auditfilter.c 33 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375
  1. /* auditfilter.c -- filtering of audit events
  2. *
  3. * Copyright 2003-2004 Red Hat, Inc.
  4. * Copyright 2005 Hewlett-Packard Development Company, L.P.
  5. * Copyright 2005 IBM Corporation
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  20. */
  21. #include <linux/kernel.h>
  22. #include <linux/audit.h>
  23. #include <linux/kthread.h>
  24. #include <linux/mutex.h>
  25. #include <linux/fs.h>
  26. #include <linux/namei.h>
  27. #include <linux/netlink.h>
  28. #include <linux/sched.h>
  29. #include <linux/slab.h>
  30. #include <linux/security.h>
  31. #include "audit.h"
  32. /*
  33. * Locking model:
  34. *
  35. * audit_filter_mutex:
  36. * Synchronizes writes and blocking reads of audit's filterlist
  37. * data. Rcu is used to traverse the filterlist and access
  38. * contents of structs audit_entry, audit_watch and opaque
  39. * LSM rules during filtering. If modified, these structures
  40. * must be copied and replace their counterparts in the filterlist.
  41. * An audit_parent struct is not accessed during filtering, so may
  42. * be written directly provided audit_filter_mutex is held.
  43. */
  44. /* Audit filter lists, defined in <linux/audit.h> */
  45. struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  46. LIST_HEAD_INIT(audit_filter_list[0]),
  47. LIST_HEAD_INIT(audit_filter_list[1]),
  48. LIST_HEAD_INIT(audit_filter_list[2]),
  49. LIST_HEAD_INIT(audit_filter_list[3]),
  50. LIST_HEAD_INIT(audit_filter_list[4]),
  51. LIST_HEAD_INIT(audit_filter_list[5]),
  52. #if AUDIT_NR_FILTERS != 6
  53. #error Fix audit_filter_list initialiser
  54. #endif
  55. };
  56. static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  57. LIST_HEAD_INIT(audit_rules_list[0]),
  58. LIST_HEAD_INIT(audit_rules_list[1]),
  59. LIST_HEAD_INIT(audit_rules_list[2]),
  60. LIST_HEAD_INIT(audit_rules_list[3]),
  61. LIST_HEAD_INIT(audit_rules_list[4]),
  62. LIST_HEAD_INIT(audit_rules_list[5]),
  63. };
  64. DEFINE_MUTEX(audit_filter_mutex);
  65. static inline void audit_free_rule(struct audit_entry *e)
  66. {
  67. int i;
  68. struct audit_krule *erule = &e->rule;
  69. /* some rules don't have associated watches */
  70. if (erule->watch)
  71. audit_put_watch(erule->watch);
  72. if (erule->fields)
  73. for (i = 0; i < erule->field_count; i++) {
  74. struct audit_field *f = &erule->fields[i];
  75. kfree(f->lsm_str);
  76. security_audit_rule_free(f->lsm_rule);
  77. }
  78. kfree(erule->fields);
  79. kfree(erule->filterkey);
  80. kfree(e);
  81. }
  82. void audit_free_rule_rcu(struct rcu_head *head)
  83. {
  84. struct audit_entry *e = container_of(head, struct audit_entry, rcu);
  85. audit_free_rule(e);
  86. }
  87. /* Initialize an audit filterlist entry. */
  88. static inline struct audit_entry *audit_init_entry(u32 field_count)
  89. {
  90. struct audit_entry *entry;
  91. struct audit_field *fields;
  92. entry = kzalloc(sizeof(*entry), GFP_KERNEL);
  93. if (unlikely(!entry))
  94. return NULL;
  95. fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
  96. if (unlikely(!fields)) {
  97. kfree(entry);
  98. return NULL;
  99. }
  100. entry->rule.fields = fields;
  101. return entry;
  102. }
  103. /* Unpack a filter field's string representation from user-space
  104. * buffer. */
  105. char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
  106. {
  107. char *str;
  108. if (!*bufp || (len == 0) || (len > *remain))
  109. return ERR_PTR(-EINVAL);
  110. /* Of the currently implemented string fields, PATH_MAX
  111. * defines the longest valid length.
