auditfilter.c 35 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457
  1. /* auditfilter.c -- filtering of audit events
  2. *
  3. * Copyright 2003-2004 Red Hat, Inc.
  4. * Copyright 2005 Hewlett-Packard Development Company, L.P.
  5. * Copyright 2005 IBM Corporation
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  20. */
  21. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  22. #include <linux/kernel.h>
  23. #include <linux/audit.h>
  24. #include <linux/kthread.h>
  25. #include <linux/mutex.h>
  26. #include <linux/fs.h>
  27. #include <linux/namei.h>
  28. #include <linux/netlink.h>
  29. #include <linux/sched.h>
  30. #include <linux/slab.h>
  31. #include <linux/security.h>
  32. #include <net/net_namespace.h>
  33. #include <net/sock.h>
  34. #include "audit.h"
  35. /*
  36. * Locking model:
  37. *
  38. * audit_filter_mutex:
  39. * Synchronizes writes and blocking reads of audit's filterlist
  40. * data. Rcu is used to traverse the filterlist and access
  41. * contents of structs audit_entry, audit_watch and opaque
  42. * LSM rules during filtering. If modified, these structures
  43. * must be copied and replace their counterparts in the filterlist.
  44. * An audit_parent struct is not accessed during filtering, so may
  45. * be written directly provided audit_filter_mutex is held.
  46. */
  47. /* Audit filter lists, defined in <linux/audit.h> */
  48. struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  49. LIST_HEAD_INIT(audit_filter_list[0]),
  50. LIST_HEAD_INIT(audit_filter_list[1]),
  51. LIST_HEAD_INIT(audit_filter_list[2]),
  52. LIST_HEAD_INIT(audit_filter_list[3]),
  53. LIST_HEAD_INIT(audit_filter_list[4]),
  54. LIST_HEAD_INIT(audit_filter_list[5]),
  55. #if AUDIT_NR_FILTERS != 6
  56. #error Fix audit_filter_list initialiser
  57. #endif
  58. };
  59. static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  60. LIST_HEAD_INIT(audit_rules_list[0]),
  61. LIST_HEAD_INIT(audit_rules_list[1]),
  62. LIST_HEAD_INIT(audit_rules_list[2]),
  63. LIST_HEAD_INIT(audit_rules_list[3]),
  64. LIST_HEAD_INIT(audit_rules_list[4]),
  65. LIST_HEAD_INIT(audit_rules_list[5]),
  66. };
  67. DEFINE_MUTEX(audit_filter_mutex);
  68. static void audit_free_lsm_field(struct audit_field *f)
  69. {
  70. switch (f->type) {
  71. case AUDIT_SUBJ_USER:
  72. case AUDIT_SUBJ_ROLE:
  73. case AUDIT_SUBJ_TYPE:
  74. case AUDIT_SUBJ_SEN:
  75. case AUDIT_SUBJ_CLR:
  76. case AUDIT_OBJ_USER:
  77. case AUDIT_OBJ_ROLE:
  78. case AUDIT_OBJ_TYPE:
  79. case AUDIT_OBJ_LEV_LOW:
  80. case AUDIT_OBJ_LEV_HIGH:
  81. kfree(f->lsm_str);
  82. security_audit_rule_free(f->lsm_rule);
  83. }
  84. }
  85. static inline void audit_free_rule(struct audit_entry *e)
  86. {
  87. int i;
  88. struct audit_krule *erule = &e->rule;
  89. /* some rules don't have associated watches */
  90. if (erule->watch)
  91. audit_put_watch(erule->watch);
  92. if (erule->fields)
  93. for (i = 0; i < erule->field_count; i++)
  94. audit_free_lsm_field(&erule->fields[i]);
  95. kfree(erule->fields);
  96. kfree(erule->filterkey);
  97. kfree(e);
  98. }
  99. void audit_free_rule_rcu(struct rcu_head *head)
  100. {
  101. struct audit_entry *e = container_of(head, struct audit_entry, rcu);
  102. audit_free_rule(e);
  103. }
  104. /* Initialize an audit filterlist entry. */
  105. static inline struct audit_entry *audit_init_entry(u32 field_count)
  106. {
  107. struct audit_entry *entry;
  108. struct audit_field *fields;
  109. entry = kzalloc(sizeof(*entry), GFP_KERNEL);
  110. if (unlikely(!entry))
  111. return NULL;
  112. fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
  113. if (unlikely(!fields)) {
  114. kfree(entry);
  115. return NULL;
  116. }
  117. entry->rule.fields = fields;
  118. return entry;
  119. }
  120. /* Unpack a filter field's string representation from user-space
  121. * buffer. */
  122. char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
  123. {
  124. char *str;
  125. if (!*bufp || (len == 0) || (len > *remain))
  126. return ERR_PTR(-EINVAL);
  127. /* Of the currently implemented string fields, PATH_MAX
  128. * defines the longest valid length.
