1/* auditfilter.c -- filtering of audit events 2 * 3 * Copyright 2003-2004 Red Hat, Inc. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 IBM Corporation 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22#include <linux/kernel.h> 23#include <linux/audit.h> 24#include <linux/kthread.h> 25#include <linux/mutex.h> 26#include <linux/fs.h> 27#include <linux/namei.h> 28#include <linux/netlink.h> 29#include <linux/sched.h> 30#include <linux/inotify.h> 31#include <linux/selinux.h> 32#include "audit.h" 33 34/* 35 * Locking model: 36 * 37 * audit_filter_mutex: 38 * Synchronizes writes and blocking reads of audit's filterlist 39 * data. Rcu is used to traverse the filterlist and access 40 * contents of structs audit_entry, audit_watch and opaque 41 * selinux rules during filtering. If modified, these structures 42 * must be copied and replace their counterparts in the filterlist. 43 * An audit_parent struct is not accessed during filtering, so may 44 * be written directly provided audit_filter_mutex is held. 45 */ 46 47/* 48 * Reference counting: 49 * 50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED 51 * event. Each audit_watch holds a reference to its associated parent. 52 * 53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to 54 * audit_remove_watch(). Additionally, an audit_watch may exist 55 * temporarily to assist in searching existing filter data. Each 56 * audit_krule holds a reference to its associated watch. 57 */ 58 59struct audit_parent { 60 struct list_head ilist; /* entry in inotify registration list */ 61 struct list_head watches; /* associated watches */ 62 struct inotify_watch wdata; /* inotify watch data */ 63 unsigned flags; /* status flags */ 64}; 65 66/* 67 * audit_parent status flags: 68 * 69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to 70 * a filesystem event to ensure we're adding audit watches to a valid parent. 71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot 72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which 73 * we can receive while holding nameidata. 74 */ 75#define AUDIT_PARENT_INVALID 0x001 76 77/* Audit filter lists, defined in <linux/audit.h> */ 78struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 79 LIST_HEAD_INIT(audit_filter_list[0]), 80 LIST_HEAD_INIT(audit_filter_list[1]), 81 LIST_HEAD_INIT(audit_filter_list[2]), 82 LIST_HEAD_INIT(audit_filter_list[3]), 83 LIST_HEAD_INIT(audit_filter_list[4]), 84 LIST_HEAD_INIT(audit_filter_list[5]), 85#if AUDIT_NR_FILTERS != 6 86#error Fix audit_filter_list initialiser 87#endif 88}; 89 90static DEFINE_MUTEX(audit_filter_mutex); 91 92/* Inotify handle */ 93extern struct inotify_handle *audit_ih; 94 95/* Inotify events we care about. */ 96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 97 98void audit_free_parent(struct inotify_watch *i_watch) 99{ 100 struct audit_parent *parent; 101 102 parent = container_of(i_watch, struct audit_parent, wdata); 103 WARN_ON(!list_empty(&parent->watches)); 104 kfree(parent); 105} 106 107static inline void audit_get_watch(struct audit_watch *watch) 108{ 109 atomic_inc(&watch->count); 110} 111 112static void audit_put_watch(struct audit_watch *watch) 113{ 114 if (atomic_dec_and_test(&watch->count)) { 115 WARN_ON(watch->parent); 116 WARN_ON(!list_empty(&watch->rules)); 117 kfree(watch->path); 118 kfree(watch); 119 } 120} 121 122static void audit_remove_watch(struct audit_watch *watch) 123{ 124 list_del(&watch->wlist); 125 put_inotify_watch(&watch->parent->wdata); 126 watch->parent = NULL; 127 audit_put_watch(watch); /* match initial get */ 128} 129 130static inline void audit_free_rule(struct audit_entry *e) 131{ 132 int i; 133 134 /* some rules don't have associated watches */ 135 if (e->rule.watch) 136 audit_put_watch(e->rule.watch); 137 if (e->rule.fields) 138 for (i = 0; i < e->rule.field_count; i++) { 139 struct audit_field *f = &e->rule.fields[i]; 140 kfree(f->se_str); 141 selinux_audit_rule_free(f->se_rule); 142 } 143 kfree(e->rule.fields); 144 kfree(e->rule.filterkey); 145 kfree(e); 146} 147 148static inline void audit_free_rule_rcu(struct rcu_head *head) 149{ 150 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 151 audit_free_rule(e); 152} 153 154/* Initialize a parent watch entry. */ 155static struct audit_parent *audit_init_parent(struct nameidata *ndp) 156{ 157 struct audit_parent *parent; 158 s32 wd; 159 160 parent = kzalloc(sizeof(*parent), GFP_KERNEL); 161 if (unlikely(!parent)) 162 return ERR_PTR(-ENOMEM); 163 164 INIT_LIST_HEAD(&parent->watches); 165 parent->flags = 0; 166 167 inotify_init_watch(&parent->wdata); 168 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */ 169 get_inotify_watch(&parent->wdata); 170 wd = inotify_add_watch(audit_ih, &parent->wdata, ndp->dentry->d_inode, 171 AUDIT_IN_WATCH); 172 if (wd < 0) { 173 audit_free_parent(&parent->wdata); 174 return ERR_PTR(wd); 175 } 176 177 return parent; 178} 179 180/* Initialize a watch entry. */ 181static struct audit_watch *audit_init_watch(char *path) 182{ 183 struct audit_watch *watch; 184 185 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 186 if (unlikely(!watch)) 187 return ERR_PTR(-ENOMEM); 188 189 INIT_LIST_HEAD(&watch->rules); 190 atomic_set(&watch->count, 1); 191 watch->path = path; 192 watch->dev = (dev_t)-1; 193 watch->ino = (unsigned long)-1; 194 195 return watch; 196} 197 198/* Initialize an audit filterlist entry. */ 199static inline struct audit_entry *audit_init_entry(u32 field_count) 200{ 201 struct audit_entry *entry; 202 struct audit_field *fields; 203 204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 205 if (unlikely(!entry)) 206 return NULL; 207 208 fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL); 209 if (unlikely(!fields)) { 210 kfree(entry); 211 return NULL; 212 } 213 entry->rule.fields = fields; 214 215 return entry; 216} 217 218/* Unpack a filter field's string representation from user-space 219 * buffer. */ 220static char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 221{ 222 char *str; 223 224 if (!