LCOV - code coverage report
Current view: top level - kernel - auditfilter.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 12 395 3.0 %
Date: 2015-04-12 14:34:49 Functions: 2 24 8.3 %

          Line data    Source code
       1             : /* auditfilter.c -- filtering of audit events
       2             :  *
       3             :  * Copyright 2003-2004 Red Hat, Inc.
       4             :  * Copyright 2005 Hewlett-Packard Development Company, L.P.
       5             :  * Copyright 2005 IBM Corporation
       6             :  *
       7             :  * This program is free software; you can redistribute it and/or modify
       8             :  * it under the terms of the GNU General Public License as published by
       9             :  * the Free Software Foundation; either version 2 of the License, or
      10             :  * (at your option) any later version.
      11             :  *
      12             :  * This program is distributed in the hope that it will be useful,
      13             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :  * GNU General Public License for more details.
      16             :  *
      17             :  * You should have received a copy of the GNU General Public License
      18             :  * along with this program; if not, write to the Free Software
      19             :  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
      20             :  */
      21             : 
      22             : #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
      23             : 
      24             : #include <linux/kernel.h>
      25             : #include <linux/audit.h>
      26             : #include <linux/kthread.h>
      27             : #include <linux/mutex.h>
      28             : #include <linux/fs.h>
      29             : #include <linux/namei.h>
      30             : #include <linux/netlink.h>
      31             : #include <linux/sched.h>
      32             : #include <linux/slab.h>
      33             : #include <linux/security.h>
      34             : #include <net/net_namespace.h>
      35             : #include <net/sock.h>
      36             : #include "audit.h"
      37             : 
      38             : /*
      39             :  * Locking model:
      40             :  *
      41             :  * audit_filter_mutex:
      42             :  *              Synchronizes writes and blocking reads of audit's filterlist
      43             :  *              data.  Rcu is used to traverse the filterlist and access
      44             :  *              contents of structs audit_entry, audit_watch and opaque
      45             :  *              LSM rules during filtering.  If modified, these structures
      46             :  *              must be copied and replace their counterparts in the filterlist.
      47             :  *              An audit_parent struct is not accessed during filtering, so may
      48             :  *              be written directly provided audit_filter_mutex is held.
      49             :  */
      50             : 
      51             : /* Audit filter lists, defined in <linux/audit.h> */
      52             : struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
      53             :         LIST_HEAD_INIT(audit_filter_list[0]),
      54             :         LIST_HEAD_INIT(audit_filter_list[1]),
      55             :         LIST_HEAD_INIT(audit_filter_list[2]),
      56             :         LIST_HEAD_INIT(audit_filter_list[3]),
      57             :         LIST_HEAD_INIT(audit_filter_list[4]),
      58             :         LIST_HEAD_INIT(audit_filter_list[5]),
      59             : #if AUDIT_NR_FILTERS != 6
      60             : #error Fix audit_filter_list initialiser
      61             : #endif
      62             : };
      63             : static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
      64             :         LIST_HEAD_INIT(audit_rules_list[0]),
      65             :         LIST_HEAD_INIT(audit_rules_list[1]),
      66             :         LIST_HEAD_INIT(audit_rules_list[2]),
      67             :         LIST_HEAD_INIT(audit_rules_list[3]),
      68             :         LIST_HEAD_INIT(audit_rules_list[4]),
      69             :         LIST_HEAD_INIT(audit_rules_list[5]),
      70             : };
      71             : 
      72             : DEFINE_MUTEX(audit_filter_mutex);
      73             : 
      74           0 : static void audit_free_lsm_field(struct audit_field *f)
      75             : {
      76           0 :         switch (f->type) {
      77             :         case AUDIT_SUBJ_USER:
      78             :         case AUDIT_SUBJ_ROLE:
      79             :         case AUDIT_SUBJ_TYPE:
      80             :         case AUDIT_SUBJ_SEN:
      81             :         case AUDIT_SUBJ_CLR:
      82             :         case AUDIT_OBJ_USER:
      83             :         case AUDIT_OBJ_ROLE:
      84             :         case AUDIT_OBJ_TYPE:
      85             :         case AUDIT_OBJ_LEV_LOW:
      86             :         case AUDIT_OBJ_LEV_HIGH:
      87           0 :                 kfree(f->lsm_str);
      88             :                 security_audit_rule_free(f->lsm_rule);
      89             :         }
      90           0 : }
      91             : 
      92             : static inline void audit_free_rule(struct audit_entry *e)
      93             : {
      94             :         int i;
      95             :         struct audit_krule *erule = &e->rule;
      96             : 
      97             :         /* some rules don't have associated watches */
      98             :         if (erule->watch)
      99             :                 audit_put_watch(erule->watch);
     100           0 :         if (erule->fields)
     101           0 :                 for (i = 0; i < erule->field_count; i++)
     102           0 :                         audit_free_lsm_field(&erule->fields[i]);
     103           0 :         kfree(erule->fields);
     104           0 :         kfree(erule->filterkey);
     105           0 :         kfree(e);
     106             : }
     107             : 
     108           0 : void audit_free_rule_rcu(struct rcu_head *head)
     109             : {
     110           0 :         struct audit_entry *e = container_of(head, struct audit_entry, rcu);
     111             :         audit_free_rule(e);
     112           0 : }
     113             : 
     114             : /* Initialize an audit filterlist entry. */
     115             : static inline struct audit_entry *audit_init_entry(u32 field_count)
     116             : {
     117             :         struct audit_entry *entry;
     118             :         struct audit_field *fields;
     119             : 
     120             :         entry = kzalloc(sizeof(*entry), GFP_KERNEL);
     121           0 :         if (unlikely(!entry))
     122             :                 return NULL;
     123             : 
     124             :         fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
     125           0 :         if (unlikely(!fields)) {
     126           0 :                 kfree(entry);
     127             :                 return NULL;
     128             :         }
     129           0 :         entry->rule.fields = fields;
     130             : 
     131             :         return entry;
     132             : }
     133             : 
     134             : /* Unpack a filter field's string representation from user-space
     135             :  * buffer. */
     136           0 : char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
     137             : {
     138             :         char *str;
     139             : 
     140           0 :         if (!*bufp || (len == 0) || (len > *remain))
     141             :                 return ERR_PTR(-EINVAL);
     142             : 
     143             :         /* Of the currently implemented string fields, PATH_MAX
     144             :          * defines the longest valid length.
