Kernel

Kernel Git Source Tree

Root/kernel/auditfilter.c

1	/* auditfilter.c -- filtering of audit events
2	*
3	* Copyright 2003-2004 Red Hat, Inc.
4	* Copyright 2005 Hewlett-Packard Development Company, L.P.
5	* Copyright 2005 IBM Corporation
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* This program is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20	*/
21
22	#include <linux/kernel.h>
23	#include <linux/audit.h>
24	#include <linux/kthread.h>
25	#include <linux/mutex.h>
26	#include <linux/fs.h>
27	#include <linux/namei.h>
28	#include <linux/netlink.h>
29	#include <linux/sched.h>
30	#include <linux/slab.h>
31	#include <linux/security.h>
32	#include "audit.h"
33
34	/*
35	* Locking model:
36	*
37	* audit_filter_mutex:
38	* Synchronizes writes and blocking reads of audit's filterlist
39	* data. Rcu is used to traverse the filterlist and access
40	* contents of structs audit_entry, audit_watch and opaque
41	* LSM rules during filtering. If modified, these structures
42	* must be copied and replace their counterparts in the filterlist.
43	* An audit_parent struct is not accessed during filtering, so may
44	* be written directly provided audit_filter_mutex is held.
45	*/
46
47	/* Audit filter lists, defined in <linux/audit.h> */
48	struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
49	LIST_HEAD_INIT(audit_filter_list[0]),
50	LIST_HEAD_INIT(audit_filter_list[1]),
51	LIST_HEAD_INIT(audit_filter_list[2]),
52	LIST_HEAD_INIT(audit_filter_list[3]),
53	LIST_HEAD_INIT(audit_filter_list[4]),
54	LIST_HEAD_INIT(audit_filter_list[5]),
55	#if AUDIT_NR_FILTERS != 6
56	#error Fix audit_filter_list initialiser
57	#endif
58	};
59	static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
60	LIST_HEAD_INIT(audit_rules_list[0]),
61	LIST_HEAD_INIT(audit_rules_list[1]),
62	LIST_HEAD_INIT(audit_rules_list[2]),
63	LIST_HEAD_INIT(audit_rules_list[3]),
64	LIST_HEAD_INIT(audit_rules_list[4]),
65	LIST_HEAD_INIT(audit_rules_list[5]),
66	};
67
68	DEFINE_MUTEX(audit_filter_mutex);
69
70	static inline void audit_free_rule(struct audit_entry *e)
71	{
72	int i;
73	struct audit_krule *erule = &e->rule;
74
75	/* some rules don't have associated watches */
76	if (erule->watch)
77	audit_put_watch(erule->watch);
78	if (erule->fields)
79	for (i = 0; i < erule->field_count; i++) {
80	struct audit_field *f = &erule->fields[i];
81	kfree(f->lsm_str);
82	security_audit_rule_free(f->lsm_rule);
83	}
84	kfree(erule->fields);
85	kfree(erule->filterkey);
86	kfree(e);
87	}
88
89	void audit_free_rule_rcu(struct rcu_head *head)
90	{
91	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
92	audit_free_rule(e);
93	}
94
95	/* Initialize an audit filterlist entry. */
96	static inline struct audit_entry *audit_init_entry(u32 field_count)
97	{
98	struct audit_entry *entry;
99	struct audit_field *fields;
100
101	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
102	if (unlikely(!entry))
103	return NULL;
104
105	fields = kzalloc(sizeof(fields) field_count, GFP_KERNEL);
106	if (unlikely(!fields)) {
107	kfree(entry);
108	return NULL;
109	}
110	entry->rule.fields = fields;
111
112	return entry;
113	}
114
115	/* Unpack a filter field's string representation from user-space
116	* buffer. */
117	char audit_unpack_string(void bufp, size_t remain, size_t len)
118	{
119	char *str;
120
121	if (!bufp \|\| (len == 0) \|\| (len > remain))
122	return ERR_PTR(-EINVAL);
123
124	/* Of the currently implemented string fields, PATH_MAX
125	* defines the longest valid length.