  112. */
  113. if (len > PATH_MAX)
  114. return ERR_PTR(-ENAMETOOLONG);
  115. str = kmalloc(len + 1, GFP_KERNEL);
  116. if (unlikely(!str))
  117. return ERR_PTR(-ENOMEM);
  118. memcpy(str, *bufp, len);
  119. str[len] = 0;
  120. *bufp += len;
  121. *remain -= len;
  122. return str;
  123. }
  124. /* Translate an inode field to kernel respresentation. */
  125. static inline int audit_to_inode(struct audit_krule *krule,
  126. struct audit_field *f)
  127. {
  128. if (krule->listnr != AUDIT_FILTER_EXIT ||
  129. krule->watch || krule->inode_f || krule->tree ||
  130. (f->op != Audit_equal && f->op != Audit_not_equal))
  131. return -EINVAL;
  132. krule->inode_f = f;
  133. return 0;
  134. }
  135. static __u32 *classes[AUDIT_SYSCALL_CLASSES];
  136. int __init audit_register_class(int class, unsigned *list)
  137. {
  138. __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
  139. if (!p)
  140. return -ENOMEM;
  141. while (*list != ~0U) {
  142. unsigned n = *list++;
  143. if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
  144. kfree(p);
  145. return -EINVAL;
  146. }
  147. p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
  148. }
  149. if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
  150. kfree(p);
  151. return -EINVAL;
  152. }
  153. classes[class] = p;
  154. return 0;
  155. }
  156. int audit_match_class(int class, unsigned syscall)
  157. {
  158. if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
  159. return 0;
  160. if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
  161. return 0;
  162. return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
  163. }
  164. #ifdef CONFIG_AUDITSYSCALL
  165. static inline int audit_match_class_bits(int class, u32 *mask)
  166. {
  167. int i;
  168. if (classes[class]) {
  169. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  170. if (mask[i] & classes[class][i])
  171. return 0;
  172. }
  173. return 1;
  174. }
  175. static int audit_match_signal(struct audit_entry *entry)
  176. {
  177. struct audit_field *arch = entry->rule.arch_f;
  178. if (!arch) {
  179. /* When arch is unspecified, we must check both masks on biarch
  180. * as syscall number alone is ambiguous. */
  181. return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
  182. entry->rule.mask) &&
  183. audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
  184. entry->rule.mask));
  185. }
  186. switch(audit_classify_arch(arch->val)) {
  187. case 0: /* native */
  188. return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
  189. entry->rule.mask));
  190. case 1: /* 32bit on biarch */
  191. return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
  192. entry->rule.mask));
  193. default:
  194. return 1;
  195. }
  196. }
  197. #endif
  198. /* Common user-space to kernel rule translation. */
  199. static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
  200. {
  201. unsigned listnr;
  202. struct audit_entry *entry;
  203. int i, err;
  204. err = -EINVAL;
  205. listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
  206. switch(listnr) {
  207. default:
  208. goto exit_err;
  209. #ifdef CONFIG_AUDITSYSCALL
  210. case AUDIT_FILTER_ENTRY:
  211. if (rule->action == AUDIT_ALWAYS)
  212. goto exit_err;
  213. case AUDIT_FILTER_EXIT:
  214. case AUDIT_FILTER_TASK:
  215. #endif
  216. case AUDIT_FILTER_USER:
  217. case AUDIT_FILTER_TYPE:
  218. ;
  219. }
  220. if (unlikely(rule->action == AUDIT_POSSIBLE)) {
  221. printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
  222. goto exit_err;
  223. }
  224. if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
  225. goto exit_err;
  226. if (rule->field_count > AUDIT_MAX_FIELDS)
  227. goto exit_err;
  228. err = -ENOMEM;
  229. entry = audit_init_entry(rule->field_count);
  230. if (!entry)
  231. goto exit_err;
  232. entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
  233. entry->rule.listnr = listnr;
  234. entry->rule.action = rule->action;
  235. entry->rule.field_count = rule->field_count;
  236. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  237. entry->rule.mask[i] = rule->mask[i];
  238. for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
  239. int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
  240. __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
  241. __u32 *class;
  242. if (!(*p & AUDIT_BIT(bit)))
  243. continue;
  244. *p &= ~AUDIT_BIT(bit);
  245. class = classes[i];
  246. if (class) {
  247. int j;
  248. for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
  249. entry->rule.mask[j] |= class[j];
  250. }
  251. }
  252. return entry;
  253. exit_err:
  254. return ERR_PTR(err);
  255. }
  256. static u32 audit_ops[] =
  257. {
  258. [Audit_equal] = AUDIT_EQUAL,
  259. [Audit_not_equal] = AUDIT_NOT_EQUAL,
  260. [Audit_bitmask] = AUDIT_BIT_MASK,
  261. [Audit_bittest] = AUDIT_BIT_TEST,
  262. [Audit_lt] = AUDIT_LESS_THAN,
  263. [Audit_gt] = AUDIT_GREATER_THAN,
  264. [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
  265. [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
  266. };
  267. static u32 audit_to_op(u32 op)
  268. {
  269. u32 n;
  270. for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
  271. ;
  272. return n;
  273. }
  274. /* check if an audit field is valid */
  275. static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
  276. {
  277. switch(f->type) {
  278. case AUDIT_MSGTYPE:
  279. if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
  280. entry->rule.listnr != AUDIT_FILTER_USER)
  281. return -EINVAL;
  282. break;
