1/* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22#include <linux/kernel.h> 23#include <linux/audit.h> 24#include <linux/kthread.h> 25#include <linux/mutex.h> 26#include <linux/fs.h> 27#include <linux/namei.h> 28#include <linux/netlink.h> 29#include <linux/sched.h> 30#include <linux/slab.h> 31#include <linux/security.h> 32#include "audit.h" 33 34/* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * LSM rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47/* Audit filter lists, defined in <linux/audit.h> */ 48struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 49 LIST_HEAD_INIT(audit_filter_list[0]), 50 LIST_HEAD_INIT(audit_filter_list[1]), 51 LIST_HEAD_INIT(audit_filter_list[2]), 52 LIST_HEAD_INIT(audit_filter_list[3]), 53 LIST_HEAD_INIT(audit_filter_list[4]), 54 LIST_HEAD_INIT(audit_filter_list[5]), 55#if AUDIT_NR_FILTERS != 6 56#error Fix audit_filter_list initialiser 57#endif 58}; 59static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 60 LIST_HEAD_INIT(audit_rules_list[0]), 61 LIST_HEAD_INIT(audit_rules_list[1]), 62 LIST_HEAD_INIT(audit_rules_list[2]), 63 LIST_HEAD_INIT(audit_rules_list[3]), 64 LIST_HEAD_INIT(audit_rules_list[4]), 65 LIST_HEAD_INIT(audit_rules_list[5]), 66}; 67 68DEFINE_MUTEX(audit_filter_mutex); 69 70static inline void audit_free_rule(struct audit_entry *e) 71{ 72 int i; 73 struct audit_krule *erule = &e->rule; 74 75 /* some rules don't have associated watches */ 76 if (erule->watch) 77 audit_put_watch(erule->watch); 78 if (erule->fields) 79 for (i = 0; i < erule->field_count; i++) { 80 struct audit_field *f = &erule->fields[i]; 81 kfree(f->lsm_str); 82 security_audit_rule_free(f->lsm_rule); 83 } 84 kfree(erule->fields); 85 kfree(erule->filterkey); 86 kfree(e); 87} 88 89void audit_free_rule_rcu(struct rcu_head *head) 90{ 91 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 92 audit_free_rule(e); 93} 94 95/* Initialize an audit filterlist entry. */ 96static inline struct audit_entry *audit_init_entry(u32 field_count) 97{ 98 struct audit_entry *entry; 99 struct audit_field *fields; 100 101 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 102 if (unlikely(!entry)) 103 return NULL; 104 105 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 106 if (unlikely(!fields)) { 107 kfree(entry); 108 return NULL; 109 } 110 entry->rule.fields = fields; 111 112 return entry; 113} 114 115/* Unpack a filter field's string representation from user-space 116 * buffer. */ 117char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 118{ 119 char *str; 120 121 if (!*bufp || (len == 0) || (len > *remain)) 122 return ERR_PTR(-EINVAL); 123 124 /* Of the currently implemented string fields, PATH_MAX 125 * defines the longest valid length. 126 */ 127 if (len > PATH_MAX) 128 return ERR_PTR(-ENAMETOOLONG); 129 130 str = kmalloc(len + 1, GFP_KERNEL); 131 if (unlikely(!str)) 132 return ERR_PTR(-ENOMEM); 133 134 memcpy(str, *bufp, len); 135 str[len] = 0; 136 *bufp += len; 137 *remain -= len; 138 139 return str; 140} 141 142/* Translate an inode field to kernel respresentation. */ 143static inline int audit_to_inode(struct audit_krule *krule, 144 struct audit_field *f) 145{ 146 if (krule->listnr != AUDIT_FILTER_EXIT || 147 krule->watch || krule->inode_f || krule->tree || 148 (f->op != Audit_equal && f->op != Audit_not_equal)) 149 return -EINVAL; 150 151 krule->inode_f = f; 152 return 0; 153} 154 155static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 156 157int __init audit_register_class(int class, unsigned *list) 158{ 159 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 160 if (!p) 161 return -ENOMEM; 162 while (*list != ~0U) { 163 unsigned n = *list++; 164 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 165 kfree(p); 166 return -EINVAL; 167 } 168 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 169 } 170 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 171 kfree(p); 172 return -EINVAL; 173 } 174 classes[class] = p; 175 return 0; 176} 177 178int audit_match_class(int class, unsigned syscall) 179{ 180 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 181 return 0; 182 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 183 return 0; 184 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 185} 186 187#ifdef CONFIG_AUDITSYSCALL 188static inline int audit_match_class_bits(int class, u32 *mask) 189{ 190 int i; 191 192 if (classes[class]) { 193 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 