Lines Matching refs:rule

86 	struct audit_krule *erule = &e->rule;
120 entry->rule.fields = fields;
213 struct audit_field *arch = entry->rule.arch_f;
219 entry->rule.mask) &&
221 entry->rule.mask));
227 entry->rule.mask));
230 entry->rule.mask));
237 /* Common user-space to kernel rule translation. */
/* NOTE(review): this is a cross-reference excerpt. Only lines that mention
 * "rule" are listed, so the statements between them, including what each
 * failed check does, are not visible here. */
238 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
/* The list number is rule->flags with the AUDIT_FILTER_PREPEND bit cleared. */
245 listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
/* AUDIT_POSSIBLE is tested on its own, ahead of the general action check. */
262 if (unlikely(rule->action == AUDIT_POSSIBLE)) {
/* Any action other than AUDIT_NEVER or AUDIT_ALWAYS takes this branch. */
266 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
/* field_count is compared with AUDIT_MAX_FIELDS here (source line 268),
 * before it is passed to audit_init_entry() (source line 272). Presumably an
 * over-large count is rejected so it never sizes the entry; the branch body
 * is not listed. TODO confirm. */
268 if (rule->field_count > AUDIT_MAX_FIELDS)
272 entry = audit_init_entry(rule->field_count);
/* Only the PREPEND bit of the supplied flags is kept in the kernel entry;
 * listnr, action and field_count are copied across. */
276 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
277 entry->rule.listnr = listnr;
278 entry->rule.action = rule->action;
279 entry->rule.field_count = rule->field_count;
/* Mask words are copied by index i; the loop bounds are not listed. */
282 entry->rule.mask[i] = rule->mask[i];
/* p points at the mask word selected by AUDIT_WORD(bit).
 * NOTE(review): the range of `bit` is set on lines not shown here; confirm it
 * keeps AUDIT_WORD(bit) inside the mask array. */
286 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
/* class[j] is OR-ed into the mask, so it adds bits without clearing any. */
296 entry->rule.mask[j] |= class[j];
/* The remaining lines are list-number dependent checks. Only the conditions
 * are listed, so the outcome of each is not visible in this excerpt. */
331 if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
332 entry->rule.listnr != AUDIT_FILTER_USER)
336 if (entry->rule.listnr != AUDIT_FILTER_FS)
340 if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT)
345 switch (entry->rule.listnr) {
448 /* Translate struct audit_rule_data to kernel's rule representation. */
/* NOTE(review): cross-reference excerpt. The enclosing function's signature
 * and the lines between these matches are not listed. Where str and f_val
 * come from is not visible; they look like a field's string value and its
 * length. TODO confirm against the full source. */
/* f walks the entry's field array by index i. */
466 struct audit_field *f = &entry->rule.fields[i];
482 entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
/* Records which field carries the arch value. */
512 entry->rule.arch_f = f;
/* buflen grows by f_val at each of the "buflen += f_val" lines below.
 * NOTE(review): the type and upper bound of f_val are not visible here;
 * confirm the running total cannot wrap. */
529 entry->rule.buflen += f_val;
536 pr_warn("audit rule for LSM \'%s\' is invalid\n",
/* Watch, tree and inode fields are handed to their own helpers; err receives
 * each helper's result. */
548 err = audit_to_watch(&entry->rule, str, f_val, f->op);
553 entry->rule.buflen += f_val;
561 err = audit_make_tree(&entry->rule, str, f->op);
565 entry->rule.buflen += f_val;
569 err = audit_to_inode(&entry->rule, f);
/* This branch is taken when a filter key is already set on the entry, or when
 * f_val exceeds AUDIT_MAX_KEY_LEN. Presumably it rejects the rule; the branch
 * body is not listed. */
574 if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN)
581 entry->rule.buflen += f_val;
582 entry->rule.filterkey = str;
/* The same pattern for the exe field: taken when an exe mark is already set
 * or when f_val exceeds PATH_MAX. */
585 if (entry->rule.exe || f_val > PATH_MAX)
592 audit_mark = audit_alloc_mark(&entry->rule, str, f_val);
598 entry->rule.buflen += f_val;
599 entry->rule.exe = audit_mark;
/* An inode field whose operator is Audit_not_equal is dropped from inode_f. */
607 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
608 entry->rule.inode_f = NULL;
/* Releases the tree reference and the exe mark taken above. This looks like
 * the error/cleanup path, but the label or condition is not listed. */
614 if (entry->rule.tree)
615 audit_put_tree(entry->rule.tree); /* that's the temporary one */
616 if (entry->rule.exe)
617 audit_remove_mark(entry->rule.exe); /* that's the template one */
633 /* Translate kernel rule representation to struct audit_rule_data. */
806 pr_warn("audit rule for LSM \'%s\' is invalid\n",
814 /* Duplicate an audit rule. This will be a deep copy with the exception
817 * rule with the new rule in the filterlist, then free the old rule.