  283. };
  284. switch(f->type) {
  285. default:
  286. return -EINVAL;
  287. case AUDIT_UID:
  288. case AUDIT_EUID:
  289. case AUDIT_SUID:
  290. case AUDIT_FSUID:
  291. case AUDIT_LOGINUID:
  292. case AUDIT_OBJ_UID:
  293. case AUDIT_GID:
  294. case AUDIT_EGID:
  295. case AUDIT_SGID:
  296. case AUDIT_FSGID:
  297. case AUDIT_OBJ_GID:
  298. case AUDIT_PID:
  299. case AUDIT_PERS:
  300. case AUDIT_MSGTYPE:
  301. case AUDIT_PPID:
  302. case AUDIT_DEVMAJOR:
  303. case AUDIT_DEVMINOR:
  304. case AUDIT_EXIT:
  305. case AUDIT_SUCCESS:
  306. case AUDIT_INODE:
  307. /* bit ops are only useful on syscall args */
  308. if (f->op == Audit_bitmask || f->op == Audit_bittest)
  309. return -EINVAL;
  310. break;
  311. case AUDIT_ARG0:
  312. case AUDIT_ARG1:
  313. case AUDIT_ARG2:
  314. case AUDIT_ARG3:
  315. case AUDIT_SUBJ_USER:
  316. case AUDIT_SUBJ_ROLE:
  317. case AUDIT_SUBJ_TYPE:
  318. case AUDIT_SUBJ_SEN:
  319. case AUDIT_SUBJ_CLR:
  320. case AUDIT_OBJ_USER:
  321. case AUDIT_OBJ_ROLE:
  322. case AUDIT_OBJ_TYPE:
  323. case AUDIT_OBJ_LEV_LOW:
  324. case AUDIT_OBJ_LEV_HIGH:
  325. case AUDIT_WATCH:
  326. case AUDIT_DIR:
  327. case AUDIT_FILTERKEY:
  328. break;
  329. case AUDIT_LOGINUID_SET:
  330. if ((f->val != 0) && (f->val != 1))
  331. return -EINVAL;
  332. /* FALL THROUGH */
  333. case AUDIT_ARCH:
  334. if (f->op != Audit_not_equal && f->op != Audit_equal)
  335. return -EINVAL;
  336. break;
  337. case AUDIT_PERM:
  338. if (f->val & ~15)
  339. return -EINVAL;
  340. break;
  341. case AUDIT_FILETYPE:
  342. if (f->val & ~S_IFMT)
  343. return -EINVAL;
  344. break;
  345. case AUDIT_FIELD_COMPARE:
  346. if (f->val > AUDIT_MAX_FIELD_COMPARE)
  347. return -EINVAL;
  348. break;
  349. };
  350. return 0;
  351. }
  352. /* Translate struct audit_rule_data to kernel's rule respresentation. */
  353. static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
  354. size_t datasz)
  355. {
  356. int err = 0;
  357. struct audit_entry *entry;
  358. void *bufp;
  359. size_t remain = datasz - sizeof(struct audit_rule_data);
  360. int i;
  361. char *str;
  362. entry = audit_to_entry_common((struct audit_rule *)data);
  363. if (IS_ERR(entry))
  364. goto exit_nofree;
  365. bufp = data->buf;
  366. entry->rule.vers_ops = 2;
  367. for (i = 0; i < data->field_count; i++) {
  368. struct audit_field *f = &entry->rule.fields[i];
  369. err = -EINVAL;
  370. f->op = audit_to_op(data->fieldflags[i]);
  371. if (f->op == Audit_bad)
  372. goto exit_free;
  373. f->type = data->fields[i];
  374. f->val = data->values[i];
  375. f->uid = INVALID_UID;
  376. f->gid = INVALID_GID;
  377. f->lsm_str = NULL;
  378. f->lsm_rule = NULL;
  379. /* Support legacy tests for a valid loginuid */
  380. if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
  381. f->type = AUDIT_LOGINUID_SET;
  382. f->val = 0;
  383. }
  384. err = audit_field_valid(entry, f);
  385. if (err)
  386. goto exit_free;
  387. err = -EINVAL;
  388. switch (f->type) {
  389. case AUDIT_LOGINUID:
  390. case AUDIT_UID:
  391. case AUDIT_EUID:
  392. case AUDIT_SUID:
  393. case AUDIT_FSUID:
  394. case AUDIT_OBJ_UID:
  395. f->uid = make_kuid(current_user_ns(), f->val);
  396. if (!uid_valid(f->uid))
  397. goto exit_free;
  398. break;
  399. case AUDIT_GID:
  400. case AUDIT_EGID:
  401. case AUDIT_SGID:
  402. case AUDIT_FSGID:
  403. case AUDIT_OBJ_GID:
  404. f->gid = make_kgid(current_user_ns(), f->val);
  405. if (!gid_valid(f->gid))
  406. goto exit_free;
  407. break;
  408. case AUDIT_ARCH:
  409. entry->rule.arch_f = f;
  410. break;
  411. case AUDIT_SUBJ_USER:
  412. case AUDIT_SUBJ_ROLE:
  413. case AUDIT_SUBJ_TYPE:
  414. case AUDIT_SUBJ_SEN:
  415. case AUDIT_SUBJ_CLR:
  416. case AUDIT_OBJ_USER:
  417. case AUDIT_OBJ_ROLE:
  418. case AUDIT_OBJ_TYPE:
  419. case AUDIT_OBJ_LEV_LOW:
  420. case AUDIT_OBJ_LEV_HIGH:
  421. str = audit_unpack_string(&bufp, &remain, f->val);
  422. if (IS_ERR(str))
  423. goto exit_free;
  424. entry->rule.buflen += f->val;
  425. err = security_audit_rule_init(f->type, f->op, str,
  426. (void **)&f->lsm_rule);
  427. /* Keep currently invalid fields around in case they
  428. * become valid after a policy reload. */
  429. if (err == -EINVAL) {
  430. printk(KERN_WARNING "audit rule for LSM "
  431. "\'%s\' is invalid\n", str);
  432. err = 0;
  433. }
  434. if (err) {
  435. kfree(str);
  436. goto exit_free;
  437. } else
  438. f->lsm_str = str;
  439. break;
  440. case AUDIT_WATCH:
  441. str = audit_unpack_string(&bufp, &remain, f->val);
  442. if (IS_ERR(str))
  443. goto exit_free;
  444. entry->rule.buflen += f->val;
  445. err = audit_to_watch(&entry->rule, str, f->val, f->op);
  446. if (err) {
  447. kfree(str);
  448. goto exit_free;
  449. }
  450. break;
  451. case AUDIT_DIR:
  452. str = audit_unpack_string(&bufp, &remain, f->val);
  453. if (IS_ERR(str))
  454. goto exit_free;
  455. entry->rule.buflen += f->val;
  456. err = audit_make_tree(&entry->rule, str, f->op);
  457. kfree(str);
  458. if (err)
  459. goto exit_free;
  460. break;
  461. case AUDIT_INODE:
  462. err = audit_to_inode(&entry->rule, f);
  463. if (err)
  464. goto exit_free;
  465. break;
  466. case AUDIT_FILTERKEY:
  467. if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
  468. goto exit_free;
  469. str = audit_unpack_string(&bufp, &remain, f->val);
  470. if (IS_ERR(str))
  471. goto exit_free;
  472. entry->rule.buflen += f->val;
  473. entry->rule.filterkey = str;
  474. break;
  475. }
  476. }
  477. if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