  129. */
  130. if (len > PATH_MAX)
  131. return ERR_PTR(-ENAMETOOLONG);
  132. str = kmalloc(len + 1, GFP_KERNEL);
  133. if (unlikely(!str))
  134. return ERR_PTR(-ENOMEM);
  135. memcpy(str, *bufp, len);
  136. str[len] = 0;
  137. *bufp += len;
  138. *remain -= len;
  139. return str;
  140. }
  141. /* Translate an inode field to kernel respresentation. */
  142. static inline int audit_to_inode(struct audit_krule *krule,
  143. struct audit_field *f)
  144. {
  145. if (krule->listnr != AUDIT_FILTER_EXIT ||
  146. krule->inode_f || krule->watch || krule->tree ||
  147. (f->op != Audit_equal && f->op != Audit_not_equal))
  148. return -EINVAL;
  149. krule->inode_f = f;
  150. return 0;
  151. }
  152. static __u32 *classes[AUDIT_SYSCALL_CLASSES];
  153. int __init audit_register_class(int class, unsigned *list)
  154. {
  155. __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
  156. if (!p)
  157. return -ENOMEM;
  158. while (*list != ~0U) {
  159. unsigned n = *list++;
  160. if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
  161. kfree(p);
  162. return -EINVAL;
  163. }
  164. p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
  165. }
  166. if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
  167. kfree(p);
  168. return -EINVAL;
  169. }
  170. classes[class] = p;
  171. return 0;
  172. }
  173. int audit_match_class(int class, unsigned syscall)
  174. {
  175. if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
  176. return 0;
  177. if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
  178. return 0;
  179. return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
  180. }
  181. #ifdef CONFIG_AUDITSYSCALL
  182. static inline int audit_match_class_bits(int class, u32 *mask)
  183. {
  184. int i;
  185. if (classes[class]) {
  186. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  187. if (mask[i] & classes[class][i])
  188. return 0;
  189. }
  190. return 1;
  191. }
  192. static int audit_match_signal(struct audit_entry *entry)
  193. {
  194. struct audit_field *arch = entry->rule.arch_f;
  195. if (!arch) {
  196. /* When arch is unspecified, we must check both masks on biarch
  197. * as syscall number alone is ambiguous. */
  198. return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
  199. entry->rule.mask) &&
  200. audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
  201. entry->rule.mask));
  202. }
  203. switch(audit_classify_arch(arch->val)) {
  204. case 0: /* native */
  205. return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
  206. entry->rule.mask));
  207. case 1: /* 32bit on biarch */
  208. return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
  209. entry->rule.mask));
  210. default:
  211. return 1;
  212. }
  213. }
  214. #endif
  215. /* Common user-space to kernel rule translation. */
  216. static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
  217. {
  218. unsigned listnr;
  219. struct audit_entry *entry;
  220. int i, err;
  221. err = -EINVAL;
  222. listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
  223. switch(listnr) {
  224. default:
  225. goto exit_err;
  226. #ifdef CONFIG_AUDITSYSCALL
  227. case AUDIT_FILTER_ENTRY:
  228. if (rule->action == AUDIT_ALWAYS)
  229. goto exit_err;
  230. case AUDIT_FILTER_EXIT:
  231. case AUDIT_FILTER_TASK:
  232. #endif
  233. case AUDIT_FILTER_USER:
  234. case AUDIT_FILTER_TYPE:
  235. ;
  236. }
  237. if (unlikely(rule->action == AUDIT_POSSIBLE)) {
  238. pr_err("AUDIT_POSSIBLE is deprecated\n");
  239. goto exit_err;
  240. }
  241. if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
  242. goto exit_err;
  243. if (rule->field_count > AUDIT_MAX_FIELDS)
  244. goto exit_err;
  245. err = -ENOMEM;
  246. entry = audit_init_entry(rule->field_count);
  247. if (!entry)
  248. goto exit_err;
  249. entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
  250. entry->rule.listnr = listnr;
  251. entry->rule.action = rule->action;
  252. entry->rule.field_count = rule->field_count;
  253. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  254. entry->rule.mask[i] = rule->mask[i];
  255. for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
  256. int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
  257. __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
  258. __u32 *class;
  259. if (!(*p & AUDIT_BIT(bit)))
  260. continue;
  261. *p &= ~AUDIT_BIT(bit);
  262. class = classes[i];
  263. if (class) {
  264. int j;
  265. for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
  266. entry->rule.mask[j] |= class[j];
  267. }
  268. }
  269. return entry;
  270. exit_err:
  271. return ERR_PTR(err);
  272. }
  273. static u32 audit_ops[] =
  274. {
  275. [Audit_equal] = AUDIT_EQUAL,
  276. [Audit_not_equal] = AUDIT_NOT_EQUAL,
  277. [Audit_bitmask] = AUDIT_BIT_MASK,
  278. [Audit_bittest] = AUDIT_BIT_TEST,
  279. [Audit_lt] = AUDIT_LESS_THAN,
  280. [Audit_gt] = AUDIT_GREATER_THAN,
  281. [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
  282. [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
  283. };
  284. static u32 audit_to_op(u32 op)