832 new = &entry->rule;
847 * since we'd have to have rule gone from the list *and* removed
855 * the originals will all be freed when the old rule is freed. */
898 /* Find an existing audit rule.
899 * Caller must hold audit_filter_mutex to prevent stale rule data. */
/* NOTE(review): cross-reference excerpt; the function signature and the
 * lines between these matches are not listed. */
/* If the entry has an inode field, the lookup hashes that field's value. */
907 if (entry->rule.inode_f) {
908 h = audit_hash_ino(entry->rule.inode_f->val);
/* Otherwise an entry with a watch takes a separate path (body not listed). */
910 } else if (entry->rule.watch) {
/* A zero return from audit_compare_rule() selects this branch. */
915 if (!audit_compare_rule(&entry->rule, &e->rule)) {
/* listnr indexes audit_filter_list directly.
 * NOTE(review): this presumably relies on the list number having been
 * validated when the entry was built; no bounds check is visible here. */
922 *p = list = &audit_filter_list[entry->rule.listnr];
926 if (!audit_compare_rule(&entry->rule, &e->rule)) {
938 /* Add rule to given filterlist if not a duplicate. */
/* NOTE(review): cross-reference excerpt; the function signature, the
 * duplicate check and the locking around these lines are not listed. */
/* Local copies of the entry's watch and tree pointers. */
942 struct audit_watch *watch = entry->rule.watch;
943 struct audit_tree *tree = entry->rule.tree;
950 switch (entry->rule.listnr) {
/* Watch and tree rules are registered through their own helpers; err receives
 * each helper's result. */
971 err = audit_add_watch(&entry->rule, &list);
984 err = audit_add_tree_rule(&entry->rule);
/* prio starts at all-ones. For the EXIT and URING_EXIT lists it is then
 * replaced: ++prio_high when AUDIT_FILTER_PREPEND is set, and --prio_low on
 * the next listed line (presumably the else arm, which is not listed). */
991 entry->rule.prio = ~0ULL;
992 if (entry->rule.listnr == AUDIT_FILTER_EXIT ||
993 entry->rule.listnr == AUDIT_FILTER_URING_EXIT) {
994 if (entry->rule.flags & AUDIT_FILTER_PREPEND)
995 entry->rule.prio = ++prio_high;
997 entry->rule.prio = --prio_low;
/* With PREPEND set the rule is added at the head of audit_rules_list[listnr]
 * and the flag is then cleared on the stored rule. The list_add_tail() call
 * is presumably the non-PREPEND arm. */
1000 if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
1001 list_add(&entry->rule.list,
1002 &audit_rules_list[entry->rule.listnr]);
1004 entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
1006 list_add_tail(&entry->rule.list,
1007 &audit_rules_list[entry->rule.listnr]);
1022 /* Remove an existing rule from filterlist. */
/* NOTE(review): cross-reference excerpt; the function signature and how `e`
 * is looked up are not listed. */
1026 struct audit_tree *tree = entry->rule.tree;
1033 switch (entry->rule.listnr) {
/* Teardown is done on e, not on the caller's entry. Each attached object
 * (watch, tree, exe mark) is detached through its own helper, but only when
 * it is set. */
1048 if (e->rule.watch)
1049 audit_remove_watch_rule(&e->rule);
1051 if (e->rule.tree)
1052 audit_remove_tree_rule(&e->rule);
1054 if (e->rule.exe)
1055 audit_remove_mark_rule(&e->rule);
/* Unlinks e's rule from the list it is threaded on via rule.list. */
1066 list_del(&e->rule.list);
1107 /* Log rule additions and removals */
/* NOTE(review): cross-reference excerpt; how the audit buffer `ab` is
 * obtained and ended is on lines not listed. */
1108 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
/* The record carries the rule's filter key, then its list number and the
 * result flag. */
1121 audit_log_key(ab, rule->filterkey);
1122 audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
/* Call sites: both add and remove log the change with res = !err, so a
 * failed attempt is logged with res=0. */
1144 audit_log_rule_change("add_rule", &entry->rule, !err);
1151 audit_log_rule_change("remove_rule", &entry->rule, !err);
/* Drops the entry's exe mark if one was set; the surrounding condition is
 * not listed. */
1159 if (entry->rule.exe)
1160 audit_remove_mark(entry->rule.exe);
1339 for (i = 0; i < e->rule.field_count; i++) {
1340 struct audit_field *f = &e->rule.fields[i];
1378 result = audit_exe_compare(current, e->rule.exe);
1391 if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE)
1403 struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1411 if (entry->rule.exe)
1412 audit_remove_mark(entry->rule.exe);
1424 list_replace_init(&r->rlist, &nentry->rule.rlist);
1426 list_replace(&r->list, &nentry->rule.list);
1435 * specific filter fields. When such a rule is found, it is copied, the
1436 * LSM field is re-initialized, and the old rule is replaced with the
1437 * updated rule. */