126	*/
127	if (len > PATH_MAX)
128	return ERR_PTR(-ENAMETOOLONG);
129
130	str = kmalloc(len + 1, GFP_KERNEL);
131	if (unlikely(!str))
132	return ERR_PTR(-ENOMEM);
133
134	memcpy(str, *bufp, len);
135	str[len] = 0;
136	*bufp += len;
137	*remain -= len;
138
139	return str;
140	}
141
142	/* Translate an inode field to kernel respresentation. */
143	static inline int audit_to_inode(struct audit_krule *krule,
144	struct audit_field *f)
145	{
146	if (krule->listnr != AUDIT_FILTER_EXIT \|\|
147	krule->watch \|\| krule->inode_f \|\| krule->tree \|\|
148	(f->op != Audit_equal && f->op != Audit_not_equal))
149	return -EINVAL;
150
151	krule->inode_f = f;
152	return 0;
153	}
154
155	static __u32 *classes[AUDIT_SYSCALL_CLASSES];
156
157	int __init audit_register_class(int class, unsigned *list)
158	{
159	__u32 p = kzalloc(AUDIT_BITMASK_SIZE sizeof(__u32), GFP_KERNEL);
160	if (!p)
161	return -ENOMEM;
162	while (*list != ~0U) {
163	unsigned n = *list++;
164	if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
165	kfree(p);
166	return -EINVAL;
167	}
168	p[AUDIT_WORD(n)] \|= AUDIT_BIT(n);
169	}
170	if (class >= AUDIT_SYSCALL_CLASSES \|\| classes[class]) {
171	kfree(p);
172	return -EINVAL;
173	}
174	classes[class] = p;
175	return 0;
176	}
177
178	int audit_match_class(int class, unsigned syscall)
179	{
180	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
181	return 0;
182	if (unlikely(class >= AUDIT_SYSCALL_CLASSES \|\| !classes[class]))
183	return 0;
184	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
185	}
186
187	#ifdef CONFIG_AUDITSYSCALL
188	static inline int audit_match_class_bits(int class, u32 *mask)
189	{
190	int i;
191
192	if (classes[class]) {
193	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
194	if (mask[i] & classes[class][i])
195	return 0;
196	}
197	return 1;
198	}
199
200	static int audit_match_signal(struct audit_entry *entry)
201	{
202	struct audit_field *arch = entry->rule.arch_f;
203
204	if (!arch) {
205	/* When arch is unspecified, we must check both masks on biarch
206	* as syscall number alone is ambiguous. */
207	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
208	entry->rule.mask) &&
209	audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
210	entry->rule.mask));
211	}
212
213	switch(audit_classify_arch(arch->val)) {
214	case 0: /* native */
215	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
216	entry->rule.mask));
217	case 1: /* 32bit on biarch */
218	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
219	entry->rule.mask));
220	default:
221	return 1;
222	}
223	}
224	#endif
225
226	/* Common user-space to kernel rule translation. */
227	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
228	{
229	unsigned listnr;
230	struct audit_entry *entry;
231	int i, err;
232
233	err = -EINVAL;
234	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
235	switch(listnr) {
236	default:
237	goto exit_err;
238	case AUDIT_FILTER_USER:
239	case AUDIT_FILTER_TYPE:
240	#ifdef CONFIG_AUDITSYSCALL
241	case AUDIT_FILTER_ENTRY:
242	case AUDIT_FILTER_EXIT:
243	case AUDIT_FILTER_TASK:
244	#endif
245	;
246	}
247	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
248	printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
249	goto exit_err;
250	}
251	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
252	goto exit_err;
253	if (rule->field_count > AUDIT_MAX_FIELDS)
254	goto exit_err;
255
256	err = -ENOMEM;
257	entry = audit_init_entry(rule->field_count);
258	if (!entry)
259	goto exit_err;
260
261	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
262	entry->rule.listnr = listnr;
263	entry->rule.action = rule->action;
264	entry->rule.field_count = rule->field_count;
265
266	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
267	entry->rule.mask[i] = rule->mask[i];
268
269	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
270	int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
271	__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
272	__u32 *class;
273
274	if (!(*p & AUDIT_BIT(bit)))
275	continue;
276	*p &= ~AUDIT_BIT(bit);
277	class = classes[i];
278	if (class) {
279	int j;
280	for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
281	entry->rule.mask[j] \|= class[j];
282	}
283	}
284
285	return entry;
286
287	exit_err:
288	return ERR_PTR(err);
289	}
290
291	static u32 audit_ops[] =
292	{
293	[Audit_equal] = AUDIT_EQUAL,
294	[Audit_not_equal] = AUDIT_NOT_EQUAL,
295	[Audit_bitmask] = AUDIT_BIT_MASK,
296	[Audit_bittest] = AUDIT_BIT_TEST,
297	[Audit_lt] = AUDIT_LESS_THAN,
298	[Audit_gt] = AUDIT_GREATER_THAN,
299	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
300	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
301	};
302
303	static u32 audit_to_op(u32 op)
304	{
305	u32 n;
306	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
307	;
308	return n;
309	}
310
311
312	/* Translate struct audit_rule to kernel's rule respresentation.