194 if (mask[i] & classes[class][i]) 195 return 0; 196 } 197 return 1; 198} 199 200static int audit_match_signal(struct audit_entry *entry) 201{ 202 struct audit_field *arch = entry->rule.arch_f; 203 204 if (!arch) { 205 /* When arch is unspecified, we must check both masks on biarch 206 * as syscall number alone is ambiguous. */ 207 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 208 entry->rule.mask) && 209 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 210 entry->rule.mask)); 211 } 212 213 switch(audit_classify_arch(arch->val)) { 214 case 0: /* native */ 215 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 216 entry->rule.mask)); 217 case 1: /* 32bit on biarch */ 218 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 219 entry->rule.mask)); 220 default: 221 return 1; 222 } 223} 224#endif 225 226/* Common user-space to kernel rule translation. */ 227static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 228{ 229 unsigned listnr; 230 struct audit_entry *entry; 231 int i, err; 232 233 err = -EINVAL; 234 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 235 switch(listnr) { 236 default: 237 goto exit_err; 238 case AUDIT_FILTER_USER: 239 case AUDIT_FILTER_TYPE: 240#ifdef CONFIG_AUDITSYSCALL 241 case AUDIT_FILTER_ENTRY: 242 case AUDIT_FILTER_EXIT: 243 case AUDIT_FILTER_TASK: 244#endif 245 ; 246 } 247 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 248 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 249 goto exit_err; 250 } 251 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 252 goto exit_err; 253 if (rule->field_count > AUDIT_MAX_FIELDS) 254 goto exit_err; 255 256 err = -ENOMEM; 257 entry = audit_init_entry(rule->field_count); 258 if (!entry) 259 goto exit_err; 260 261 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 262 entry->rule.listnr = listnr; 263 entry->rule.action = rule->action; 264 entry->rule.field_count = rule->field_count; 265 266 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 267 entry->rule.mask[i] = rule->mask[i]; 268 269 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 270 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 271 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 272 __u32 *class; 273 274 if (!(*p & AUDIT_BIT(bit))) 275 continue; 276 *p &= ~AUDIT_BIT(bit); 277 class = classes[i]; 278 if (class) { 279 int j; 280 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 281 entry->rule.mask[j] |= class[j]; 282 } 283 } 284 285 return entry; 286 287exit_err: 288 return ERR_PTR(err); 289} 290 291static u32 audit_ops[] = 292{ 293 [Audit_equal] = AUDIT_EQUAL, 294 [Audit_not_equal] = AUDIT_NOT_EQUAL, 295 [Audit_bitmask] = AUDIT_BIT_MASK, 296 [Audit_bittest] = AUDIT_BIT_TEST, 297 [Audit_lt] = AUDIT_LESS_THAN, 298 [Audit_gt] = AUDIT_GREATER_THAN, 299 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 300 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 301}; 302 303static u32 audit_to_op(u32 op) 304{ 305 u32 n; 306 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 307 ; 308 return n; 309} 310 311 312/* Translate struct audit_rule to kernel's rule respresentation. 313 * Exists for backward compatibility with userspace. */ 314static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 315{ 316 struct audit_entry *entry; 317 int err = 0; 318 int i; 319 320 entry = audit_to_entry_common(rule); 321 if (IS_ERR(entry)) 322 goto exit_nofree; 323 324 for (i = 0; i < rule->field_count; i++) { 325 struct audit_field *f = &entry->rule.fields[i]; 326 u32 n; 327 328 n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 329 330 /* Support for legacy operators where 331 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 332 if (n & AUDIT_NEGATE) 333 f->op = Audit_not_equal; 334 else if (!n) 335 f->op = Audit_equal; 336 else 337 f->op = audit_to_op(n); 338 339 entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; 340 341 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 342 f->val = rule->values[i]; 343 344 err = -EINVAL; 345 if (f->op == Audit_bad) 346 goto exit_free; 347 348 switch(f->type) { 349 default: 350 goto exit_free; 351 case AUDIT_PID: 352 case AUDIT_UID: 353 case AUDIT_EUID: 354 case AUDIT_SUID: 355 case AUDIT_FSUID: 356 case AUDIT_GID: 357 case AUDIT_EGID: 358 case AUDIT_SGID: 359 case AUDIT_FSGID: 360 case AUDIT_LOGINUID: 361 case AUDIT_PERS: 362 case AUDIT_MSGTYPE: 363 case AUDIT_PPID: 364 case AUDIT_DEVMAJOR: 365 