1 /* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22 #include <linux/kernel.h> 23 #include <linux/audit.h> 24 #include <linux/kthread.h> 25 #include <linux/mutex.h> 26 #include <linux/fs.h> 27 #include <linux/namei.h> 28 #include <linux/netlink.h> 29 #include <linux/sched.h> 30 #include <linux/inotify.h> 31 #include <linux/selinux.h> 32 #include "audit.h" 33 34 /* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47 /* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59 struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64 }; 65 66 /* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75 #define AUDIT_PARENT_INVALID 0x001 76 77 /* Audit filter lists, defined in <linux/audit.h> */ 78 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85 #if AUDIT_NR_FILTERS != 6 86 #error Fix audit_filter_list initialiser 87 #endif 88 }; 89 90 static DEFINE_MUTEX(audit_filter_mutex); 91 92 /* Inotify handle */ 93 extern struct inotify_handle *audit_ih; 94 95 /* Inotify events we care about. */ 96 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98 void audit_free_parent(struct inotify_watch *i_watch) 99 { 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105 } 106 107 static inline void audit_get_watch(struct audit_watch *watch) 108 { 109 atomic_inc(&watch->count); 110 } 111 112 static void audit_put_watch(struct audit_watch *watch) 113 { 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120 } 121 122 static void audit_remove_watch(struct audit_watch *watch) 123 { 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128 } 129 130 static inline void audit_free_rule(struct audit_entry *e) 131 { 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e); 145 } 146 147 static inline void audit_free_rule_rcu(struct rcu_head *head) 148 { 149 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 150 audit_free_rule(e); 151 } 152 153 /* Initialize a parent watch entry. */ 154 static struct audit_parent *audit_init_parent(struct nameidata *ndp) 155 { 156 struct audit_parent *parent; 157 s32 wd; 158 159 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 160 if (unlikely(!parent)) 161 return ERR_PTR(-ENOMEM); 162 163 INIT_LIST_HEAD(&parent->watches); 164 parent->flags = 0; 165 166 inotify_init_watch(&parent->wdata); 167 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 168 get_inotify_watch(&parent->wdata); 169 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 170 AUDIT_IN_WATCH); 171 if (wd < 0) { 172 audit_free_parent(&parent->wdata); 173 return ERR_PTR(wd); 174 } 175 176 return parent; 177 } 178 179 /* Initialize a watch entry. */ 180 static struct audit_watch *audit_init_watch(char *path) 181 { 182 struct audit_watch *watch; 183 184 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 185 if (unlikely(!watch)) 186 return ERR_PTR(-ENOMEM); 187 188 INIT_LIST_HEAD(&watch->rules); 189 atomic_set(&watch->count, 1); 190 watch->path = path; 191 watch->dev = (dev_t)-1; 192 watch->ino = (unsigned long)-1; 193 194 return watch; 195 } 196 197 /* Initialize an audit filterlist entry. */ 198 static inline struct audit_entry *audit_init_entry(u32 field_count) 199 { 200 struct audit_entry *entry; 201 struct audit_field *fields; 202 203 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 204 if (unlikely(!entry)) 205 return NULL; 206 207 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 208 if (unlikely(!fields)) { 209 kfree(entry); 210 return NULL; 211 } 212 entry->rule.fields = fields; 213 214 return entry; 215 } 216 217 /* Unpack a filter field's string representation from user-space 218 * buffer. */ 219 static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 220 { 221 char *str; 222 223 if (!*bufp || (len == 0) || (len > *remain)) 224 return ERR_PTR(-EINVAL); 225 226 /* Of the currently implemented string fields, PATH_MAX 227 * defines the longest valid length. 228 */ 229 if (len > PATH_MAX) 230 return ERR_PTR(-ENAMETOOLONG); 231 232 str = kmalloc(len + 1, GFP_KERNEL); 233 if (unlikely(!str)) 234 return ERR_PTR(-ENOMEM); 235 236 memcpy(str, *bufp, len); 237 str[len] = 0; 238 *bufp += len; 239 *remain -= len; 240 241 return str; 242 } 243 244 /* Translate an inode field to kernel respresentation. */ 245 static inline int audit_to_inode(struct audit_krule *krule, 246 struct audit_field *f) 247 { 248 if (krule->listnr != AUDIT_FILTER_EXIT || 249 krule->watch || krule->inode_f) 250 return -EINVAL; 251 252 krule->inode_f = f; 253 return 0; 254 } 255 256 /* Translate a watch string to kernel respresentation. */ 257 static int audit_to_watch(struct audit_krule *krule, char *path, int len, 258 u32 op) 259 { 260 struct audit_watch *watch; 261 262 if (!audit_ih) 263 return -EOPNOTSUPP; 264 265 if (path[0] != '/' || path[len-1] == '/' || 266 krule->listnr != AUDIT_FILTER_EXIT || 267 op & ~AUDIT_EQUAL || 268 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 269 return -EINVAL; 270 271 watch = audit_init_watch(path); 272 if (unlikely(IS_ERR(watch))) 273 return PTR_ERR(watch); 274 275 audit_get_watch(watch); 276 krule->watch = watch; 277 278 return 0; 279 } 280 281 /* Common user-space to kernel rule translation. */ 282 