  478. entry->rule.inode_f = NULL;
  479. exit_nofree:
  480. return entry;
  481. exit_free:
  482. if (entry->rule.watch)
  483. audit_put_watch(entry->rule.watch); /* matches initial get */
  484. if (entry->rule.tree)
  485. audit_put_tree(entry->rule.tree); /* that's the temporary one */
  486. audit_free_rule(entry);
  487. return ERR_PTR(err);
  488. }
  489. /* Pack a filter field's string representation into data block. */
  490. static inline size_t audit_pack_string(void **bufp, const char *str)
  491. {
  492. size_t len = strlen(str);
  493. memcpy(*bufp, str, len);
  494. *bufp += len;
  495. return len;
  496. }
  497. /* Translate kernel rule respresentation to struct audit_rule_data. */
  498. static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
  499. {
  500. struct audit_rule_data *data;
  501. void *bufp;
  502. int i;
  503. data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
  504. if (unlikely(!data))
  505. return NULL;
  506. memset(data, 0, sizeof(*data));
  507. data->flags = krule->flags | krule->listnr;
  508. data->action = krule->action;
  509. data->field_count = krule->field_count;
  510. bufp = data->buf;
  511. for (i = 0; i < data->field_count; i++) {
  512. struct audit_field *f = &krule->fields[i];
  513. data->fields[i] = f->type;
  514. data->fieldflags[i] = audit_ops[f->op];
  515. switch(f->type) {
  516. case AUDIT_SUBJ_USER:
  517. case AUDIT_SUBJ_ROLE:
  518. case AUDIT_SUBJ_TYPE:
  519. case AUDIT_SUBJ_SEN:
  520. case AUDIT_SUBJ_CLR:
  521. case AUDIT_OBJ_USER:
  522. case AUDIT_OBJ_ROLE:
  523. case AUDIT_OBJ_TYPE:
  524. case AUDIT_OBJ_LEV_LOW:
  525. case AUDIT_OBJ_LEV_HIGH:
  526. data->buflen += data->values[i] =
  527. audit_pack_string(&bufp, f->lsm_str);
  528. break;
  529. case AUDIT_WATCH:
  530. data->buflen += data->values[i] =
  531. audit_pack_string(&bufp,
  532. audit_watch_path(krule->watch));
  533. break;
  534. case AUDIT_DIR:
  535. data->buflen += data->values[i] =
  536. audit_pack_string(&bufp,
  537. audit_tree_path(krule->tree));
  538. break;
  539. case AUDIT_FILTERKEY:
  540. data->buflen += data->values[i] =
  541. audit_pack_string(&bufp, krule->filterkey);
  542. break;
  543. default:
  544. data->values[i] = f->val;
  545. }
  546. }
  547. for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
  548. return data;
  549. }
  550. /* Compare two rules in kernel format. Considered success if rules
  551. * don't match. */
  552. static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
  553. {
  554. int i;
  555. if (a->flags != b->flags ||
  556. a->listnr != b->listnr ||
  557. a->action != b->action ||
  558. a->field_count != b->field_count)
  559. return 1;
  560. for (i = 0; i < a->field_count; i++) {
  561. if (a->fields[i].type != b->fields[i].type ||
  562. a->fields[i].op != b->fields[i].op)
  563. return 1;
  564. switch(a->fields[i].type) {
  565. case AUDIT_SUBJ_USER:
  566. case AUDIT_SUBJ_ROLE:
  567. case AUDIT_SUBJ_TYPE:
  568. case AUDIT_SUBJ_SEN:
  569. case AUDIT_SUBJ_CLR:
  570. case AUDIT_OBJ_USER:
  571. case AUDIT_OBJ_ROLE:
  572. case AUDIT_OBJ_TYPE:
  573. case AUDIT_OBJ_LEV_LOW:
  574. case AUDIT_OBJ_LEV_HIGH:
  575. if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
  576. return 1;
  577. break;
  578. case AUDIT_WATCH:
  579. if (strcmp(audit_watch_path(a->watch),
  580. audit_watch_path(b->watch)))
  581. return 1;
  582. break;
  583. case AUDIT_DIR:
  584. if (strcmp(audit_tree_path(a->tree),
  585. audit_tree_path(b->tree)))
  586. return 1;
  587. break;
  588. case AUDIT_FILTERKEY:
  589. /* both filterkeys exist based on above type compare */
  590. if (strcmp(a->filterkey, b->filterkey))
  591. return 1;
  592. break;
  593. case AUDIT_UID:
  594. case AUDIT_EUID:
  595. case AUDIT_SUID:
  596. case AUDIT_FSUID:
  597. case AUDIT_LOGINUID:
  598. case AUDIT_OBJ_UID:
  599. if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
  600. return 1;
  601. break;
  602. case AUDIT_GID:
  603. case AUDIT_EGID:
  604. case AUDIT_SGID:
  605. case AUDIT_FSGID:
  606. case AUDIT_OBJ_GID:
  607. if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
  608. return 1;
  609. break;
  610. default:
  611. if (a->fields[i].val != b->fields[i].val)
  612. return 1;
  613. }
  614. }
  615. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  616. if (a->mask[i] != b->mask[i])
  617. return 1;
  618. return 0;
  619. }
  620. /* Duplicate LSM field information. The lsm_rule is opaque, so must be
  621. * re-initialized. */
  622. static inline int audit_dupe_lsm_field(struct audit_field *df,
  623. struct audit_field *sf)
  624. {
  625. int ret = 0;
  626. char *lsm_str;
  627. /* our own copy of lsm_str */
  628. lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
  629. if (unlikely(!lsm_str))
  630. return -ENOMEM;
  631. df->lsm_str = lsm_str;
  632. /* our own (refreshed) copy of lsm_rule */
  633. ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
  634. (void **)&df->lsm_rule);
  635. /* Keep currently invalid fields around in case they
  636. * become valid after a policy reload. */
  637. if (ret == -EINVAL) {
  638. printk(KERN_WARNING "audit rule for LSM \'%s\' is "
  639. "invalid\n", df->lsm_str);
  640. ret = 0;
  641. }
  642. return ret;
  643. }
  644. /* Duplicate an audit rule. This will be a deep copy with the exception
  645. * of the watch - that pointer is carried over. The LSM specific fields
  646. * will be updated in the copy. The point is to be able to replace the old
  647. * rule with the new rule in the filterlist, then free the old rule.