case AUDIT_DEVMINOR: 366 case AUDIT_EXIT: 367 case AUDIT_SUCCESS: 368 /* bit ops are only useful on syscall args */ 369 if (f->op == Audit_bitmask || f->op == Audit_bittest) 370 goto exit_free; 371 break; 372 case AUDIT_ARG0: 373 case AUDIT_ARG1: 374 case AUDIT_ARG2: 375 case AUDIT_ARG3: 376 break; 377 /* arch is only allowed to be = or != */ 378 case AUDIT_ARCH: 379 if (f->op != Audit_not_equal && f->op != Audit_equal) 380 goto exit_free; 381 entry->rule.arch_f = f; 382 break; 383 case AUDIT_PERM: 384 if (f->val & ~15) 385 goto exit_free; 386 break; 387 case AUDIT_FILETYPE: 388 if ((f->val & ~S_IFMT) > S_IFMT) 389 goto exit_free; 390 break; 391 case AUDIT_INODE: 392 err = audit_to_inode(&entry->rule, f); 393 if (err) 394 goto exit_free; 395 break; 396 } 397 } 398 399 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 400 entry->rule.inode_f = NULL; 401 402exit_nofree: 403 return entry; 404 405exit_free: 406 audit_free_rule(entry); 407 return ERR_PTR(err); 408} 409 410/* Translate struct audit_rule_data to kernel's rule respresentation. */ 411static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 412 size_t datasz) 413{ 414 int err = 0; 415 struct audit_entry *entry; 416 void *bufp; 417 size_t remain = datasz - sizeof(struct audit_rule_data); 418 int i; 419 char *str; 420 421 entry = audit_to_entry_common((struct audit_rule *)data); 422 if (IS_ERR(entry)) 423 goto exit_nofree; 424 425 bufp = data->buf; 426 entry->rule.vers_ops = 2; 427 for (i = 0; i < data->field_count; i++) { 428 struct audit_field *f = &entry->rule.fields[i]; 429 430 err = -EINVAL; 431 432 f->op = audit_to_op(data->fieldflags[i]); 433 if (f->op == Audit_bad) 434 goto exit_free; 435 436 f->type = data->fields[i]; 437 f->val = data->values[i]; 438 f->lsm_str = NULL; 439 f->lsm_rule = NULL; 440 switch(f->type) { 441 case AUDIT_PID: 442 case AUDIT_UID: 443 case AUDIT_EUID: 444 case AUDIT_SUID: 445 case AUDIT_FSUID: 446 case AUDIT_GID: 447 case AUDIT_EGID: 448 case AUDIT_SGID: 449 case AUDIT_FSGID: 450 case AUDIT_LOGINUID: 451 case AUDIT_PERS: 452 case AUDIT_MSGTYPE: 453 case AUDIT_PPID: 454 case AUDIT_DEVMAJOR: 455 case AUDIT_DEVMINOR: 456 case AUDIT_EXIT: 457 case AUDIT_SUCCESS: 458 case AUDIT_ARG0: 459 case AUDIT_ARG1: 460 case AUDIT_ARG2: 461 case AUDIT_ARG3: 462 break; 463 case AUDIT_ARCH: 464 entry->rule.arch_f = f; 465 break; 466 case AUDIT_SUBJ_USER: 467 case AUDIT_SUBJ_ROLE: 468 case AUDIT_SUBJ_TYPE: 469 case AUDIT_SUBJ_SEN: 470 case AUDIT_SUBJ_CLR: 471 case AUDIT_OBJ_USER: 472 case AUDIT_OBJ_ROLE: 473 case AUDIT_OBJ_TYPE: 474 case AUDIT_OBJ_LEV_LOW: 475 case AUDIT_OBJ_LEV_HIGH: 476 str = audit_unpack_string(&bufp, &remain, f->val); 477 if (IS_ERR(str)) 478 goto exit_free; 479 entry->rule.buflen += f->val; 480 481 err = security_audit_rule_init(f->type, f->op, str, 482 (void **)&f->lsm_rule); 483 /* Keep currently invalid fields around in case they 484 * become valid after a policy reload. */ 485 if (err == -EINVAL) { 486 printk(KERN_WARNING "audit rule for LSM " 487 "\'%s\' is invalid\n", str); 488 err = 0; 489 } 490 if (err) { 491 kfree(str); 492 goto exit_free; 493 } else 494 f->lsm_str = str; 495 break; 496 case AUDIT_WATCH: 497 str = audit_unpack_string(&bufp, &remain, f->val); 498 if (IS_ERR(str)) 499 goto exit_free; 500 entry->rule.buflen += f->val; 501 502 err = audit_to_watch(&entry->rule, str, f->val, f->op); 503 if (err) { 504 kfree(str); 505 goto exit_free; 506 } 507 break; 508 case AUDIT_DIR: 509 str = audit_unpack_string(&bufp, &remain, f->val); 510 if (IS_ERR(str)) 511 goto exit_free; 512 entry->rule.buflen += f->val; 513 514 err = audit_make_tree(&entry->rule, str, f->op); 515 kfree(str); 516 if (err) 517 goto exit_free; 518 break; 519 case AUDIT_INODE: 520 err = audit_to_inode(&entry->rule, f); 521 if (err) 522 goto exit_free; 523 break; 524 case AUDIT_FILTERKEY: 525 err = -EINVAL; 526 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 527 goto exit_free; 528 str = audit_unpack_string(&bufp, &remain, f->val); 529 if (IS_ERR(str)) 530 goto exit_free; 531 entry->rule.buflen += f->val; 532 entry->rule.filterkey = str; 533 break; 534 case AUDIT_PERM: 535 if (f->val & ~15) 536 goto exit_free; 537 break; 538 case AUDIT_FILETYPE: 539 if ((f->val & ~S_IFMT) > S_IFMT) 540 goto exit_free; 541 break; 542 default: 543 goto exit_free; 544 } 545 } 546 547 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 548 entry->rule.inode_f = NULL; 549 550exit_nofree: 