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 283 { 284 unsigned listnr; 285 struct audit_entry *entry; 286 int i, err; 287 288 err = -EINVAL; 289 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 290 switch(listnr) { 291 default: 292 goto exit_err; 293 case AUDIT_FILTER_USER: 294 case AUDIT_FILTER_TYPE: 295 #ifdef CONFIG_AUDITSYSCALL 296 case AUDIT_FILTER_ENTRY: 297 case AUDIT_FILTER_EXIT: 298 case AUDIT_FILTER_TASK: 299 #endif 300 ; 301 } 302 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 303 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 304 goto exit_err; 305 } 306 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 307 goto exit_err; 308 if (rule->field_count > AUDIT_MAX_FIELDS) 309 goto exit_err; 310 311 err = -ENOMEM; 312 entry = audit_init_entry(rule->field_count); 313 if (!entry) 314 goto exit_err; 315 316 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 317 entry->rule.listnr = listnr; 318 entry->rule.action = rule->action; 319 entry->rule.field_count = rule->field_count; 320 321 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 322 entry->rule.mask[i] = rule->mask[i]; 323 324 return entry; 325 326 exit_err: 327 return ERR_PTR(err); 328 } 329 330 /* Translate struct audit_rule to kernel's rule respresentation. 331 * Exists for backward compatibility with userspace. */ 332 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 333 { 334 struct audit_entry *entry; 335 struct audit_field *f; 336 int err = 0; 337 int i; 338 339 entry = audit_to_entry_common(rule); 340 if (IS_ERR(entry)) 341 goto exit_nofree; 342 343 for (i = 0; i < rule->field_count; i++) { 344 struct audit_field *f = &entry->rule.fields[i]; 345 346 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 347 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 348 f->val = rule->values[i]; 349 350 err = -EINVAL; 351 switch(f->type) { 352 default: 353 goto exit_free; 354 case AUDIT_PID: 355 case AUDIT_UID: 356 case AUDIT_EUID: 357 case AUDIT_SUID: 358 case AUDIT_FSUID: 359 case AUDIT_GID: 360 case AUDIT_EGID: 361 case AUDIT_SGID: 362 case AUDIT_FSGID: 363 case AUDIT_LOGINUID: 364 case AUDIT_PERS: 365 case AUDIT_ARCH: 366 case AUDIT_MSGTYPE: 367 case AUDIT_DEVMAJOR: 368 case AUDIT_DEVMINOR: 369 case AUDIT_EXIT: 370 case AUDIT_SUCCESS: 371 case AUDIT_ARG0: 372 case AUDIT_ARG1: 373 case AUDIT_ARG2: 374 case AUDIT_ARG3: 375 break; 376 case AUDIT_INODE: 377 err = audit_to_inode(&entry->rule, f); 378 if (err) 379 goto exit_free; 380 break; 381 } 382 383 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 384 385 /* Support for legacy operators where 386 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 387 if (f->op & AUDIT_NEGATE) 388 f->op = AUDIT_NOT_EQUAL; 389 else if (!f->op) 390 f->op = AUDIT_EQUAL; 391 else if (f->op == AUDIT_OPERATORS) { 392 err = -EINVAL; 393 goto exit_free; 394 } 395 } 396 397 f = entry->rule.inode_f; 398 if (f) { 399 switch(f->op) { 400 case AUDIT_NOT_EQUAL: 401 entry->rule.inode_f = NULL; 402 case AUDIT_EQUAL: 403 break; 404 default: 405 goto exit_free; 406 } 407 } 408 409 exit_nofree: 410 return entry; 411 412 exit_free: 413 audit_free_rule(entry); 414 return ERR_PTR(err); 415 } 416 417 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 418 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 419 size_t datasz) 420 { 421 int err = 0; 422 struct audit_entry *entry; 423 struct audit_field *f; 424 void *bufp; 425 size_t remain = datasz - sizeof(struct audit_rule_data); 426 int i; 427 char *str; 428 429 entry = audit_to_entry_common((struct audit_rule *)data); 430 if (IS_ERR(entry)) 431 goto exit_nofree; 432 433 bufp = data->buf; 434 entry->rule.vers_ops = 2; 435 for (i = 0; i < data->field_count; i++) { 436 struct audit_field *f = &entry->rule.fields[i]; 437 438 err = -EINVAL; 439 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 440 data->fieldflags[i] & ~AUDIT_OPERATORS) 441 goto exit_free; 442 443 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 444 f->type = data->fields[i]; 445 f->val = data->values[i]; 446 f->se_str = NULL; 447 f->se_rule = NULL; 448 switch(f->type) { 449 case AUDIT_PID: 450 case AUDIT_UID: 451 case AUDIT_EUID: 452 case AUDIT_SUID: 453 case AUDIT_FSUID: 454 case AUDIT_GID: 455 case AUDIT_EGID: 456 case AUDIT_SGID: 457 case AUDIT_FSGID: 458 case AUDIT_LOGINUID: 459 case AUDIT_PERS: 460 case AUDIT_ARCH: 461 case AUDIT_MSGTYPE: 462 case AUDIT_PPID: 463 case AUDIT_DEVMAJOR: 464 case AUDIT_DEVMINOR: 465 case AUDIT_EXIT: 466 case AUDIT_SUCCESS: 467 case AUDIT_ARG0: 468 case AUDIT_ARG1: 469 case AUDIT_ARG2: 470 case AUDIT_ARG3: 471 break; 472 case AUDIT_SE_USER: 473 case AUDIT_SE_ROLE: 474 case AUDIT_SE_TYPE: 475 case AUDIT_SE_SEN: 476 case AUDIT_SE_CLR: 477 str = audit_unpack_string(&bufp, &remain, f->val); 478 if (IS_ERR(str)) 479 goto exit_free; 480 entry->rule.buflen += f->val; 481 482 err = selinux_audit_rule_init(f->type, f->op, str, 483 &f->se_rule); 484 /* Keep currently invalid fields around in case they 485 * become valid after a policy reload. */ 486 if (err == -EINVAL) { 487 printk(KERN_WARNING "audit rule for selinux " 488 "\'%s\' is invalid\n", str); 489 