list=%d res=1", r->listnr); 1031 audit_log_end(ab); 1032 } 1033 audit_remove_watch(owatch); 1034 goto add_watch_to_parent; /* event applies to a single watch */ 1035 } 1036 mutex_unlock(&audit_filter_mutex); 1037 return; 1038 1039 add_watch_to_parent: 1040 list_add(&nwatch->wlist, &parent->watches); 1041 mutex_unlock(&audit_filter_mutex); 1042 return; 1043 } 1044 1045 /* Remove all watches & rules associated with a parent that is going away. */ 1046 static void audit_remove_parent_watches(struct audit_parent *parent) 1047 { 1048 struct audit_watch *w, *nextw; 1049 struct audit_krule *r, *nextr; 1050 struct audit_entry *e; 1051 1052 mutex_lock(&audit_filter_mutex); 1053 parent->flags |= AUDIT_PARENT_INVALID; 1054 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1055 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1056 e = container_of(r, struct audit_entry, rule); 1057 if (audit_enabled) { 1058 struct audit_buffer *ab; 1059 ab = audit_log_start(NULL, GFP_KERNEL, 1060 AUDIT_CONFIG_CHANGE); 1061 audit_log_format(ab, "op=remove rule path="); 1062 audit_log_untrustedstring(ab, w->path); 1063 if (r->filterkey) { 1064 audit_log_format(ab, " key="); 1065 audit_log_untrustedstring(ab, 1066 r->filterkey); 1067 } else 1068 audit_log_format(ab, " key=(null)"); 1069 audit_log_format(ab, " list=%d res=1", 1070 r->listnr); 1071 audit_log_end(ab); 1072 } 1073 list_del(&r->rlist); 1074 list_del_rcu(&e->list); 1075 call_rcu(&e->rcu, audit_free_rule_rcu); 1076 } 1077 audit_remove_watch(w); 1078 } 1079 mutex_unlock(&audit_filter_mutex); 1080 } 1081 1082 /* Unregister inotify watches for parents on in_list. 1083 * Generates an IN_IGNORED event. */ 1084 static void audit_inotify_unregister(struct list_head *in_list) 1085 { 1086 struct audit_parent *p, *n; 1087 1088 list_for_each_entry_safe(p, n, in_list, ilist) { 1089 list_del(&p->ilist); 1090 inotify_rm_watch(audit_ih, &p->wdata); 1091 /* the put matching the get in audit_do_del_rule() */ 1092 put_inotify_watch(&p->wdata); 1093 } 1094 } 1095 1096 /* Find an existing audit rule. 1097 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1098 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1099 struct list_head *list) 1100 { 1101 struct audit_entry *e, *found = NULL; 1102 int h; 1103 1104 if (entry->rule.watch) { 1105 /* we don't know the inode number, so must walk entire hash */ 1106 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1107 list = &audit_inode_hash[h]; 1108 list_for_each_entry(e, list, list) 1109 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1110 found = e; 1111 goto out; 1112 } 1113 } 1114 goto out; 1115 } 1116 1117 list_for_each_entry(e, list, list) 1118 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1119 found = e; 1120 goto out; 1121 } 1122 1123 out: 1124 return found; 1125 } 1126 1127 /* Get path information necessary for adding watches. */ 1128 static int audit_get_nd(char *path, struct nameidata **ndp, 1129 struct nameidata **ndw) 1130 { 1131 struct nameidata *ndparent, *ndwatch; 1132 int err; 1133 1134 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1135 if (unlikely(!ndparent)) 1136 return -ENOMEM; 1137 1138 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1139 if (unlikely(!ndwatch)) { 1140 kfree(ndparent); 1141 return -ENOMEM; 1142 } 1143 1144 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1145 if (err) { 1146 kfree(ndparent); 1147 kfree(ndwatch); 1148 return err; 1149 } 1150 1151 err = path_lookup(path, 0, ndwatch); 1152 if (err) { 1153 kfree(ndwatch); 1154 ndwatch = NULL; 1155 } 1156 1157 *ndp = ndparent; 1158 *ndw = ndwatch; 1159 1160 return 0; 1161 } 1162 1163 /* Release resources used for watch path information. */ 1164 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1165 { 1166 if (ndp) { 1167 path_put(&ndp->path); 1168 kfree(ndp); 1169 } 1170 if (ndw) { 1171 path_put(&ndw->path); 1172 kfree(ndw); 1173 } 1174 } 1175 1176 /* Associate the given rule with an existing parent inotify_watch. 