  648. * The rlist element is undefined; list manipulations are handled apart from
  649. * the initial copy. */
  650. struct audit_entry *audit_dupe_rule(struct audit_krule *old)
  651. {
  652. u32 fcount = old->field_count;
  653. struct audit_entry *entry;
  654. struct audit_krule *new;
  655. char *fk;
  656. int i, err = 0;
  657. entry = audit_init_entry(fcount);
  658. if (unlikely(!entry))
  659. return ERR_PTR(-ENOMEM);
  660. new = &entry->rule;
  661. new->vers_ops = old->vers_ops;
  662. new->flags = old->flags;
  663. new->listnr = old->listnr;
  664. new->action = old->action;
  665. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  666. new->mask[i] = old->mask[i];
  667. new->prio = old->prio;
  668. new->buflen = old->buflen;
  669. new->inode_f = old->inode_f;
  670. new->field_count = old->field_count;
  671. /*
  672. * note that we are OK with not refcounting here; audit_match_tree()
  673. * never dereferences tree and we can't get false positives there
  674. * since we'd have to have rule gone from the list *and* removed
  675. * before the chunks found by lookup had been allocated, i.e. before
  676. * the beginning of list scan.
  677. */
  678. new->tree = old->tree;
  679. memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
  680. /* deep copy this information, updating the lsm_rule fields, because
  681. * the originals will all be freed when the old rule is freed. */
  682. for (i = 0; i < fcount; i++) {
  683. switch (new->fields[i].type) {
  684. case AUDIT_SUBJ_USER:
  685. case AUDIT_SUBJ_ROLE:
  686. case AUDIT_SUBJ_TYPE:
  687. case AUDIT_SUBJ_SEN:
  688. case AUDIT_SUBJ_CLR:
  689. case AUDIT_OBJ_USER:
  690. case AUDIT_OBJ_ROLE:
  691. case AUDIT_OBJ_TYPE:
  692. case AUDIT_OBJ_LEV_LOW:
  693. case AUDIT_OBJ_LEV_HIGH:
  694. err = audit_dupe_lsm_field(&new->fields[i],
  695. &old->fields[i]);
  696. break;
  697. case AUDIT_FILTERKEY:
  698. fk = kstrdup(old->filterkey, GFP_KERNEL);
  699. if (unlikely(!fk))
  700. err = -ENOMEM;
  701. else
  702. new->filterkey = fk;
  703. }
  704. if (err) {
  705. audit_free_rule(entry);
  706. return ERR_PTR(err);
  707. }
  708. }
  709. if (old->watch) {
  710. audit_get_watch(old->watch);
  711. new->watch = old->watch;
  712. }
  713. return entry;
  714. }
  715. /* Find an existing audit rule.