551 return entry; 552 553exit_free: 554 audit_free_rule(entry); 555 return ERR_PTR(err); 556} 557 558/* Pack a filter field's string representation into data block. */ 559static inline size_t audit_pack_string(void **bufp, const char *str) 560{ 561 size_t len = strlen(str); 562 563 memcpy(*bufp, str, len); 564 *bufp += len; 565 566 return len; 567} 568 569/* Translate kernel rule respresentation to struct audit_rule. 570 * Exists for backward compatibility with userspace. */ 571static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 572{ 573 struct audit_rule *rule; 574 int i; 575 576 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 577 if (unlikely(!rule)) 578 return NULL; 579 580 rule->flags = krule->flags | krule->listnr; 581 rule->action = krule->action; 582 rule->field_count = krule->field_count; 583 for (i = 0; i < rule->field_count; i++) { 584 rule->values[i] = krule->fields[i].val; 585 rule->fields[i] = krule->fields[i].type; 586 587 if (krule->vers_ops == 1) { 588 if (krule->fields[i].op == Audit_not_equal) 589 rule->fields[i] |= AUDIT_NEGATE; 590 } else { 591 rule->fields[i] |= audit_ops[krule->fields[i].op]; 592 } 593 } 594 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 595 596 return rule; 597} 598 599/* Translate kernel rule respresentation to struct audit_rule_data. */ 600static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 601{ 602 struct audit_rule_data *data; 603 void *bufp; 604 int i; 605 606 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 607 if (unlikely(!data)) 608 return NULL; 609 memset(data, 0, sizeof(*data)); 610 611 data->flags = krule->flags | krule->listnr; 612 data->action = krule->action; 613 data->field_count = krule->field_count; 614 bufp = data->buf; 615 for (i = 0; i < data->field_count; i++) { 616 struct audit_field *f = &krule->fields[i]; 617 618 data->fields[i] = f->type; 619 data->fieldflags[i] = audit_ops[f->op]; 620 switch(f->type) { 621 case AUDIT_SUBJ_USER: 622 case AUDIT_SUBJ_ROLE: 623 case AUDIT_SUBJ_TYPE: 624 case AUDIT_SUBJ_SEN: 625 case AUDIT_SUBJ_CLR: 626 case AUDIT_OBJ_USER: 627 case AUDIT_OBJ_ROLE: 628 case AUDIT_OBJ_TYPE: 629 case AUDIT_OBJ_LEV_LOW: 630 case AUDIT_OBJ_LEV_HIGH: 631 data->buflen += data->values[i] = 632 audit_pack_string(&bufp, f->lsm_str); 633 break; 634 case AUDIT_WATCH: 635 data->buflen += data->values[i] = 636 audit_pack_string(&bufp, 637 audit_watch_path(krule->watch)); 638 break; 639 case AUDIT_DIR: 640 data->buflen += data->values[i] = 641 audit_pack_string(&bufp, 642 audit_tree_path(krule->tree)); 643 break; 644 case AUDIT_FILTERKEY: 645 data->buflen += data->values[i] = 646 audit_pack_string(&bufp, krule->filterkey); 647 break; 648 default: 649 data->values[i] = f->val; 650 } 651 } 652 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 653 654 return data; 655} 656 657/* Compare two rules in kernel format. Considered success if rules 658 * don't match. */ 659static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 660{ 661 int i; 662 663 if (a->flags != b->flags || 664 a->listnr != b->listnr || 665 a->action != b->action || 666 a->field_count != b->field_count) 667 return 1; 668 669 for (i = 0; i < a->field_count; i++) { 670 if (a->fields[i].type != b->fields[i].type || 671 a->fields[i].op != b->fields[i].op) 672 return 1; 673 674 switch(a->fields[i].type) { 675 case AUDIT_SUBJ_USER: 676 case AUDIT_SUBJ_ROLE: 677 case AUDIT_SUBJ_TYPE: 678 case AUDIT_SUBJ_SEN: 679 case AUDIT_SUBJ_CLR: 680 case AUDIT_OBJ_USER: 681 case AUDIT_OBJ_ROLE: 682 case AUDIT_OBJ_TYPE: 683 case AUDIT_OBJ_LEV_LOW: 684 case AUDIT_OBJ_LEV_HIGH: 685 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 686 return 1; 687 break; 688 case AUDIT_WATCH: 689 if (strcmp(audit_watch_path(a->watch), 690 audit_watch_path(b->watch))) 691 return 1; 692 break; 693 case AUDIT_DIR: 694 if (strcmp(audit_tree_path(a->tree), 695 audit_tree_path(b->tree))) 696 return 1; 697 break; 698 case AUDIT_FILTERKEY: 699 /* both filterkeys exist based on above type compare */ 700 if (strcmp(a->filterkey, b->filterkey)) 701 return 1; 702 break; 703 default: 704 if (a->fields[i].val != b->fields[i].val) 705 return 1; 706 } 707 } 708 709 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 710 if (a->mask[i] != b->mask[i]) 711 return 1; 712 713 return 0; 714} 715 716/* Duplicate LSM field information. The lsm_rule is opaque, so must be 717 * re-initialized. */ 718static inline int