313	* Exists for backward compatibility with userspace. */
314	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
315	{
316	struct audit_entry *entry;
317	int err = 0;
318	int i;
319
320	entry = audit_to_entry_common(rule);
321	if (IS_ERR(entry))
322	goto exit_nofree;
323
324	for (i = 0; i < rule->field_count; i++) {
325	struct audit_field *f = &entry->rule.fields[i];
326	u32 n;
327
328	n = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
329
330	/* Support for legacy operators where
331	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
332	if (n & AUDIT_NEGATE)
333	f->op = Audit_not_equal;
334	else if (!n)
335	f->op = Audit_equal;
336	else
337	f->op = audit_to_op(n);
338
339	entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
340
341	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);
342	f->val = rule->values[i];
343
344	err = -EINVAL;
345	if (f->op == Audit_bad)
346	goto exit_free;
347
348	switch(f->type) {
349	default:
350	goto exit_free;
351	case AUDIT_PID:
352	case AUDIT_UID:
353	case AUDIT_EUID:
354	case AUDIT_SUID:
355	case AUDIT_FSUID:
356	case AUDIT_GID:
357	case AUDIT_EGID:
358	case AUDIT_SGID:
359	case AUDIT_FSGID:
360	case AUDIT_LOGINUID:
361	case AUDIT_PERS:
362	case AUDIT_MSGTYPE:
363	case AUDIT_PPID:
364	case AUDIT_DEVMAJOR:
365	case AUDIT_DEVMINOR:
366	case AUDIT_EXIT:
367	case AUDIT_SUCCESS:
368	/* bit ops are only useful on syscall args */
369	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
370	goto exit_free;
371	break;
372	case AUDIT_ARG0:
373	case AUDIT_ARG1:
374	case AUDIT_ARG2:
375	case AUDIT_ARG3:
376	break;
377	/* arch is only allowed to be = or != */
378	case AUDIT_ARCH:
379	if (f->op != Audit_not_equal && f->op != Audit_equal)
380	goto exit_free;
381	entry->rule.arch_f = f;
382	break;
383	case AUDIT_PERM:
384	if (f->val & ~15)
385	goto exit_free;
386	break;
387	case AUDIT_FILETYPE:
388	if ((f->val & ~S_IFMT) > S_IFMT)
389	goto exit_free;
390	break;
391	case AUDIT_INODE:
392	err = audit_to_inode(&entry->rule, f);
393	if (err)
394	goto exit_free;
395	break;
396	}
397	}
398
399	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
400	entry->rule.inode_f = NULL;
401
402	exit_nofree:
403	return entry;
404
405	exit_free:
406	audit_free_rule(entry);
407	return ERR_PTR(err);
408	}
409
410	/* Translate struct audit_rule_data to kernel's rule respresentation. */
411	static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
412	size_t datasz)
413	{
414	int err = 0;
415	struct audit_entry *entry;
416	void *bufp;
417	size_t remain = datasz - sizeof(struct audit_rule_data);
418	int i;
419	char *str;
420
421	entry = audit_to_entry_common((struct audit_rule *)data);
422	if (IS_ERR(entry))
423	goto exit_nofree;
424
425	bufp = data->buf;
426	entry->rule.vers_ops = 2;
427	for (i = 0; i < data->field_count; i++) {
428	struct audit_field *f = &entry->rule.fields[i];
429
430	err = -EINVAL;
431
432	f->op = audit_to_op(data->fieldflags[i]);
433	if (f->op == Audit_bad)
434	goto exit_free;
435
436	f->type = data->fields[i];
437	f->val = data->values[i];
438	f->lsm_str = NULL;
439	f->lsm_rule = NULL;
440	switch(f->type) {
441	case AUDIT_PID:
442	case AUDIT_UID:
443	case AUDIT_EUID:
444	case AUDIT_SUID:
445	case AUDIT_FSUID:
446	case AUDIT_GID:
447	case AUDIT_EGID:
448	case AUDIT_SGID:
449	case AUDIT_FSGID:
450	case AUDIT_LOGINUID:
451	case AUDIT_PERS:
452	case AUDIT_MSGTYPE:
453	case AUDIT_PPID:
454	case AUDIT_DEVMAJOR:
455	case AUDIT_DEVMINOR:
456	case AUDIT_EXIT:
457	case AUDIT_SUCCESS:
458	case AUDIT_ARG0:
459	case AUDIT_ARG1:
460	case AUDIT_ARG2:
461	case AUDIT_ARG3:
462	break;
463	case AUDIT_ARCH:
464	entry->rule.arch_f = f;
465	break;
466	case AUDIT_SUBJ_USER:
467	case AUDIT_SUBJ_ROLE:
468	case AUDIT_SUBJ_TYPE:
469	case AUDIT_SUBJ_SEN:
470	case AUDIT_SUBJ_CLR:
471	case AUDIT_OBJ_USER:
472	case AUDIT_OBJ_ROLE:
473	case AUDIT_OBJ_TYPE:
474	case AUDIT_OBJ_LEV_LOW:
475	case AUDIT_OBJ_LEV_HIGH:
476	str = audit_unpack_string(&bufp, &remain, f->val);
477	if (IS_ERR(str))
478	goto exit_free;
479	entry->rule.buflen += f->val;
480
481	err = security_audit_rule_init(f->type, f->op, str,
482	(void **)&f->lsm_rule);
483	/* Keep currently invalid fields around in case they
484	* become valid after a policy reload. */
485	if (err == -EINVAL) {
486	printk(KERN_WARNING "audit rule for LSM "
487	"\'%s\' is invalid\n", str);
488	err = 0;
489	}
490	if (err) {
491	kfree(str);
492	goto exit_free;
493	} else
494	f->lsm_str = str;
495	break;
496	case AUDIT_WATCH:
497	str = audit_unpack_string(&bufp, &remain, f->val);
498	if (IS_ERR(str))
499	goto exit_free;
500	entry->rule.buflen += f->val;
501
502	err = audit_to_watch(&entry->rule, str, f->val, f->op);
503	if (err) {
504	kfree(str);
505	goto exit_free;
506	}
507	break;
508	case AUDIT_DIR:
509	str = audit_unpack_string(&bufp, &remain, f->val);
510	if (IS_ERR(str))
511	goto exit_free;
512	entry->rule.buflen += f->val;
513
514	err = audit_make_tree(&entry->rule, str, f->op);
515	kfree(str);
516	if (err)
517	goto exit_free;
518	break;
519	case AUDIT_INODE:
520	err = audit_to_inode(&entry->rule, f);
521	if (err)
522	goto exit_free;
523	break;
524	case AUDIT_FILTERKEY:
525	err = -EINVAL;
526	if (entry->rule.filterkey \|\| f->val > AUDIT_MAX_KEY_LEN)
527	goto exit_free;
528	str = audit_unpack_string(&bufp, &remain, f->val);
529	if (IS_ERR(str))
530	goto exit_free;
531	entry->rule.buflen += f->val;
532	entry->rule.filterkey = str;
533	break;
534	case AUDIT_PERM:
535	if (f->val & ~15)
536	goto exit_free;
537	break;
538	case AUDIT_FILETYPE:
539	if ((f->val & ~S_IFMT) > S_IFMT)
540	goto exit_free;
541	break;
542	default:
543	goto exit_free;
544	}
545	}
546
547	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
548	entry->rule.inode_f = NULL;
549
550	exit_nofree:
551	return entry;
552
553	exit_free:
554	audit_free_rule(entry);
555	return ERR_PTR(err);
556	}
557
558	/* Pack a filter field's string representation into data block. */
559	static inline size_t audit_pack_string(void *bufp, const char str)
560	{
561	size_t len = strlen(str);
562
563	memcpy(*bufp, str, len);
564	*bufp += len;
565
566	return len;
567	}
568
569	/* Translate kernel rule respresentation to struct audit_rule.