err = 0; 490 } 491 if (err) { 492 kfree(str); 493 goto exit_free; 494 } else 495 f->se_str = str; 496 break; 497 case AUDIT_WATCH: 498 str = audit_unpack_string(&bufp, &remain, f->val); 499 if (IS_ERR(str)) 500 goto exit_free; 501 entry->rule.buflen += f->val; 502 503 err = audit_to_watch(&entry->rule, str, f->val, f->op); 504 if (err) { 505 kfree(str); 506 goto exit_free; 507 } 508 break; 509 case AUDIT_INODE: 510 err = audit_to_inode(&entry->rule, f); 511 if (err) 512 goto exit_free; 513 break; 514 default: 515 goto exit_free; 516 } 517 } 518 519 f = entry->rule.inode_f; 520 if (f) { 521 switch(f->op) { 522 case AUDIT_NOT_EQUAL: 523 entry->rule.inode_f = NULL; 524 case AUDIT_EQUAL: 525 break; 526 default: 527 goto exit_free; 528 } 529 } 530 531 exit_nofree: 532 return entry; 533 534 exit_free: 535 audit_free_rule(entry); 536 return ERR_PTR(err); 537 } 538 539 /* Pack a filter field's string representation into data block. */ 540 static inline size_t audit_pack_string(void **bufp, char *str) 541 { 542 size_t len = strlen(str); 543 544 memcpy(*bufp, str, len); 545 *bufp += len; 546 547 return len; 548 } 549 550 /* Translate kernel rule respresentation to struct audit_rule. 551 * Exists for backward compatibility with userspace. */ 552 static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 553 { 554 struct audit_rule *rule; 555 int i; 556 557 rule = kmalloc(sizeof(*rule), GFP_KERNEL); 558 if (unlikely(!rule)) 559 return NULL; 560 memset(rule, 0, sizeof(*rule)); 561 562 rule->flags = krule->flags | krule->listnr; 563 rule->action = krule->action; 564 rule->field_count = krule->field_count; 565 for (i = 0; i < rule->field_count; i++) { 566 rule->values[i] = krule->fields[i].val; 567 rule->fields[i] = krule->fields[i].type; 568 569 if (krule->vers_ops == 1) { 570 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 571 rule->fields[i] |= AUDIT_NEGATE; 572 } else { 573 rule->fields[i] |= krule->fields[i].op; 574 } 575 } 576 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 577 578 return rule; 579 } 580 581 /* Translate kernel rule respresentation to struct audit_rule_data. */ 582 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 583 { 584 struct audit_rule_data *data; 585 void *bufp; 586 int i; 587 588 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 589 if (unlikely(!data)) 590 return NULL; 591 memset(data, 0, sizeof(*data)); 592 593 data->flags = krule->flags | krule->listnr; 594 data->action = krule->action; 595 data->field_count = krule->field_count; 596 bufp = data->buf; 597 for (i = 0; i < data->field_count; i++) { 598 struct audit_field *f = &krule->fields[i]; 599 600 data->fields[i] = f->type; 601 data->fieldflags[i] = f->op; 602 switch(f->type) { 603 case AUDIT_SE_USER: 604 case AUDIT_SE_ROLE: 605 case AUDIT_SE_TYPE: 606 case AUDIT_SE_SEN: 607 case AUDIT_SE_CLR: 608 data->buflen += data->values[i] = 609 audit_pack_string(&bufp, f->se_str); 610 break; 611 case AUDIT_WATCH: 612 data->buflen += data->values[i] = 613 audit_pack_string(&bufp, krule->watch->path); 614 break; 615 default: 616 data->values[i] = f->val; 617 } 618 } 619 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 620 621 return data; 622 } 623 624 /* Compare two rules in kernel format. Considered success if rules 625 * don't match. */ 626 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 627 { 628 int i; 629 630 if (a->flags != b->flags || 631 a->listnr != b->listnr || 632 a->action != b->action || 633 a->field_count != b->field_count) 634 return 1; 635 636 for (i = 0; i < a->field_count; i++) { 637 if (a->fields[i].type != b->fields[i].type || 638 a->fields[i].op != b->fields[i].op) 639 return 1; 640 641 switch(a->fields[i].type) { 642 case AUDIT_SE_USER: 643 case AUDIT_SE_ROLE: 644 case AUDIT_SE_TYPE: 645 case AUDIT_SE_SEN: 646 case AUDIT_SE_CLR: 647 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 648 return 1; 649 break; 650 case AUDIT_WATCH: 651 if (strcmp(a->watch->path, b->watch->path)) 652 return 1; 653 break; 654 default: 655 if (a->fields[i].val != b->fields[i].val) 656 return 1; 657 } 658 } 659 660 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 661 if (a->mask[i] != b->mask[i]) 662 return 1; 663 664 return 0; 665 } 666 667 /* Duplicate the given audit watch. The new watch's rules list is initialized 668 * to an empty list and wlist is undefined. */ 669 static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 670 { 671 char *path; 672 struct audit_watch *new; 673 674 path = kstrdup(old->path, GFP_KERNEL); 675 if (unlikely(!path)) 676 return ERR_PTR(-ENOMEM); 677 678 new = audit_init_watch(path); 679 if (unlikely(IS_ERR(new))) { 680 kfree(path); 681 goto out; 682 } 683 684 new->dev = old->dev; 685 new->ino = old->ino; 686 get_inotify_watch(&old->parent->wdata); 687 new->parent = old->parent; 688 689 out: 690 return new; 691 } 692 693 /* Duplicate selinux field information. The se_rule is opaque, so must be 694 * re-initialized. */ 695 static inline int audit_dupe_selinux_field(struct audit_field *df, 696 struct audit_field *sf) 697 { 698 int ret = 0; 699 char *se_str; 700 701 /* our own copy of se_str */ 702 