  716. * Caller must hold audit_filter_mutex to prevent stale rule data. */
  717. static struct audit_entry *audit_find_rule(struct audit_entry *entry,
  718. struct list_head **p)
  719. {
  720. struct audit_entry *e, *found = NULL;
  721. struct list_head *list;
  722. int h;
  723. if (entry->rule.inode_f) {
  724. h = audit_hash_ino(entry->rule.inode_f->val);
  725. *p = list = &audit_inode_hash[h];
  726. } else if (entry->rule.watch) {
  727. /* we don't know the inode number, so must walk entire hash */
  728. for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
  729. list = &audit_inode_hash[h];
  730. list_for_each_entry(e, list, list)
  731. if (!audit_compare_rule(&entry->rule, &e->rule)) {
  732. found = e;
  733. goto out;
  734. }
  735. }
  736. goto out;
  737. } else {
  738. *p = list = &audit_filter_list[entry->rule.listnr];
  739. }
  740. list_for_each_entry(e, list, list)
  741. if (!audit_compare_rule(&entry->rule, &e->rule)) {
  742. found = e;
  743. goto out;
  744. }
  745. out:
  746. return found;
  747. }
  748. static u64 prio_low = ~0ULL/2;
  749. static u64 prio_high = ~0ULL/2 - 1;
  750. /* Add rule to given filterlist if not a duplicate. */
  751. static inline int audit_add_rule(struct audit_entry *entry)
  752. {
  753. struct audit_entry *e;
  754. struct audit_watch *watch = entry->rule.watch;
  755. struct audit_tree *tree = entry->rule.tree;
  756. struct list_head *list;
  757. int err;
  758. #ifdef CONFIG_AUDITSYSCALL
  759. int dont_count = 0;
  760. /* If either of these, don't count towards total */
  761. if (entry->rule.listnr == AUDIT_FILTER_USER ||
  762. entry->rule.listnr == AUDIT_FILTER_TYPE)
  763. dont_count = 1;
  764. #endif
  765. mutex_lock(&audit_filter_mutex);
  766. e = audit_find_rule(entry, &list);
  767. if (e) {
  768. mutex_unlock(&audit_filter_mutex);
  769. err = -EEXIST;
  770. /* normally audit_add_tree_rule() will free it on failure */
  771. if (tree)
  772. audit_put_tree(tree);
  773. goto error;
  774. }
  775. if (watch) {
  776. /* audit_filter_mutex is dropped and re-taken during this call */
  777. err = audit_add_watch(&entry->rule, &list);
  778. if (err) {
  779. mutex_unlock(&audit_filter_mutex);
  780. /*
  781. * normally audit_add_tree_rule() will free it
  782. * on failure
  783. */
  784. if (tree)
  785. audit_put_tree(tree);
  786. goto error;
  787. }
  788. }
  789. if (tree) {
  790. err = audit_add_tree_rule(&entry->rule);
  791. if (err) {
  792. mutex_unlock(&audit_filter_mutex);
  793. goto error;
  794. }
  795. }
  796. entry->rule.prio = ~0ULL;
  797. if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
  798. if (entry->rule.flags & AUDIT_FILTER_PREPEND)
  799. entry->rule.prio = ++prio_high;
  800. else
  801. entry->rule.prio = --prio_low;
  802. }
  803. if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
  804. list_add(&entry->rule.list,
  805. &audit_rules_list[entry->rule.listnr]);
  806. list_add_rcu(&entry->list, list);
  807. entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
  808. } else {
  809. list_add_tail(&entry->rule.list,
  810. &audit_rules_list[entry->rule.listnr]);
  811. list_add_tail_rcu(&entry->list, list);
  812. }
  813. #ifdef CONFIG_AUDITSYSCALL
  814. if (!dont_count)
  815. audit_n_rules++;
  816. if (!audit_match_signal(entry))
  817. audit_signals++;
  818. #endif
  819. mutex_unlock(&audit_filter_mutex);
  820. return 0;
  821. error:
  822. if (watch)
  823. audit_put_watch(watch); /* tmp watch, matches initial get */
  824. return err;
  825. }
  826. /* Remove an existing rule from filterlist. */
  827. static inline int audit_del_rule(struct audit_entry *entry)
  828. {
  829. struct audit_entry *e;
  830. struct audit_watch *watch = entry->rule.watch;
  831. struct audit_tree *tree = entry->rule.tree;
  832. struct list_head *list;
  833. int ret = 0;
  834. #ifdef CONFIG_AUDITSYSCALL
  835. int dont_count = 0;
  836. /* If either of these, don't count towards total */
  837. if (entry->rule.listnr == AUDIT_FILTER_USER ||
  838. entry->rule.listnr == AUDIT_FILTER_TYPE)
  839. dont_count = 1;
  840. #endif
  841. mutex_lock(&audit_filter_mutex);
  842. e = audit_find_rule(entry, &list);
  843. if (!e) {
  844. mutex_unlock(&audit_filter_mutex);
  845. ret = -ENOENT;
  846. goto out;
  847. }
  848. if (e->rule.watch)
  849. audit_remove_watch_rule(&e->rule);
  850. if (e->rule.tree)
  851. audit_remove_tree_rule(&e->rule);
  852. list_del_rcu(&e->list);
  853. list_del(&e->rule.list);
  854. call_rcu(&e->rcu, audit_free_rule_rcu);
  855. #ifdef CONFIG_AUDITSYSCALL
  856. if (!dont_count)
  857. audit_n_rules--;
  858. if (!audit_match_signal(entry))
  859. audit_signals--;
  860. #endif
  861. mutex_unlock(&audit_filter_mutex);
  862. out:
  863. if (watch)
  864. audit_put_watch(watch); /* match initial get */
  865. if (tree)
  866. audit_put_tree(tree); /* that's the temporary one */
  867. return ret;
  868. }
  869. /* List rules using struct audit_rule_data. */
  870. static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
  871. {
  872. struct sk_buff *skb;
  873. struct audit_krule *r;
  874. int i;
  875. /* This is a blocking read, so use audit_filter_mutex instead of rcu
  876. * iterator to sync with list writers. */
  877. for (i=0; i<AUDIT_NR_FILTERS; i++) {
  878. list_for_each_entry(r, &audit_rules_list[i], list) {
  879. struct audit_rule_data *data;
  880. data = audit_krule_to_data(r);
  881. if (unlikely(!data))
  882. break;
  883. skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
  884. data, sizeof(*data) + data->buflen);
  885. if (skb)
  886. skb_queue_tail(q, skb);
  887. kfree(data);
  888. }
  889. }