     145             :          */
     146           0 :         if (len > PATH_MAX)
     147             :                 return ERR_PTR(-ENAMETOOLONG);
     148             : 
     149           0 :         str = kmalloc(len + 1, GFP_KERNEL);
     150           0 :         if (unlikely(!str))
     151             :                 return ERR_PTR(-ENOMEM);
     152             : 
     153           0 :         memcpy(str, *bufp, len);
     154           0 :         str[len] = 0;
     155           0 :         *bufp += len;
     156           0 :         *remain -= len;
     157             : 
     158           0 :         return str;
     159             : }
     160             : 
     161             : /* Translate an inode field to kernel respresentation. */
     162             : static inline int audit_to_inode(struct audit_krule *krule,
     163             :                                  struct audit_field *f)
     164             : {
     165           0 :         if (krule->listnr != AUDIT_FILTER_EXIT ||
     166           0 :             krule->inode_f || krule->watch || krule->tree ||
     167           0 :             (f->op != Audit_equal && f->op != Audit_not_equal))
     168             :                 return -EINVAL;
     169             : 
     170           0 :         krule->inode_f = f;
     171             :         return 0;
     172             : }
     173             : 
     174             : static __u32 *classes[AUDIT_SYSCALL_CLASSES];
     175             : 
     176           5 : int __init audit_register_class(int class, unsigned *list)
     177             : {
     178             :         __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
     179           5 :         if (!p)
     180             :                 return -ENOMEM;
     181          71 :         while (*list != ~0U) {
     182          66 :                 unsigned n = *list++;
     183          66 :                 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
     184           0 :                         kfree(p);
     185           0 :                         return -EINVAL;
     186             :                 }
     187          66 :                 p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
     188             :         }
     189           5 :         if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
     190           0 :                 kfree(p);
     191           0 :                 return -EINVAL;
     192             :         }
     193           5 :         classes[class] = p;
     194           5 :         return 0;
     195             : }
     196             : 
     197           0 : int audit_match_class(int class, unsigned syscall)
     198             : {
     199           0 :         if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
     200             :                 return 0;
     201           0 :         if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
     202             :                 return 0;
     203           0 :         return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
     204             : }
     205             : 
     206             : #ifdef CONFIG_AUDITSYSCALL
     207             : static inline int audit_match_class_bits(int class, u32 *mask)
     208             : {
     209             :         int i;
     210             : 
     211             :         if (classes[class]) {
     212             :                 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
     213             :                         if (mask[i] & classes[class][i])
     214             :                                 return 0;
     215             :         }
     216             :         return 1;
     217             : }
     218             : 
     219             : static int audit_match_signal(struct audit_entry *entry)
     220             : {
     221             :         struct audit_field *arch = entry->rule.arch_f;
     222             : 
     223             :         if (!arch) {
     224             :                 /* When arch is unspecified, we must check both masks on biarch
     225             :                  * as syscall number alone is ambiguous. */
     226             :                 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
     227             :                                                entry->rule.mask) &&
     228             :                         audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
     229             :                                                entry->rule.mask));
     230             :         }
     231             : 
     232             :         switch(audit_classify_arch(arch->val)) {
     233             :         case 0: /* native */
     234             :                 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
     235             :                                                entry->rule.mask));
     236             :         case 1: /* 32bit on biarch */
     237             :                 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
     238             :                                                entry->rule.mask));
     239             :         default:
     240             :                 return 1;
     241             :         }
     242             : }
     243             : #endif
     244             : 
     245             : /* Common user-space to kernel rule translation. */
     246             : static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
     247             : {
     248             :         unsigned listnr;
     249             :         struct audit_entry *entry;
     250             :         int i, err;
     251             : 
     252             :         err = -EINVAL;
     253           0 :         listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
     254           0 :         switch(listnr) {
     255             :         default:
     256             :                 goto exit_err;
     257             : #ifdef CONFIG_AUDITSYSCALL
     258             :         case AUDIT_FILTER_ENTRY:
     259             :                 if (rule->action == AUDIT_ALWAYS)
     260             :                         goto exit_err;
     261             :         case AUDIT_FILTER_EXIT:
     262             :         case AUDIT_FILTER_TASK:
     263             : #endif
     264             :         case AUDIT_FILTER_USER:
     265             :         case AUDIT_FILTER_TYPE:
     266             :                 ;
     267             :         }
     268           0 :         if (unlikely(rule->action == AUDIT_POSSIBLE)) {
     269           0 :                 pr_err("AUDIT_POSSIBLE is deprecated\n");
     270             :                 goto exit_err;
     271             :         }
     272           0 :         if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
     273             :                 goto exit_err;
     274           0 :         if (rule->field_count > AUDIT_MAX_FIELDS)
     275             :                 goto exit_err;
     276             : 
     277             :         err = -ENOMEM;
     278             :         entry = audit_init_entry(rule->field_count);
     279           0 :         if (!entry)
     280             :                 goto exit_err;
     281             : 
     282           0 :         entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
     283           0 :         entry->rule.listnr = listnr;
     284           0 :         entry->rule.action = rule->action;
     285           0 :         entry->rule.field_count = rule->field_count;
     286             : 
     287           0 :         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
     288           0 :                 entry->rule.mask[i] = rule->mask[i];
     289             : 
     290           0 :         for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
     291           0 :                 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
     292           0 :                 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
     293             :                 __u32 *class;
     294             : 
     295           0 :                 if (!(*p & AUDIT_BIT(bit)))
     296           0 :                         continue;
     297           0 :                 *p &= ~AUDIT_BIT(bit);
     298           0 :                 class = classes[i];
     299           0 :                 if (class) {
     300             :                         int j;
     301           0 :                         for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
     302           0 :                                 entry->rule.mask[j] |= class[j];
     303             :                 }
     304             :         }
     305             : 
     306             :         return entry;
     307             : 
     308             : exit_err:
     309             :         return ERR_PTR(err);
     310             : }
     311             : 
     312             : static u32 audit_ops[] =
     313             : {
     314             :         [Audit_equal] = AUDIT_EQUAL,
     315             :         [Audit_not_equal] = AUDIT_NOT_EQUAL,
     316             :         [Audit_bitmask] = AUDIT_BIT_MASK,
     317             :         [Audit_bittest] = AUDIT_BIT_TEST,
     318             :         [Audit_lt] = AUDIT_LESS_THAN,
     319             :         [Audit_gt] = AUDIT_GREATER_THAN,
     320             :         [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
     321             :         [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
     322             : };
     323             : 
     324             : static u32 audit_to_op(u32 op)
     325             : {
     326             :         u32 n;
     327           0 :         for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
     328             :                 ;
     329             :         return n;
     330             : }
     331             : 
     332             : /* check if an audit field is valid */
     333           0 : static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
     334             : {
     335           0 :         switch(f->type) {
     336             :         case AUDIT_MSGTYPE:
     337           0 :                 if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
     338             :                     entry->rule.listnr != AUDIT_FILTER_USER)
     339             :                         return -EINVAL;
     340             :                 break;
     341             :         };
     342             : 
     343           0 :         switch(f->type) {
     344             :         default:
     345             :                 return -EINVAL;
     346             :         case AUDIT_UID:
     347             :         case AUDIT_EUID:
     348             :         case AUDIT_SUID:
     349             :         case AUDIT_FSUID:
     350             :         case AUDIT_LOGINUID:
     351             :         case AUDIT_OBJ_UID:
     352             :         case AUDIT_GID:
     353             :         case AUDIT_EGID:
     354             :         case AUDIT_SGID:
     355             :         case AUDIT_FSGID:
     356             :         case AUDIT_OBJ_GID:
     357             :         case AUDIT_PID:
     358             :         case AUDIT_PERS:
     359             :         case AUDIT_MSGTYPE:
     360             :         case AUDIT_PPID:
     361             :         case AUDIT_DEVMAJOR:
     362             :         case AUDIT_DEVMINOR:
     363             :         case AUDIT_EXIT:
     364             :         case AUDIT_SUCCESS:
     365             :         case AUDIT_INODE:
     366             :                 /* bit ops are only useful on syscall args */
     367           0 :                 if (f->op == Audit_bitmask || f->op == Audit_bittest)
     368             :                         return -EINVAL;
     369             :                 break;
     370             :         case AUDIT_ARG0:
     371             :         case AUDIT_ARG1:
     372             :         case AUDIT_ARG2:
     373             :         case AUDIT_ARG3:
     374             :         case AUDIT_SUBJ_USER:
     375             :         case AUDIT_SUBJ_ROLE:
     376             :         case AUDIT_SUBJ_TYPE:
     377             :         case AUDIT_SUBJ_SEN:
     378             :         case AUDIT_SUBJ_CLR:
     379             :         case AUDIT_OBJ_USER:
     380             :         case AUDIT_OBJ_ROLE:
     381             :         case AUDIT_OBJ_TYPE:
     382             :         case AUDIT_OBJ_LEV_LOW:
     383             :         case AUDIT_OBJ_LEV_HIGH:
     384             :         case AUDIT_WATCH:
     385             :         case AUDIT_DIR:
     386             :         case AUDIT_FILTERKEY:
     387             :                 break;
     388             :         case AUDIT_LOGINUID_SET:
     389           0 :                 if ((f->val != 0) && (f->val != 1))
     390             :                         return -EINVAL;
     391             :         /* FALL THROUGH */
     392             :         case AUDIT_ARCH:
     393           0 :                 if (f->op != Audit_not_equal && f->op != Audit_equal)
     394             :                         return -EINVAL;
     395             :                 break;
     396             :         case AUDIT_PERM:
     397           0 :                 if (f->val & ~15)
     398             :                         return -EINVAL;
     399             :                 break;
     400             :         case AUDIT_FILETYPE:
     401           0 :                 if (f->val & ~S_IFMT)
     402             :                         return -EINVAL;
     403             :                 break;
     404             :         case AUDIT_FIELD_COMPARE:
     405           0 :                 if (f->val > AUDIT_MAX_FIELD_COMPARE)
     406             :                         return -EINVAL;
     407             :                 break;
     408             :         };
     409             :         return 0;
     410             : }
     411             : 
     412             : /* Translate struct audit_rule_data to kernel's rule respresentation. */
     413           0 : static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
     414             :                                                size_t datasz)
     415             : {
     416             :         int err = 0;
     417             :         struct audit_entry *entry;
     418             :         void *bufp;
     419           0 :         size_t remain = datasz - sizeof(struct audit_rule_data);
     420             :         int i;
     421             :         char *str;
     422             : 
     423             :         entry = audit_to_entry_common(data);
     424           0 :         if (IS_ERR(entry))
     425             :                 goto exit_nofree;
     426             : 
     427           0 :         bufp = data->buf;
     428           0 :         entry->rule.vers_ops = 2;
     429           0 :         for (i = 0; i < data->field_count; i++) {
     430           0 :                 struct audit_field *f = &entry->rule.fields[i];
     431             : 
     432             :                 err = -EINVAL;
     433             : 
     434           0 :                 f->op = audit_to_op(data->fieldflags[i]);
     435           0 :                 if (f->op == Audit_bad)
     436             :                         goto exit_free;
     437             : 
     438           0 :                 f->type = data->fields[i];
     439           0 :                 f->val = data->values[i];
     440             : 
     441             :                 /* Support legacy tests for a valid loginuid */
     442           0 :                 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
     443           0 :                         f->type = AUDIT_LOGINUID_SET;
     444           0 :                         f->val = 0;
     445           0 :                         entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
     446             :                 }
     447             : 
     448           0 :                 err = audit_field_valid(entry, f);
     449           0 :                 if (err)
     450             :                         goto exit_free;
     451             : 
     452             :                 err = -EINVAL;
     453           0 :                 switch (f->type) {
     454             :                 case AUDIT_LOGINUID:
     455             :                 case AUDIT_UID:
     456             :                 case AUDIT_EUID:
     457             :                 case AUDIT_SUID:
     458             :                 case AUDIT_FSUID:
     459             :                 case AUDIT_OBJ_UID:
     460           0 :                         f->uid = make_kuid(current_user_ns(), f->val);
     461           0 :                         if (!uid_valid(f->uid))
     462             :                                 goto exit_free;
     463             :                         break;
     464             :                 case AUDIT_GID:
     465             :                 case AUDIT_EGID:
     466             :                 case AUDIT_SGID:
     467             :                 case AUDIT_FSGID:
     468             :                 case AUDIT_OBJ_GID:
     469           0 :                         f->gid = make_kgid(current_user_ns(), f->val);
     470           0 :                         if (!gid_valid(f->gid))
     471             :                                 goto exit_free;
     472             :                         break;
     473             :                 case AUDIT_ARCH:
     474           0 :                         entry->rule.arch_f = f;
     475           0 :                         break;
     476             :                 case AUDIT_SUBJ_USER:
     477             :                 case AUDIT_SUBJ_ROLE:
     478             :                 case AUDIT_SUBJ_TYPE:
     479             :                 case AUDIT_SUBJ_SEN:
     480             :                 case AUDIT_SUBJ_CLR:
     481             :                 case AUDIT_OBJ_USER:
     482             :                 case AUDIT_OBJ_ROLE:
     483             :                 case AUDIT_OBJ_TYPE:
     484             :                 case AUDIT_OBJ_LEV_LOW:
     485             :                 case AUDIT_OBJ_LEV_HIGH:
     486           0 :                         str = audit_unpack_string(&bufp, &remain, f->val);
     487           0 :                         if (IS_ERR(str))
     488             :                                 goto exit_free;
     489           0 :                         entry->rule.buflen += f->val;
     490             : 
     491             :                         err = security_audit_rule_init(f->type, f->op, str,
     492             :                                                        (void **)&f->lsm_rule);
     493             :                         /* Keep currently invalid fields around in case they
     494             :                          * become valid after a policy reload. */
     495             :                         if (err == -EINVAL) {
     496             :                                 pr_warn("audit rule for LSM \'%s\' is invalid\n",
     497             :                                         str);
     498             :                                 err = 0;
     499             :                         }
     500             :                         if (err) {
     501             :                                 kfree(str);
     502             :                                 goto exit_free;
     503             :                         } else
     504           0 :                                 f->lsm_str = str;
     505           0 :                         break;
     506             :                 case AUDIT_WATCH:
     507           0 :                         str = audit_unpack_string(&bufp, &remain, f->val);
     508           0 :                         if (IS_ERR(str))
     509             :                                 goto exit_free;
     510           0 :                         entry->rule.buflen += f->val;
     511             : 
     512             :                         err = audit_to_watch(&entry->rule, str, f->val, f->op);
     513             :                         if (err) {
     514           0 :                                 kfree(str);
     515           0 :                                 goto exit_free;
     516             :                         }
     517             :                         break;
     518             :                 case AUDIT_DIR:
     519           0 :                         str = audit_unpack_string(&bufp, &remain, f->val);
     520           0 :                         if (IS_ERR(str))
     521             :                                 goto exit_free;
     522           0 :                         entry->rule.buflen += f->val;
     523             : 
     524             :                         err = audit_make_tree(&entry->rule, str, f->op);
     525           0 :                         kfree(str);
     526             :                         if (err)
     527             :                                 goto exit_free;
     528             :                         break;
     529             :                 case AUDIT_INODE:
     530             :                         err = audit_to_inode(&entry->rule, f);
     531           0 :                         if (err)
     532             :                                 goto exit_free;
     533             :                         break;
     534             :                 case AUDIT_FILTERKEY:
     535           0 :                         if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
     536             :                                 goto exit_free;
     537           0 :                         str = audit_unpack_string(&bufp, &remain, f->val);
     538           0 :                         if (IS_ERR(str))
     539             :                                 goto exit_free;
     540           0 :                         entry->rule.buflen += f->val;
     541           0 :                         entry->rule.filterkey = str;
     542           0 :                         break;
     543             :                 }
     544             :         }
     545             : 
     546           0 :         if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
     547           0 :                 entry->rule.inode_f = NULL;
     548             : 
     549             : exit_nofree:
     550           0 :         return entry;
     551             : 
     552             : exit_free:
     553             :         if (entry->rule.watch)