570	* Exists for backward compatibility with userspace. */
571	static struct audit_rule audit_krule_to_rule(struct audit_krule krule)
572	{
573	struct audit_rule *rule;
574	int i;
575
576	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
577	if (unlikely(!rule))
578	return NULL;
579
580	rule->flags = krule->flags \| krule->listnr;
581	rule->action = krule->action;
582	rule->field_count = krule->field_count;
583	for (i = 0; i < rule->field_count; i++) {
584	rule->values[i] = krule->fields[i].val;
585	rule->fields[i] = krule->fields[i].type;
586
587	if (krule->vers_ops == 1) {
588	if (krule->fields[i].op == Audit_not_equal)
589	rule->fields[i] \|= AUDIT_NEGATE;
590	} else {
591	rule->fields[i] \|= audit_ops[krule->fields[i].op];
592	}
593	}
594	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
595
596	return rule;
597	}
598
599	/* Translate kernel rule respresentation to struct audit_rule_data. */
600	static struct audit_rule_data audit_krule_to_data(struct audit_krule krule)
601	{
602	struct audit_rule_data *data;
603	void *bufp;
604	int i;
605
606	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
607	if (unlikely(!data))
608	return NULL;
609	memset(data, 0, sizeof(*data));
610
611	data->flags = krule->flags \| krule->listnr;
612	data->action = krule->action;
613	data->field_count = krule->field_count;
614	bufp = data->buf;
615	for (i = 0; i < data->field_count; i++) {
616	struct audit_field *f = &krule->fields[i];
617
618	data->fields[i] = f->type;
619	data->fieldflags[i] = audit_ops[f->op];
620	switch(f->type) {
621	case AUDIT_SUBJ_USER:
622	case AUDIT_SUBJ_ROLE:
623	case AUDIT_SUBJ_TYPE:
624	case AUDIT_SUBJ_SEN:
625	case AUDIT_SUBJ_CLR:
626	case AUDIT_OBJ_USER:
627	case AUDIT_OBJ_ROLE:
628	case AUDIT_OBJ_TYPE:
629	case AUDIT_OBJ_LEV_LOW:
630	case AUDIT_OBJ_LEV_HIGH:
631	data->buflen += data->values[i] =
632	audit_pack_string(&bufp, f->lsm_str);
633	break;
634	case AUDIT_WATCH:
635	data->buflen += data->values[i] =
636	audit_pack_string(&bufp,
637	audit_watch_path(krule->watch));
638	break;
639	case AUDIT_DIR:
640	data->buflen += data->values[i] =
641	audit_pack_string(&bufp,
642	audit_tree_path(krule->tree));
643	break;
644	case AUDIT_FILTERKEY:
645	data->buflen += data->values[i] =
646	audit_pack_string(&bufp, krule->filterkey);
647	break;
648	default:
649	data->values[i] = f->val;
650	}
651	}
652	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
653
654	return data;
655	}
656
657	/* Compare two rules in kernel format. Considered success if rules
658	* don't match. */
659	static int audit_compare_rule(struct audit_krule a, struct audit_krule b)
660	{
661	int i;
662
663	if (a->flags != b->flags \|\|
664	a->listnr != b->listnr \|\|
665	a->action != b->action \|\|
666	a->field_count != b->field_count)
667	return 1;
668
669	for (i = 0; i < a->field_count; i++) {
670	if (a->fields[i].type != b->fields[i].type \|\|
671	a->fields[i].op != b->fields[i].op)
672	return 1;
673
674	switch(a->fields[i].type) {
675	case AUDIT_SUBJ_USER:
676	case AUDIT_SUBJ_ROLE:
677	case AUDIT_SUBJ_TYPE:
678	case AUDIT_SUBJ_SEN:
679	case AUDIT_SUBJ_CLR:
680	case AUDIT_OBJ_USER:
681	case AUDIT_OBJ_ROLE:
682	case AUDIT_OBJ_TYPE:
683	case AUDIT_OBJ_LEV_LOW:
684	case AUDIT_OBJ_LEV_HIGH:
685	if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
686	return 1;
687	break;
688	case AUDIT_WATCH:
689	if (strcmp(audit_watch_path(a->watch),
690	audit_watch_path(b->watch)))
691	return 1;
692	break;
693	case AUDIT_DIR:
694	if (strcmp(audit_tree_path(a->tree),
695	audit_tree_path(b->tree)))
696	return 1;
697	break;
698	case AUDIT_FILTERKEY:
699	/* both filterkeys exist based on above type compare */
700	if (strcmp(a->filterkey, b->filterkey))
701	return 1;
702	break;
703	default:
704	if (a->fields[i].val != b->fields[i].val)
705	return 1;
706	}
707	}
708
709	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
710	if (a->mask[i] != b->mask[i])
711	return 1;
712
713	return 0;
714	}
715
716	/* Duplicate LSM field information. The lsm_rule is opaque, so must be
717	* re-initialized. */
718	static inline int audit_dupe_lsm_field(struct audit_field *df,
719	struct audit_field *sf)
720	{
721	int ret = 0;
722	char *lsm_str;
723
724	/* our own copy of lsm_str */
725	lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
726	if (unlikely(!lsm_str))
727	return -ENOMEM;
728	df->lsm_str = lsm_str;
729
730	/* our own (refreshed) copy of lsm_rule */
731	ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
732	(void **)&df->lsm_rule);
733	/* Keep currently invalid fields around in case they
734	* become valid after a policy reload. */
735	if (ret == -EINVAL) {
736	printk(KERN_WARNING "audit rule for LSM \'%s\' is "
737	"invalid\n", df->lsm_str);
738	ret = 0;
739	}
740
741	return ret;
742	}
743
744	/* Duplicate an audit rule. This will be a deep copy with the exception
745	* of the watch - that pointer is carried over. The LSM specific fields
746	* will be updated in the copy. The point is to be able to replace the old
747	* rule with the new rule in the filterlist, then free the old rule.
748	* The rlist element is undefined; list manipulations are handled apart from
749	* the initial copy. */
750	struct audit_entry audit_dupe_rule(struct audit_krule old)
751	{
752	u32 fcount = old->field_count;
753	struct audit_entry *entry;
754	struct audit_krule *new;
755	char *fk;
756	int i, err = 0;
757
758	entry = audit_init_entry(fcount);
759	if (unlikely(!entry))
760	return ERR_PTR(-ENOMEM);
761
762	new = &entry->rule;
763	new->vers_ops = old->vers_ops;
764	new->flags = old->flags;
765	new->listnr = old->listnr;
766	new->action = old->action;
767	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
768	new->mask[i] = old->mask[i];
769	new->prio = old->prio;
770	new->buflen = old->buflen;
771	new->inode_f = old->inode_f;
772	new->field_count = old->field_count;
773
774	/*
775	* note that we are OK with not refcounting here; audit_match_tree()
776	* never dereferences tree and we can't get false positives there
777	* since we'd have to have rule gone from the list and removed
778	* before the chunks found by lookup had been allocated, i.e. before
779	* the beginning of list scan.
780	*/
781	new->tree = old->tree;
782	memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
783
784	/* deep copy this information, updating the lsm_rule fields, because
785	* the originals will all be freed when the old rule is freed. */
786	for (i = 0; i < fcount; i++) {
787	switch (new->fields[i].type) {
788	case AUDIT_SUBJ_USER:
789	case AUDIT_SUBJ_ROLE:
790	case AUDIT_SUBJ_TYPE:
791	case AUDIT_SUBJ_SEN:
792	case AUDIT_SUBJ_CLR:
793	case AUDIT_OBJ_USER:
794	case AUDIT_OBJ_ROLE:
795	case AUDIT_OBJ_TYPE:
796	case AUDIT_OBJ_LEV_LOW:
797	case AUDIT_OBJ_LEV_HIGH:
798	err = audit_dupe_lsm_field(&new->fields[i],
799	&old->fields[i]);
800	break;
801	case AUDIT_FILTERKEY:
802	fk = kstrdup(old->filterkey, GFP_KERNEL);
803	if (unlikely(!fk))
804	err = -ENOMEM;
805	else
806	new->filterkey = fk;
807	}
808	if (err) {
809	audit_free_rule(entry);
810	return ERR_PTR(err);
811	}
812	}
813
814	if (old->watch) {
815	audit_get_watch(old->watch);
816	new->watch = old->watch;
817	}
818
819	return entry;
820	}
821
822	/* Find an existing audit rule.