  890. skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
  891. if (skb)
  892. skb_queue_tail(q, skb);
  893. }
  894. /* Log rule additions and removals */
  895. static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
  896. {
  897. struct audit_buffer *ab;
  898. uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
  899. u32 sessionid = audit_get_sessionid(current);
  900. if (!audit_enabled)
  901. return;
  902. ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
  903. if (!ab)
  904. return;
  905. audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
  906. audit_log_task_context(ab);
  907. audit_log_format(ab, " op=");
  908. audit_log_string(ab, action);
  909. audit_log_key(ab, rule->filterkey);
  910. audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
  911. audit_log_end(ab);
  912. }
  913. /**
  914. * audit_receive_filter - apply all rules to the specified message type
  915. * @type: audit message type
  916. * @pid: target pid for netlink audit messages
  917. * @seq: netlink audit message sequence (serial) number
  918. * @data: payload data
  919. * @datasz: size of payload data
  920. */
  921. int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)
  922. {
  923. struct task_struct *tsk;
  924. struct audit_netlink_list *dest;
  925. int err = 0;
  926. struct audit_entry *entry;
  927. switch (type) {
  928. case AUDIT_LIST_RULES:
  929. /* We can't just spew out the rules here because we might fill
  930. * the available socket buffer space and deadlock waiting for
  931. * auditctl to read from it... which isn't ever going to
  932. * happen if we're actually running in the context of auditctl
  933. * trying to _send_ the stuff */
  934. dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
  935. if (!dest)
  936. return -ENOMEM;
  937. dest->pid = pid;
  938. skb_queue_head_init(&dest->q);
  939. mutex_lock(&audit_filter_mutex);
  940. audit_list_rules(pid, seq, &dest->q);
  941. mutex_unlock(&audit_filter_mutex);
  942. tsk = kthread_run(audit_send_list, dest, "audit_send_list");
  943. if (IS_ERR(tsk)) {
  944. skb_queue_purge(&dest->q);
  945. kfree(dest);
  946. err = PTR_ERR(tsk);
  947. }
  948. break;
  949. case AUDIT_ADD_RULE:
  950. entry = audit_data_to_entry(data, datasz);
  951. if (IS_ERR(entry))
  952. return PTR_ERR(entry);
  953. err = audit_add_rule(entry);
  954. audit_log_rule_change("add rule", &entry->rule, !err);
  955. if (err)
  956. audit_free_rule(entry);
  957. break;
  958. case AUDIT_DEL_RULE:
  959. entry = audit_data_to_entry(data, datasz);
  960. if (IS_ERR(entry))
  961. return PTR_ERR(entry);
  962. err = audit_del_rule(entry);
  963. audit_log_rule_change("remove rule", &entry->rule, !err);
  964. audit_free_rule(entry);
  965. break;
  966. default:
  967. return -EINVAL;
  968. }
  969. return err;
  970. }
  971. int audit_comparator(u32 left, u32 op, u32 right)
  972. {
  973. switch (op) {
  974. case Audit_equal:
  975. return (left == right);
  976. case Audit_not_equal:
  977. return (left != right);
  978. case Audit_lt:
  979. return (left < right);
  980. case Audit_le:
  981. return (left <= right);
  982. case Audit_gt:
  983. return (left > right);
  984. case Audit_ge:
  985. return (left >= right);
  986. case Audit_bitmask:
  987. return (left & right);
  988. case Audit_bittest:
  989. return ((left & right) == right);
  990. default:
  991. BUG();
  992. return 0;
  993. }
  994. }
  995. int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
  996. {
  997. switch (op) {
  998. case Audit_equal:
  999. return uid_eq(left, right);
  1000. case Audit_not_equal:
  1001. return !uid_eq(left, right);
  1002. case Audit_lt:
  1003. return uid_lt(left, right);
  1004. case Audit_le:
  1005. return uid_lte(left, right);
  1006. case Audit_gt:
  1007. return uid_gt(left, right);
  1008. case Audit_ge:
  1009. return uid_gte(left, right);
  1010. case Audit_bitmask:
  1011. case Audit_bittest:
  1012. default:
  1013. BUG();
  1014. return 0;
  1015. }
  1016. }
  1017. int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
  1018. {
  1019. switch (op) {
  1020. case Audit_equal:
  1021. return gid_eq(left, right);
  1022. case Audit_not_equal:
  1023. return !gid_eq(left, right);
  1024. case Audit_lt:
  1025. return gid_lt(left, right);
  1026. case Audit_le:
  1027. return gid_lte(left, right);
  1028. case Audit_gt:
  1029. return gid_gt(left, right);
  1030. case Audit_ge:
  1031. return gid_gte(left, right);
  1032. case Audit_bitmask:
  1033. case Audit_bittest:
  1034. default:
  1035. BUG();
  1036. return 0;
  1037. }
  1038. }
  1039. /**
  1040. * parent_len - find the length of the parent portion of a pathname
  1041. * @path: pathname of which to determine length
  1042. */
  1043. int parent_len(const char *path)
  1044. {
  1045. int plen;
  1046. const char *p;
  1047. plen = strlen(path);
  1048. if (plen == 0)
  1049. return plen;
  1050. /* disregard trailing slashes */
  1051. p = path + plen - 1;
  1052. while ((*p == '/') && (p > path))
  1053. p--;
  1054. /* walk backward until we find the next slash or hit beginning */
  1055. while ((*p != '/') && (p > path))
  1056. p--;
  1057. /* did we find a slash? Then increment to include it in path */
  1058. if (*p == '/')
  1059. p++;
  1060. return p - path;
  1061. }
  1062. /**
  1063. * audit_compare_dname_path - compare given dentry name with last component in
  1064. * given path. Return of 0 indicates a match.
  1065. * @dname: dentry name that we're comparing
  1066. * @path: full pathname that we're comparing
  1067. * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL
  1068. * here indicates that we must compute this value.