*bufp || (len == 0) || (len > *remain)) 225 return ERR_PTR(-EINVAL); 226 227 /* Of the currently implemented string fields, PATH_MAX 228 * defines the longest valid length. 229 */ 230 if (len > PATH_MAX) 231 return ERR_PTR(-ENAMETOOLONG); 232 233 str = kmalloc(len + 1, GFP_KERNEL); 234 if (unlikely(!str)) 235 return ERR_PTR(-ENOMEM); 236 237 memcpy(str, *bufp, len); 238 str[len] = 0; 239 *bufp += len; 240 *remain -= len; 241 242 return str; 243} 244 245/* Translate an inode field to kernel respresentation. */ 246static inline int audit_to_inode(struct audit_krule *krule, 247 struct audit_field *f) 248{ 249 if (krule->listnr != AUDIT_FILTER_EXIT || 250 krule->watch || krule->inode_f) 251 return -EINVAL; 252 253 krule->inode_f = f; 254 return 0; 255} 256 257/* Translate a watch string to kernel respresentation. */ 258static int audit_to_watch(struct audit_krule *krule, char *path, int len, 259 u32 op) 260{ 261 struct audit_watch *watch; 262 263 if (!audit_ih) 264 return -EOPNOTSUPP; 265 266 if (path[0] != '/' || path[len-1] == '/' || 267 krule->listnr != AUDIT_FILTER_EXIT || 268 op & ~AUDIT_EQUAL || 269 krule->inode_f || krule->watch) /* 1 inode # per rule, for hash */ 270 return -EINVAL; 271 272 watch = audit_init_watch(path); 273 if (unlikely(IS_ERR(watch))) 274 return PTR_ERR(watch); 275 276 audit_get_watch(watch); 277 krule->watch = watch; 278 279 return 0; 280} 281 282static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 283 284int __init audit_register_class(int class, unsigned *list) 285{ 286 __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 while (*list != ~0U) { 290 unsigned n = *list++; 291 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 292 kfree(p); 293 return -EINVAL; 294 } 295 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 296 } 297 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 298 kfree(p); 299 return -EINVAL; 300 } 301 classes[class] = p; 302 return 0; 303} 304 305int audit_match_class(int class, unsigned syscall) 306{ 307 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) 308 return 0; 309 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 310 return 0; 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 312} 313 314#ifdef CONFIG_AUDITSYSCALL 315static inline int audit_match_class_bits(int class, u32 *mask) 316{ 317 int i; 318 319 if (classes[class]) { 320 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 321 if (mask[i] & classes[class][i]) 322 return 0; 323 } 324 return 1; 325} 326 327static int audit_match_signal(struct audit_entry *entry) 328{ 329 struct audit_field *arch = entry->rule.arch_f; 330 331 if (!arch) { 332 /* When arch is unspecified, we must check both masks on biarch 333 * as syscall number alone is ambiguous. */ 334 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 335 entry->rule.mask) && 336 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 337 entry->rule.mask)); 338 } 339 340 switch(audit_classify_arch(arch->val)) { 341 case 0: /* native */ 342 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 343 entry->rule.mask)); 344 case 1: /* 32bit on biarch */ 345 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 346 entry->rule.mask)); 347 default: 348 return 1; 349 } 350} 351#endif 352 353/* Common user-space to kernel rule translation. */ 354static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 355{ 356 unsigned listnr; 357 struct audit_entry *entry; 358 int i, err; 359 360 err = -EINVAL; 361 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 362 switch(listnr) { 363 default: 364 goto exit_err; 365 case AUDIT_FILTER_USER: 366 case AUDIT_FILTER_TYPE: 367#ifdef CONFIG_AUDITSYSCALL 368 case AUDIT_FILTER_ENTRY: 369 case AUDIT_FILTER_EXIT: 370 case AUDIT_FILTER_TASK: 371#endif 372 ; 373 } 374 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 375 printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); 376 goto exit_err; 377 } 378 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 379 goto exit_err; 380 if (rule->field_count > AUDIT_MAX_FIELDS) 381 goto exit_err; 382 383 err = -ENOMEM; 384 entry = audit_init_entry(rule->field_count); 385 if (!entry) 386 goto exit_err; 387 388 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 389 entry->rule.listnr = listnr; 390 entry->rule.action = rule->action; 391 entry->rule.field_count = rule->field_count; 392 393 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 394 entry->rule.mask[i] = rule->mask[i]; 395 396 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 397 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 398 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 399 __u32 *class; 400 401 if (!(*p & AUDIT_BIT(bit))) 402 continue; 403 *p &= ~AUDIT_BIT(bit); 404 class = classes[i]; 405 if (class) { 406 int j; 407 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 408 entry->rule.mask[j] |= class[j]; 409 } 410 } 411 412 return entry; 413 414exit_err: 415 return ERR_PTR(err); 416} 417 418/* Translate struct audit_rule to kernel's rule respresentation. 419 * Exists for backward compatibility with userspace. */ 420static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) 421{ 422 struct audit_entry *entry; 423 struct audit_field *f; 424 int err = 0; 425 int i; 426 427 entry = audit_to_entry_common(rule); 428 if (IS_ERR(entry)) 429 goto exit_nofree; 430 431 for (i = 0; i < rule->field_count; i++) { 432 struct audit_field *f = &entry->rule.fields[i]; 433 434 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); 435 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); 436 f->val = rule->values[i]; 437 438 err = -EINVAL; 439 switch(f->type) { 440 default: 441 goto exit_free; 442 case AUDIT_PID: 443 case AUDIT_UID: 444 case AUDIT_EUID: 445 case AUDIT_SUID: 446 case AUDIT_FSUID: 447 case AUDIT_GID: 448 case AUDIT_EGID: 449 case AUDIT_SGID: 450 case AUDIT_FSGID: 451 case AUDIT_LOGINUID: 452 case AUDIT_PERS: 453 case AUDIT_MSGTYPE: 454 case AUDIT_PPID: 455 case AUDIT_DEVMAJOR: 456 case AUDIT_DEVMINOR: 457 case AUDIT_EXIT: 458 case AUDIT_SUCCESS: 459 case AUDIT_ARG0: 460 case AUDIT_ARG1: 461 case AUDIT_ARG2: 462 case AUDIT_ARG3: 463 break; 