  285. {
  286. u32 n;
  287. for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
  288. ;
  289. return n;
  290. }
  291. /* check if an audit field is valid */
  292. static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
  293. {
  294. switch(f->type) {
  295. case AUDIT_MSGTYPE:
  296. if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
  297. entry->rule.listnr != AUDIT_FILTER_USER)
  298. return -EINVAL;
  299. break;
  300. };
  301. switch(f->type) {
  302. default:
  303. return -EINVAL;
  304. case AUDIT_UID:
  305. case AUDIT_EUID:
  306. case AUDIT_SUID:
  307. case AUDIT_FSUID:
  308. case AUDIT_LOGINUID:
  309. case AUDIT_OBJ_UID:
  310. case AUDIT_GID:
  311. case AUDIT_EGID:
  312. case AUDIT_SGID:
  313. case AUDIT_FSGID:
  314. case AUDIT_OBJ_GID:
  315. case AUDIT_PID:
  316. case AUDIT_PERS:
  317. case AUDIT_MSGTYPE:
  318. case AUDIT_PPID:
  319. case AUDIT_DEVMAJOR:
  320. case AUDIT_DEVMINOR:
  321. case AUDIT_EXIT:
  322. case AUDIT_SUCCESS:
  323. case AUDIT_INODE:
  324. /* bit ops are only useful on syscall args */
  325. if (f->op == Audit_bitmask || f->op == Audit_bittest)
  326. return -EINVAL;
  327. break;
  328. case AUDIT_ARG0:
  329. case AUDIT_ARG1:
  330. case AUDIT_ARG2:
  331. case AUDIT_ARG3:
  332. case AUDIT_SUBJ_USER:
  333. case AUDIT_SUBJ_ROLE:
  334. case AUDIT_SUBJ_TYPE:
  335. case AUDIT_SUBJ_SEN:
  336. case AUDIT_SUBJ_CLR:
  337. case AUDIT_OBJ_USER:
  338. case AUDIT_OBJ_ROLE:
  339. case AUDIT_OBJ_TYPE:
  340. case AUDIT_OBJ_LEV_LOW:
  341. case AUDIT_OBJ_LEV_HIGH:
  342. case AUDIT_WATCH:
  343. case AUDIT_DIR:
  344. case AUDIT_FILTERKEY:
  345. break;
  346. case AUDIT_LOGINUID_SET:
  347. if ((f->val != 0) && (f->val != 1))
  348. return -EINVAL;
  349. /* FALL THROUGH */
  350. case AUDIT_ARCH:
  351. if (f->op != Audit_not_equal && f->op != Audit_equal)
  352. return -EINVAL;
  353. break;
  354. case AUDIT_PERM:
  355. if (f->val & ~15)
  356. return -EINVAL;
  357. break;
  358. case AUDIT_FILETYPE:
  359. if (f->val & ~S_IFMT)
  360. return -EINVAL;
  361. break;
  362. case AUDIT_FIELD_COMPARE:
  363. if (f->val > AUDIT_MAX_FIELD_COMPARE)
  364. return -EINVAL;
  365. break;
  366. case AUDIT_EXE:
  367. if (f->op != Audit_not_equal && f->op != Audit_equal)
  368. return -EINVAL;
  369. if (entry->rule.listnr != AUDIT_FILTER_EXIT)
  370. return -EINVAL;
  371. break;
  372. };
  373. return 0;
  374. }
  375. /* Translate struct audit_rule_data to kernel's rule respresentation. */
  376. static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
  377. size_t datasz)
  378. {
  379. int err = 0;
  380. struct audit_entry *entry;
  381. void *bufp;
  382. size_t remain = datasz - sizeof(struct audit_rule_data);
  383. int i;
  384. char *str;
  385. struct audit_fsnotify_mark *audit_mark;
  386. entry = audit_to_entry_common(data);
  387. if (IS_ERR(entry))
  388. goto exit_nofree;
  389. bufp = data->buf;
  390. for (i = 0; i < data->field_count; i++) {
  391. struct audit_field *f = &entry->rule.fields[i];
  392. err = -EINVAL;
  393. f->op = audit_to_op(data->fieldflags[i]);
  394. if (f->op == Audit_bad)
  395. goto exit_free;
  396. f->type = data->fields[i];
  397. f->val = data->values[i];
  398. /* Support legacy tests for a valid loginuid */
  399. if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
  400. f->type = AUDIT_LOGINUID_SET;
  401. f->val = 0;
  402. entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
  403. }
  404. err = audit_field_valid(entry, f);
  405. if (err)
  406. goto exit_free;
  407. err = -EINVAL;
  408. switch (f->type) {
  409. case AUDIT_LOGINUID:
  410. case AUDIT_UID:
  411. case AUDIT_EUID:
  412. case AUDIT_SUID:
  413. case AUDIT_FSUID:
  414. case AUDIT_OBJ_UID:
  415. f->uid = make_kuid(current_user_ns(), f->val);
  416. if (!uid_valid(f->uid))
  417. goto exit_free;
  418. break;
  419. case AUDIT_GID:
  420. case AUDIT_EGID:
  421. case AUDIT_SGID:
  422. case AUDIT_FSGID:
  423. case AUDIT_OBJ_GID:
  424. f->gid = make_kgid(current_user_ns(), f->val);
  425. if (!gid_valid(f->gid))
  426. goto exit_free;
  427. break;
  428. case AUDIT_ARCH:
  429. entry->rule.arch_f = f;
  430. break;
  431. case AUDIT_SUBJ_USER:
  432. case AUDIT_SUBJ_ROLE:
  433. case AUDIT_SUBJ_TYPE:
  434. case AUDIT_SUBJ_SEN:
  435. case AUDIT_SUBJ_CLR:
  436. case AUDIT_OBJ_USER:
  437. case AUDIT_OBJ_ROLE:
  438. case AUDIT_OBJ_TYPE:
  439. case AUDIT_OBJ_LEV_LOW:
  440. case AUDIT_OBJ_LEV_HIGH:
  441. str = audit_unpack_string(&bufp, &remain, f->val);
  442. if (IS_ERR(str))
  443. goto exit_free;
  444. entry->rule.buflen += f->val;
  445. err = security_audit_rule_init(f->type, f->op, str,
  446. (void **)&f->lsm_rule);
  447. /* Keep currently invalid fields around in case they
  448. * become valid after a policy reload. */
  449. if (err == -EINVAL) {
  450. pr_warn("audit rule for LSM \'%s\' is invalid\n",
  451. str);
  452. err = 0;
  453. }
  454. if (err) {
  455. kfree(str);
  456. goto exit_free;
  457. } else
  458. f->lsm_str = str;
  459. break;
  460. case AUDIT_WATCH:
  461. str = audit_unpack_string(&bufp, &remain, f->val);
  462. if (IS_ERR(str))
  463. goto exit_free;
  464. entry->rule.buflen += f->val;
  465. err = audit_to_watch(&entry->rule, str, f->val, f->op);
  466. if (err) {
  467. kfree(str);
  468. goto exit_free;
  469. }
  470. break;
  471. case AUDIT_DIR:
  472. str = audit_unpack_string(&bufp, &remain, f->val);
  473. if (IS_ERR(str))
  474. goto exit_free;
  475. entry->rule.buflen += f->val;
  476. err = audit_make_tree(&entry->rule, str, f->op);
  477. kfree(str);
  478. if (err)
  479. goto exit_free;
  480. break;
  481. case AUDIT_INODE:
  482. err = audit_to_inode(&entry->rule, f);
  483. if (err)
  484. goto exit_free;
  485. break;
  486. case AUDIT_FILTERKEY:
  487. if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
  488. goto exit_free;
  489. str = audit_unpack_string(&bufp, &remain, f->val);
  490. if (IS_ERR(str))
  491. goto exit_free;
  492. entry->rule.buflen += f->val;
  493. entry->rule.filterkey = str;
  494. break;
  495. case AUDIT_EXE:
  496. if (entry->rule.exe || f->val > PATH_MAX)
  497. goto exit_free;
  498. str = audit_unpack_string(&bufp, &remain, f->val);
  499. if (IS_ERR(str)) {
  500. err = PTR_ERR(str);
  501. goto exit_free;
  502. }
  503. entry->rule.buflen += f->val;
  504. audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
  505. if (IS_ERR(audit_mark)) {
  506. kfree(str);
  507. err = PTR_ERR(audit_mark);
  508. goto exit_free;
  509. }
  510. entry->rule.exe = audit_mark;
  511. break;
  512. }
  513. }
  514. if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
  515. entry->rule.inode_f = NULL;
  516. exit_nofree:
  517. return entry;
  518. exit_free:
  519. if (entry->rule.tree)
  520. audit_put_tree(entry->rule.tree); /* that's the temporary one */
  521. if (entry->rule.exe)
  522. audit_remove_mark(entry->rule.exe); /* that's the template one */
  523. audit_free_rule(entry);
  524. return ERR_PTR(err);
  525. }
  526. /* Pack a filter field's string representation into data block. */
  527. static inline size_t audit_pack_string(void **bufp, const char *str)
  528. {
  529. size_t len = strlen(str);
  530. memcpy(*bufp, str, len);
  531. *bufp += len;
  532. return len;
  533. }
  534. /* Translate kernel rule respresentation to struct audit_rule_data. */
  535. static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
  536. {
  537. struct audit_rule_data *data;
  538. void *bufp;
  539. int i;
  540. data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
  541. if (unlikely(!data))
  542. return NULL;
  543. memset(data, 0, sizeof(*data));
  544. data->flags = krule->flags | krule->listnr;
  545. data->action = krule->action;
  546. data->field_count = krule->field_count;
  547. bufp = data->buf;
  548. for (i = 0; i < data->field_count; i++) {
  549. struct audit_field *f = &krule->fields[i];
  550. data->fields[i] = f->type;
  551. data->fieldflags[i] = audit_ops[f->op];
  552. switch(f->type) {
  553. case AUDIT_SUBJ_USER:
  554. case AUDIT_SUBJ_ROLE:
  555. case AUDIT_SUBJ_TYPE:
  556. case AUDIT_SUBJ_SEN:
  557. case AUDIT_SUBJ_CLR:
  558. case AUDIT_OBJ_USER:
  559. case AUDIT_OBJ_ROLE:
  560. case AUDIT_OBJ_TYPE:
  561. case AUDIT_OBJ_LEV_LOW:
  562. case AUDIT_OBJ_LEV_HIGH:
  563. data->buflen += data->values[i] =
  564. audit_pack_string(&bufp, f->lsm_str);
  565. break;
  566. case AUDIT_WATCH:
  567. data->buflen += data->values[i] =
  568. audit_pack_string(&bufp,
  569. audit_watch_path(krule->watch));
  570. break;
  571. case AUDIT_DIR:
  572. data->buflen += data->values[i] =
  573. audit_pack_string(&bufp,
  574. audit_tree_path(krule->tree));
  575. break;
  576. case AUDIT_FILTERKEY:
  577. data->buflen += data->values[i] =
  578. audit_pack_string(&bufp, krule->filterkey);
  579. break;
  580. case AUDIT_EXE:
  581. data->buflen += data->values[i] =
  582. audit_pack_string(&bufp, audit_mark_path(krule->exe));
  583. break;
  584. case AUDIT_LOGINUID_SET:
  585. if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
  586. data->fields[i] = AUDIT_LOGINUID;
  587. data->values[i] = AUDIT_UID_UNSET;
  588. break;
  589. }
  590. /* fallthrough if set */
  591. default:
  592. data->values[i] = f->val;
  593. }
  594. }
  595. for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
  596. return data;
  597. }
  598. /* Compare two rules in kernel format. Considered success if rules
  599. * don't match. */
  600. static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
  601. {
  602. int i;
  603. if (a->flags != b->flags ||
  604. a->pflags != b->pflags ||
  605. a->listnr != b->listnr ||
  606. a->action != b->action ||
  607. a->field_count != b->field_count)
  608. return 1;
  609. for (i = 0; i < a->field_count; i++) {
  610. if (a->fields[i].type != b->fields[i].type ||
  611. a->fields[i].op != b->fields[i].op)
  612. return 1;
  613. switch(a->fields[i].type) {
  614. case AUDIT_SUBJ_USER:
  615. case AUDIT_SUBJ_ROLE:
  616. case AUDIT_SUBJ_TYPE:
  617. case AUDIT_SUBJ_SEN:
  618. case AUDIT_SUBJ_CLR:
  619. case AUDIT_OBJ_USER:
  620. case AUDIT_OBJ_ROLE:
  621. case AUDIT_OBJ_TYPE:
  622. case AUDIT_OBJ_LEV_LOW:
  623. case AUDIT_OBJ_LEV_HIGH:
  624. if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
  625. return 1;
  626. break;
  627. case AUDIT_WATCH:
  628. if (strcmp(audit_watch_path(a->watch),
  629. audit_watch_path(b->watch)))
  630. return 1;
  631. break;
  632. case AUDIT_DIR:
  633. if (strcmp(audit_tree_path(a->tree),
  634. audit_tree_path(b->tree)))
  635. return 1;
  636. break;
  637. case AUDIT_FILTERKEY:
  638. /* both filterkeys exist based on above type compare */
  639. if (strcmp(a->filterkey, b->filterkey))
  640. return 1;
  641. break;
  642. case AUDIT_EXE:
  643. /* both paths exist based on above type compare */
  644. if (strcmp(audit_mark_path(a->exe),
  645. audit_mark_path(b->exe)))
  646. return 1;
  647. break;
  648. case AUDIT_UID:
  649. case AUDIT_EUID:
  650. case AUDIT_SUID:
  651. case AUDIT_FSUID:
  652. case AUDIT_LOGINUID:
  653. case AUDIT_OBJ_UID:
  654. if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
  655. return 1;
  656. break;
  657. case AUDIT_GID:
  658. case AUDIT_EGID:
  659. case AUDIT_SGID:
  660. case AUDIT_FSGID:
  661. case AUDIT_OBJ_GID:
  662. if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
  663. return 1;
  664. break;
  665. default:
  666. if (a->fields[i].val != b->fields[i].val)
  667. return 1;
  668. }
  669. }
  670. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  671. if (a->mask[i] != b->mask[i])
  672. return 1;
  673. return 0;
  674. }
  675. /* Duplicate LSM field information. The lsm_rule is opaque, so must be
  676. * re-initialized. */
  677. static inline int audit_dupe_lsm_field(struct audit_field *df,
  678. struct audit_field *sf)
  679. {
  680. int ret = 0;
  681. char *lsm_str;
  682. /* our own copy of lsm_str */
  683. lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
  684. if (unlikely(!lsm_str))
  685. return -ENOMEM;
  686. df->lsm_str = lsm_str;
  687. /* our own (refreshed) copy of lsm_rule */
  688. ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
  689. (void **)&df->lsm_rule);
  690. /* Keep currently invalid fields around in case they
  691. * become valid after a policy reload. */
  692. if (ret == -EINVAL) {
  693. pr_warn("audit rule for LSM \'%s\' is invalid\n",
  694. df->lsm_str);
  695. ret = 0;
  696. }
  697. return ret;
  698. }
  699. /* Duplicate an audit rule. This will be a deep copy with the exception
  700. * of the watch - that pointer is carried over. The LSM specific fields
  701. * will be updated in the copy. The point is to be able to replace the old
  702. * rule with the new rule in the filterlist, then free the old rule.
  703. * The rlist element is undefined; list manipulations are handled apart from
  704. * the initial copy. */
  705. struct audit_entry *audit_dupe_rule(struct audit_krule *old)
  706. {
  707. u32 fcount = old->field_count;
  708. struct audit_entry *entry;
  709. struct audit_krule *new;
  710. char *fk;
  711. int i, err = 0;
  712. entry = audit_init_entry(fcount);
  713. if (unlikely(!entry))
  714. return ERR_PTR(-ENOMEM);
  715. new = &entry->rule;
  716. new->flags = old->flags;
  717. new->pflags = old->pflags;
  718. new->listnr = old->listnr;
  719. new->action = old->action;
  720. for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
  721. new->mask[i] = old->mask[i];
  722. new->prio = old->prio;
  723. new->buflen = old->buflen;
  724. new->inode_f = old->inode_f;
  725. new->field_count = old->field_count;
  726. /*
  727. * note that we are OK with not refcounting here; audit_match_tree()
  728. * never dereferences tree and we can't get false positives there
  729. * since we'd have to have rule gone from the list *and* removed
  730. * before the chunks found by lookup had been allocated, i.e. before
  731. * the beginning of list scan.
  732. */
  733. new->tree = old->tree;
  734. memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
  735. /* deep copy this information, updating the lsm_rule fields, because
  736. * the originals will all be freed when the old rule is freed. */
  737. for (i = 0; i < fcount; i++) {
  738. switch (new->fields[i].type) {
  739. case AUDIT_SUBJ_USER:
  740. case AUDIT_SUBJ_ROLE:
  741. case AUDIT_SUBJ_TYPE:
  742. case AUDIT_SUBJ_SEN:
  743. case AUDIT_SUBJ_CLR:
  744. case AUDIT_OBJ_USER:
  745. case AUDIT_OBJ_ROLE:
  746. case AUDIT_OBJ_TYPE:
  747. case AUDIT_OBJ_LEV_LOW:
  748. case AUDIT_OBJ_LEV_HIGH:
  749. err = audit_dupe_lsm_field(&new->fields[i],
  750. &old->fields[i]);
  751. break;
  752. case AUDIT_FILTERKEY:
  753. fk = kstrdup(old->filterkey, GFP_KERNEL);
  754. if (unlikely(!fk))
  755. err = -ENOMEM;
  756. else
  757. new->filterkey = fk;
  758. break;
  759. case AUDIT_EXE:
  760. err = audit_dupe_exe(new, old);
  761. break;
  762. }
  763. if (err) {
  764. if (new->exe)
  765. audit_remove_mark(new->exe);
  766. audit_free_rule(entry);
  767. return ERR_PTR(err);
  768. }
  769. }
  770. if (old->watch) {
  771. audit_get_watch(old->watch);
  772. new->watch = old->watch;
  773. }
  774. return entry;
  775. }
  776. /* Find an existing audit rule.