823	* Caller must hold audit_filter_mutex to prevent stale rule data. */
824	static struct audit_entry audit_find_rule(struct audit_entry entry,
825	struct list_head **p)
826	{
827	struct audit_entry e, found = NULL;
828	struct list_head *list;
829	int h;
830
831	if (entry->rule.inode_f) {
832	h = audit_hash_ino(entry->rule.inode_f->val);
833	*p = list = &audit_inode_hash[h];
834	} else if (entry->rule.watch) {
835	/* we don't know the inode number, so must walk entire hash */
836	for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
837	list = &audit_inode_hash[h];
838	list_for_each_entry(e, list, list)
839	if (!audit_compare_rule(&entry->rule, &e->rule)) {
840	found = e;
841	goto out;
842	}
843	}
844	goto out;
845	} else {
846	*p = list = &audit_filter_list[entry->rule.listnr];
847	}
848
849	list_for_each_entry(e, list, list)
850	if (!audit_compare_rule(&entry->rule, &e->rule)) {
851	found = e;
852	goto out;
853	}
854
855	out:
856	return found;
857	}
858
859	static u64 prio_low = ~0ULL/2;
860	static u64 prio_high = ~0ULL/2 - 1;
861
862	/* Add rule to given filterlist if not a duplicate. */
863	static inline int audit_add_rule(struct audit_entry *entry)
864	{
865	struct audit_entry *e;
866	struct audit_watch *watch = entry->rule.watch;
867	struct audit_tree *tree = entry->rule.tree;
868	struct list_head *list;
869	int err;
870	#ifdef CONFIG_AUDITSYSCALL
871	int dont_count = 0;
872
873	/* If either of these, don't count towards total */
874	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|
875	entry->rule.listnr == AUDIT_FILTER_TYPE)
876	dont_count = 1;
877	#endif
878
879	mutex_lock(&audit_filter_mutex);
880	e = audit_find_rule(entry, &list);
881	if (e) {
882	mutex_unlock(&audit_filter_mutex);
883	err = -EEXIST;
884	/* normally audit_add_tree_rule() will free it on failure */
885	if (tree)
886	audit_put_tree(tree);
887	goto error;
888	}
889
890	if (watch) {
891	/* audit_filter_mutex is dropped and re-taken during this call */
892	err = audit_add_watch(&entry->rule, &list);
893	if (err) {
894	mutex_unlock(&audit_filter_mutex);
895	goto error;
896	}
897	}
898	if (tree) {
899	err = audit_add_tree_rule(&entry->rule);
900	if (err) {
901	mutex_unlock(&audit_filter_mutex);
902	goto error;
903	}
904	}
905
906	entry->rule.prio = ~0ULL;
907	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
908	if (entry->rule.flags & AUDIT_FILTER_PREPEND)
909	entry->rule.prio = ++prio_high;
910	else
911	entry->rule.prio = --prio_low;
912	}
913
914	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
915	list_add(&entry->rule.list,
916	&audit_rules_list[entry->rule.listnr]);
917	list_add_rcu(&entry->list, list);
918	entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
919	} else {
920	list_add_tail(&entry->rule.list,
921	&audit_rules_list[entry->rule.listnr]);
922	list_add_tail_rcu(&entry->list, list);
923	}
924	#ifdef CONFIG_AUDITSYSCALL
925	if (!dont_count)
926	audit_n_rules++;
927
928	if (!audit_match_signal(entry))
929	audit_signals++;
930	#endif
931	mutex_unlock(&audit_filter_mutex);
932
933	return 0;
934
935	error:
936	if (watch)
937	audit_put_watch(watch); /* tmp watch, matches initial get */
938	return err;
939	}
940
941	/* Remove an existing rule from filterlist. */
942	static inline int audit_del_rule(struct audit_entry *entry)
943	{
944	struct audit_entry *e;
945	struct audit_watch *watch = entry->rule.watch;
946	struct audit_tree *tree = entry->rule.tree;
947	struct list_head *list;
948	int ret = 0;
949	#ifdef CONFIG_AUDITSYSCALL
950	int dont_count = 0;
951
952	/* If either of these, don't count towards total */
953	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|
954	entry->rule.listnr == AUDIT_FILTER_TYPE)
955	dont_count = 1;
956	#endif
957
958	mutex_lock(&audit_filter_mutex);
959	e = audit_find_rule(entry, &list);
960	if (!e) {
961	mutex_unlock(&audit_filter_mutex);
962	ret = -ENOENT;
963	goto out;
964	}
965
966	if (e->rule.watch)
967	audit_remove_watch_rule(&e->rule);
968
969	if (e->rule.tree)
970	audit_remove_tree_rule(&e->rule);
971
972	list_del_rcu(&e->list);
973	list_del(&e->rule.list);
974	call_rcu(&e->rcu, audit_free_rule_rcu);
975
976	#ifdef CONFIG_AUDITSYSCALL
977	if (!dont_count)
978	audit_n_rules--;
979
980	if (!audit_match_signal(entry))
981	audit_signals--;
982	#endif
983	mutex_unlock(&audit_filter_mutex);
984
985	out:
986	if (watch)
987	audit_put_watch(watch); /* match initial get */
988	if (tree)
989	audit_put_tree(tree); /* that's the temporary one */
990
991	return ret;
992	}
993
994	/* List rules using struct audit_rule. Exists for backward
995	* compatibility with userspace. */
996	static void audit_list(int pid, int seq, struct sk_buff_head *q)
997	{
998	struct sk_buff *skb;
999	struct audit_krule *r;
1000	int i;
1001
1002	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1003	* iterator to sync with list writers. */
1004	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1005	list_for_each_entry(r, &audit_rules_list[i], list) {
1006	struct audit_rule *rule;
1007
1008	rule = audit_krule_to_rule(r);
1009	if (unlikely(!rule))