1177 * Caller must hold audit_filter_mutex. */ 1178 static void audit_add_to_parent(struct audit_krule *krule, 1179 struct audit_parent *parent) 1180 { 1181 struct audit_watch *w, *watch = krule->watch; 1182 int watch_found = 0; 1183 1184 list_for_each_entry(w, &parent->watches, wlist) { 1185 if (strcmp(watch->path, w->path)) 1186 continue; 1187 1188 watch_found = 1; 1189 1190 /* put krule's and initial refs to temporary watch */ 1191 audit_put_watch(watch); 1192 audit_put_watch(watch); 1193 1194 audit_get_watch(w); 1195 krule->watch = watch = w; 1196 break; 1197 } 1198 1199 if (!watch_found) { 1200 get_inotify_watch(&parent->wdata); 1201 watch->parent = parent; 1202 1203 list_add(&watch->wlist, &parent->watches); 1204 } 1205 list_add(&krule->rlist, &watch->rules); 1206 } 1207 1208 /* Find a matching watch entry, or add this one. 1209 * Caller must hold audit_filter_mutex. */ 1210 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1211 struct nameidata *ndw) 1212 { 1213 struct audit_watch *watch = krule->watch; 1214 struct inotify_watch *i_watch; 1215 struct audit_parent *parent; 1216 int ret = 0; 1217 1218 /* update watch filter fields */ 1219 if (ndw) { 1220 watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev; 1221 watch->ino = ndw->path.dentry->d_inode->i_ino; 1222 } 1223 1224 /* The audit_filter_mutex must not be held during inotify calls because 1225 * we hold it during inotify event callback processing. If an existing 1226 * inotify watch is found, inotify_find_watch() grabs a reference before 1227 * returning. 1228 */ 1229 mutex_unlock(&audit_filter_mutex); 1230 1231 if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode, 1232 &i_watch) < 0) { 1233 parent = audit_init_parent(ndp); 1234 if (IS_ERR(parent)) { 1235 /* caller expects mutex locked */ 1236 mutex_lock(&audit_filter_mutex); 1237 return PTR_ERR(parent); 1238 } 1239 } else 1240 parent = container_of(i_watch, struct audit_parent, wdata); 1241 1242 mutex_lock(&audit_filter_mutex); 1243 1244 /* parent was moved before we took audit_filter_mutex */ 1245 if (parent->flags & AUDIT_PARENT_INVALID) 1246 ret = -ENOENT; 1247 else 1248 audit_add_to_parent(krule, parent); 1249 1250 /* match get in audit_init_parent or inotify_find_watch */ 1251 put_inotify_watch(&parent->wdata); 1252 return ret; 1253 } 1254 1255 /* Add rule to given filterlist if not a duplicate. */ 1256 static inline int audit_add_rule(struct audit_entry *entry, 1257 struct list_head *list) 1258 { 1259 struct audit_entry *e; 1260 struct audit_field *inode_f = entry->rule.inode_f; 1261 struct audit_watch *watch = entry->rule.watch; 1262 struct audit_tree *tree = entry->rule.tree; 1263 struct nameidata *ndp = NULL, *ndw = NULL; 1264 int h, err; 1265 #ifdef CONFIG_AUDITSYSCALL 1266 int dont_count = 0; 1267 1268 /* If either of these, don't count towards total */ 1269 if (entry->rule.listnr == AUDIT_FILTER_USER || 1270 entry->rule.listnr == AUDIT_FILTER_TYPE) 1271 dont_count = 1; 1272 #endif 1273 1274 if (inode_f) { 1275 h = audit_hash_ino(inode_f->val); 1276 list = &audit_inode_hash[h]; 1277 } 1278 1279 mutex_lock(&audit_filter_mutex); 1280 e = audit_find_rule(entry, list); 1281 mutex_unlock(&audit_filter_mutex); 1282 if (e) { 1283 err = -EEXIST; 1284 /* normally audit_add_tree_rule() will free it on failure */ 1285 if (tree) 1286 audit_put_tree(tree); 1287 goto error; 1288 } 1289 1290 /* Avoid calling path_lookup under audit_filter_mutex. */ 1291 if (watch) { 1292 err = audit_get_nd(watch->path, &ndp, &ndw); 1293 if (err) 1294 goto error; 1295 } 1296 1297 mutex_lock(&audit_filter_mutex); 1298 if (watch) { 1299 /* audit_filter_mutex is dropped and re-taken during this call */ 1300 err = audit_add_watch(&entry->rule, ndp, ndw); 1301 if (err) { 1302 mutex_unlock(&audit_filter_mutex); 1303 goto error; 1304 } 1305 h = audit_hash_ino((u32)watch->ino); 1306 list = &audit_inode_hash[h]; 1307 } 1308 if (tree) { 1309 err = audit_add_tree_rule(&entry->rule); 1310 if (err) { 1311 mutex_unlock(&audit_filter_mutex); 1312 goto error; 1313 } 1314 } 1315 1316 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1317 list_add_rcu(&entry->list, list); 1318 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1319 } else { 1320 list_add_tail_rcu(&entry->list, list); 1321 } 1322 #ifdef CONFIG_AUDITSYSCALL 1323 if (!dont_count) 1324 audit_n_rules++; 1325 1326 if (!audit_match_signal(entry)) 1327 audit_signals++; 1328 #endif 1329 mutex_unlock(&audit_filter_mutex); 1330 1331 audit_put_nd(ndp, ndw); /* NULL args OK */ 1332 return 0; 1333 1334 error: 1335 audit_put_nd(ndp, ndw); /* NULL args OK */ 1336 if (watch) 1337 audit_put_watch(watch); /* tmp watch, matches initial get */ 1338 return err; 1339 } 1340 1341 /* Remove an existing rule from filterlist. */ 1342 static inline int audit_del_rule(struct audit_entry *entry, 1343 struct list_head *list) 1344 { 1345 struct audit_entry *e; 1346 struct audit_field *inode_f = entry->rule.inode_f; 1347 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1348 struct audit_tree *tree = entry->rule.tree; 1349 LIST_HEAD(inotify_list); 1350 int h, ret = 0; 1351 #ifdef CONFIG_AUDITSYSCALL 1352 int dont_count = 0; 1353 1354 /* If either of these, don't count towards total */ 1355 if (entry->rule.listnr == AUDIT_FILTER_USER || 1356 entry->rule.listnr == AUDIT_FILTER_TYPE) 1357 dont_count = 1; 1358 #endif 1359 1360 if (inode_f) { 1361 h = audit_hash_ino(inode_f->val); 1362 list = &audit_inode_hash[h]; 1363 } 1364 1365 mutex_lock(&audit_filter_mutex); 1366 e = audit_find_rule(entry, list); 1367 if (!e) { 1368 mutex_unlock(&audit_filter_mutex); 1369 ret = -ENOENT; 1370 goto out; 1371 } 1372 1373 watch = e->rule.watch; 1374 if (watch) { 1375 struct audit_parent *parent = watch->parent; 1376 1377 list_del(&e->rule.rlist); 1378 1379 if (list_empty(&watch->rules)) { 1380 audit_remove_watch(watch); 1381 1382 if (list_empty(&parent->watches)) { 1383 /* Put parent on the inotify un-registration 1384 * list. Grab a reference before releasing 1385 * audit_filter_mutex, to be released in 1386 * audit_inotify_unregister(). */ 1387 list_add(&parent->ilist, &inotify_list); 1388 get_inotify_watch(&parent->wdata); 1389 } 1390 } 1391 } 1392 1393 if (e->rule.tree) 1394 audit_remove_tree_rule(&e->rule); 1395 1396 list_del_rcu(&e->list); 1397 call_rcu(&e->rcu, audit_free_rule_rcu); 1398 1399 #ifdef CONFIG_AUDITSYSCALL 1400 if (!dont_count) 1401 audit_n_rules--; 1402 1403 if (!audit_match_signal(entry)) 1404 audit_signals--; 1405 #endif 1406 mutex_unlock(&audit_filter_mutex); 1407 1408 if (!list_empty(&inotify_list)) 1409 audit_inotify_unregister(&inotify_list); 1410 1411 out: 1412 if (tmp_watch) 1413 audit_put_watch(tmp_watch); /* match initial get */ 1414 if (tree) 1415 audit_put_tree(tree); /* that's the temporary one */ 1416 1417 return ret; 1418 } 1419 1420 /* List rules using struct audit_rule. Exists for backward 1421 * compatibility with userspace. */ 1422 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1423 { 1424 struct sk_buff *skb; 1425 struct audit_entry *entry; 1426 int i; 1427 1428 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1429 * iterator to sync with list writers. */ 1430 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1431 list_for_each_entry(entry, &audit_filter_list[i], list) { 1432 struct audit_rule *rule; 1433 1434 rule = audit_krule_to_rule(&entry->rule); 1435 if (unlikely(!rule)) 1436 break; 1437 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1438 rule, sizeof(*rule)); 1439 if (skb) 1440 skb_queue_tail(q, skb); 1441 kfree(rule); 1442 } 1443 } 1444 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1445 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1446 struct audit_rule *rule; 1447 1448 rule = audit_krule_to_rule(&entry->rule); 1449 if (unlikely(!rule)) 1450 break; 1451 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1452 rule, sizeof(*rule)); 1453 if (skb) 1454 skb_queue_tail(q, skb); 1455 kfree(rule); 1456 } 1457 } 1458 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1459 if (skb) 1460 skb_queue_tail(q, skb); 1461 } 1462 1463 /* List rules using struct audit_rule_data. */ 1464 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1465 { 1466 struct sk_buff *skb; 1467 struct audit_entry *e; 1468 int i; 1469 1470 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1471 * iterator to sync with list writers. */ 1472 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1473 list_for_each_entry(e, &audit_filter_list[i], list) { 1474 struct audit_rule_data *data; 1475 1476 data = audit_krule_to_data(&e->rule); 1477 if (unlikely(!data)) 1478 break; 1479 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1480 data, sizeof(*data) + data->buflen); 1481 if (skb) 1482 skb_queue_tail(q, skb); 1483 kfree(data); 1484 } 1485 } 1486 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1487 list_for_each_entry(e, &audit_inode_hash[i], list) { 1488 struct audit_rule_data *data; 1489 1490 data = audit_krule_to_data(&e->rule); 1491 if (unlikely(!data)) 1492 break; 1493 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1494 data, sizeof(*data) + data->buflen); 1495 if (skb) 1496 skb_queue_tail(q, skb); 1497 kfree(data); 1498 } 1499 } 1500 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1501 if (skb) 1502 skb_queue_tail(q, skb); 1503 } 1504 1505 /* Log rule additions and removals */ 1506 static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, 1507 char *action, struct audit_krule *rule, 1508 int res) 1509 { 1510 struct audit_buffer *ab; 1511 1512 if (!audit_enabled) 1513 return; 1514 1515 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1516 if (!ab) 1517 return; 1518 audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); 1519 if (sid) { 1520 char *ctx = NULL; 1521 u32 len; 1522 if (security_secid_to_secctx(sid, &ctx, &len)) 1523 audit_log_format(ab, " ssid=%u", sid); 1524 else { 1525 audit_log_format(ab, " subj=%s", ctx); 1526 security_release_secctx(ctx, len); 1527 } 1528 } 1529 audit_log_format(ab, " op=%s rule key=", action); 1530 if (rule->filterkey) 1531 audit_log_untrustedstring(ab, rule->filterkey); 1532 else 1533 audit_log_format(ab, "(null)"); 1534 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1535 audit_log_end(ab); 1536 } 1537 1538 /** 1539 * audit_receive_filter - apply all rules to the specified message type 1540 * @type: audit message type 1541 * @pid: target pid for netlink audit messages 1542 * @uid: target uid for netlink audit messages 1543 * @seq: netlink audit message sequence (serial) number 1544 * @data: payload data 1545 * @datasz: size of payload data 1546 * @loginuid: loginuid of sender 1547 * @sessionid: sessionid for netlink audit message 1548 * @sid: SE Linux Security ID of sender 1549 */ 1550 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1551 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) 1552 { 1553 struct task_struct *tsk; 1554 struct audit_netlink_list *dest; 1555 int err = 0; 1556 struct audit_entry *entry; 1557 1558 switch (type) { 1559 case AUDIT_LIST: 1560 case AUDIT_LIST_RULES: 1561 /* We can't just spew out the rules here because we might fill 1562 * the available socket buffer space and deadlock waiting for 1563 * auditctl to read from it... which isn't ever going to 1564 * happen if we're actually running in the context of auditctl 1565 * trying to _send_ the stuff */ 1566 1567 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1568 if (!dest) 1569 return -ENOMEM; 1570 dest->pid = pid; 1571 skb_queue_head_init(&dest->q); 1572 1573 mutex_lock(&audit_filter_mutex); 1574 if (type == AUDIT_LIST) 1575 audit_list(pid, seq, &dest->q); 1576 else 1577 audit_list_rules(pid, seq, &dest->q); 1578 mutex_unlock(&audit_filter_mutex); 1579 1580 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1581 if (IS_ERR(tsk)) { 1582 skb_queue_purge(&dest->q); 1583 kfree(dest); 1584 err = PTR_ERR(tsk); 1585 } 1586 break; 1587 case AUDIT_ADD: 1588 case AUDIT_ADD_RULE: 1589 if (type == AUDIT_ADD) 1590 entry = audit_rule_to_entry(data); 1591 else 1592 entry = audit_data_to_entry(data, datasz); 1593 if (IS_ERR(entry)) 1594 return PTR_ERR(entry); 1595 1596 err = audit_add_rule(entry, 1597 &audit_filter_list[entry->rule.listnr]); 1598 audit_log_rule_change(loginuid, sessionid, sid, "add", 1599 &entry->rule, !err); 1600 1601 if (err) 1602 audit_free_rule(entry); 1603 break; 1604 case AUDIT_DEL: 1605 case AUDIT_DEL_RULE: 1606 if (type == AUDIT_DEL) 1607 entry = audit_rule_to_entry(data); 1608 else 1609 entry = audit_data_to_entry(data, datasz); 1610 if (IS_ERR(entry)) 1611 return PTR_ERR(entry); 1612 1613 err = audit_del_rule(entry, 1614 &audit_filter_list[entry->rule.listnr]); 1615 audit_log_rule_change(loginuid, sessionid, sid, "remove", 1616 &entry->rule, !err); 1617 1618 audit_free_rule(entry); 1619 break; 1620 default: 1621 return -EINVAL; 1622 } 1623 1624 return err; 1625 } 1626 1627 int audit_comparator(const u32 left, const u32 op, const u32 right) 1628 { 1629 switch (op) { 1630 case AUDIT_EQUAL: 1631 return (left == right); 1632 case AUDIT_NOT_EQUAL: 1633 return (left != right); 1634 case AUDIT_LESS_THAN: 1635 return (left < right); 1636 case AUDIT_LESS_THAN_OR_EQUAL: 1637 return (left <= right); 1638 case AUDIT_GREATER_THAN: 1639 return (left > right); 1640 case AUDIT_GREATER_THAN_OR_EQUAL: 1641 return (left >= right); 1642 case AUDIT_BIT_MASK: 1643 return (left & right); 1644 case AUDIT_BIT_TEST: 1645 return ((left & right) == right); 1646 } 1647 BUG(); 1648 return 0; 1649 } 1650 1651 /* Compare given dentry name with last component in given path, 1652 * return of 0 indicates a match. */ 1653 int audit_compare_dname_path(const char *dname, const char *path, 1654 int *dirlen) 1655 { 1656 int dlen, plen; 1657 const char *p; 1658 1659 if (!dname || !path) 1660 return 1; 1661 1662 dlen = strlen(dname); 1663 plen = strlen(path); 1664 if (plen < dlen) 1665 return 1; 1666 1667 /* disregard trailing slashes */ 1668 p = path + plen - 1; 1669 while ((*p == '/') && (p > path)) 1670 p--; 1671 1672 /* find last path component */ 1673 p = p - dlen + 1; 1674 if (p < path) 1675 return 1; 1676 else if (p > path) { 1677 if (*--p != '/') 1678 return 1; 1679 else 1680 p++; 1681 } 1682 1683 /* return length of path's directory component */ 1684 if (dirlen) 1685 *dirlen = p - path; 1686 return strncmp(p, dname, dlen); 1687 } 1688 1689 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1690 struct audit_krule *rule, 1691 enum audit_state *state) 1692 { 1693 int i; 1694 1695 for (i = 0; i < rule->field_count; i++) { 1696 struct audit_field *f = &rule->fields[i]; 1697 int result = 0; 1698 1699 switch (f->type) { 1700 case AUDIT_PID: 1701 result = audit_comparator(cb->creds.pid, f->op, f->val); 1702 break; 1703 case AUDIT_UID: 1704 result = audit_comparator(cb->creds.uid, f->op, f->val); 1705 break; 1706 case AUDIT_GID: 1707 result = audit_comparator(cb->creds.gid, f->op, f->val); 1708 break; 1709 case AUDIT_LOGINUID: 1710 result = audit_comparator(cb->loginuid, f->op, f->val); 1711 break; 1712 } 1713 1714 if (!result) 1715 return 0; 1716 } 1717 switch (rule->action) { 1718 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1719 