  777. * Caller must hold audit_filter_mutex to prevent stale rule data. */
  778. static struct audit_entry *audit_find_rule(struct audit_entry *entry,
  779. struct list_head **p)
  780. {
  781. struct audit_entry *e, *found = NULL;
  782. struct list_head *list;
  783. int h;
  784. if (entry->rule.inode_f) {
  785. h = audit_hash_ino(entry->rule.inode_f->val);
  786. *p = list = &audit_inode_hash[h];
  787. } else if (entry->rule.watch) {
  788. /* we don't know the inode number, so must walk entire hash */
  789. for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
  790. list = &audit_inode_hash[h];
  791. list_for_each_entry(e, list, list)
  792. if (!audit_compare_rule(&entry->rule, &e->rule)) {
  793. found = e;
  794. goto out;
  795. }
  796. }
  797. goto out;
  798. } else {
  799. *p = list = &audit_filter_list[entry->rule.listnr];
  800. }
  801. list_for_each_entry(e, list, list)
  802. if (!audit_compare_rule(&entry->rule, &e->rule)) {
  803. found = e;
  804. goto out;
  805. }
  806. out:
  807. return found;
  808. }
  809. static u64 prio_low = ~0ULL/2;
  810. static u64 prio_high = ~0ULL/2 - 1;
  811. /* Add rule to given filterlist if not a duplicate. */
  812. static inline int audit_add_rule(struct audit_entry *entry)
  813. {
  814. struct audit_entry *e;
  815. struct audit_watch *watch = entry->rule.watch;
  816. struct audit_tree *tree = entry->rule.tree;
  817. struct list_head *list;
  818. int err = 0;
  819. #ifdef CONFIG_AUDITSYSCALL
  820. int dont_count = 0;
  821. /* If either of these, don't count towards total */
  822. if (entry->rule.listnr == AUDIT_FILTER_USER ||
  823. entry->rule.listnr == AUDIT_FILTER_TYPE)
  824. dont_count = 1;
  825. #endif
  826. mutex_lock(&audit_filter_mutex);
  827. e = audit_find_rule(entry, &list);
  828. if (e) {
  829. mutex_unlock(&audit_filter_mutex);
  830. err = -EEXIST;
  831. /* normally audit_add_tree_rule() will free it on failure */
  832. if (tree)
  833. audit_put_tree(tree);
  834. return err;
  835. }
  836. if (watch) {
  837. /* audit_filter_mutex is dropped and re-taken during this call */
  838. err = audit_add_watch(&entry->rule, &list);
  839. if (err) {
  840. mutex_unlock(&audit_filter_mutex);
  841. /*
  842. * normally audit_add_tree_rule() will free it
  843. * on failure
  844. */
  845. if (tree)
  846. audit_put_tree(tree);
  847. return err;
  848. }
  849. }
  850. if (tree) {
  851. err = audit_add_tree_rule(&entry->rule);
  852. if (err) {
  853. mutex_unlock(&audit_filter_mutex);
  854. return err;
  855. }
  856. }
  857. entry->rule.prio = ~0ULL;
  858. if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
  859. if (entry->rule.flags & AUDIT_FILTER_PREPEND)
  860. entry->rule.prio = ++prio_high;
  861. else
  862. entry->rule.prio = --prio_low;
  863. }
  864. if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
  865. list_add(&entry->rule.list,
  866. &audit_rules_list[entry->rule.listnr]);
  867. list_add_rcu(&entry->list, list);
  868. entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
  869. } else {
  870. list_add_tail(&entry->rule.list,
  871. &audit_rules_list[entry->rule.listnr]);
  872. list_add_tail_rcu(&entry->list, list);
  873. }
  874. #ifdef CONFIG_AUDITSYSCALL
  875. if (!dont_count)
  876. audit_n_rules++;
  877. if (!audit_match_signal(entry))
  878. audit_signals++;
  879. #endif
  880. mutex_unlock(&audit_filter_mutex);
  881. return err;
  882. }
  883. /* Remove an existing rule from filterlist. */
  884. int audit_del_rule(struct audit_entry *entry)
  885. {
  886. struct audit_entry *e;
  887. struct audit_tree *tree = entry->rule.tree;
  888. struct list_head *list;
  889. int ret = 0;
  890. #ifdef CONFIG_AUDITSYSCALL
  891. int dont_count = 0;
  892. /* If either of these, don't count towards total */
  893. if (entry->rule.listnr == AUDIT_FILTER_USER ||
  894. entry->rule.listnr == AUDIT_FILTER_TYPE)
  895. dont_count = 1;
  896. #endif
  897. mutex_lock(&audit_filter_mutex);
  898. e = audit_find_rule(entry, &list);
  899. if (!e) {
  900. ret = -ENOENT;
  901. goto out;
  902. }
  903. if (e->rule.watch)
  904. audit_remove_watch_rule(&e->rule);
  905. if (e->rule.tree)
  906. audit_remove_tree_rule(&e->rule);
  907. if (e->rule.exe)
  908. audit_remove_mark_rule(&e->rule);
  909. #ifdef CONFIG_AUDITSYSCALL
  910. if (!dont_count)
  911. audit_n_rules--;
  912. if (!audit_match_signal(entry))
  913. audit_signals--;
  914. #endif
  915. list_del_rcu(&e->list);
  916. list_del(&e->rule.list);
  917. call_rcu(&e->rcu, audit_free_rule_rcu);
  918. out:
  919. mutex_unlock(&audit_filter_mutex);
  920. if (tree)
  921. audit_put_tree(tree); /* that's the temporary one */
  922. return ret;
  923. }
  924. /* List rules using struct audit_rule_data. */
  925. static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
  926. {
  927. struct sk_buff *skb;
  928. struct audit_krule *r;
  929. int i;
  930. /* This is a blocking read, so use audit_filter_mutex instead of rcu
  931. * iterator to sync with list writers. */
  932. for (i=0; i<AUDIT_NR_FILTERS; i++) {
  933. list_for_each_entry(r, &audit_rules_list[i], list) {
  934. struct audit_rule_data *data;
  935. data = audit_krule_to_data(r);
  936. if (unlikely(!data))
  937. break;
  938. skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
  939. 0, 1, data,
  940. sizeof(*data) + data->buflen);
  941. if (skb)
  942. skb_queue_tail(q, skb);
  943. kfree(data);
  944. }
  945. }
  946. skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
  947. if (skb)
  948. skb_queue_tail(q, skb);
  949. }
  950. /* Log rule additions and removals */
  951. static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
  952. {
  953. struct audit_buffer *ab;
  954. uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
  955. unsigned int sessionid = audit_get_sessionid(current);