audit_dupe_lsm_field(struct audit_field *df, 719 struct audit_field *sf) 720{ 721 int ret = 0; 722 char *lsm_str; 723 724 /* our own copy of lsm_str */ 725 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 726 if (unlikely(!lsm_str)) 727 return -ENOMEM; 728 df->lsm_str = lsm_str; 729 730 /* our own (refreshed) copy of lsm_rule */ 731 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 732 (void **)&df->lsm_rule); 733 /* Keep currently invalid fields around in case they 734 * become valid after a policy reload. */ 735 if (ret == -EINVAL) { 736 printk(KERN_WARNING "audit rule for LSM \'%s\' is " 737 "invalid\n", df->lsm_str); 738 ret = 0; 739 } 740 741 return ret; 742} 743 744/* Duplicate an audit rule. This will be a deep copy with the exception 745 * of the watch - that pointer is carried over. The LSM specific fields 746 * will be updated in the copy. The point is to be able to replace the old 747 * rule with the new rule in the filterlist, then free the old rule. 748 * The rlist element is undefined; list manipulations are handled apart from 749 * the initial copy. */ 750struct audit_entry *audit_dupe_rule(struct audit_krule *old) 751{ 752 u32 fcount = old->field_count; 753 struct audit_entry *entry; 754 struct audit_krule *new; 755 char *fk; 756 int i, err = 0; 757 758 entry = audit_init_entry(fcount); 759 if (unlikely(!entry)) 760 return ERR_PTR(-ENOMEM); 761 762 new = &entry->rule; 763 new->vers_ops = old->vers_ops; 764 new->flags = old->flags; 765 new->listnr = old->listnr; 766 new->action = old->action; 767 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 768 new->mask[i] = old->mask[i]; 769 new->prio = old->prio; 770 new->buflen = old->buflen; 771 new->inode_f = old->inode_f; 772 new->field_count = old->field_count; 773 774 /* 775 * note that we are OK with not refcounting here; audit_match_tree() 776 * never dereferences tree and we can't get false positives there 777 * since we'd have to have rule gone from the list *and* removed 778 * before the chunks found by lookup had been allocated, i.e. before 779 * the beginning of list scan. 780 */ 781 new->tree = old->tree; 782 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 783 784 /* deep copy this information, updating the lsm_rule fields, because 785 * the originals will all be freed when the old rule is freed. */ 786 for (i = 0; i < fcount; i++) { 787 switch (new->fields[i].type) { 788 case AUDIT_SUBJ_USER: 789 case AUDIT_SUBJ_ROLE: 790 case AUDIT_SUBJ_TYPE: 791 case AUDIT_SUBJ_SEN: 792 case AUDIT_SUBJ_CLR: 793 case AUDIT_OBJ_USER: 794 case AUDIT_OBJ_ROLE: 795 case AUDIT_OBJ_TYPE: 796 case AUDIT_OBJ_LEV_LOW: 797 case AUDIT_OBJ_LEV_HIGH: 798 err = audit_dupe_lsm_field(&new->fields[i], 799 &old->fields[i]); 800 break; 801 case AUDIT_FILTERKEY: 802 fk = kstrdup(old->filterkey, GFP_KERNEL); 803 if (unlikely(!fk)) 804 err = -ENOMEM; 805 else 806 new->filterkey = fk; 807 } 808 if (err) { 809 audit_free_rule(entry); 810 return ERR_PTR(err); 811 } 812 } 813 814 if (old->watch) { 815 audit_get_watch(old->watch); 816 new->watch = old->watch; 817 } 818 819 return entry; 820} 821 822/* Find an existing audit rule. 823 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 824static struct audit_entry *audit_find_rule(struct audit_entry *entry, 825 struct list_head **p) 826{ 827 struct audit_entry *e, *found = NULL; 828 struct list_head *list; 829 int h; 830 831 if (entry->rule.inode_f) { 832 h = audit_hash_ino(entry->rule.inode_f->val); 833 *p = list = &audit_inode_hash[h]; 834 } else if (entry->rule.watch) { 835 /* we don't know the inode number, so must walk entire hash */ 836 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 837 list = &audit_inode_hash[h]; 838 list_for_each_entry(e, list, list) 839 if (!audit_compare_rule(&entry->rule, &e->rule)) { 840 found = e; 841 goto out; 842 } 843 } 844 goto out; 845 } else { 846 *p = list = &audit_filter_list[entry->rule.listnr]; 847 } 848 849 list_for_each_entry(e, list, list) 850 if (!audit_compare_rule(&entry->rule, &e->rule)) { 851 found = e; 852 goto out; 853 } 854 855out: 856 return found; 857} 858 859static u64 prio_low = ~0ULL/2; 860static u64 prio_high = ~0ULL/2 - 1; 861 862/* Add rule to given filterlist if not a duplicate. */ 863static inline int audit_add_rule(struct audit_entry *entry) 864{ 865 struct audit_entry *e; 866 struct audit_watch *watch = entry->rule.watch; 867 struct audit_tree *tree = entry->rule.tree; 868 