1010	break;
1011	skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1012	rule, sizeof(*rule));
1013	if (skb)
1014	skb_queue_tail(q, skb);
1015	kfree(rule);
1016	}
1017	}
1018	skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1019	if (skb)
1020	skb_queue_tail(q, skb);
1021	}
1022
1023	/* List rules using struct audit_rule_data. */
1024	static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1025	{
1026	struct sk_buff *skb;
1027	struct audit_krule *r;
1028	int i;
1029
1030	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1031	* iterator to sync with list writers. */
1032	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1033	list_for_each_entry(r, &audit_rules_list[i], list) {
1034	struct audit_rule_data *data;
1035
1036	data = audit_krule_to_data(r);
1037	if (unlikely(!data))
1038	break;
1039	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1040	data, sizeof(*data) + data->buflen);
1041	if (skb)
1042	skb_queue_tail(q, skb);
1043	kfree(data);
1044	}
1045	}
1046	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1047	if (skb)
1048	skb_queue_tail(q, skb);
1049	}
1050
1051	/* Log rule additions and removals */
1052	static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1053	char action, struct audit_krule rule,
1054	int res)
1055	{
1056	struct audit_buffer *ab;
1057
1058	if (!audit_enabled)
1059	return;
1060
1061	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1062	if (!ab)
1063	return;
1064	audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1065	if (sid) {
1066	char *ctx = NULL;
1067	u32 len;
1068	if (security_secid_to_secctx(sid, &ctx, &len))
1069	audit_log_format(ab, " ssid=%u", sid);
1070	else {
1071	audit_log_format(ab, " subj=%s", ctx);
1072	security_release_secctx(ctx, len);
1073	}
1074	}
1075	audit_log_format(ab, " op=");
1076	audit_log_string(ab, action);
1077	audit_log_key(ab, rule->filterkey);
1078	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1079	audit_log_end(ab);
1080	}
1081
1082	/**
1083	* audit_receive_filter - apply all rules to the specified message type
1084	* @type: audit message type
1085	* @pid: target pid for netlink audit messages
1086	* @uid: target uid for netlink audit messages
1087	* @seq: netlink audit message sequence (serial) number
1088	* @data: payload data
1089	* @datasz: size of payload data
1090	* @loginuid: loginuid of sender
1091	* @sessionid: sessionid for netlink audit message
1092	* @sid: SE Linux Security ID of sender
1093	*/
1094	int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1095	size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1096	{
1097	struct task_struct *tsk;
1098	struct audit_netlink_list *dest;
1099	int err = 0;
1100	struct audit_entry *entry;
1101
1102	switch (type) {
1103	case AUDIT_LIST:
1104	case AUDIT_LIST_RULES:
1105	/* We can't just spew out the rules here because we might fill
1106	* the available socket buffer space and deadlock waiting for
1107	* auditctl to read from it... which isn't ever going to
1108	* happen if we're actually running in the context of auditctl
1109	* trying to _send_ the stuff */
1110
1111	dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1112	if (!dest)
1113	return -ENOMEM;
1114	dest->pid = pid;
1115	skb_queue_head_init(&dest->q);
1116
1117	mutex_lock(&audit_filter_mutex);
1118	if (type == AUDIT_LIST)
1119	audit_list(pid, seq, &dest->q);
1120	else
1121	audit_list_rules(pid, seq, &dest->q);
1122	mutex_unlock(&audit_filter_mutex);
1123
1124	tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1125	if (IS_ERR(tsk)) {
1126	skb_queue_purge(&dest->q);
1127	kfree(dest);
1128	err = PTR_ERR(tsk);
1129	}
1130	break;
1131	case AUDIT_ADD:
1132	case AUDIT_ADD_RULE:
1133	if (type == AUDIT_ADD)
1134	entry = audit_rule_to_entry(data);
1135	else
1136	entry = audit_data_to_entry(data, datasz);
1137	if (IS_ERR(entry))
1138	return PTR_ERR(entry);
1139
1140	err = audit_add_rule(entry);
1141	audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1142	&entry->rule, !err);
1143
1144	if (err)
1145	audit_free_rule(entry);
1146	break;
1147	case AUDIT_DEL:
1148	case AUDIT_DEL_RULE:
1149	if (type == AUDIT_DEL)
1150	entry = audit_rule_to_entry(data);
1151	else
1152	entry = audit_data_to_entry(data, datasz);
1153	if (IS_ERR(entry))
1154	return PTR_ERR(entry);
1155
1156	err = audit_del_rule(entry);
1157	audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1158	&entry->rule, !err);
1159
1160	audit_free_rule(entry);
1161	break;
1162	default:
1163	return -EINVAL;
1164	}
1165
1166	return err;
1167	}
1168
1169	int audit_comparator(u32 left, u32 op, u32 right)
1170	{
1171	switch (op) {
1172	case Audit_equal:
1173	return (left == right);
1174	case Audit_not_equal:
1175	return (left != right);
1176	case Audit_lt:
1177	return (left < right);
1178	case Audit_le:
1179	return (left <= right);
1180	case Audit_gt:
1181	return (left > right);
1182	case Audit_ge:
1183	return (left >= right);
1184	case Audit_bitmask:
1185	return (left & right);
1186	case Audit_bittest:
1187	return ((left & right) == right);
1188	default:
1189	BUG();
1190	return 0;