  956. if (!audit_enabled)
  957. return;
  958. ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
  959. if (!ab)
  960. return;
  961. audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
  962. audit_log_task_context(ab);
  963. audit_log_format(ab, " op=");
  964. audit_log_string(ab, action);
  965. audit_log_key(ab, rule->filterkey);
  966. audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
  967. audit_log_end(ab);
  968. }
  969. /**
  970. * audit_rule_change - apply all rules to the specified message type
  971. * @type: audit message type
  972. * @portid: target port id for netlink audit messages
  973. * @seq: netlink audit message sequence (serial) number
  974. * @data: payload data
  975. * @datasz: size of payload data
  976. */
  977. int audit_rule_change(int type, __u32 portid, int seq, void *data,
  978. size_t datasz)
  979. {
  980. int err = 0;
  981. struct audit_entry *entry;
  982. entry = audit_data_to_entry(data, datasz);
  983. if (IS_ERR(entry))
  984. return PTR_ERR(entry);
  985. switch (type) {
  986. case AUDIT_ADD_RULE:
  987. err = audit_add_rule(entry);
  988. audit_log_rule_change("add_rule", &entry->rule, !err);
  989. break;
  990. case AUDIT_DEL_RULE:
  991. err = audit_del_rule(entry);
  992. audit_log_rule_change("remove_rule", &entry->rule, !err);
  993. break;
  994. default:
  995. err = -EINVAL;
  996. WARN_ON(1);
  997. }
  998. if (err || type == AUDIT_DEL_RULE) {
  999. if (entry->rule.exe)
  1000. audit_remove_mark(entry->rule.exe);
  1001. audit_free_rule(entry);
  1002. }
  1003. return err;
  1004. }
  1005. /**
  1006. * audit_list_rules_send - list the audit rules
  1007. * @request_skb: skb of request we are replying to (used to target the reply)
  1008. * @seq: netlink audit message sequence (serial) number
  1009. */
  1010. int audit_list_rules_send(struct sk_buff *request_skb, int seq)
  1011. {
  1012. u32 portid = NETLINK_CB(request_skb).portid;
  1013. struct net *net = sock_net(NETLINK_CB(request_skb).sk);
  1014. struct task_struct *tsk;
  1015. struct audit_netlink_list *dest;
  1016. int err = 0;
  1017. /* We can't just spew out the rules here because we might fill
  1018. * the available socket buffer space and deadlock waiting for
  1019. * auditctl to read from it... which isn't ever going to
  1020. * happen if we're actually running in the context of auditctl
  1021. * trying to _send_ the stuff */
  1022. dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
  1023. if (!dest)
  1024. return -ENOMEM;
  1025. dest->net = get_net(net);
  1026. dest->portid = portid;
  1027. skb_queue_head_init(&dest->q);
  1028. mutex_lock(&audit_filter_mutex);
  1029. audit_list_rules(portid, seq, &dest->q);
  1030. mutex_unlock(&audit_filter_mutex);
  1031. tsk = kthread_run(audit_send_list, dest, "audit_send_list");
  1032. if (IS_ERR(tsk)) {
  1033. skb_queue_purge(&dest->q);
  1034. kfree(dest);
  1035. err = PTR_ERR(tsk);
  1036. }
  1037. return err;
  1038. }
  1039. int audit_comparator(u32 left, u32 op, u32 right)
  1040. {
  1041. switch (op) {
  1042. case Audit_equal:
  1043. return (left == right);
  1044. case Audit_not_equal:
  1045. return (left != right);
  1046. case Audit_lt:
  1047. return (left < right);
  1048. case Audit_le:
  1049. return (left <= right);
  1050. case Audit_gt:
  1051. return (left > right);
  1052. case Audit_ge:
  1053. return (left >= right);
  1054. case Audit_bitmask:
  1055. return (left & right);
  1056. case Audit_bittest:
  1057. return ((left & right) == right);
  1058. default:
  1059. BUG();
  1060. return 0;
  1061. }
  1062. }
  1063. int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
  1064. {
  1065. switch (op) {
  1066. case Audit_equal:
  1067. return uid_eq(left, right);
  1068. case Audit_not_equal:
  1069. return !uid_eq(left, right);
  1070. case Audit_lt:
  1071. return uid_lt(left, right);
  1072. case Audit_le:
  1073. return uid_lte(left, right);
  1074. case Audit_gt:
  1075. return uid_gt(left, right);
  1076. case Audit_ge:
  1077. return uid_gte(left, right);
  1078. case Audit_bitmask:
  1079. case Audit_bittest:
  1080. default:
  1081. BUG();
  1082. return 0;
  1083. }
  1084. }
  1085. int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
  1086. {
  1087. switch (op) {
  1088. case Audit_equal:
  1089. return gid_eq(left, right);
  1090. case Audit_not_equal:
  1091. return !gid_eq(left, right);
  1092. case Audit_lt:
  1093. return gid_lt(left, right);
  1094. case Audit_le:
  1095. return gid_lte(left, right);
  1096. case Audit_gt:
  1097. return gid_gt(left, right);
  1098. case Audit_ge:
  1099. return gid_gte(left, right);
  1100. case Audit_bitmask:
  1101. case Audit_bittest:
  1102. default:
  1103. BUG();
  1104. return 0;
  1105. }
  1106. }
  1107. /**
  1108. * parent_len - find the length of the parent portion of a pathname
  1109. * @path: pathname of which to determine length
  1110. */
  1111. int parent_len(const char *path)
  1112. {
  1113. int plen;
  1114. const char *p;
  1115. plen = strlen(path);
  1116. if (plen == 0)
  1117. return plen;
  1118. /* disregard trailing slashes */
  1119. p = path + plen - 1;
  1120. while ((*p == '/') && (p > path))
  1121. p--;
  1122. /* walk backward until we find the next slash or hit beginning */
  1123. while ((*p != '/') && (p > path))
  1124. p--;
  1125. /* did we find a slash? Then increment to include it in path */
  1126. if (*p == '/')
  1127. p++;
  1128. return p - path;
  1129. }
  1130. /**
  1131. * audit_compare_dname_path - compare given dentry name with last component in
  1132. * given path. Return of 0 indicates a match.
  1133. * @dname: dentry name that we're comparing
  1134. * @path: full pathname that we're comparing
  1135. * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL
  1136. * here indicates that we must compute this value.