struct list_head *list; 869 int err; 870#ifdef CONFIG_AUDITSYSCALL 871 int dont_count = 0; 872 873 /* If either of these, don't count towards total */ 874 if (entry->rule.listnr == AUDIT_FILTER_USER || 875 entry->rule.listnr == AUDIT_FILTER_TYPE) 876 dont_count = 1; 877#endif 878 879 mutex_lock(&audit_filter_mutex); 880 e = audit_find_rule(entry, &list); 881 if (e) { 882 mutex_unlock(&audit_filter_mutex); 883 err = -EEXIST; 884 /* normally audit_add_tree_rule() will free it on failure */ 885 if (tree) 886 audit_put_tree(tree); 887 goto error; 888 } 889 890 if (watch) { 891 /* audit_filter_mutex is dropped and re-taken during this call */ 892 err = audit_add_watch(&entry->rule, &list); 893 if (err) { 894 mutex_unlock(&audit_filter_mutex); 895 goto error; 896 } 897 } 898 if (tree) { 899 err = audit_add_tree_rule(&entry->rule); 900 if (err) { 901 mutex_unlock(&audit_filter_mutex); 902 goto error; 903 } 904 } 905 906 entry->rule.prio = ~0ULL; 907 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 908 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 909 entry->rule.prio = ++prio_high; 910 else 911 entry->rule.prio = --prio_low; 912 } 913 914 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 915 list_add(&entry->rule.list, 916 &audit_rules_list[entry->rule.listnr]); 917 list_add_rcu(&entry->list, list); 918 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 919 } else { 920 list_add_tail(&entry->rule.list, 921 &audit_rules_list[entry->rule.listnr]); 922 list_add_tail_rcu(&entry->list, list); 923 } 924#ifdef CONFIG_AUDITSYSCALL 925 if (!dont_count) 926 audit_n_rules++; 927 928 if (!audit_match_signal(entry)) 929 audit_signals++; 930#endif 931 mutex_unlock(&audit_filter_mutex); 932 933 return 0; 934 935error: 936 if (watch) 937 audit_put_watch(watch); /* tmp watch, matches initial get */ 938 return err; 939} 940 941/* Remove an existing rule from filterlist. */ 942static inline int audit_del_rule(struct audit_entry *entry) 943{ 944 struct audit_entry *e; 945 struct audit_watch *watch = entry->rule.watch; 946 struct audit_tree *tree = entry->rule.tree; 947 struct list_head *list; 948 int ret = 0; 949#ifdef CONFIG_AUDITSYSCALL 950 int dont_count = 0; 951 952 /* If either of these, don't count towards total */ 953 if (entry->rule.listnr == AUDIT_FILTER_USER || 954 entry->rule.listnr == AUDIT_FILTER_TYPE) 955 dont_count = 1; 956#endif 957 958 mutex_lock(&audit_filter_mutex); 959 e = audit_find_rule(entry, &list); 960 if (!e) { 961 mutex_unlock(&audit_filter_mutex); 962 ret = -ENOENT; 963 goto out; 964 } 965 966 if (e->rule.watch) 967 audit_remove_watch_rule(&e->rule); 968 969 if (e->rule.tree) 970 audit_remove_tree_rule(&e->rule); 971 972 list_del_rcu(&e->list); 973 list_del(&e->rule.list); 974 call_rcu(&e->rcu, audit_free_rule_rcu); 975 976#ifdef CONFIG_AUDITSYSCALL 977 if (!dont_count) 978 audit_n_rules--; 979 980 if (!audit_match_signal(entry)) 981 audit_signals--; 982#endif 983 mutex_unlock(&audit_filter_mutex); 984 985out: 986 if (watch) 987 audit_put_watch(watch); /* match initial get */ 988 if (tree) 989 audit_put_tree(tree); /* that's the temporary one */ 990 991 return ret; 992} 993 994/* List rules using struct audit_rule. Exists for backward 995 * compatibility with userspace. */ 996static void audit_list(int pid, int seq, struct sk_buff_head *q) 997{ 998 struct sk_buff *skb; 999 struct audit_krule *r; 1000 int i; 1001 1002 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1003 * iterator to sync with list writers. */ 1004 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1005 list_for_each_entry(r, &audit_rules_list[i], list) { 1006 struct audit_rule *rule; 1007 1008 rule = audit_krule_to_rule(r); 1009 if (unlikely(!rule)) 1010 break; 1011 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1012 rule, sizeof(*rule)); 1013 if (skb) 1014 skb_queue_tail(q, skb); 1015 kfree(rule); 1016 } 1017 } 1018 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1019 if (skb) 1020 skb_queue_tail(q, skb); 1021} 1022 1023/* List rules using struct audit_rule_data. */ 1024static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1025{ 1026 struct sk_buff *skb; 1027 struct audit_krule *r; 1028 int i; 1029 1030 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1031 * iterator to sync with list writers. */ 1032 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1033 list_for_each_entry(r, &audit_rules_list[i], list) { 1034 struct