464 /* arch is only allowed to be = or != */ 465 case AUDIT_ARCH: 466 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 467 && (f->op != AUDIT_NEGATE) && (f->op)) { 468 err = -EINVAL; 469 goto exit_free; 470 } 471 entry->rule.arch_f = f; 472 break; 473 case AUDIT_PERM: 474 if (f->val & ~15) 475 goto exit_free; 476 break; 477 case AUDIT_INODE: 478 err = audit_to_inode(&entry->rule, f); 479 if (err) 480 goto exit_free; 481 break; 482 } 483 484 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; 485 486 /* Support for legacy operators where 487 * AUDIT_NEGATE bit signifies != and otherwise assumes == */ 488 if (f->op & AUDIT_NEGATE) 489 f->op = AUDIT_NOT_EQUAL; 490 else if (!f->op) 491 f->op = AUDIT_EQUAL; 492 else if (f->op == AUDIT_OPERATORS) { 493 err = -EINVAL; 494 goto exit_free; 495 } 496 } 497 498 f = entry->rule.inode_f; 499 if (f) { 500 switch(f->op) { 501 case AUDIT_NOT_EQUAL: 502 entry->rule.inode_f = NULL; 503 case AUDIT_EQUAL: 504 break; 505 default: 506 err = -EINVAL; 507 goto exit_free; 508 } 509 } 510 511exit_nofree: 512 return entry; 513 514exit_free: 515 audit_free_rule(entry); 516 return ERR_PTR(err); 517} 518 519/* Translate struct audit_rule_data to kernel's rule respresentation. */ 520static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 521 size_t datasz) 522{ 523 int err = 0; 524 struct audit_entry *entry; 525 struct audit_field *f; 526 void *bufp; 527 size_t remain = datasz - sizeof(struct audit_rule_data); 528 int i; 529 char *str; 530 531 entry = audit_to_entry_common((struct audit_rule *)data); 532 if (IS_ERR(entry)) 533 goto exit_nofree; 534 535 bufp = data->buf; 536 entry->rule.vers_ops = 2; 537 for (i = 0; i < data->field_count; i++) { 538 struct audit_field *f = &entry->rule.fields[i]; 539 540 err = -EINVAL; 541 if (!(data->fieldflags[i] & AUDIT_OPERATORS) || 542 data->fieldflags[i] & ~AUDIT_OPERATORS) 543 goto exit_free; 544 545 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 546 f->type = data->fields[i]; 547 f->val = data->values[i]; 548 f->se_str = NULL; 549 f->se_rule = NULL; 550 switch(f->type) { 551 case AUDIT_PID: 552 case AUDIT_UID: 553 case AUDIT_EUID: 554 case AUDIT_SUID: 555 case AUDIT_FSUID: 556 case AUDIT_GID: 557 case AUDIT_EGID: 558 case AUDIT_SGID: 559 case AUDIT_FSGID: 560 case AUDIT_LOGINUID: 561 case AUDIT_PERS: 562 case AUDIT_MSGTYPE: 563 case AUDIT_PPID: 564 case AUDIT_DEVMAJOR: 565 case AUDIT_DEVMINOR: 566 case AUDIT_EXIT: 567 case AUDIT_SUCCESS: 568 case AUDIT_ARG0: 569 case AUDIT_ARG1: 570 case AUDIT_ARG2: 571 case AUDIT_ARG3: 572 break; 573 case AUDIT_ARCH: 574 entry->rule.arch_f = f; 575 break; 576 case AUDIT_SUBJ_USER: 577 case AUDIT_SUBJ_ROLE: 578 case AUDIT_SUBJ_TYPE: 579 case AUDIT_SUBJ_SEN: 580 case AUDIT_SUBJ_CLR: 581 case AUDIT_OBJ_USER: 582 case AUDIT_OBJ_ROLE: 583 case AUDIT_OBJ_TYPE: 584 case AUDIT_OBJ_LEV_LOW: 585 case AUDIT_OBJ_LEV_HIGH: 586 str = audit_unpack_string(&bufp, &remain, f->val); 587 if (IS_ERR(str)) 588 goto exit_free; 589 entry->rule.buflen += f->val; 590 591 err = selinux_audit_rule_init(f->type, f->op, str, 592 &f->se_rule); 593 /* Keep currently invalid fields around in case they 594 * become valid after a policy reload. */ 595 if (err == -EINVAL) { 596 printk(KERN_WARNING "audit rule for selinux " 597 "\'%s\' is invalid\n", str); 598 err = 0; 599 } 600 if (err) { 601 kfree(str); 602 goto exit_free; 603 } else 604 f->se_str = str; 605 break; 606 case AUDIT_WATCH: 607 str = audit_unpack_string(&bufp, &remain, f->val); 608 if (IS_ERR(str)) 609 goto exit_free; 610 entry->rule.buflen += f->val; 611 612 err = audit_to_watch(&entry->rule, str, f->val, f->op); 613 if (err) { 614 kfree(str); 615 goto exit_free; 616 } 617 break; 618 case AUDIT_INODE: 619 err = audit_to_inode(&entry->rule, f); 620 if (err) 621 goto exit_free; 622 break; 623 case AUDIT_FILTERKEY: 624 err = -EINVAL; 625 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 626 goto exit_free; 627 str = audit_unpack_string(&bufp, &remain, f->val); 628 if (IS_ERR(str)) 629 goto exit_free; 630 entry->rule.buflen += f->val; 631 entry->rule.filterkey = str; 632 break; 633 case AUDIT_PERM: 634 if (f->val & ~15) 635 goto exit_free; 636 break; 637 default: 638 goto exit_free; 639 } 640 } 641 642 f = entry->rule.inode_f; 643 if (f) { 644 switch(f->op) { 645 case AUDIT_NOT_EQUAL: 646 entry->rule.inode_f = NULL; 647 case AUDIT_EQUAL: 648 break; 649 default: 650 err = -EINVAL; 651 goto exit_free; 652 } 653 } 654 655exit_nofree: 656 return entry; 657 658exit_free: 659 audit_free_rule(entry); 660 return ERR_PTR(err); 661} 662 663/* Pack a filter field's string representation into data block. */ 664static inline size_t audit_pack_string(void **bufp, char *str) 665{ 666 size_t len = strlen(str); 667 668 memcpy(*bufp, str, len); 669 *bufp += len; 670 671 return len; 672} 673 674/* Translate kernel rule respresentation to struct audit_rule. 675 * Exists for backward compatibility with userspace. */ 676static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) 677{ 678 struct audit_rule *rule; 679 int i; 680 681 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 682 if (unlikely(!rule)) 683 return NULL; 684 685 rule->flags = krule->flags | krule->listnr; 686 rule->action = krule->action; 687 rule->field_count = krule->field_count; 688 for (i = 0; i < rule->field_count; i++) { 689 rule->values[i] = krule->fields[i].val; 690 rule->fields[i] = krule->fields[i].type; 691 692 if (krule->vers_ops == 1) { 693 if (krule->fields[i].op & AUDIT_NOT_EQUAL) 694 rule->fields[i] |= AUDIT_NEGATE; 695 } else { 696 rule->fields[i] |= krule->fields[i].op; 697 } 698 } 699 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; 700 701 return rule; 702} 703 704/* Translate kernel rule respresentation to struct audit_rule_data. */ 705static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 706{ 707 struct audit_rule_data *data; 708 void *bufp; 709 int i; 710 711 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 712 if (unlikely(!data)) 713 return NULL; 714 memset(data, 0, sizeof(*data)); 715 716 data->flags = krule->flags | krule->listnr; 717 data->action = krule->action; 718 data->field_count = krule->field_count; 719 bufp = data->buf; 720 for (i = 0; i < data->field_count; i++) { 721 struct audit_field *f = &krule->fields[i]; 722 723 data->fields[i] = f->type; 724 data->fieldflags[i] = f->op; 725 switch(f->type) { 726 case AUDIT_SUBJ_USER: 727 case AUDIT_SUBJ_ROLE: 728 case AUDIT_SUBJ_TYPE: 729 case AUDIT_SUBJ_SEN: 730 case AUDIT_SUBJ_CLR: 731 case AUDIT_OBJ_USER: 732 case AUDIT_OBJ_ROLE: 733 case AUDIT_OBJ_TYPE: 734 case AUDIT_OBJ_LEV_LOW: 735 case AUDIT_OBJ_LEV_HIGH: 736 data->buflen += data->values[i] = 737 audit_pack_string(&bufp, f->se_str); 738 break; 739 case AUDIT_WATCH: 740 data->buflen += data->values[i] = 741 audit_pack_string(&bufp, krule->watch->path); 742 break; 743 case AUDIT_FILTERKEY: 744 data->buflen += data->values[i] = 745 audit_pack_string(&bufp, krule->filterkey); 746 break; 747 default: 748 data->values[i] = f->val; 749 } 750 } 751 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 752 753 return data; 754} 755 756/* Compare two rules in kernel format. Considered success if rules 757 * don't match. */ 758static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 759{ 760 int i; 761 762 if (a->flags != b->flags || 763 a->listnr != b->listnr || 764 a->action != b->action || 765 a->field_count != b->field_count) 766 return 1; 767 768 for (i = 0; i < a->field_count; i++) { 769 if (a->fields[i].type != b->fields[i].type || 770 a->fields[i].op != b->fields[i].op) 771 return 1; 772 773 switch(a->fields[i].type) { 774 case AUDIT_SUBJ_USER: 775 case AUDIT_SUBJ_ROLE: 776 case AUDIT_SUBJ_TYPE: 777 case AUDIT_SUBJ_SEN: 778 case AUDIT_SUBJ_CLR: 779 case AUDIT_OBJ_USER: 780 case AUDIT_OBJ_ROLE: 781 case AUDIT_OBJ_TYPE: 782 case AUDIT_OBJ_LEV_LOW: 783 case AUDIT_OBJ_LEV_HIGH: 784 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 785 return 1; 786 break; 787 case AUDIT_WATCH: 788 if (strcmp(a->watch->path, b->watch->path)) 789 return 1; 790 break; 791 case AUDIT_FILTERKEY: 792 /* both filterkeys exist based on above type compare */ 793 if (strcmp(a->filterkey, b->filterkey)) 794 return 1; 795 break; 796 default: 797 if (a->fields[i].val != b->fields[i].val) 798 return 1; 799 } 800 } 801 802 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 803 if (a->mask[i] != b->mask[i]) 804 return 1; 805 806 return 0; 807} 808 809/* Duplicate the given audit watch. The new watch's rules list is initialized 810 * to an empty list and wlist is undefined. */ 811static struct audit_watch *audit_dupe_watch(struct audit_watch *old) 812{ 813 char *path; 814 struct audit_watch *new; 815 816 path = kstrdup(old->path, GFP_KERNEL); 817 if (unlikely(!path)) 818 return ERR_PTR(-ENOMEM); 819 820 new = audit_init_watch(path); 821 if (unlikely(IS_ERR(new))) { 822 kfree(path); 823 goto out; 824 } 825 826 new->dev = old->dev; 827 new->ino = old->ino; 828 get_inotify_watch(&old->parent->wdata); 829 new->parent = old->parent; 830 831out: 832 return new; 833} 834 835/* Duplicate selinux field information. The se_rule is opaque, so must be 836 * re-initialized. */ 837static inline int audit_dupe_selinux_field(struct audit_field *df, 838 struct audit_field *sf) 839{ 840 int ret = 0; 841 char *se_str; 842 843 /* our own copy of se_str */ 844 se_str = kstrdup(sf->se_str, GFP_KERNEL); 845 if (unlikely(!se_str)) 846 return -ENOMEM; 847 df->se_str = se_str; 848 849 /* our own (refreshed) copy of se_rule */ 850 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 851 &df->se_rule); 852 /* Keep currently invalid fields around in case they 853 * become valid after a policy reload. */ 854 if (ret == -EINVAL) { 855 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 856 "invalid\n", df->se_str); 857 ret = 0; 858 } 859 860 return ret; 861} 862 863/* Duplicate an audit rule. This will be a deep copy with the exception 864 * of the watch - that pointer is carried over. The selinux specific fields 865 * will be updated in the copy. The point is to be able to replace the old 866 * rule with the new rule in the filterlist, then free the old rule. 867 * The rlist element is undefined; list manipulations are handled apart from 868 * the initial copy. */ 869static struct audit_entry *audit_dupe_rule(struct audit_krule *old, 870 struct audit_watch *watch) 871{ 872 u32 fcount = old->field_count; 873 struct audit_entry *entry; 874 struct audit_krule *new; 875 char *fk; 876 int i, err = 0; 877 878 entry = audit_init_entry(fcount); 879 if (unlikely(!entry)) 880 return ERR_PTR(-ENOMEM); 881 882 new = &entry->rule; 883 new->vers_ops = old->vers_ops; 884 new->flags = old->flags; 885 new->listnr = old->listnr; 886 new->action = old->action; 887 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 888 new->mask[i] = old->mask[i]; 889 new->buflen = old->buflen; 890 new->inode_f = old->inode_f; 891 new->watch = NULL; 892 new->field_count = old->field_count; 893 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 894 895 /* deep copy this information, updating the se_rule fields, because 896 * the originals will all be freed when the old rule is freed. */ 897 for (i = 0; i < fcount; i++) { 898 switch (new->fields[i].type) { 899 case AUDIT_SUBJ_USER: 900 case AUDIT_SUBJ_ROLE: 901 case AUDIT_SUBJ_TYPE: 902 case AUDIT_SUBJ_SEN: 903 case AUDIT_SUBJ_CLR: 904 case AUDIT_OBJ_USER: 905 case AUDIT_OBJ_ROLE: 906 case AUDIT_OBJ_TYPE: 907 case AUDIT_OBJ_LEV_LOW: 908 case AUDIT_OBJ_LEV_HIGH: 909 err = audit_dupe_selinux_field(&new->fields[i], 910 &old->fields[i]); 911 break; 912 case AUDIT_FILTERKEY: 913 fk = kstrdup(old->filterkey, GFP_KERNEL); 914 if (unlikely(!fk)) 915 err = -ENOMEM; 916 else 917 new->filterkey = fk; 918 } 919 if (err) { 920 audit_free_rule(entry); 921 return ERR_PTR(err); 922 } 923 } 924 925 if (watch) { 926 audit_get_watch(watch); 927 new->watch = watch; 928 } 929 930 return entry; 931} 932 933/* Update inode info in audit rules based on filesystem event. */ 934static void audit_update_watch(struct audit_parent *parent, 935 const char *dname, dev_t dev, 936 unsigned long ino, unsigned