  1137. */
  1138. int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
  1139. {
  1140. int dlen, pathlen;
  1141. const char *p;
  1142. dlen = strlen(dname);
  1143. pathlen = strlen(path);
  1144. if (pathlen < dlen)
  1145. return 1;
  1146. parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
  1147. if (pathlen - parentlen != dlen)
  1148. return 1;
  1149. p = path + parentlen;
  1150. return strncmp(p, dname, dlen);
  1151. }
  1152. static int audit_filter_user_rules(struct audit_krule *rule, int type,
  1153. enum audit_state *state)
  1154. {
  1155. int i;
  1156. for (i = 0; i < rule->field_count; i++) {
  1157. struct audit_field *f = &rule->fields[i];
  1158. pid_t pid;
  1159. int result = 0;
  1160. u32 sid;
  1161. switch (f->type) {
  1162. case AUDIT_PID:
  1163. pid = task_pid_nr(current);
  1164. result = audit_comparator(pid, f->op, f->val);
  1165. break;
  1166. case AUDIT_UID:
  1167. result = audit_uid_comparator(current_uid(), f->op, f->uid);
  1168. break;
  1169. case AUDIT_GID:
  1170. result = audit_gid_comparator(current_gid(), f->op, f->gid);
  1171. break;
  1172. case AUDIT_LOGINUID:
  1173. result = audit_uid_comparator(audit_get_loginuid(current),
  1174. f->op, f->uid);
  1175. break;
  1176. case AUDIT_LOGINUID_SET:
  1177. result = audit_comparator(audit_loginuid_set(current),
  1178. f->op, f->val);
  1179. break;
  1180. case AUDIT_MSGTYPE:
  1181. result = audit_comparator(type, f->op, f->val);
  1182. break;
  1183. case AUDIT_SUBJ_USER:
  1184. case AUDIT_SUBJ_ROLE:
  1185. case AUDIT_SUBJ_TYPE:
  1186. case AUDIT_SUBJ_SEN:
  1187. case AUDIT_SUBJ_CLR:
  1188. if (f->lsm_rule) {
  1189. security_task_getsecid(current, &sid);
  1190. result = security_audit_rule_match(sid,
  1191. f->type,
  1192. f->op,
  1193. f->lsm_rule,
  1194. NULL);
  1195. }
  1196. break;
  1197. }
  1198. if (!result)
  1199. return 0;
  1200. }
  1201. switch (rule->action) {
  1202. case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
  1203. case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
  1204. }
  1205. return 1;
  1206. }
  1207. int audit_filter_user(int type)
  1208. {
  1209. enum audit_state state = AUDIT_DISABLED;
  1210. struct audit_entry *e;
  1211. int rc, ret;
  1212. ret = 1; /* Audit by default */
  1213. rcu_read_lock();
  1214. list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
  1215. rc = audit_filter_user_rules(&e->rule, type, &state);
  1216. if (rc) {
  1217. if (rc > 0 && state == AUDIT_DISABLED)
  1218. ret = 0;
  1219. break;
  1220. }
  1221. }
  1222. rcu_read_unlock();
  1223. return ret;
  1224. }
  1225. int audit_filter_type(int type)
  1226. {
  1227. struct audit_entry *e;
  1228. int result = 0;
  1229. rcu_read_lock();
  1230. if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
  1231. goto unlock_and_return;
  1232. list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
  1233. list) {
  1234. int i;
  1235. for (i = 0; i < e->rule.field_count; i++) {
  1236. struct audit_field *f = &e->rule.fields[i];
  1237. if (f->type == AUDIT_MSGTYPE) {
  1238. result = audit_comparator(type, f->op, f->val);
  1239. if (!result)
  1240. break;
  1241. }
  1242. }
  1243. if (result)
  1244. goto unlock_and_return;
  1245. }
  1246. unlock_and_return:
  1247. rcu_read_unlock();
  1248. return result;
  1249. }
  1250. static int update_lsm_rule(struct audit_krule *r)
  1251. {
  1252. struct audit_entry *entry = container_of(r, struct audit_entry, rule);
  1253. struct audit_entry *nentry;
  1254. int err = 0;
  1255. if (!security_audit_rule_known(r))
  1256. return 0;
  1257. nentry = audit_dupe_rule(r);
  1258. if (entry->rule.exe)
  1259. audit_remove_mark(entry->rule.exe);
  1260. if (IS_ERR(nentry)) {
  1261. /* save the first error encountered for the
  1262. * return value */
  1263. err = PTR_ERR(nentry);
  1264. audit_panic("error updating LSM filters");
  1265. if (r->watch)
  1266. list_del(&r->rlist);
  1267. list_del_rcu(&entry->list);
  1268. list_del(&r->list);
  1269. } else {
  1270. if (r->watch || r->tree)
  1271. list_replace_init(&r->rlist, &nentry->rule.rlist);
  1272. list_replace_rcu(&entry->list, &nentry->list);
  1273. list_replace(&r->list, &nentry->rule.list);
  1274. }
  1275. call_rcu(&entry->rcu, audit_free_rule_rcu);
  1276. return err;
  1277. }
  1278. /* This function will re-initialize the lsm_rule field of all applicable rules.
  1279. * It will traverse the filter lists serarching for rules that contain LSM
  1280. * specific filter fields. When such a rule is found, it is copied, the
  1281. * LSM field is re-initialized, and the old rule is replaced with the
  1282. * updated rule. */
  1283. int audit_update_lsm_rules(void)
  1284. {
  1285. struct audit_krule *r, *n;
  1286. int i, err = 0;
  1287. /* audit_filter_mutex synchronizes the writers */
  1288. mutex_lock(&audit_filter_mutex);
  1289. for (i = 0; i < AUDIT_NR_FILTERS; i++) {
  1290. list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
  1291. int res = update_lsm_rule(r);
  1292. if (!err)
  1293. err = res;
  1294. }
  1295. }
  1296. mutex_unlock(&audit_filter_mutex);
  1297. return err;
  1298. }