     554             :                 audit_put_watch(entry->rule.watch); /* matches initial get */
     555             :         if (entry->rule.tree)
     556             :                 audit_put_tree(entry->rule.tree); /* that's the temporary one */
     557             :         audit_free_rule(entry);
     558           0 :         return ERR_PTR(err);
     559             : }
     560             : 
     561             : /* Pack a filter field's string representation into data block. */
     562             : static inline size_t audit_pack_string(void **bufp, const char *str)
     563             : {
     564           0 :         size_t len = strlen(str);
     565             : 
     566           0 :         memcpy(*bufp, str, len);
     567           0 :         *bufp += len;
     568             : 
     569             :         return len;
     570             : }
     571             : 
     572             : /* Translate kernel rule respresentation to struct audit_rule_data. */
     573           0 : static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
     574             : {
     575             :         struct audit_rule_data *data;
     576             :         void *bufp;
     577             :         int i;
     578             : 
     579           0 :         data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
     580           0 :         if (unlikely(!data))
     581             :                 return NULL;
     582           0 :         memset(data, 0, sizeof(*data));
     583             : 
     584           0 :         data->flags = krule->flags | krule->listnr;
     585           0 :         data->action = krule->action;
     586           0 :         data->field_count = krule->field_count;
     587           0 :         bufp = data->buf;
     588           0 :         for (i = 0; i < data->field_count; i++) {
     589           0 :                 struct audit_field *f = &krule->fields[i];
     590             : 
     591           0 :                 data->fields[i] = f->type;
     592           0 :                 data->fieldflags[i] = audit_ops[f->op];
     593           0 :                 switch(f->type) {
     594             :                 case AUDIT_SUBJ_USER:
     595             :                 case AUDIT_SUBJ_ROLE:
     596             :                 case AUDIT_SUBJ_TYPE:
     597             :                 case AUDIT_SUBJ_SEN:
     598             :                 case AUDIT_SUBJ_CLR:
     599             :                 case AUDIT_OBJ_USER:
     600             :                 case AUDIT_OBJ_ROLE:
     601             :                 case AUDIT_OBJ_TYPE:
     602             :                 case AUDIT_OBJ_LEV_LOW:
     603             :                 case AUDIT_OBJ_LEV_HIGH:
     604           0 :                         data->buflen += data->values[i] =
     605           0 :                                 audit_pack_string(&bufp, f->lsm_str);
     606           0 :                         break;
     607             :                 case AUDIT_WATCH:
     608           0 :                         data->buflen += data->values[i] =
     609             :                                 audit_pack_string(&bufp,
     610             :                                                   audit_watch_path(krule->watch));
     611           0 :                         break;
     612             :                 case AUDIT_DIR:
     613           0 :                         data->buflen += data->values[i] =
     614             :                                 audit_pack_string(&bufp,
     615             :                                                   audit_tree_path(krule->tree));
     616           0 :                         break;
     617             :                 case AUDIT_FILTERKEY:
     618           0 :                         data->buflen += data->values[i] =
     619           0 :                                 audit_pack_string(&bufp, krule->filterkey);
     620           0 :                         break;
     621             :                 case AUDIT_LOGINUID_SET:
     622           0 :                         if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
     623           0 :                                 data->fields[i] = AUDIT_LOGINUID;
     624           0 :                                 data->values[i] = AUDIT_UID_UNSET;
     625           0 :                                 break;
     626             :                         }
     627             :                         /* fallthrough if set */
     628             :                 default:
     629           0 :                         data->values[i] = f->val;
     630             :                 }
     631             :         }
     632           0 :         for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
     633             : 
     634             :         return data;
     635             : }
     636             : 
     637             : /* Compare two rules in kernel format.  Considered success if rules
     638             :  * don't match. */
     639           0 : static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
     640             : {
     641             :         int i;
     642             : 
     643           0 :         if (a->flags != b->flags ||
     644           0 :             a->pflags != b->pflags ||
     645           0 :             a->listnr != b->listnr ||
     646           0 :             a->action != b->action ||
     647           0 :             a->field_count != b->field_count)
     648             :                 return 1;
     649             : 
     650           0 :         for (i = 0; i < a->field_count; i++) {
     651           0 :                 if (a->fields[i].type != b->fields[i].type ||
     652           0 :                     a->fields[i].op != b->fields[i].op)
     653             :                         return 1;
     654             : 
     655           0 :                 switch(a->fields[i].type) {
     656             :                 case AUDIT_SUBJ_USER:
     657             :                 case AUDIT_SUBJ_ROLE:
     658             :                 case AUDIT_SUBJ_TYPE:
     659             :                 case AUDIT_SUBJ_SEN:
     660             :                 case AUDIT_SUBJ_CLR:
     661             :                 case AUDIT_OBJ_USER:
     662             :                 case AUDIT_OBJ_ROLE:
     663             :                 case AUDIT_OBJ_TYPE:
     664             :                 case AUDIT_OBJ_LEV_LOW:
     665             :                 case AUDIT_OBJ_LEV_HIGH:
     666           0 :                         if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
     667             :                                 return 1;
     668             :                         break;
     669             :                 case AUDIT_WATCH:
     670             :                         if (strcmp(audit_watch_path(a->watch),
     671             :                                    audit_watch_path(b->watch)))
     672             :                                 return 1;
     673             :                         break;
     674             :                 case AUDIT_DIR:
     675             :                         if (strcmp(audit_tree_path(a->tree),
     676             :                                    audit_tree_path(b->tree)))
     677             :                                 return 1;
     678             :                         break;
     679             :                 case AUDIT_FILTERKEY:
     680             :                         /* both filterkeys exist based on above type compare */
     681           0 :                         if (strcmp(a->filterkey, b->filterkey))
     682             :                                 return 1;
     683             :                         break;
     684             :                 case AUDIT_UID:
     685             :                 case AUDIT_EUID:
     686             :                 case AUDIT_SUID:
     687             :                 case AUDIT_FSUID:
     688             :                 case AUDIT_LOGINUID:
     689             :                 case AUDIT_OBJ_UID:
     690           0 :                         if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
     691             :                                 return 1;
     692             :                         break;
     693             :                 case AUDIT_GID:
     694             :                 case AUDIT_EGID:
     695             :                 case AUDIT_SGID:
     696             :                 case AUDIT_FSGID:
     697             :                 case AUDIT_OBJ_GID:
     698           0 :                         if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
     699             :                                 return 1;
     700             :                         break;
     701             :                 default:
     702           0 :                         if (a->fields[i].val != b->fields[i].val)
     703             :                                 return 1;
     704             :                 }
     705             :         }
     706             : 
     707           0 :         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
     708           0 :                 if (a->mask[i] != b->mask[i])
     709             :                         return 1;
     710             : 
     711             :         return 0;
     712             : }
     713             : 
     714             : /* Duplicate LSM field information.  The lsm_rule is opaque, so must be
     715             :  * re-initialized. */
     716             : static inline int audit_dupe_lsm_field(struct audit_field *df,
     717             :                                            struct audit_field *sf)
     718             : {
     719             :         int ret = 0;
     720             :         char *lsm_str;
     721             : 
     722             :         /* our own copy of lsm_str */
     723           0 :         lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
     724           0 :         if (unlikely(!lsm_str))
     725             :                 return -ENOMEM;
     726           0 :         df->lsm_str = lsm_str;
     727             : 
     728             :         /* our own (refreshed) copy of lsm_rule */
     729             :         ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
     730             :                                        (void **)&df->lsm_rule);
     731             :         /* Keep currently invalid fields around in case they
     732             :          * become valid after a policy reload. */
     733             :         if (ret == -EINVAL) {
     734             :                 pr_warn("audit rule for LSM \'%s\' is invalid\n",
     735             :                         df->lsm_str);
     736             :                 ret = 0;
     737             :         }
     738             : 
     739             :         return ret;
     740             : }
     741             : 
     742             : /* Duplicate an audit rule.  This will be a deep copy with the exception
     743             :  * of the watch - that pointer is carried over.  The LSM specific fields
     744             :  * will be updated in the copy.  The point is to be able to replace the old
     745             :  * rule with the new rule in the filterlist, then free the old rule.