  1069. */
  1070. int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
  1071. {
  1072. int dlen, pathlen;
  1073. const char *p;
  1074. dlen = strlen(dname);
  1075. pathlen = strlen(path);
  1076. if (pathlen < dlen)
  1077. return 1;
  1078. parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
  1079. if (pathlen - parentlen != dlen)
  1080. return 1;
  1081. p = path + parentlen;
  1082. return strncmp(p, dname, dlen);
  1083. }
  1084. static int audit_filter_user_rules(struct audit_krule *rule, int type,
  1085. enum audit_state *state)
  1086. {
  1087. int i;
  1088. for (i = 0; i < rule->field_count; i++) {
  1089. struct audit_field *f = &rule->fields[i];
  1090. int result = 0;
  1091. u32 sid;
  1092. switch (f->type) {
  1093. case AUDIT_PID:
  1094. result = audit_comparator(task_pid_vnr(current), f->op, f->val);
  1095. break;
  1096. case AUDIT_UID:
  1097. result = audit_uid_comparator(current_uid(), f->op, f->uid);
  1098. break;
  1099. case AUDIT_GID:
  1100. result = audit_gid_comparator(current_gid(), f->op, f->gid);
  1101. break;
  1102. case AUDIT_LOGINUID:
  1103. result = audit_uid_comparator(audit_get_loginuid(current),
  1104. f->op, f->uid);
  1105. break;
  1106. case AUDIT_LOGINUID_SET:
  1107. result = audit_comparator(audit_loginuid_set(current),
  1108. f->op, f->val);
  1109. break;
  1110. case AUDIT_MSGTYPE:
  1111. result = audit_comparator(type, f->op, f->val);
  1112. break;
  1113. case AUDIT_SUBJ_USER:
  1114. case AUDIT_SUBJ_ROLE:
  1115. case AUDIT_SUBJ_TYPE:
  1116. case AUDIT_SUBJ_SEN:
  1117. case AUDIT_SUBJ_CLR:
  1118. if (f->lsm_rule) {
  1119. security_task_getsecid(current, &sid);
  1120. result = security_audit_rule_match(sid,
  1121. f->type,
  1122. f->op,
  1123. f->lsm_rule,
  1124. NULL);
  1125. }
  1126. break;
  1127. }
  1128. if (!result)
  1129. return 0;
  1130. }
  1131. switch (rule->action) {
  1132. case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
  1133. case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
  1134. }
  1135. return 1;
  1136. }
  1137. int audit_filter_user(int type)
  1138. {
  1139. enum audit_state state = AUDIT_DISABLED;
  1140. struct audit_entry *e;
  1141. int ret = 1;
  1142. rcu_read_lock();
  1143. list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
  1144. if (audit_filter_user_rules(&e->rule, type, &state)) {
  1145. if (state == AUDIT_DISABLED)
  1146. ret = 0;
  1147. break;
  1148. }
  1149. }
  1150. rcu_read_unlock();
  1151. return ret; /* Audit by default */
  1152. }
  1153. int audit_filter_type(int type)
  1154. {
  1155. struct audit_entry *e;
  1156. int result = 0;
  1157. rcu_read_lock();
  1158. if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
  1159. goto unlock_and_return;
  1160. list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
  1161. list) {
  1162. int i;
  1163. for (i = 0; i < e->rule.field_count; i++) {
  1164. struct audit_field *f = &e->rule.fields[i];
  1165. if (f->type == AUDIT_MSGTYPE) {
  1166. result = audit_comparator(type, f->op, f->val);
  1167. if (!result)
  1168. break;
  1169. }
  1170. }
  1171. if (result)
  1172. goto unlock_and_return;
  1173. }
  1174. unlock_and_return:
  1175. rcu_read_unlock();
  1176. return result;
  1177. }
  1178. static int update_lsm_rule(struct audit_krule *r)
  1179. {
  1180. struct audit_entry *entry = container_of(r, struct audit_entry, rule);
  1181. struct audit_entry *nentry;
  1182. int err = 0;
  1183. if (!security_audit_rule_known(r))
  1184. return 0;
  1185. nentry = audit_dupe_rule(r);
  1186. if (IS_ERR(nentry)) {
  1187. /* save the first error encountered for the
  1188. * return value */
  1189. err = PTR_ERR(nentry);
  1190. audit_panic("error updating LSM filters");
  1191. if (r->watch)
  1192. list_del(&r->rlist);
  1193. list_del_rcu(&entry->list);
  1194. list_del(&r->list);
  1195. } else {
  1196. if (r->watch || r->tree)
  1197. list_replace_init(&r->rlist, &nentry->rule.rlist);
  1198. list_replace_rcu(&entry->list, &nentry->list);
  1199. list_replace(&r->list, &nentry->rule.list);
  1200. }
  1201. call_rcu(&entry->rcu, audit_free_rule_rcu);
  1202. return err;
  1203. }
  1204. /* This function will re-initialize the lsm_rule field of all applicable rules.
  1205. * It will traverse the filter lists serarching for rules that contain LSM
  1206. * specific filter fields. When such a rule is found, it is copied, the
  1207. * LSM field is re-initialized, and the old rule is replaced with the
  1208. * updated rule. */
  1209. int audit_update_lsm_rules(void)
  1210. {
  1211. struct audit_krule *r, *n;
  1212. int i, err = 0;
  1213. /* audit_filter_mutex synchronizes the writers */
  1214. mutex_lock(&audit_filter_mutex);
  1215. for (i = 0; i < AUDIT_NR_FILTERS; i++) {
  1216. list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
  1217. int res = update_lsm_rule(r);
  1218. if (!err)
  1219. err = res;
  1220. }
  1221. }
  1222. mutex_unlock(&audit_filter_mutex);
  1223. return err;
  1224. }