audit_rule_data *data; 1035 1036 data = audit_krule_to_data(r); 1037 if (unlikely(!data)) 1038 break; 1039 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1040 data, sizeof(*data) + data->buflen); 1041 if (skb) 1042 skb_queue_tail(q, skb); 1043 kfree(data); 1044 } 1045 } 1046 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1047 if (skb) 1048 skb_queue_tail(q, skb); 1049} 1050 1051/* Log rule additions and removals */ 1052static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, 1053 char *action, struct audit_krule *rule, 1054 int res) 1055{ 1056 struct audit_buffer *ab; 1057 1058 if (!audit_enabled) 1059 return; 1060 1061 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1062 if (!ab) 1063 return; 1064 audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); 1065 if (sid) { 1066 char *ctx = NULL; 1067 u32 len; 1068 if (security_secid_to_secctx(sid, &ctx, &len)) 1069 audit_log_format(ab, " ssid=%u", sid); 1070 else { 1071 audit_log_format(ab, " subj=%s", ctx); 1072 security_release_secctx(ctx, len); 1073 } 1074 } 1075 audit_log_format(ab, " op="); 1076 audit_log_string(ab, action); 1077 audit_log_key(ab, rule->filterkey); 1078 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1079 audit_log_end(ab); 1080} 1081 1082/** 1083 * audit_receive_filter - apply all rules to the specified message type 1084 * @type: audit message type 1085 * @pid: target pid for netlink audit messages 1086 * @uid: target uid for netlink audit messages 1087 * @seq: netlink audit message sequence (serial) number 1088 * @data: payload data 1089 * @datasz: size of payload data 1090 * @loginuid: loginuid of sender 1091 * @sessionid: sessionid for netlink audit message 1092 * @sid: SE Linux Security ID of sender 1093 */ 1094int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1095 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) 1096{ 1097 struct task_struct *tsk; 1098 struct audit_netlink_list *dest; 1099 int err = 0; 1100 struct audit_entry *entry; 1101 1102 switch (type) { 1103 case AUDIT_LIST: 1104 case AUDIT_LIST_RULES: 1105 /* We can't just spew out the rules here because we might fill 1106 * the available socket buffer space and deadlock waiting for 1107 * auditctl to read from it... which isn't ever going to 1108 * happen if we're actually running in the context of auditctl 1109 * trying to _send_ the stuff */ 1110 1111 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1112 if (!dest) 1113 return -ENOMEM; 1114 dest->pid = pid; 1115 skb_queue_head_init(&dest->q); 1116 1117 mutex_lock(&audit_filter_mutex); 1118 if (type == AUDIT_LIST) 1119 audit_list(pid, seq, &dest->q); 1120 else 1121 audit_list_rules(pid, seq, &dest->q); 1122 mutex_unlock(&audit_filter_mutex); 1123 1124 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1125 if (IS_ERR(tsk)) { 1126 skb_queue_purge(&dest->q); 1127 kfree(dest); 1128 err = PTR_ERR(tsk); 1129 } 1130 break; 1131 case AUDIT_ADD: 1132 case AUDIT_ADD_RULE: 1133 if (type == AUDIT_ADD) 1134 entry = audit_rule_to_entry(data); 1135 else 1136 entry = audit_data_to_entry(data, datasz); 1137 if (IS_ERR(entry)) 1138 return PTR_ERR(entry); 1139 1140 err = audit_add_rule(entry); 1141 audit_log_rule_change(loginuid, sessionid, sid, "add rule", 1142 &entry->rule, !err); 1143 1144 if (err) 1145 audit_free_rule(entry); 1146 break; 1147 case AUDIT_DEL: 1148 case AUDIT_DEL_RULE: 1149 if (type == AUDIT_DEL) 1150 entry = audit_rule_to_entry(data); 1151 else 1152 entry = audit_data_to_entry(data, datasz); 1153 if (IS_ERR(entry)) 1154 return PTR_ERR(entry); 1155 1156 err = audit_del_rule(entry); 1157 audit_log_rule_change(loginuid, sessionid, sid, "remove rule", 1158 &entry->rule, !err); 1159 1160 audit_free_rule(entry); 1161 break; 1162 default: 1163 return -EINVAL; 1164 } 1165 1166 return err; 1167} 1168 1169int audit_comparator(u32 left, u32 op, u32 right) 1170{ 1171 switch (op) { 1172 case Audit_equal: 1173 return (left == right); 1174 case Audit_not_equal: 1175 return (left != right); 1176 case Audit_lt: 1177 return (left < right); 1178 case Audit_le: 1179 return (left <= right); 1180 case Audit_gt: 1181 return (left > right); 1182 case Audit_ge: 1183 return (left >= right); 1184 case Audit_bitmask: 1185 return (left & right); 1186 case Audit_bittest: 1187 return ((left & right) == right); 1188 default: 1189 BUG(); 1190 return 0; 1191 } 1192} 1193 1194/* Compare given dentry name with last component in given path, 1195 * return of 0 indicates a match. */ 1196int audit_compare_dname_path(const char *dname, const char *path, 1197 int *dirlen) 1198{ 1199 int dlen, plen; 1200 const char *p; 1201 1202 if (!dname || !path) 1203 return 1; 1204 1205 dlen = strlen(dname); 1206 plen = strlen(path); 1207 if (plen < dlen) 1208 return 1; 1209 1210 /* disregard trailing slashes */ 1211 p = path + plen - 1; 1212 while ((*p == '/') && (p > path)) 1213 p--; 1214 1215 /* find last path component */ 1216 p = p - dlen + 1; 1217 if (p < path) 1218 return 1; 1219 else if (p > path) { 1220 if (*--p != '/') 1221 return 1; 1222 else 1223 p++; 1224 } 1225 1226 /* return length of path's directory component */ 1227 if (dirlen) 1228 *dirlen = p - path; 1229 return strncmp(p, dname, dlen); 1230} 1231 1232static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1233 struct audit_krule *rule, 1234 enum audit_state *state) 1235{ 1236 int i; 1237 1238 for (i = 0; i < rule->field_count; i++) { 1239 struct audit_field *f = &rule->fields[i]; 1240 int result = 0; 1241 1242 switch (f->type) { 1243 case AUDIT_PID: 1244 result = audit_comparator(cb->creds.pid, f->op, f->val); 1245 break; 1246 case AUDIT_UID: 1247 result = audit_comparator(cb->creds.uid, f->op, f->val); 1248 break; 1249 case AUDIT_GID: 1250 result = audit_comparator(cb->creds.gid, f->op, f->val); 1251 break; 1252 case AUDIT_LOGINUID: 1253 result = audit_comparator(cb->loginuid, f->op, f->val); 1254 break; 1255 } 1256 1257 if (!result) 1258 return 0; 1259 } 1260 switch (rule->action) { 1261 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1262 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1263 } 1264 return 1; 1265} 1266 1267int audit_filter_user(struct netlink_skb_parms *cb) 1268{ 1269 enum audit_state state = AUDIT_DISABLED; 1270 struct audit_entry *e; 1271 int ret = 1; 1272 1273 rcu_read_lock(); 1274 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1275 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1276 if (state == AUDIT_DISABLED) 1277 ret = 0; 1278 break; 1279 } 1280 } 1281 rcu_read_unlock(); 1282 1283 return ret; /* Audit by default */ 1284} 1285 1286int audit_filter_type(int type) 1287{ 1288 struct audit_entry *e; 1289 int result = 0; 1290 1291 rcu_read_lock(); 1292 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1293 goto unlock_and_return; 1294 1295 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1296 list) { 1297 int i; 1298 for (i = 0; i < e->rule.field_count; i++) { 1299 struct audit_field *f = &e->rule.fields[i]; 1300 if (f->type == AUDIT_MSGTYPE) { 1301 result = audit_comparator(type, f->op, f->val); 1302 if (!result) 1303 break; 1304 } 1305 } 1306 if (result) 1307 goto unlock_and_return; 1308 } 1309unlock_and_return: 1310 rcu_read_unlock(); 1311 return result; 1312} 1313 1314static int update_lsm_rule(struct audit_krule *r) 1315{ 1316 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1317 struct audit_entry *nentry; 1318 int err = 0; 1319 1320 if (!security_audit_rule_known(r)) 1321 return 0; 1322 1323 nentry = audit_dupe_rule(r); 1324 if (IS_ERR(nentry)) { 1325 /* save the first error encountered for the 1326 * return value */ 1327 err = PTR_ERR(nentry); 1328 audit_panic("error updating LSM filters"); 1329 if (r->watch) 1330 list_del(&r->rlist); 1331 list_del_rcu(&entry->list); 1332 list_del(&r->list); 1333 } else { 1334 if (r->watch || r->tree) 1335 list_replace_init(&r->rlist, &nentry->rule.rlist); 1336 list_replace_rcu(&entry->list, &nentry->list); 1337 list_replace(&r->list, &nentry->rule.list); 1338 } 1339 call_rcu(&entry->rcu, audit_free_rule_rcu); 1340 1341 return err; 1342} 1343 1344/* This function will re-initialize the lsm_rule field of all applicable rules. 1345 * It will traverse the filter lists serarching for rules that contain LSM 1346 * specific filter fields. When such a rule is found, it is copied, the 1347 * LSM field is re-initialized, and the old rule is replaced with the 1348 * updated rule. */ 1349int audit_update_lsm_rules(void) 1350{ 1351 struct audit_krule *r, *n; 1352 int i, err = 0; 1353 1354 /* audit_filter_mutex synchronizes the writers */ 1355 mutex_lock(&audit_filter_mutex); 1356 1357 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1358 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1359 int res = update_lsm_rule(r); 1360 if (!err) 1361 err = res; 1362 } 1363 } 1364 mutex_unlock(&audit_filter_mutex); 1365 1366 return err; 1367} 1368