se_str = kstrdup(sf->se_str, GFP_KERNEL); 703 if (unlikely(IS_ERR(se_str))) 704 return -ENOMEM; 705 df->se_str = se_str; 706 707 /* our own (refreshed) copy of se_rule */ 708 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 709 &df->se_rule); 710 /* Keep currently invalid fields around in case they 711 * become valid after a policy reload. */ 712 if (ret == -EINVAL) { 713 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 714 "invalid\n", df->se_str); 715 ret = 0; 716 } 717 718 return ret; 719 } 720 721 /* Duplicate an audit rule. This will be a deep copy with the exception 722 * of the watch - that pointer is carried over. The selinux specific fields 723 * will be updated in the copy. The point is to be able to replace the old 724 * rule with the new rule in the filterlist, then free the old rule. 725 * The rlist element is undefined; list manipulations are handled apart from 726 * the initial copy. */ 727 static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 728 struct audit_watch *watch) 729 { 730 u32 fcount = old->field_count; 731 struct audit_entry *entry; 732 struct audit_krule *new; 733 int i, err = 0; 734 735 entry = audit_init_entry(fcount); 736 if (unlikely(!entry)) 737 return ERR_PTR(-ENOMEM); 738 739 new = &entry->rule; 740 new->vers_ops = old->vers_ops; 741 new->flags = old->flags; 742 new->listnr = old->listnr; 743 new->action = old->action; 744 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 745 new->mask[i] = old->mask[i]; 746 new->buflen = old->buflen; 747 new->inode_f = old->inode_f; 748 new->watch = NULL; 749 new->field_count = old->field_count; 750 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 751 752 /* deep copy this information, updating the se_rule fields, because 753 * the originals will all be freed when the old rule is freed. */ 754 for (i = 0; i < fcount; i++) { 755 switch (new->fields[i].type) { 756 case AUDIT_SE_USER: 757 case AUDIT_SE_ROLE: 758 case AUDIT_SE_TYPE: 759 case AUDIT_SE_SEN: 760 case AUDIT_SE_CLR: 761 err = audit_dupe_selinux_field(&new->fields[i], 762 &old->fields[i]); 763 } 764 if (err) { 765 audit_free_rule(entry); 766 return ERR_PTR(err); 767 } 768 } 769 770 if (watch) { 771 audit_get_watch(watch); 772 new->watch = watch; 773 } 774 775 return entry; 776 } 777 778 /* Update inode info in audit rules based on filesystem event. */ 779 static void audit_update_watch(struct audit_parent *parent, 780 const char *dname, dev_t dev, 781 unsigned long ino, unsigned invalidating) 782 { 783 struct audit_watch *owatch, *nwatch, *nextw; 784 struct audit_krule *r, *nextr; 785 struct audit_entry *oentry, *nentry; 786 struct audit_buffer *ab; 787 788 mutex_lock(&audit_filter_mutex); 789 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 790 if (audit_compare_dname_path(dname, owatch->path, NULL)) 791 continue; 792 793 /* If the update involves invalidating rules, do the inode-based 794 * filtering now, so we don't omit records. */ 795 if (invalidating && 796 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 797 audit_set_auditable(current->audit_context); 798 799 nwatch = audit_dupe_watch(owatch); 800 if (unlikely(IS_ERR(nwatch))) { 801 mutex_unlock(&audit_filter_mutex); 802 audit_panic("error updating watch, skipping"); 803 return; 804 } 805 nwatch->dev = dev; 806 nwatch->ino = ino; 807 808 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 809 810 oentry = container_of(r, struct audit_entry, rule); 811 list_del(&oentry->rule.rlist); 812 list_del_rcu(&oentry->list); 813 814 nentry = audit_dupe_rule(&oentry->rule, nwatch); 815 if (unlikely(IS_ERR(nentry))) 816 audit_panic("error updating watch, removing"); 817 else { 818 int h = audit_hash_ino((u32)ino); 819 list_add(&nentry->rule.rlist, &nwatch->rules); 820 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 821 } 822 823 call_rcu(&oentry->rcu, audit_free_rule_rcu); 824 } 825 826 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 827 audit_log_format(ab, "audit updated rules specifying watch="); 828 audit_log_untrustedstring(ab, owatch->path); 829 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 830 audit_log_end(ab); 831 832 audit_remove_watch(owatch); 833 goto add_watch_to_parent; /* event applies to a single watch */ 834 } 835 mutex_unlock(&audit_filter_mutex); 836 return; 837 838 add_watch_to_parent: 839 list_add(&nwatch->wlist, &parent->watches); 840 mutex_unlock(&audit_filter_mutex); 841 return; 842 } 843 844 /* Remove all watches & rules associated with a parent that is going away. */ 845 static void audit_remove_parent_watches(struct audit_parent *parent) 846 { 847 struct audit_watch *w, *nextw; 848 struct audit_krule *r, *nextr; 849 struct audit_entry *e; 850 851 mutex_lock(&audit_filter_mutex); 852 parent->flags |= AUDIT_PARENT_INVALID; 853 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 854 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 855 e = container_of(r, struct audit_entry, rule); 856 list_del(&r->rlist); 857 list_del_rcu(&e->list); 858 call_rcu(&e->rcu, audit_free_rule_rcu); 859 860 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 861 "audit implicitly removed