     746             :  * The rlist element is undefined; list manipulations are handled apart from
     747             :  * the initial copy. */
     748           0 : struct audit_entry *audit_dupe_rule(struct audit_krule *old)
     749             : {
     750           0 :         u32 fcount = old->field_count;
     751             :         struct audit_entry *entry;
     752             :         struct audit_krule *new;
     753             :         char *fk;
     754             :         int i, err = 0;
     755             : 
     756             :         entry = audit_init_entry(fcount);
     757           0 :         if (unlikely(!entry))
     758             :                 return ERR_PTR(-ENOMEM);
     759             : 
     760             :         new = &entry->rule;
     761           0 :         new->vers_ops = old->vers_ops;
     762           0 :         new->flags = old->flags;
     763           0 :         new->pflags = old->pflags;
     764           0 :         new->listnr = old->listnr;
     765           0 :         new->action = old->action;
     766           0 :         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
     767           0 :                 new->mask[i] = old->mask[i];
     768           0 :         new->prio = old->prio;
     769           0 :         new->buflen = old->buflen;
     770           0 :         new->inode_f = old->inode_f;
     771           0 :         new->field_count = old->field_count;
     772             : 
     773             :         /*
     774             :          * note that we are OK with not refcounting here; audit_match_tree()
     775             :          * never dereferences tree and we can't get false positives there
     776             :          * since we'd have to have rule gone from the list *and* removed
     777             :          * before the chunks found by lookup had been allocated, i.e. before
     778             :          * the beginning of list scan.
     779             :          */
     780           0 :         new->tree = old->tree;
     781           0 :         memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
     782             : 
     783             :         /* deep copy this information, updating the lsm_rule fields, because
     784             :          * the originals will all be freed when the old rule is freed. */
     785           0 :         for (i = 0; i < fcount; i++) {
     786           0 :                 switch (new->fields[i].type) {
     787             :                 case AUDIT_SUBJ_USER:
     788             :                 case AUDIT_SUBJ_ROLE:
     789             :                 case AUDIT_SUBJ_TYPE:
     790             :                 case AUDIT_SUBJ_SEN:
     791             :                 case AUDIT_SUBJ_CLR:
     792             :                 case AUDIT_OBJ_USER:
     793             :                 case AUDIT_OBJ_ROLE:
     794             :                 case AUDIT_OBJ_TYPE:
     795             :                 case AUDIT_OBJ_LEV_LOW:
     796             :                 case AUDIT_OBJ_LEV_HIGH:
     797           0 :                         err = audit_dupe_lsm_field(&new->fields[i],
     798           0 :                                                        &old->fields[i]);
     799           0 :                         break;
     800             :                 case AUDIT_FILTERKEY:
     801           0 :                         fk = kstrdup(old->filterkey, GFP_KERNEL);
     802           0 :                         if (unlikely(!fk))
     803             :                                 err = -ENOMEM;
     804             :                         else
     805           0 :                                 new->filterkey = fk;
     806             :                 }
     807           0 :                 if (err) {
     808             :                         audit_free_rule(entry);
     809           0 :                         return ERR_PTR(err);
     810             :                 }
     811             :         }
     812             : 
     813           0 :         if (old->watch) {
     814             :                 audit_get_watch(old->watch);
     815           0 :                 new->watch = old->watch;
     816             :         }
     817             : 
     818           0 :         return entry;
     819             : }
     820             : 
     821             : /* Find an existing audit rule.
     822             :  * Caller must hold audit_filter_mutex to prevent stale rule data. */
     823           0 : static struct audit_entry *audit_find_rule(struct audit_entry *entry,
     824             :                                            struct list_head **p)
     825             : {
     826             :         struct audit_entry *e, *found = NULL;
     827             :         struct list_head *list;
     828             :         int h;
     829             : 
     830           0 :         if (entry->rule.inode_f) {
     831           0 :                 h = audit_hash_ino(entry->rule.inode_f->val);
     832           0 :                 *p = list = &audit_inode_hash[h];
     833           0 :         } else if (entry->rule.watch) {
     834             :                 /* we don't know the inode number, so must walk entire hash */
     835           0 :                 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
     836           0 :                         list = &audit_inode_hash[h];
     837           0 :                         list_for_each_entry(e, list, list)
     838           0 :                                 if (!audit_compare_rule(&entry->rule, &e->rule)) {
     839             :                                         found = e;
     840             :                                         goto out;
     841             :                                 }
     842             :                 }
     843             :                 goto out;
     844             :         } else {
     845           0 :                 *p = list = &audit_filter_list[entry->rule.listnr];
     846             :         }
     847             : 
     848           0 :         list_for_each_entry(e, list, list)
     849           0 :                 if (!audit_compare_rule(&entry->rule, &e->rule)) {
     850             :                         found = e;
     851             :                         goto out;
     852             :                 }
     853             : 
     854             : out:
     855           0 :         return found;
     856             : }
     857             : 
     858             : static u64 prio_low = ~0ULL/2;
     859             : static u64 prio_high = ~0ULL/2 - 1;
     860             : 
     861             : /* Add rule to given filterlist if not a duplicate. */
     862             : static inline int audit_add_rule(struct audit_entry *entry)
     863             : {
     864             :         struct audit_entry *e;
     865           0 :         struct audit_watch *watch = entry->rule.watch;
     866           0 :         struct audit_tree *tree = entry->rule.tree;
     867             :         struct list_head *list;
     868             :         int err;
     869             : #ifdef CONFIG_AUDITSYSCALL
     870             :         int dont_count = 0;
     871             : 
     872             :         /* If either of these, don't count towards total */
     873             :         if (entry->rule.listnr == AUDIT_FILTER_USER ||
     874             :                 entry->rule.listnr == AUDIT_FILTER_TYPE)
     875             :                 dont_count = 1;
     876             : #endif
     877             : 
     878           0 :         mutex_lock(&audit_filter_mutex);
     879           0 :         e = audit_find_rule(entry, &list);
     880           0 :         if (e) {
     881           0 :                 mutex_unlock(&audit_filter_mutex);
     882             :                 err = -EEXIST;
     883             :                 /* normally audit_add_tree_rule() will free it on failure */
     884             :                 if (tree)
     885             :                         audit_put_tree(tree);
     886             :                 goto error;
     887             :         }
     888             : 
     889           0 :         if (watch) {
     890             :                 /* audit_filter_mutex is dropped and re-taken during this call */
     891             :                 err = audit_add_watch(&entry->rule, &list);
     892             :                 if (err) {
     893           0 :                         mutex_unlock(&audit_filter_mutex);
     894             :                         /*
     895             :                          * normally audit_add_tree_rule() will free it
     896             :                          * on failure
     897             :                          */
     898             :                         if (tree)