invalidating) 937{ 938 struct audit_watch *owatch, *nwatch, *nextw; 939 struct audit_krule *r, *nextr; 940 struct audit_entry *oentry, *nentry; 941 struct audit_buffer *ab; 942 943 mutex_lock(&audit_filter_mutex); 944 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 945 if (audit_compare_dname_path(dname, owatch->path, NULL)) 946 continue; 947 948 /* If the update involves invalidating rules, do the inode-based 949 * filtering now, so we don't omit records. */ 950 if (invalidating && current->audit_context && 951 audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) 952 audit_set_auditable(current->audit_context); 953 954 nwatch = audit_dupe_watch(owatch); 955 if (unlikely(IS_ERR(nwatch))) { 956 mutex_unlock(&audit_filter_mutex); 957 audit_panic("error updating watch, skipping"); 958 return; 959 } 960 nwatch->dev = dev; 961 nwatch->ino = ino; 962 963 list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { 964 965 oentry = container_of(r, struct audit_entry, rule); 966 list_del(&oentry->rule.rlist); 967 list_del_rcu(&oentry->list); 968 969 nentry = audit_dupe_rule(&oentry->rule, nwatch); 970 if (unlikely(IS_ERR(nentry))) 971 audit_panic("error updating watch, removing"); 972 else { 973 int h = audit_hash_ino((u32)ino); 974 list_add(&nentry->rule.rlist, &nwatch->rules); 975 list_add_rcu(&nentry->list, &audit_inode_hash[h]); 976 } 977 978 call_rcu(&oentry->rcu, audit_free_rule_rcu); 979 } 980 981 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 982 audit_log_format(ab, "op=updated rules specifying path="); 983 audit_log_untrustedstring(ab, owatch->path); 984 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 985 audit_log_format(ab, " list=%d res=1", r->listnr); 986 audit_log_end(ab); 987 988 audit_remove_watch(owatch); 989 goto add_watch_to_parent; /* event applies to a single watch */ 990 } 991 mutex_unlock(&audit_filter_mutex); 992 return; 993 994add_watch_to_parent: 995 list_add(&nwatch->wlist, &parent->watches); 996 mutex_unlock(&audit_filter_mutex); 997 return; 998} 999 1000/* Remove all watches & rules associated with a parent that is going away. */ 1001static void audit_remove_parent_watches(struct audit_parent *parent) 1002{ 1003 struct audit_watch *w, *nextw; 1004 struct audit_krule *r, *nextr; 1005 struct audit_entry *e; 1006 struct audit_buffer *ab; 1007 1008 mutex_lock(&audit_filter_mutex); 1009 parent->flags |= AUDIT_PARENT_INVALID; 1010 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1011 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1012 e = container_of(r, struct audit_entry, rule); 1013 1014 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1015 audit_log_format(ab, "op=remove rule path="); 1016 audit_log_untrustedstring(ab, w->path); 1017 if (r->filterkey) { 1018 audit_log_format(ab, " key="); 1019 audit_log_untrustedstring(ab, r->filterkey); 1020 } else 1021 audit_log_format(ab, " key=(null)"); 1022 audit_log_format(ab, " list=%d res=1", r->listnr); 1023 audit_log_end(ab); 1024 1025 list_del(&r->rlist); 1026 list_del_rcu(&e->list); 1027 call_rcu(&e->rcu, audit_free_rule_rcu); 1028 } 1029 audit_remove_watch(w); 1030 } 1031 mutex_unlock(&audit_filter_mutex); 1032} 1033 1034/* Unregister inotify watches for parents on in_list. 1035 * Generates an IN_IGNORED event. */ 1036static void audit_inotify_unregister(struct list_head *in_list) 1037{ 1038 struct audit_parent *p, *n; 1039 1040 list_for_each_entry_safe(p, n, in_list, ilist) { 1041 list_del(&p->ilist); 1042 inotify_rm_watch(audit_ih, &p->wdata); 1043 /* the put matching the get in audit_do_del_rule() */ 1044 put_inotify_watch(&p->wdata); 1045 } 1046} 1047 1048/* Find an existing audit rule. 1049 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 1050static struct audit_entry *audit_find_rule(struct audit_entry *entry, 1051 struct list_head *list) 1052{ 1053 struct audit_entry *e, *found = NULL; 1054 int h; 1055 1056 if (entry->rule.watch) { 1057 /* we don't know the inode number, so must walk entire hash */ 1058 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 1059 list = &audit_inode_hash[h]; 1060 list_for_each_entry(e, list, list) 1061 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1062 found = e; 1063 goto out; 1064 } 1065 } 1066 goto out; 1067 } 1068 1069 list_for_each_entry(e, list, list) 1070 if (!audit_compare_rule(&entry->rule, &e->rule)) { 1071 found = e; 1072 goto out; 1073 } 1074 1075out: 1076 return found; 1077} 1078 1079/* Get path information necessary for adding watches. */ 1080static int audit_get_nd(char *path, struct nameidata **ndp, 1081 struct nameidata **ndw) 1082{ 1083 struct nameidata *ndparent, *ndwatch; 1084 int err; 1085 1086 ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); 1087 if (unlikely(!ndparent)) 1088 return -ENOMEM; 1089 1090 ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); 1091 if (unlikely(!ndwatch)) { 1092 kfree(ndparent); 1093 return -ENOMEM; 1094 } 1095 1096 err = path_lookup(path, LOOKUP_PARENT, ndparent); 1097 if (err) { 1098 kfree(ndparent); 1099 kfree(ndwatch); 1100 return err; 1101 } 1102 1103 err = path_lookup(path, 0, ndwatch); 1104 if (err) { 1105 kfree(ndwatch); 1106 ndwatch = NULL; 1107 } 1108 1109 *ndp = ndparent; 1110 *ndw = ndwatch; 1111 1112 return 0; 1113} 1114 1115/* Release resources used for watch path information. */ 1116static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw) 1117{ 1118 if (ndp) { 1119 path_release(ndp); 1120 kfree(ndp); 1121 } 1122 if (ndw) { 1123 path_release(ndw); 1124 kfree(ndw); 1125 } 1126} 1127 1128/* Associate the given rule with an existing parent inotify_watch. 