rule from list=%d\n", 862 AUDIT_FILTER_EXIT); 863 } 864 audit_remove_watch(w); 865 } 866 mutex_unlock(&audit_filter_mutex); 867 } 868 869 /* Unregister inotify watches for parents on in_list. 870 * Generates an IN_IGNORED event. */ 871 static void audit_inotify_unregister(struct list_head *in_list) 872 { 873 struct audit_parent *p, *n; 874 875 list_for_each_entry_safe(p, n, in_list, ilist) { 876 list_del(&p->ilist); 877 inotify_rm_watch(audit_ih, &p->wdata); 878 /* the put matching the get in audit_do_del_rule() */ 879 put_inotify_watch(&p->wdata); 880 } 881 } 882 883 /* Find an existing audit rule. 884 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 885 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 886 struct list_head *list) 887 { 888 struct audit_entry *e, *found = NULL; 889 int h; 890 891 if (entry->rule.watch) { 892 /* we don't know the inode number, so must walk entire hash */ 893 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 894 list = &audit_inode_hash[h]; 895 list_for_each_entry(e, list, list) 896 if (!audit_compare_rule(&entry->rule, &e->rule)) { 897 found = e; 898 goto out; 899 } 900 } 901 goto out; 902 } 903 904 list_for_each_entry(e, list, list) 905 if (!audit_compare_rule(&entry->rule, &e->rule)) { 906 found = e; 907 goto out; 908 } 909 910 out: 911 return found; 912 } 913 914 /* Get path information necessary for adding watches. */ 915 static int audit_get_nd(char *path, struct nameidata **ndp, 916 struct nameidata **ndw) 917 { 918 struct nameidata *ndparent, *ndwatch; 919 int err; 920 921 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 922 if (unlikely(!ndparent)) 923 return -ENOMEM; 924 925 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 926 if (unlikely(!ndwatch)) { 927 kfree(ndparent); 928 return -ENOMEM; 929 } 930 931 err = path_lookup(path, LOOKUP_PARENT, ndparent); 932 if (err) { 933 kfree(ndparent); 934 kfree(ndwatch); 935 return err; 936 } 937 938 err = path_lookup(path, 0, ndwatch); 939 if (err) { 940 kfree(ndwatch); 941 ndwatch = NULL; 942 } 943 944 *ndp = ndparent; 945 *ndw = ndwatch; 946 947 return 0; 948 } 949 950 /* Release resources used for watch path information. */ 951 static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 952 { 953 if (ndp) { 954 path_release(ndp); 955 kfree(ndp); 956 } 957 if (ndw) { 958 path_release(ndw); 959 kfree(ndw); 960 } 961 } 962 963 /* Associate the given rule with an existing parent inotify_watch. 964 * Caller must hold audit_filter_mutex. */ 965 static void audit_add_to_parent(struct audit_krule *krule, 966 struct audit_parent *parent) 967 { 968 struct audit_watch *w, *watch = krule->watch; 969 int watch_found = 0; 970 971 list_for_each_entry(w, &parent->watches, wlist) { 972 if (strcmp(watch->path, w->path)) 973 continue; 974 975 watch_found = 1; 976 977 /* put krule's and initial refs to temporary watch */ 978 audit_put_watch(watch); 979 audit_put_watch(watch); 980 981 audit_get_watch(w); 982 krule->watch = watch = w; 983 break; 984 } 985 986 if (!watch_found) { 987 get_inotify_watch(&parent->wdata); 988 watch->parent = parent; 989 990 list_add(&watch->wlist, &parent->watches); 991 } 992 list_add(&krule->rlist, &watch->rules); 993 } 994 995 /* Find a matching watch entry, or add this one. 996 * Caller must hold audit_filter_mutex. */ 997 static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 998 struct nameidata *ndw) 999 { 1000 struct audit_watch *watch = krule->watch; 1001 struct inotify_watch *i_watch; 1002 struct audit_parent *parent; 1003 int ret = 0; 1004 1005 /* update watch filter fields */ 1006 if (ndw) { 1007 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1008 watch->ino = ndw->dentry->d_inode->i_ino; 1009 } 1010 1011 /* The audit_filter_mutex must not be held during inotify calls because 1012 * we hold it during inotify event callback processing. If an existing 1013 * inotify watch is found, inotify_find_watch() grabs a reference before 1014 * returning. 1015 */ 1016 mutex_unlock(&audit_filter_mutex); 1017 1018 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1019 parent = audit_init_parent(ndp); 1020 if (IS_ERR(parent)) { 1021 /* caller expects mutex locked */ 1022 mutex_lock(&audit_filter_mutex); 1023 return PTR_ERR(parent); 1024 } 1025 } else 1026 parent = container_of(i_watch, struct audit_parent, wdata); 1027 1028 mutex_lock(&audit_filter_mutex); 1029 1030 /* parent was moved before we took audit_filter_mutex */ 1031 if (parent->flags & AUDIT_PARENT_INVALID) 1032 ret = -ENOENT; 1033 else 1034 audit_add_to_parent(krule, parent); 1035 1036 /* match get in audit_init_parent or inotify_find_watch */ 1037 put_inotify_watch(&parent->wdata); 1038 return ret; 1039 } 1040 1041 /* Add rule to given filterlist if not a duplicate. */ 1042 static inline int audit_add_rule(struct audit_entry *entry, 1043 struct list_head *list) 1044 { 1045 struct audit_entry *e; 1046 struct audit_field *inode_f = entry->rule.inode_f; 1047 struct audit_watch *watch = entry->rule.watch; 1048 struct nameidata *ndp, *ndw; 1049 int h, err, putnd_needed = 0; 1050 1051 if (inode_f) { 1052 h = audit_hash_ino(inode_f->val); 1053 list = &audit_inode_hash[h]; 1054 } 1055 1056 mutex_lock(&audit_filter_mutex); 1057 e = audit_find_rule(entry, list); 1058 mutex_unlock(&audit_filter_mutex); 1059 if (e) { 1060 err = -EEXIST; 1061 goto error; 1062 } 1063 1064 /* Avoid calling path_lookup under audit_filter_mutex. */ 1065 if (watch) { 1066 err = audit_get_nd(watch->path, &ndp, &ndw); 1067 if (err) 1068 goto error; 1069 putnd_needed = 1; 1070 } 1071 1072 mutex_lock(&audit_filter_mutex); 1073 if (watch) { 1074 /* audit_filter_mutex is dropped and re-taken during this call */ 1075 err = audit_add_watch(&entry->rule, ndp, ndw); 1076 if (err) { 1077 mutex_unlock(&audit_filter_mutex); 1078 goto error; 1079 } 1080 h = audit_hash_ino((u32)watch->ino); 1081 list = &audit_inode_hash[h]; 1082 } 1083 1084 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1085 list_add_rcu(&entry->list, list); 1086 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1087 } else { 1088 list_add_tail_rcu(&entry->list, list); 1089 } 1090 mutex_unlock(&audit_filter_mutex); 1091 1092 if (putnd_needed) 1093 audit_put_nd(ndp, ndw); 1094 1095 return 0; 1096 1097 error: 1098 if (putnd_needed) 1099 audit_put_nd(ndp, ndw); 1100 if (watch) 1101 audit_put_watch(watch); /* tmp watch, matches initial get */ 1102 return err; 1103 } 1104 1105 /* Remove an existing rule from filterlist. */ 1106 static inline int audit_del_rule(struct audit_entry *entry, 1107 struct list_head *list) 1108 { 1109 struct audit_entry *e; 1110 struct audit_field *inode_f = entry->rule.inode_f; 1111 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1112 LIST_HEAD(inotify_list); 1113 int h, ret = 0; 1114 1115 if (inode_f) { 1116 h = audit_hash_ino(inode_f->val); 1117 list = &audit_inode_hash[h]; 1118 } 1119 1120 mutex_lock(&audit_filter_mutex); 1121 e = audit_find_rule(entry, list); 1122 if (!e) { 1123 mutex_unlock(&audit_filter_mutex); 1124 ret = -ENOENT; 1125 goto out; 1126 } 1127 1128 watch = e->rule.watch; 1129 if (watch) { 1130 struct audit_parent *parent = watch->parent; 1131 1132 list_del(&e->rule.rlist); 1133 1134 if (list_empty(&watch->rules)) { 1135 audit_remove_watch(watch); 1136 1137 if (list_empty(&parent->watches)) { 1138 /* Put parent on the inotify un-registration 1139 * list. Grab a reference before releasing 1140 * audit_filter_mutex, to be released in 1141 * audit_inotify_unregister(). */ 1142 list_add(&parent->ilist, &inotify_list); 1143 get_inotify_watch(&parent->wdata); 1144 } 1145 } 1146 } 1147 1148 list_del_rcu(&e->list); 1149 call_rcu(&e->rcu, audit_free_rule_rcu); 1150 1151 mutex_unlock(&audit_filter_mutex); 1152 1153 if (!list_empty(&inotify_list)) 1154 audit_inotify_unregister(&inotify_list); 1155 1156 out: 1157 if (tmp_watch) 1158 audit_put_watch(tmp_watch); /* match initial get */ 1159 1160 return ret; 1161 } 1162 1163 /* List rules using struct audit_rule. Exists for backward 1164 * compatibility with userspace. */ 1165 static void audit_list(int pid, int seq, struct sk_buff_head *q) 1166 { 1167 struct sk_buff *skb; 1168 struct audit_entry *entry; 1169 int i; 1170 1171 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1172 * iterator to sync with list writers. */ 1173 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1174 list_for_each_entry(entry, &audit_filter_list[i], list) { 1175 struct audit_rule *rule; 1176 1177 rule = audit_krule_to_rule(&entry->rule); 1178 if (unlikely(!rule)) 1179 break; 1180 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1181 rule, sizeof(*rule)); 1182 if (skb) 1183 skb_queue_tail(q, skb); 1184 kfree(rule); 1185 } 1186 } 1187 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1188 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1189 struct audit_rule *rule; 1190 1191 rule = audit_krule_to_rule(&entry->rule); 1192 if (unlikely(!rule)) 1193 break; 1194 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1195 rule, sizeof(*rule)); 1196 if (skb) 1197 skb_queue_tail(q, skb); 1198 kfree(rule); 1199 } 1200 } 1201 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1202 if (skb) 1203 skb_queue_tail(q, skb); 1204 } 1205 1206 /* List rules using struct audit_rule_data. */ 1207 static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1208 { 1209 struct sk_buff *skb; 1210 struct audit_entry *e; 1211 int i; 1212 1213 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1214 * iterator to sync with list writers. */ 1215 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1216 list_for_each_entry(e, &audit_filter_list[i], list) { 1217 struct audit_rule_data *data; 1218 1219 data = audit_krule_to_data(&e->rule); 1220 if (unlikely(!data)) 1221 break; 1222 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1223 data, sizeof(*data) + data->buflen); 1224 if (skb) 1225 skb_queue_tail(q, skb); 1226 kfree(data); 1227 } 1228 } 1229 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1230 list_for_each_entry(e, &audit_inode_hash[i], list) { 1231 struct audit_rule_data *data; 1232 1233 data = audit_krule_to_data(&e->rule); 1234 if (unlikely(!data)) 1235 break; 1236 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1237 data, sizeof(*data) + data->buflen); 1238 if (skb) 