     899             :                                 audit_put_tree(tree);
     900             :                         goto error;
     901             :                 }
     902             :         }
     903           0 :         if (tree) {
     904             :                 err = audit_add_tree_rule(&entry->rule);
     905             :                 if (err) {
     906           0 :                         mutex_unlock(&audit_filter_mutex);
     907             :                         goto error;
     908             :                 }
     909             :         }
     910             : 
     911           0 :         entry->rule.prio = ~0ULL;
     912           0 :         if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
     913           0 :                 if (entry->rule.flags & AUDIT_FILTER_PREPEND)
     914           0 :                         entry->rule.prio = ++prio_high;
     915             :                 else
     916           0 :                         entry->rule.prio = --prio_low;
     917             :         }
     918             : 
     919           0 :         if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
     920           0 :                 list_add(&entry->rule.list,
     921             :                          &audit_rules_list[entry->rule.listnr]);
     922           0 :                 list_add_rcu(&entry->list, list);
     923           0 :                 entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
     924             :         } else {
     925           0 :                 list_add_tail(&entry->rule.list,
     926             :                               &audit_rules_list[entry->rule.listnr]);
     927           0 :                 list_add_tail_rcu(&entry->list, list);
     928             :         }
     929             : #ifdef CONFIG_AUDITSYSCALL
     930             :         if (!dont_count)
     931             :                 audit_n_rules++;
     932             : 
     933             :         if (!audit_match_signal(entry))
     934             :                 audit_signals++;
     935             : #endif
     936           0 :         mutex_unlock(&audit_filter_mutex);
     937             : 
     938             :         return 0;
     939             : 
     940             : error:
     941             :         if (watch)
     942             :                 audit_put_watch(watch); /* tmp watch, matches initial get */
     943             :         return err;
     944             : }
     945             : 
     946             : /* Remove an existing rule from filterlist. */
     947             : static inline int audit_del_rule(struct audit_entry *entry)
     948             : {
     949             :         struct audit_entry  *e;
     950             :         struct audit_watch *watch = entry->rule.watch;
     951             :         struct audit_tree *tree = entry->rule.tree;
     952             :         struct list_head *list;
     953             :         int ret = 0;
     954             : #ifdef CONFIG_AUDITSYSCALL
     955             :         int dont_count = 0;
     956             : 
     957             :         /* If either of these, don't count towards total */
     958             :         if (entry->rule.listnr == AUDIT_FILTER_USER ||
     959             :                 entry->rule.listnr == AUDIT_FILTER_TYPE)
     960             :                 dont_count = 1;
     961             : #endif
     962             : 
     963           0 :         mutex_lock(&audit_filter_mutex);
     964           0 :         e = audit_find_rule(entry, &list);
     965           0 :         if (!e) {
     966           0 :                 mutex_unlock(&audit_filter_mutex);
     967             :                 ret = -ENOENT;
     968             :                 goto out;
     969             :         }
     970             : 
     971           0 :         if (e->rule.watch)
     972             :                 audit_remove_watch_rule(&e->rule);
     973             : 
     974           0 :         if (e->rule.tree)
     975             :                 audit_remove_tree_rule(&e->rule);
     976             : 
     977             :         list_del_rcu(&e->list);
     978             :         list_del(&e->rule.list);
     979           0 :         call_rcu(&e->rcu, audit_free_rule_rcu);
     980             : 
     981             : #ifdef CONFIG_AUDITSYSCALL
     982             :         if (!dont_count)
     983             :                 audit_n_rules--;
     984             : 
     985             :         if (!audit_match_signal(entry))
     986             :                 audit_signals--;
     987             : #endif
     988           0 :         mutex_unlock(&audit_filter_mutex);
     989             : 
     990             : out:
     991             :         if (watch)
     992             :                 audit_put_watch(watch); /* match initial get */
     993             :         if (tree)
     994             :                 audit_put_tree(tree);   /* that's the temporary one */
     995             : 
     996             :         return ret;
     997             : }
     998             : 
     999             : /* List rules using struct audit_rule_data. */
    1000           0 : static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
    1001             : {
    1002             :         struct sk_buff *skb;
    1003             :         struct audit_krule *r;
    1004             :         int i;
    1005             : 
    1006             :         /* This is a blocking read, so use audit_filter_mutex instead of rcu
    1007             :          * iterator to sync with list writers. */
    1008           0 :         for (i=0; i<AUDIT_NR_FILTERS; i++) {
    1009           0 :                 list_for_each_entry(r, &audit_rules_list[i], list) {
    1010             :                         struct audit_rule_data *data;
    1011             : 
    1012           0 :                         data = audit_krule_to_data(r);
    1013           0 :                         if (unlikely(!data))
    1014             :                                 break;
    1015           0 :                         skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
    1016             :                                                0, 1, data,
    1017           0 :                                                sizeof(*data) + data->buflen);
    1018           0 :                         if (skb)
    1019           0 :                                 skb_queue_tail(q, skb);
    1020           0 :                         kfree(data);
    1021             :                 }
    1022             :         }
    1023           0 :         skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
    1024           0 :         if (skb)
    1025           0 :                 skb_queue_tail(q, skb);
    1026           0 : }
    1027             : 
    1028             : /* Log rule additions and removals */
    1029           0 : static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
    1030             : {
    1031             :         struct audit_buffer *ab;
    1032             :         uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
    1033             :         unsigned int sessionid = audit_get_sessionid(current);
    1034             : 
    1035           0 :         if (!audit_enabled)
    1036             :                 return;
    1037             : 
    1038           0 :         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
    1039           0 :         if (!ab)
    1040             :                 return;
    1041           0 :         audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
    1042           0 :         audit_log_task_context(ab);
    1043           0 :         audit_log_format(ab, " op=");
    1044             :         audit_log_string(ab, action);
    1045           0 :         audit_log_key(ab, rule->filterkey);
    1046           0 :         audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
    1047           0 :         audit_log_end(ab);
    1048             : }
    1049             : 
    1050             : /**
    1051             :  * audit_rule_change - apply all rules to the specified message type
    1052             :  * @type: audit message type
    1053             :  * @portid: target port id for netlink audit messages
    1054             :  * @seq: netlink audit message sequence (serial) number
    1055             :  * @data: payload data
    1056             :  * @datasz: size of payload data
    1057             :  */
    1058           0 : int audit_rule_change(int type, __u32 portid, int seq, void *data,
    1059             :                         size_t datasz)
    1060             : {
    1061             :         int err = 0;
    1062             :         struct audit_entry *entry;