1129 * Caller must hold audit_filter_mutex. */ 1130static void audit_add_to_parent(struct audit_krule *krule, 1131 struct audit_parent *parent) 1132{ 1133 struct audit_watch *w, *watch = krule->watch; 1134 int watch_found = 0; 1135 1136 list_for_each_entry(w, &parent->watches, wlist) { 1137 if (strcmp(watch->path, w->path)) 1138 continue; 1139 1140 watch_found = 1; 1141 1142 /* put krule's and initial refs to temporary watch */ 1143 audit_put_watch(watch); 1144 audit_put_watch(watch); 1145 1146 audit_get_watch(w); 1147 krule->watch = watch = w; 1148 break; 1149 } 1150 1151 if (!watch_found) { 1152 get_inotify_watch(&parent->wdata); 1153 watch->parent = parent; 1154 1155 list_add(&watch->wlist, &parent->watches); 1156 } 1157 list_add(&krule->rlist, &watch->rules); 1158} 1159 1160/* Find a matching watch entry, or add this one. 1161 * Caller must hold audit_filter_mutex. */ 1162static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, 1163 struct nameidata *ndw) 1164{ 1165 struct audit_watch *watch = krule->watch; 1166 struct inotify_watch *i_watch; 1167 struct audit_parent *parent; 1168 int ret = 0; 1169 1170 /* update watch filter fields */ 1171 if (ndw) { 1172 watch->dev = ndw->dentry->d_inode->i_sb->s_dev; 1173 watch->ino = ndw->dentry->d_inode->i_ino; 1174 } 1175 1176 /* The audit_filter_mutex must not be held during inotify calls because 1177 * we hold it during inotify event callback processing. If an existing 1178 * inotify watch is found, inotify_find_watch() grabs a reference before 1179 * returning. 1180 */ 1181 mutex_unlock(&audit_filter_mutex); 1182 1183 if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { 1184 parent = audit_init_parent(ndp); 1185 if (IS_ERR(parent)) { 1186 /* caller expects mutex locked */ 1187 mutex_lock(&audit_filter_mutex); 1188 return PTR_ERR(parent); 1189 } 1190 } else 1191 parent = container_of(i_watch, struct audit_parent, wdata); 1192 1193 mutex_lock(&audit_filter_mutex); 1194 1195 /* parent was moved before we took audit_filter_mutex */ 1196 if (parent->flags & AUDIT_PARENT_INVALID) 1197 ret = -ENOENT; 1198 else 1199 audit_add_to_parent(krule, parent); 1200 1201 /* match get in audit_init_parent or inotify_find_watch */ 1202 put_inotify_watch(&parent->wdata); 1203 return ret; 1204} 1205 1206/* Add rule to given filterlist if not a duplicate. */ 1207static inline int audit_add_rule(struct audit_entry *entry, 1208 struct list_head *list) 1209{ 1210 struct audit_entry *e; 1211 struct audit_field *inode_f = entry->rule.inode_f; 1212 struct audit_watch *watch = entry->rule.watch; 1213 struct nameidata *ndp, *ndw; 1214 int h, err, putnd_needed = 0; 1215#ifdef CONFIG_AUDITSYSCALL 1216 int dont_count = 0; 1217 1218 /* If either of these, don't count towards total */ 1219 if (entry->rule.listnr == AUDIT_FILTER_USER || 1220 entry->rule.listnr == AUDIT_FILTER_TYPE) 1221 dont_count = 1; 1222#endif 1223 1224 if (inode_f) { 1225 h = audit_hash_ino(inode_f->val); 1226 list = &audit_inode_hash[h]; 1227 } 1228 1229 mutex_lock(&audit_filter_mutex); 1230 e = audit_find_rule(entry, list); 1231 mutex_unlock(&audit_filter_mutex); 1232 if (e) { 1233 err = -EEXIST; 1234 goto error; 1235 } 1236 1237 /* Avoid calling path_lookup under audit_filter_mutex. */ 1238 if (watch) { 1239 err = audit_get_nd(watch->path, &ndp, &ndw); 1240 if (err) 1241 goto error; 1242 putnd_needed = 1; 1243 } 1244 1245 mutex_lock(&audit_filter_mutex); 1246 if (watch) { 1247 /* audit_filter_mutex is dropped and re-taken during this call */ 1248 err = audit_add_watch(&entry->rule, ndp, ndw); 1249 if (err) { 1250 mutex_unlock(&audit_filter_mutex); 1251 goto error; 1252 } 1253 h = audit_hash_ino((u32)watch->ino); 1254 list = &audit_inode_hash[h]; 1255 } 1256 1257 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 1258 list_add_rcu(&entry->list, list); 1259 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 1260 } else { 1261 list_add_tail_rcu(&entry->list, list); 1262 } 1263#ifdef CONFIG_AUDITSYSCALL 1264 if (!dont_count) 1265 audit_n_rules++; 1266 1267 if (!audit_match_signal(entry)) 1268 audit_signals++; 1269#endif 1270 mutex_unlock(&audit_filter_mutex); 1271 1272 if (putnd_needed) 1273 audit_put_nd(ndp, ndw); 1274 1275 return 0; 1276 1277error: 1278 if (putnd_needed) 1279 audit_put_nd(ndp, ndw); 1280 if (watch) 1281 audit_put_watch(watch); /* tmp watch, matches initial get */ 1282 return err; 1283} 1284 1285/* Remove an existing rule from filterlist. */ 1286static inline int audit_del_rule(struct audit_entry *entry, 1287 struct list_head *list) 1288{ 1289 struct audit_entry *e; 1290 struct audit_field *inode_f = entry->rule.inode_f; 1291 struct audit_watch *watch, *tmp_watch = entry->rule.watch; 1292 LIST_HEAD(inotify_list); 1293 int h, ret = 0; 1294#ifdef CONFIG_AUDITSYSCALL 1295 int dont_count = 0; 1296 1297 /* If either of these, don't count towards total */ 1298 if (entry->rule.listnr == AUDIT_FILTER_USER || 1299 entry->rule.listnr == AUDIT_FILTER_TYPE) 1300 dont_count = 1; 1301#endif 1302 1303 if (inode_f) { 1304 h = audit_hash_ino(inode_f->val); 1305 list = &audit_inode_hash[h]; 1306 } 1307 1308 mutex_lock(&audit_filter_mutex); 1309 e = audit_find_rule(entry, list); 1310 if (!e) { 1311 mutex_unlock(&audit_filter_mutex); 1312 ret = -ENOENT; 1313 goto out; 1314 } 1315 1316 watch = e->rule.watch; 1317 if (watch) { 1318 struct audit_parent *parent = watch->parent; 1319 1320 list_del(&e->rule.rlist); 1321 1322 if (list_empty(&watch->rules)) { 1323 audit_remove_watch(watch); 1324 1325 if (list_empty(&parent->watches)) { 1326 /* Put parent on the inotify un-registration 1327 * list. Grab a reference before releasing 1328 * audit_filter_mutex, to be released in 1329 * audit_inotify_unregister(). */ 1330 list_add(&parent->ilist, &inotify_list); 1331 get_inotify_watch(&parent->wdata); 1332 } 1333 } 1334 } 1335 1336 list_del_rcu(&e->list); 1337 call_rcu(&e->rcu, audit_free_rule_rcu); 1338 1339#ifdef CONFIG_AUDITSYSCALL 1340 if (!dont_count) 1341 audit_n_rules--; 1342 1343 if (!audit_match_signal(entry)) 1344 audit_signals--; 1345#endif 1346 mutex_unlock(&audit_filter_mutex); 1347 1348 if (!list_empty(&inotify_list)) 1349 audit_inotify_unregister(&inotify_list); 1350 1351out: 1352 if (tmp_watch) 1353 audit_put_watch(tmp_watch); /* match initial get */ 1354 1355 return ret; 1356} 1357 1358/* List rules using struct audit_rule. Exists for backward 1359 * compatibility with userspace. */ 1360static void audit_list(int pid, int seq, struct sk_buff_head *q) 1361{ 1362 struct sk_buff *skb; 1363 struct audit_entry *entry; 1364 int i; 1365 1366 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1367 * iterator to sync with list writers. */ 1368 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1369 list_for_each_entry(entry, &audit_filter_list[i], list) { 1370 struct audit_rule *rule; 1371 1372 rule = audit_krule_to_rule(&entry->rule); 1373 if (unlikely(!rule)) 1374 break; 1375 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1376 rule, sizeof(*rule)); 1377 if (skb) 1378 skb_queue_tail(q, skb); 1379 kfree(rule); 1380 } 1381 } 1382 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) { 1383 list_for_each_entry(entry, &audit_inode_hash[i], list) { 1384 struct audit_rule *rule; 1385 1386 rule = audit_krule_to_rule(&entry->rule); 1387 if (unlikely(!rule)) 1388 break; 1389 skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, 1390 rule, sizeof(*rule)); 1391 if (skb) 1392 skb_queue_tail(q, skb); 1393 kfree(rule); 1394 } 1395 } 1396 skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 1397 if (skb) 1398 skb_queue_tail(q, skb); 1399} 1400 1401/* List rules using struct audit_rule_data. */ 1402static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 1403{ 1404 struct sk_buff *skb; 1405 struct audit_entry *e; 1406 int i; 1407 1408 /* This is a blocking read, so use audit_filter_mutex instead of rcu 1409 * iterator to sync with list writers. */ 1410 for (i=0; i<AUDIT_NR_FILTERS; i++) { 1411 list_for_each_entry(e, &audit_filter_list[i], list) { 1412 struct audit_rule_data *data; 1413 1414 data = audit_krule_to_data(&e->rule); 1415 if (unlikely(!data)) 1416 break; 1417 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1418 data, sizeof(*data) + data->buflen); 1419 if (skb) 1420 skb_queue_tail(q, skb); 1421 kfree(data); 1422 } 1423 } 1424 for (i=0; i< AUDIT_INODE_BUCKETS; i++) { 1425 list_for_each_entry(e, &audit_inode_hash[i], list) { 1426 struct audit_rule_data *data; 1427 1428 data = audit_krule_to_data(&e->rule); 1429 if (unlikely(!data)) 1430 break; 1431 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 1432 data, sizeof(*data) + data->buflen); 1433 if (skb) 1434 skb_queue_tail(q, skb); 1435 kfree(data); 1436 } 1437 } 1438 skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1439 if (skb) 1440 skb_queue_tail(q, skb); 1441} 1442 1443/* Log rule additions and removals */ 1444static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1445 struct audit_krule *rule, int res) 1446{ 1447 struct audit_buffer *ab; 1448 1449 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1450 if (!ab) 1451 return; 1452 audit_log_format(ab, "auid=%u", loginuid); 1453 if (sid) { 1454 char *ctx = NULL; 1455 u32 len; 1456 if (selinux_sid_to_string(sid, &ctx, &len)) 1457 audit_log_format(ab, " ssid=%u", sid); 1458 else 1459 audit_log_format(ab, " subj=%s", ctx); 1460 kfree(ctx); 1461 } 1462 audit_log_format(ab, " op=%s rule key=", action); 1463 if (rule->filterkey) 1464 audit_log_untrustedstring(ab, rule->filterkey); 1465 else 1466 audit_log_format(ab, "(null)"); 1467 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1468 audit_log_end(ab); 1469} 1470 1471/** 1472 * audit_receive_filter - apply all rules to the specified message type 1473 * @type: audit message type 1474 * @pid: target pid for netlink audit messages 1475 * @uid: target uid for netlink audit messages 1476 * @seq: netlink audit message sequence (serial) number 1477 * @data: payload data 1478 * @datasz: size of payload data 1479 * @loginuid: loginuid of sender 1480 * @sid: SE Linux Security ID of sender 1481 */ 1482int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1483 size_t datasz, uid_t loginuid, u32 sid) 1484{ 1485 struct task_struct *tsk; 1486 struct audit_netlink_list *dest; 1487 int err = 0; 1488 struct audit_entry *entry; 1489 1490 switch (type) { 1491 case AUDIT_LIST: 1492 case AUDIT_LIST_RULES: 1493 /* We can't just spew out the rules here because we might fill 1494 * the available socket buffer space and deadlock waiting for 1495 * auditctl to read from it... which isn't ever going to 1496 * happen if we're actually running in the context of auditctl 1497 * trying to _send_ the stuff */ 1498 1499 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1500 if (!dest) 1501 return -ENOMEM; 1502 dest->pid = pid; 1503 skb_queue_head_init(&dest->q); 1504 1505 mutex_lock(&audit_filter_mutex); 1506 if (type == AUDIT_LIST) 1507 audit_list(pid, seq, &dest->q); 1508 else 1509 audit_list_rules(pid, seq, &dest->q); 1510 mutex_unlock(&audit_filter_mutex); 1511 1512 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1513 if (IS_ERR(tsk)) { 1514 skb_queue_purge(&dest->q); 1515 kfree(dest); 1516 err = PTR_ERR(tsk); 1517 } 1518 break; 1519 case AUDIT_ADD: 1520 case AUDIT_ADD_RULE: 1521 if (type == AUDIT_ADD) 1522 entry = audit_rule_to_entry(data); 1523 else 1524 entry = audit_data_to_entry(data, datasz); 1525 if (IS_ERR(entry)) 1526 return PTR_ERR(entry); 1527 1528 err = audit_add_rule(entry, 1529 &audit_filter_list[entry->rule.listnr]); 1530 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1531 1532 if (err) 1533 audit_free_rule(entry); 1534 break; 1535 case AUDIT_DEL: 1536 case AUDIT_DEL_RULE: 1537 if (type == AUDIT_DEL) 1538 entry = audit_rule_to_entry(data); 1539 else 1540 entry = audit_data_to_entry(data, datasz); 1541 if (IS_ERR(entry)) 1542 return PTR_ERR(entry); 1543 1544 err = audit_del_rule(entry, 1545 &audit_filter_list[entry->rule.listnr]); 1546 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1547 !err); 1548 1549 audit_free_rule(entry); 1550 break; 1551 default: 1552 return -EINVAL; 1553 } 1554 1555 return err; 1556} 1557 1558int audit_comparator(const u32 left, const u32 op, const u32 right) 1559{ 1560 switch (op) { 1561 case AUDIT_EQUAL: 1562 return (left == right); 1563 case AUDIT_NOT_EQUAL: 1564 return (left != right); 1565 case AUDIT_LESS_THAN: 1566 return (left < right); 1567 case AUDIT_LESS_THAN_OR_EQUAL: 1568 return (left <= right); 1569 case AUDIT_GREATER_THAN: 1570 return (left > right); 1571 case AUDIT_GREATER_THAN_OR_EQUAL: 1572 return (left >= right); 1573 } 1574 