1239 skb_queue_tail(q, skb); 1240 kfree(data); 1241 } 1242 } 1243 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1244 if (skb) 1245 skb_queue_tail(q, skb); 1246 } 1247 1248 /** 1249 * audit_receive_filter - apply all rules to the specified message type 1250 * @type: audit message type 1251 * @pid: target pid for netlink audit messages 1252 * @uid: target uid for netlink audit messages 1253 * @seq: netlink audit message sequence (serial) number 1254 * @data: payload data 1255 * @datasz: size of payload data 1256 * @loginuid: loginuid of sender 1257 * @sid: SE Linux Security ID of sender 1258 */ 1259 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1260 size_t datasz, uid_t loginuid, u32 sid) 1261 { 1262 struct task_struct *tsk; 1263 struct audit_netlink_list *dest; 1264 int err = 0; 1265 struct audit_entry *entry; 1266 1267 switch (type) { 1268 case AUDIT_LIST: 1269 case AUDIT_LIST_RULES: 1270 /* We can't just spew out the rules here because we might fill 1271 * the available socket buffer space and deadlock waiting for 1272 * auditctl to read from it... which isn't ever going to 1273 * happen if we're actually running in the context of auditctl 1274 * trying to _send_ the stuff */ 1275 1276 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1277 if (!dest) 1278 return -ENOMEM; 1279 dest->pid = pid; 1280 skb_queue_head_init(&dest->q); 1281 1282 mutex_lock(&audit_filter_mutex); 1283 if (type == AUDIT_LIST) 1284 audit_list(pid, seq, &dest->q); 1285 else 1286 audit_list_rules(pid, seq, &dest->q); 1287 mutex_unlock(&audit_filter_mutex); 1288 1289 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1290 if (IS_ERR(tsk)) { 1291 skb_queue_purge(&dest->q); 1292 kfree(dest); 1293 err = PTR_ERR(tsk); 1294 } 1295 break; 1296 case AUDIT_ADD: 1297 case AUDIT_ADD_RULE: 1298 if (type == AUDIT_ADD) 1299 entry = audit_rule_to_entry(data); 1300 else 1301 entry = audit_data_to_entry(data, datasz); 1302 if (IS_ERR(entry)) 1303 return PTR_ERR(entry); 1304 1305 err = audit_add_rule(entry, 1306 &audit_filter_list[entry->rule.listnr]); 1307 1308 if (sid) { 1309 char *ctx = NULL; 1310 u32 len; 1311 if (selinux_ctxid_to_string(sid, &ctx, &len)) { 1312 /* Maybe call audit_panic? */ 1313 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 1314 "auid=%u ssid=%u add rule to list=%d res=%d", 1315 loginuid, sid, entry->rule.listnr, !err); 1316 } else 1317 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 1318 "auid=%u subj=%s add rule to list=%d res=%d", 1319 loginuid, ctx, entry->rule.listnr, !err); 1320 kfree(ctx); 1321 } else 1322 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 1323 "auid=%u add rule to list=%d res=%d", 1324 loginuid, entry->rule.listnr, !err); 1325 1326 if (err) 1327 audit_free_rule(entry); 1328 break; 1329 case AUDIT_DEL: 1330 case AUDIT_DEL_RULE: 1331 if (type == AUDIT_DEL) 1332 entry = audit_rule_to_entry(data); 1333 else 1334 entry = audit_data_to_entry(data, datasz); 1335 if (IS_ERR(entry)) 1336 return PTR_ERR(entry); 1337 1338 err = audit_del_rule(entry, 1339 &audit_filter_list[entry->rule.listnr]); 1340 1341 if (sid) { 1342 char *ctx = NULL; 1343 u32 len; 1344 if (selinux_ctxid_to_string(sid, &ctx, &len)) { 1345 /* Maybe call audit_panic? */ 1346 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 1347 "auid=%u ssid=%u remove rule from list=%d res=%d", 1348 loginuid, sid, entry->rule.listnr, !err); 1349 } else 1350 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 1351 "auid=%u subj=%s remove rule from list=%d res=%d", 1352 loginuid, ctx, entry->rule.listnr, !err); 1353 kfree(ctx); 1354 } else 1355 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 1356 "auid=%u remove rule from list=%d res=%d", 1357 loginuid, entry->rule.listnr, !err); 1358 1359 audit_free_rule(entry); 1360 break; 1361 default: 1362 return -EINVAL; 1363 } 1364 1365 return err; 1366 } 1367 1368 int audit_comparator(const u32 left, const u32 op, const u32 right) 1369 { 1370 switch (op) { 1371 case AUDIT_EQUAL: 1372 return (left == right); 1373 case AUDIT_NOT_EQUAL: 1374 return (left != right); 1375 case AUDIT_LESS_THAN: 1376 return (left < right); 1377 case AUDIT_LESS_THAN_OR_EQUAL: 1378 return (left <= right); 1379 case AUDIT_GREATER_THAN: 1380 return (left > right); 1381 case AUDIT_GREATER_THAN_OR_EQUAL: 1382 return (left >= right); 1383 } 1384 BUG(); 1385 return 0; 1386 } 1387 1388 /* Compare given dentry name with last component in given path, 1389 * return of 0 indicates a match. */ 1390 int audit_compare_dname_path(const char *dname, const char *path, 1391 int *dirlen) 1392 { 1393 int dlen, plen; 1394 const char *p; 1395 1396 if (!dname || !path) 1397 return 1; 1398 1399 dlen = strlen(dname); 1400 plen = strlen(path); 1401 if (plen < dlen) 1402 return 1; 1403 1404 /* disregard trailing slashes */ 1405 p = path + plen - 1; 1406 while ((*p == '/') && (p > path)) 1407 p--; 1408 1409 /* find last path component */ 1410 p = p - dlen + 1; 1411 if (p < path) 1412 return 1; 1413 else if (p > path) { 1414 if (*--p != '/') 1415 return 1; 1416 else 1417 p++; 1418 } 1419 1420 /* return length of path's directory component */ 1421 if (dirlen) 1422 *dirlen = p - path; 1423 return strncmp(p, dname, dlen); 1424 } 1425 1426 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1427 struct audit_krule *rule, 1428 enum audit_state *state) 1429 { 1430 int i; 1431 1432 for (i = 0; i < rule->field_count; i++) { 1433 struct audit_field *f = &rule->fields[i]; 1434 int result = 0; 1435 1436 switch (f->type) { 1437 case AUDIT_PID: 1438 result = audit_comparator(cb->creds.pid, f->op, f->val); 1439 break; 1440 case AUDIT_UID: 1441 result = audit_comparator(cb->creds.uid, f->op, f->val); 1442 break; 1443 case AUDIT_GID: 1444 result = audit_comparator(cb->creds.gid, f->op, f->val); 1445 break; 1446 case AUDIT_LOGINUID: 1447 result = audit_comparator(cb->loginuid, f->op, f->val); 1448 break; 1449 } 1450 1451 if (!result) 1452 return 0; 1453 } 1454 switch (rule->action) { 1455 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1456 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1457 } 1458 return 1; 1459 } 1460 1461 int audit_filter_user(struct netlink_skb_parms *cb, int type) 1462 { 1463 struct audit_entry *e; 1464 enum audit_state state; 1465 int ret = 1; 1466 1467 rcu_read_lock(); 1468 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1469 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1470 if (state == AUDIT_DISABLED) 1471 ret = 0; 1472 break; 1473 } 1474 } 1475 rcu_read_unlock(); 1476 1477 return ret; /* Audit by default */ 1478 } 1479 1480 int audit_filter_type(int type) 1481 { 1482 struct audit_entry *e; 1483 int result = 0; 1484 1485 rcu_read_lock(); 1486 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1487 goto unlock_and_return; 1488 1489 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1490 list) { 1491 int i; 1492 for (i = 0; i < e->rule.field_count; i++) { 1493 struct audit_field *f = &e->rule.fields[i]; 1494 if (f->type == AUDIT_MSGTYPE) { 1495 result = audit_comparator(type, f->op, f->val); 1496 if (!result) 1497 break; 1498 } 1499 } 1500 if (result) 1501 goto unlock_and_return; 1502 } 1503 unlock_and_return: 1504 rcu_read_unlock(); 1505 return result; 1506 } 1507 1508 /* Check to see if the rule contains any selinux fields. Returns 1 if there 1509 are selinux fields specified in the rule, 0 otherwise. */ 1510 static inline int audit_rule_has_selinux(struct audit_krule *rule) 1511 { 1512 int i; 1513 1514 for (i = 0; i < rule->field_count; i++) { 1515 struct audit_field *f = &rule->fields[i]; 1516 switch (f->type) { 1517 case AUDIT_SE_USER: 1518 case AUDIT_SE_ROLE: 1519 case AUDIT_SE_TYPE: 1520 case AUDIT_SE_SEN: 1521 case AUDIT_SE_CLR: 1522 return 1; 1523 } 1524 } 1525 1526 return 0; 1527 } 1528 1529 /* This function will re-initialize the se_rule field of all applicable rules. 1530 * It will traverse the filter lists serarching for rules that contain selinux 1531 * specific filter fields. When such a rule is found, it is copied, the 1532 * selinux field is re-initialized, and the old rule is replaced with the 1533 * updated rule. */ 1534 int selinux_audit_rule_update(void) 1535 { 1536 struct audit_entry *entry, *n, *nentry; 1537 struct audit_watch *watch; 1538 int i, err = 0; 1539 1540 /* audit_filter_mutex synchronizes the writers */ 1541 mutex_lock(&audit_filter_mutex); 1542 1543 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1544 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1545 if (!audit_rule_has_selinux(&entry->rule)) 1546 continue; 1547 1548 watch = entry->rule.watch; 1549 nentry = audit_dupe_rule(&entry->rule, watch); 1550 if (unlikely(IS_ERR(nentry))) { 1551 /* save the first error encountered for the 1552 * return value */ 1553 if (!err) 1554 err = PTR_ERR(nentry); 1555 audit_panic("error updating selinux filters"); 1556 if (watch) 1557 list_del(&entry->rule.rlist); 1558 list_del_rcu(&entry->list); 1559 } else { 1560 if (watch) { 1561 list_add(&nentry->rule.rlist, 1562 &watch->rules); 1563 list_del(&entry->rule.rlist); 1564 } 1565 list_replace_rcu(&entry->list, &nentry->list); 1566 } 1567 call_rcu(&entry->rcu, audit_free_rule_rcu); 1568 } 1569 } 1570 1571 mutex_unlock(&audit_filter_mutex); 1572 1573 return err; 1574 } 1575 1576 /* Update watch data in audit rules based on inotify events. */ 1577 void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1578 u32 cookie, const char *dname, struct inode *inode) 1579 { 1580 struct audit_parent *parent; 1581 1582 parent = container_of(i_watch, struct audit_parent, wdata); 1583 1584 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1585 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1586 inode->i_ino, 0); 1587 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1588 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1589 /* inotify automatically removes the watch and sends IN_IGNORED */ 1590 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1591 audit_remove_parent_watches(parent); 1592 /* inotify does not remove the watch, so remove it manually */ 1593 else if(mask & IN_MOVE_SELF) { 1594 audit_remove_parent_watches(parent); 1595 inotify_remove_watch_locked(audit_ih, i_watch); 1596 } else if (mask & IN_IGNORED) 1597 put_inotify_watch(i_watch); 1598 } 1599