    1063             : 
    1064           0 :         entry = audit_data_to_entry(data, datasz);
    1065           0 :         if (IS_ERR(entry))
    1066           0 :                 return PTR_ERR(entry);
    1067             : 
    1068           0 :         switch (type) {
    1069             :         case AUDIT_ADD_RULE:
    1070             :                 err = audit_add_rule(entry);
    1071           0 :                 audit_log_rule_change("add_rule", &entry->rule, !err);
    1072           0 :                 break;
    1073             :         case AUDIT_DEL_RULE:
    1074             :                 err = audit_del_rule(entry);
    1075           0 :                 audit_log_rule_change("remove_rule", &entry->rule, !err);
    1076           0 :                 break;
    1077             :         default:
    1078             :                 err = -EINVAL;
    1079             :                 WARN_ON(1);
    1080             :         }
    1081             : 
    1082           0 :         if (err || type == AUDIT_DEL_RULE)
    1083             :                 audit_free_rule(entry);
    1084             : 
    1085           0 :         return err;
    1086             : }
    1087             : 
    1088             : /**
    1089             :  * audit_list_rules_send - list the audit rules
    1090             :  * @request_skb: skb of request we are replying to (used to target the reply)
    1091             :  * @seq: netlink audit message sequence (serial) number
    1092             :  */
    1093           0 : int audit_list_rules_send(struct sk_buff *request_skb, int seq)
    1094             : {
    1095           0 :         u32 portid = NETLINK_CB(request_skb).portid;
    1096           0 :         struct net *net = sock_net(NETLINK_CB(request_skb).sk);
    1097             :         struct task_struct *tsk;
    1098             :         struct audit_netlink_list *dest;
    1099             :         int err = 0;
    1100             : 
    1101             :         /* We can't just spew out the rules here because we might fill
    1102             :          * the available socket buffer space and deadlock waiting for
    1103             :          * auditctl to read from it... which isn't ever going to
    1104             :          * happen if we're actually running in the context of auditctl
    1105             :          * trying to _send_ the stuff */
    1106             : 
    1107             :         dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
    1108           0 :         if (!dest)
    1109             :                 return -ENOMEM;
    1110           0 :         dest->net = get_net(net);
    1111           0 :         dest->portid = portid;
    1112           0 :         skb_queue_head_init(&dest->q);
    1113             : 
    1114           0 :         mutex_lock(&audit_filter_mutex);
    1115           0 :         audit_list_rules(portid, seq, &dest->q);
    1116           0 :         mutex_unlock(&audit_filter_mutex);
    1117             : 
    1118           0 :         tsk = kthread_run(audit_send_list, dest, "audit_send_list");
    1119           0 :         if (IS_ERR(tsk)) {
    1120           0 :                 skb_queue_purge(&dest->q);
    1121           0 :                 kfree(dest);
    1122             :                 err = PTR_ERR(tsk);
    1123             :         }
    1124             : 
    1125           0 :         return err;
    1126             : }
    1127             : 
    1128           0 : int audit_comparator(u32 left, u32 op, u32 right)
    1129             : {
    1130           0 :         switch (op) {
    1131             :         case Audit_equal:
    1132           0 :                 return (left == right);
    1133             :         case Audit_not_equal:
    1134           0 :                 return (left != right);
    1135             :         case Audit_lt:
    1136           0 :                 return (left < right);
    1137             :         case Audit_le:
    1138           0 :                 return (left <= right);
    1139             :         case Audit_gt:
    1140           0 :                 return (left > right);
    1141             :         case Audit_ge:
    1142           0 :                 return (left >= right);
    1143             :         case Audit_bitmask:
    1144           0 :                 return (left & right);
    1145             :         case Audit_bittest:
    1146           0 :                 return ((left & right) == right);
    1147             :         default:
    1148           0 :                 BUG();
    1149             :                 return 0;
    1150             :         }
    1151             : }
    1152             : 
    1153           0 : int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
    1154             : {
    1155           0 :         switch (op) {
    1156             :         case Audit_equal:
    1157           0 :                 return uid_eq(left, right);
    1158             :         case Audit_not_equal:
    1159           0 :                 return !uid_eq(left, right);
    1160             :         case Audit_lt:
    1161           0 :                 return uid_lt(left, right);
    1162             :         case Audit_le:
    1163           0 :                 return uid_lte(left, right);
    1164             :         case Audit_gt:
    1165           0 :                 return uid_gt(left, right);
    1166             :         case Audit_ge:
    1167           0 :                 return uid_gte(left, right);
    1168             :         case Audit_bitmask:
    1169             :         case Audit_bittest:
    1170             :         default:
    1171             :                 BUG();
    1172             :                 return 0;
    1173             :         }
    1174             : }
    1175             : 
    1176           0 : int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
    1177             : {
    1178           0 :         switch (op) {
    1179             :         case Audit_equal:
    1180           0 :                 return gid_eq(left, right);
    1181             :         case Audit_not_equal:
    1182           0 :                 return !gid_eq(left, right);
    1183             :         case Audit_lt:
    1184           0 :                 return gid_lt(left, right);
    1185             :         case Audit_le:
    1186           0 :                 return gid_lte(left, right);
    1187             :         case Audit_gt:
    1188           0 :                 return gid_gt(left, right);
    1189             :         case Audit_ge:
    1190           0 :                 return gid_gte(left, right);
    1191             :         case Audit_bitmask:
    1192             :         case Audit_bittest:
    1193             :         default:
    1194             :                 BUG();
    1195             :                 return 0;
    1196             :         }
    1197             : }
    1198             : 
    1199             : /**
    1200             :  * parent_len - find the length of the parent portion of a pathname
    1201             :  * @path: pathname of which to determine length
    1202             :  */
    1203           0 : int parent_len(const char *path)
    1204             : {
    1205             :         int plen;
    1206             :         const char *p;
    1207             : 
    1208           0 :         plen = strlen(path);
    1209             : 
    1210           0 :         if (plen == 0)
    1211             :                 return plen;
    1212             : 
    1213             :         /* disregard trailing slashes */
    1214           0 :         p = path + plen - 1;
    1215           0 :         while ((*p == '/') && (p > path))
    1216           0 :                 p--;
    1217             : 
    1218             :         /* walk backward until we find the next slash or hit beginning */
    1219           0 :         while ((*p != '/') && (p > path))
    1220           0 :                 p--;
    1221             : 
    1222             :         /* did we find a slash? Then increment to include it in path */
    1223           0 :         if (*p == '/')
    1224           0 :                 p++;
    1225             : 
    1226           0 :         return p - path;
    1227             : }
    1228             : 
    1229             : /**
    1230             :  * audit_compare_dname_path - compare given dentry name with last component in
    1231             :  *                            given path. Return of 0 indicates a match.
    1232             :  * @dname:      dentry name that we're comparing
    1233             :  * @path:       full pathname that we're comparing
    1234             :  * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
    1235             :  *              here indicates that we must compute this value.