1191	}
1192	}
1193
1194	/* Compare given dentry name with last component in given path,
1195	* return of 0 indicates a match. */
1196	int audit_compare_dname_path(const char dname, const char path,
1197	int *dirlen)
1198	{
1199	int dlen, plen;
1200	const char *p;
1201
1202	if (!dname \|\| !path)
1203	return 1;
1204
1205	dlen = strlen(dname);
1206	plen = strlen(path);
1207	if (plen < dlen)
1208	return 1;
1209
1210	/* disregard trailing slashes */
1211	p = path + plen - 1;
1212	while ((*p == '/') && (p > path))
1213	p--;
1214
1215	/* find last path component */
1216	p = p - dlen + 1;
1217	if (p < path)
1218	return 1;
1219	else if (p > path) {
1220	if (*--p != '/')
1221	return 1;
1222	else
1223	p++;
1224	}
1225
1226	/* return length of path's directory component */
1227	if (dirlen)
1228	*dirlen = p - path;
1229	return strncmp(p, dname, dlen);
1230	}
1231
1232	static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1233	struct audit_krule *rule,
1234	enum audit_state *state)
1235	{
1236	int i;
1237
1238	for (i = 0; i < rule->field_count; i++) {
1239	struct audit_field *f = &rule->fields[i];
1240	int result = 0;
1241
1242	switch (f->type) {
1243	case AUDIT_PID:
1244	result = audit_comparator(cb->creds.pid, f->op, f->val);
1245	break;
1246	case AUDIT_UID:
1247	result = audit_comparator(cb->creds.uid, f->op, f->val);
1248	break;
1249	case AUDIT_GID:
1250	result = audit_comparator(cb->creds.gid, f->op, f->val);
1251	break;
1252	case AUDIT_LOGINUID:
1253	result = audit_comparator(cb->loginuid, f->op, f->val);
1254	break;
1255	case AUDIT_SUBJ_USER:
1256	case AUDIT_SUBJ_ROLE:
1257	case AUDIT_SUBJ_TYPE:
1258	case AUDIT_SUBJ_SEN:
1259	case AUDIT_SUBJ_CLR:
1260	if (f->lsm_rule)
1261	result = security_audit_rule_match(cb->sid,
1262	f->type,
1263	f->op,
1264	f->lsm_rule,
1265	NULL);
1266	break;
1267	}
1268
1269	if (!result)
1270	return 0;
1271	}
1272	switch (rule->action) {
1273	case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
1274	case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
1275	}
1276	return 1;
1277	}
1278
1279	int audit_filter_user(struct netlink_skb_parms *cb)
1280	{
1281	enum audit_state state = AUDIT_DISABLED;
1282	struct audit_entry *e;
1283	int ret = 1;
1284
1285	rcu_read_lock();
1286	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1287	if (audit_filter_user_rules(cb, &e->rule, &state)) {
1288	if (state == AUDIT_DISABLED)
1289	ret = 0;
1290	break;
1291	}
1292	}
1293	rcu_read_unlock();
1294
1295	return ret; /* Audit by default */
1296	}
1297
1298	int audit_filter_type(int type)
1299	{
1300	struct audit_entry *e;
1301	int result = 0;
1302
1303	rcu_read_lock();
1304	if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1305	goto unlock_and_return;
1306
1307	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1308	list) {
1309	int i;
1310	for (i = 0; i < e->rule.field_count; i++) {
1311	struct audit_field *f = &e->rule.fields[i];
1312	if (f->type == AUDIT_MSGTYPE) {
1313	result = audit_comparator(type, f->op, f->val);
1314	if (!result)
1315	break;
1316	}
1317	}
1318	if (result)
1319	goto unlock_and_return;
1320	}
1321	unlock_and_return:
1322	rcu_read_unlock();
1323	return result;
1324	}
1325
1326	static int update_lsm_rule(struct audit_krule *r)
1327	{
1328	struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1329	struct audit_entry *nentry;
1330	int err = 0;
1331
1332	if (!security_audit_rule_known(r))
1333	return 0;
1334
1335	nentry = audit_dupe_rule(r);
1336	if (IS_ERR(nentry)) {
1337	/* save the first error encountered for the
1338	* return value */
1339	err = PTR_ERR(nentry);
1340	audit_panic("error updating LSM filters");
1341	if (r->watch)
1342	list_del(&r->rlist);
1343	list_del_rcu(&entry->list);
1344	list_del(&r->list);
1345	} else {
1346	if (r->watch \|\| r->tree)
1347	list_replace_init(&r->rlist, &nentry->rule.rlist);
1348	list_replace_rcu(&entry->list, &nentry->list);
1349	list_replace(&r->list, &nentry->rule.list);
1350	}
1351	call_rcu(&entry->rcu, audit_free_rule_rcu);
1352
1353	return err;
1354	}
1355
1356	/* This function will re-initialize the lsm_rule field of all applicable rules.
1357	* It will traverse the filter lists serarching for rules that contain LSM
1358	* specific filter fields. When such a rule is found, it is copied, the
1359	* LSM field is re-initialized, and the old rule is replaced with the
1360	* updated rule. */
1361	int audit_update_lsm_rules(void)
1362	{
1363	struct audit_krule r, n;
1364	int i, err = 0;
1365
1366	/* audit_filter_mutex synchronizes the writers */
1367	mutex_lock(&audit_filter_mutex);
1368
1369	for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1370	list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1371	int res = update_lsm_rule(r);
1372	if (!err)
1373	err = res;
1374	}
1375	}
1376	mutex_unlock(&audit_filter_mutex);
1377
1378	return err;
1379	}
1380

Download this file

Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master

Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9

Kernel

Kernel Git Source Tree

Root/kernel/auditfilter.c

interactive