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1720 } 1721 return 1; 1722 } 1723 1724 int audit_filter_user(struct netlink_skb_parms *cb) 1725 { 1726 enum audit_state state = AUDIT_DISABLED; 1727 struct audit_entry *e; 1728 int ret = 1; 1729 1730 rcu_read_lock(); 1731 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1732 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1733 if (state == AUDIT_DISABLED) 1734 ret = 0; 1735 break; 1736 } 1737 } 1738 rcu_read_unlock(); 1739 1740 return ret; /* Audit by default */ 1741 } 1742 1743 int audit_filter_type(int type) 1744 { 1745 struct audit_entry *e; 1746 int result = 0; 1747 1748 rcu_read_lock(); 1749 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1750 goto unlock_and_return; 1751 1752 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1753 list) { 1754 int i; 1755 for (i = 0; i < e->rule.field_count; i++) { 1756 struct audit_field *f = &e->rule.fields[i]; 1757 if (f->type == AUDIT_MSGTYPE) { 1758 result = audit_comparator(type, f->op, f->val); 1759 if (!result) 1760 break; 1761 } 1762 } 1763 if (result) 1764 goto unlock_and_return; 1765 } 1766 unlock_and_return: 1767 rcu_read_unlock(); 1768 return result; 1769 } 1770 1771 /* This function will re-initialize the lsm_rule field of all applicable rules. 1772 * It will traverse the filter lists serarching for rules that contain LSM 1773 * specific filter fields. When such a rule is found, it is copied, the 1774 * LSM field is re-initialized, and the old rule is replaced with the 1775 * updated rule. */ 1776 int audit_update_lsm_rules(void) 1777 { 1778 struct audit_entry *entry, *n, *nentry; 1779 struct audit_watch *watch; 1780 struct audit_tree *tree; 1781 int i, err = 0; 1782 1783 /* audit_filter_mutex synchronizes the writers */ 1784 mutex_lock(&audit_filter_mutex); 1785 1786 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1787 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1788 if (!security_audit_rule_known(&entry->rule)) 1789 continue; 1790 1791 watch = entry->rule.watch; 1792 tree = entry->rule.tree; 1793 nentry = audit_dupe_rule(&entry->rule, watch); 1794 if (IS_ERR(nentry)) { 1795 /* save the first error encountered for the 1796 * return value */ 1797 if (!err) 1798 err = PTR_ERR(nentry); 1799 audit_panic("error updating LSM filters"); 1800 if (watch) 1801 list_del(&entry->rule.rlist); 1802 list_del_rcu(&entry->list); 1803 } else { 1804 if (watch) { 1805 list_add(&nentry->rule.rlist, 1806 &watch->rules); 1807 list_del(&entry->rule.rlist); 1808 } else if (tree) 1809 list_replace_init(&entry->rule.rlist, 1810 &nentry->rule.rlist); 1811 list_replace_rcu(&entry->list, &nentry->list); 1812 } 1813 call_rcu(&entry->rcu, audit_free_rule_rcu); 1814 } 1815 } 1816 1817 mutex_unlock(&audit_filter_mutex); 1818 1819 return err; 1820 } 1821 1822 /* Update watch data in audit rules based on inotify events. */ 1823 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1824 u32 cookie, const char *dname, struct inode *inode) 1825 { 1826 struct audit_parent *parent; 1827 1828 parent = container_of(i_watch, struct audit_parent, wdata); 1829 1830 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1831 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1832 inode->i_ino, 0); 1833 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1834 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1835 /* inotify automatically removes the watch and sends IN_IGNORED */ 1836 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1837 audit_remove_parent_watches(parent); 1838 /* inotify does not remove the watch, so remove it manually */ 1839 else if(mask & IN_MOVE_SELF) { 1840 audit_remove_parent_watches(parent); 1841 inotify_remove_watch_locked(audit_ih, i_watch); 1842 } else if (mask & IN_IGNORED) 1843 put_inotify_watch(i_watch); 1844 } 1845