    1236             :  */
    1237           0 : int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
    1238             : {
    1239             :         int dlen, pathlen;
    1240             :         const char *p;
    1241             : 
    1242           0 :         dlen = strlen(dname);
    1243           0 :         pathlen = strlen(path);
    1244           0 :         if (pathlen < dlen)
    1245             :                 return 1;
    1246             : 
    1247           0 :         parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
    1248           0 :         if (pathlen - parentlen != dlen)
    1249             :                 return 1;
    1250             : 
    1251           0 :         p = path + parentlen;
    1252             : 
    1253           0 :         return strncmp(p, dname, dlen);
    1254             : }
    1255             : 
    1256           0 : static int audit_filter_user_rules(struct audit_krule *rule, int type,
    1257             :                                    enum audit_state *state)
    1258             : {
    1259             :         int i;
    1260             : 
    1261           0 :         for (i = 0; i < rule->field_count; i++) {
    1262           0 :                 struct audit_field *f = &rule->fields[i];
    1263             :                 pid_t pid;
    1264             :                 int result = 0;
    1265             :                 u32 sid;
    1266             : 
    1267           0 :                 switch (f->type) {
    1268             :                 case AUDIT_PID:
    1269           0 :                         pid = task_pid_nr(current);
    1270           0 :                         result = audit_comparator(pid, f->op, f->val);
    1271           0 :                         break;
    1272             :                 case AUDIT_UID:
    1273           0 :                         result = audit_uid_comparator(current_uid(), f->op, f->uid);
    1274           0 :                         break;
    1275             :                 case AUDIT_GID:
    1276           0 :                         result = audit_gid_comparator(current_gid(), f->op, f->gid);
    1277           0 :                         break;
    1278             :                 case AUDIT_LOGINUID:
    1279           0 :                         result = audit_uid_comparator(audit_get_loginuid(current),
    1280             :                                                   f->op, f->uid);
    1281           0 :                         break;
    1282             :                 case AUDIT_LOGINUID_SET:
    1283           0 :                         result = audit_comparator(audit_loginuid_set(current),
    1284             :                                                   f->op, f->val);
    1285           0 :                         break;
    1286             :                 case AUDIT_MSGTYPE:
    1287           0 :                         result = audit_comparator(type, f->op, f->val);
    1288           0 :                         break;
    1289             :                 case AUDIT_SUBJ_USER:
    1290             :                 case AUDIT_SUBJ_ROLE:
    1291             :                 case AUDIT_SUBJ_TYPE:
    1292             :                 case AUDIT_SUBJ_SEN:
    1293             :                 case AUDIT_SUBJ_CLR:
    1294             :                         if (f->lsm_rule) {
    1295             :                                 security_task_getsecid(current, &sid);
    1296             :                                 result = security_audit_rule_match(sid,
    1297             :                                                                    f->type,
    1298             :                                                                    f->op,
    1299             :                                                                    f->lsm_rule,
    1300             :                                                                    NULL);
    1301             :                         }
    1302             :                         break;
    1303             :                 }
    1304             : 
    1305           0 :                 if (!result)
    1306             :                         return 0;
    1307             :         }
    1308           0 :         switch (rule->action) {
    1309           0 :         case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
    1310           0 :         case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
    1311             :         }
    1312             :         return 1;
    1313             : }
    1314             : 
    1315           0 : int audit_filter_user(int type)
    1316             : {
    1317           0 :         enum audit_state state = AUDIT_DISABLED;
    1318             :         struct audit_entry *e;
    1319             :         int rc, ret;
    1320             : 
    1321             :         ret = 1; /* Audit by default */
    1322             : 
    1323             :         rcu_read_lock();
    1324           0 :         list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
    1325           0 :                 rc = audit_filter_user_rules(&e->rule, type, &state);
    1326           0 :                 if (rc) {
    1327           0 :                         if (rc > 0 && state == AUDIT_DISABLED)
    1328             :                                 ret = 0;
    1329             :                         break;
    1330             :                 }
    1331             :         }
    1332             :         rcu_read_unlock();
    1333             : 
    1334           0 :         return ret;
    1335             : }
    1336             : 
    1337           1 : int audit_filter_type(int type)
    1338             : {
    1339             :         struct audit_entry *e;
    1340             :         int result = 0;
    1341             : 
    1342             :         rcu_read_lock();
    1343           1 :         if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
    1344             :                 goto unlock_and_return;
    1345             : 
    1346           0 :         list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
    1347             :                                 list) {
    1348             :                 int i;
    1349           0 :                 for (i = 0; i < e->rule.field_count; i++) {
    1350           0 :                         struct audit_field *f = &e->rule.fields[i];
    1351           0 :                         if (f->type == AUDIT_MSGTYPE) {
    1352           0 :                                 result = audit_comparator(type, f->op, f->val);
    1353           0 :                                 if (!result)
    1354             :                                         break;
    1355             :                         }
    1356             :                 }
    1357           0 :                 if (result)
    1358             :                         goto unlock_and_return;
    1359             :         }
    1360             : unlock_and_return:
    1361             :         rcu_read_unlock();
    1362           1 :         return result;
    1363             : }
    1364             : 
    1365             : static int update_lsm_rule(struct audit_krule *r)
    1366             : {
    1367             :         struct audit_entry *entry = container_of(r, struct audit_entry, rule);
    1368             :         struct audit_entry *nentry;
    1369             :         int err = 0;
    1370             : 
    1371             :         if (!security_audit_rule_known(r))
    1372             :                 return 0;
    1373             : 
    1374             :         nentry = audit_dupe_rule(r);
    1375             :         if (IS_ERR(nentry)) {
    1376             :                 /* save the first error encountered for the
    1377             :                  * return value */
    1378             :                 err = PTR_ERR(nentry);
    1379             :                 audit_panic("error updating LSM filters");
    1380             :                 if (r->watch)
    1381             :                         list_del(&r->rlist);
    1382             :                 list_del_rcu(&entry->list);
    1383             :                 list_del(&r->list);
    1384             :         } else {
    1385             :                 if (r->watch || r->tree)
    1386             :                         list_replace_init(&r->rlist, &nentry->rule.rlist);
    1387             :                 list_replace_rcu(&entry->list, &nentry->list);
    1388             :                 list_replace(&r->list, &nentry->rule.list);
    1389             :         }
    1390             :         call_rcu(&entry->rcu, audit_free_rule_rcu);
    1391             : 
    1392             :         return err;
    1393             : }
    1394             : 
    1395             : /* This function will re-initialize the lsm_rule field of all applicable rules.
    1396             :  * It will traverse the filter lists serarching for rules that contain LSM
    1397             :  * specific filter fields.  When such a rule is found, it is copied, the
    1398             :  * LSM field is re-initialized, and the old rule is replaced with the
    1399             :  * updated rule. */
    1400           0 : int audit_update_lsm_rules(void)
    1401             : {
    1402             :         struct audit_krule *r, *n;
    1403             :         int i, err = 0;
    1404             : 
    1405             :         /* audit_filter_mutex synchronizes the writers */
    1406           0 :         mutex_lock(&audit_filter_mutex);
    1407             : 
    1408           0 :         for (i = 0; i < AUDIT_NR_FILTERS; i++) {
    1409           0 :                 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
    1410             :                         int res = update_lsm_rule(r);
    1411             :                         if (!err)
    1412             :                                 err = res;
    1413             :                 }
    1414             :         }
    1415           0 :         mutex_unlock(&audit_filter_mutex);
    1416             : 
    1417           0 :         return err;
    1418             : }

Generated by: LCOV version 1.11