BUG(); 1575 return 0; 1576} 1577 1578/* Compare given dentry name with last component in given path, 1579 * return of 0 indicates a match. */ 1580int audit_compare_dname_path(const char *dname, const char *path, 1581 int *dirlen) 1582{ 1583 int dlen, plen; 1584 const char *p; 1585 1586 if (!dname || !path) 1587 return 1; 1588 1589 dlen = strlen(dname); 1590 plen = strlen(path); 1591 if (plen < dlen) 1592 return 1; 1593 1594 /* disregard trailing slashes */ 1595 p = path + plen - 1; 1596 while ((*p == '/') && (p > path)) 1597 p--; 1598 1599 /* find last path component */ 1600 p = p - dlen + 1; 1601 if (p < path) 1602 return 1; 1603 else if (p > path) { 1604 if (*--p != '/') 1605 return 1; 1606 else 1607 p++; 1608 } 1609 1610 /* return length of path's directory component */ 1611 if (dirlen) 1612 *dirlen = p - path; 1613 return strncmp(p, dname, dlen); 1614} 1615 1616static int audit_filter_user_rules(struct netlink_skb_parms *cb, 1617 struct audit_krule *rule, 1618 enum audit_state *state) 1619{ 1620 int i; 1621 1622 for (i = 0; i < rule->field_count; i++) { 1623 struct audit_field *f = &rule->fields[i]; 1624 int result = 0; 1625 1626 switch (f->type) { 1627 case AUDIT_PID: 1628 result = audit_comparator(cb->creds.pid, f->op, f->val); 1629 break; 1630 case AUDIT_UID: 1631 result = audit_comparator(cb->creds.uid, f->op, f->val); 1632 break; 1633 case AUDIT_GID: 1634 result = audit_comparator(cb->creds.gid, f->op, f->val); 1635 break; 1636 case AUDIT_LOGINUID: 1637 result = audit_comparator(cb->loginuid, f->op, f->val); 1638 break; 1639 } 1640 1641 if (!result) 1642 return 0; 1643 } 1644 switch (rule->action) { 1645 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1646 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1647 } 1648 return 1; 1649} 1650 1651int audit_filter_user(struct netlink_skb_parms *cb, int type) 1652{ 1653 enum audit_state state = AUDIT_DISABLED; 1654 struct audit_entry *e; 1655 int ret = 1; 1656 1657 rcu_read_lock(); 1658 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1659 if (audit_filter_user_rules(cb, &e->rule, &state)) { 1660 if (state == AUDIT_DISABLED) 1661 ret = 0; 1662 break; 1663 } 1664 } 1665 rcu_read_unlock(); 1666 1667 return ret; /* Audit by default */ 1668} 1669 1670int audit_filter_type(int type) 1671{ 1672 struct audit_entry *e; 1673 int result = 0; 1674 1675 rcu_read_lock(); 1676 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1677 goto unlock_and_return; 1678 1679 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1680 list) { 1681 int i; 1682 for (i = 0; i < e->rule.field_count; i++) { 1683 struct audit_field *f = &e->rule.fields[i]; 1684 if (f->type == AUDIT_MSGTYPE) { 1685 result = audit_comparator(type, f->op, f->val); 1686 if (!result) 1687 break; 1688 } 1689 } 1690 if (result) 1691 goto unlock_and_return; 1692 } 1693unlock_and_return: 1694 rcu_read_unlock(); 1695 return result; 1696} 1697 1698/* Check to see if the rule contains any selinux fields. Returns 1 if there 1699 are selinux fields specified in the rule, 0 otherwise. */ 1700static inline int audit_rule_has_selinux(struct audit_krule *rule) 1701{ 1702 int i; 1703 1704 for (i = 0; i < rule->field_count; i++) { 1705 struct audit_field *f = &rule->fields[i]; 1706 switch (f->type) { 1707 case AUDIT_SUBJ_USER: 1708 case AUDIT_SUBJ_ROLE: 1709 case AUDIT_SUBJ_TYPE: 1710 case AUDIT_SUBJ_SEN: 1711 case AUDIT_SUBJ_CLR: 1712 case AUDIT_OBJ_USER: 1713 case AUDIT_OBJ_ROLE: 1714 case AUDIT_OBJ_TYPE: 1715 case AUDIT_OBJ_LEV_LOW: 1716 case AUDIT_OBJ_LEV_HIGH: 1717 return 1; 1718 } 1719 } 1720 1721 return 0; 1722} 1723 1724/* This function will re-initialize the se_rule field of all applicable rules. 1725 * It will traverse the filter lists serarching for rules that contain selinux 1726 * specific filter fields. When such a rule is found, it is copied, the 1727 * selinux field is re-initialized, and the old rule is replaced with the 1728 * updated rule. */ 1729int selinux_audit_rule_update(void) 1730{ 1731 struct audit_entry *entry, *n, *nentry; 1732 struct audit_watch *watch; 1733 int i, err = 0; 1734 1735 /* audit_filter_mutex synchronizes the writers */ 1736 mutex_lock(&audit_filter_mutex); 1737 1738 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1739 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1740 if (!audit_rule_has_selinux(&entry->rule)) 1741 continue; 1742 1743 watch = entry->rule.watch; 1744 nentry = audit_dupe_rule(&entry->rule, watch); 1745 if (unlikely(IS_ERR(nentry))) { 1746 /* save the first error encountered for the 1747 * return value */ 1748 if (!err) 1749 err = PTR_ERR(nentry); 1750 audit_panic("error updating selinux filters"); 1751 if (watch) 1752 list_del(&entry->rule.rlist); 1753 list_del_rcu(&entry->list); 1754 } else { 1755 if (watch) { 1756 list_add(&nentry->rule.rlist, 1757 &watch->rules); 1758 list_del(&entry->rule.rlist); 1759 } 1760 list_replace_rcu(&entry->list, &nentry->list); 1761 } 1762 call_rcu(&entry->rcu, audit_free_rule_rcu); 1763 } 1764 } 1765 1766 mutex_unlock(&audit_filter_mutex); 1767 1768 return err; 1769} 1770 1771/* Update watch data in audit rules based on inotify events. */ 1772void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask, 1773 u32 cookie, const char *dname, struct inode *inode) 1774{ 1775 struct audit_parent *parent; 1776 1777 parent = container_of(i_watch, struct audit_parent, wdata); 1778 1779 if (mask & (IN_CREATE|IN_MOVED_TO) && inode) 1780 audit_update_watch(parent, dname, inode->i_sb->s_dev, 1781 inode->i_ino, 0); 1782 else if (mask & (IN_DELETE|IN_MOVED_FROM)) 1783 audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1); 1784 /* inotify automatically removes the watch and sends IN_IGNORED */ 1785 else if (mask & (IN_DELETE_SELF|IN_UNMOUNT)) 1786 audit_remove_parent_watches(parent); 1787 /* inotify does not remove the watch, so remove it manually */ 1788 else if(mask & IN_MOVE_SELF) { 1789 audit_remove_parent_watches(parent); 1790 inotify_remove_watch_locked(audit_ih, i_watch); 1791 } else if (mask & IN_IGNORED) 1792 put_inotify_watch(i_watch); 1793} 1794