Kernel

Kernel Git Source Tree

Root/kernel/auditfilter.c

1	/* auditfilter.c -- filtering of audit events
2	*
3	* Copyright 2003-2004 Red Hat, Inc.
4	* Copyright 2005 Hewlett-Packard Development Company, L.P.
5	* Copyright 2005 IBM Corporation
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* This program is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20	*/
21
22	#include <linux/kernel.h>
23	#include <linux/audit.h>
24	#include <linux/kthread.h>
25	#include <linux/mutex.h>
26	#include <linux/fs.h>
27	#include <linux/namei.h>
28	#include <linux/netlink.h>
29	#include <linux/sched.h>
30	#include <linux/slab.h>
31	#include <linux/security.h>
32	#include "audit.h"
33
34	/*
35	* Locking model:
36	*
37	* audit_filter_mutex:
38	* Synchronizes writes and blocking reads of audit's filterlist
39	* data. Rcu is used to traverse the filterlist and access
40	* contents of structs audit_entry, audit_watch and opaque
41	* LSM rules during filtering. If modified, these structures
42	* must be copied and replace their counterparts in the filterlist.
43	* An audit_parent struct is not accessed during filtering, so may
44	* be written directly provided audit_filter_mutex is held.
45	*/
46
47	/* Audit filter lists, defined in <linux/audit.h> */
48	struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
49	LIST_HEAD_INIT(audit_filter_list[0]),
50	LIST_HEAD_INIT(audit_filter_list[1]),
51	LIST_HEAD_INIT(audit_filter_list[2]),
52	LIST_HEAD_INIT(audit_filter_list[3]),
53	LIST_HEAD_INIT(audit_filter_list[4]),
54	LIST_HEAD_INIT(audit_filter_list[5]),
55	#if AUDIT_NR_FILTERS != 6
56	#error Fix audit_filter_list initialiser
57	#endif
58	};
59	static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
60	LIST_HEAD_INIT(audit_rules_list[0]),
61	LIST_HEAD_INIT(audit_rules_list[1]),
62	LIST_HEAD_INIT(audit_rules_list[2]),
63	LIST_HEAD_INIT(audit_rules_list[3]),
64	LIST_HEAD_INIT(audit_rules_list[4]),
65	LIST_HEAD_INIT(audit_rules_list[5]),
66	};
67
68	DEFINE_MUTEX(audit_filter_mutex);
69
70	static inline void audit_free_rule(struct audit_entry *e)
71	{
72	int i;
73	struct audit_krule *erule = &e->rule;
74	/* some rules don't have associated watches */
75	if (erule->watch)
76	audit_put_watch(erule->watch);
77	if (erule->fields)
78	for (i = 0; i < erule->field_count; i++) {
79	struct audit_field *f = &erule->fields[i];
80	kfree(f->lsm_str);
81	security_audit_rule_free(f->lsm_rule);
82	}
83	kfree(erule->fields);
84	kfree(erule->filterkey);
85	kfree(e);
86	}
87
88	void audit_free_rule_rcu(struct rcu_head *head)
89	{
90	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
91	audit_free_rule(e);
92	}
93
94	/* Initialize an audit filterlist entry. */
95	static inline struct audit_entry *audit_init_entry(u32 field_count)
96	{
97	struct audit_entry *entry;
98	struct audit_field *fields;
99
100	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
101	if (unlikely(!entry))
102	return NULL;
103
104	fields = kzalloc(sizeof(fields) field_count, GFP_KERNEL);
105	if (unlikely(!fields)) {
106	kfree(entry);
107	return NULL;
108	}
109	entry->rule.fields = fields;
110
111	return entry;
112	}
113
114	/* Unpack a filter field's string representation from user-space
115	* buffer. */
116	char audit_unpack_string(void bufp, size_t remain, size_t len)
117	{
118	char *str;
119
120	if (!bufp \|\| (len == 0) \|\| (len > remain))
121	return ERR_PTR(-EINVAL);
122
123	/* Of the currently implemented string fields, PATH_MAX
124	* defines the longest valid length.
125	*/
126	if (len > PATH_MAX)
127	return ERR_PTR(-ENAMETOOLONG);
128
129	str = kmalloc(len + 1, GFP_KERNEL);
130	if (unlikely(!str))
131	return ERR_PTR(-ENOMEM);
132
133	memcpy(str, *bufp, len);
134	str[len] = 0;
135	*bufp += len;
136	*remain -= len;
137
138	return str;
139	}
140
141	/* Translate an inode field to kernel respresentation. */
142	static inline int audit_to_inode(struct audit_krule *krule,
143	struct audit_field *f)
144	{
145	if (krule->listnr != AUDIT_FILTER_EXIT \|\|
146	krule->watch \|\| krule->inode_f \|\| krule->tree \|\|
147	(f->op != Audit_equal && f->op != Audit_not_equal))
148	return -EINVAL;
149
150	krule->inode_f = f;
151	return 0;
152	}
153
154	static __u32 *classes[AUDIT_SYSCALL_CLASSES];
155
156	int __init audit_register_class(int class, unsigned *list)
157	{
158	__u32 p = kzalloc(AUDIT_BITMASK_SIZE sizeof(__u32), GFP_KERNEL);
159	if (!p)
160	return -ENOMEM;
161	while (*list != ~0U) {
162	unsigned n = *list++;
163	if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
164	kfree(p);
165	return -EINVAL;
166	}
167	p[AUDIT_WORD(n)] \|= AUDIT_BIT(n);
168	}
169	if (class >= AUDIT_SYSCALL_CLASSES \|\| classes[class]) {
170	kfree(p);
171	return -EINVAL;
172	}
173	classes[class] = p;
174	return 0;
175	}
176
177	int audit_match_class(int class, unsigned syscall)
178	{
179	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
180	return 0;
181	if (unlikely(class >= AUDIT_SYSCALL_CLASSES \|\| !classes[class]))
182	return 0;
183	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
184	}
185
186	#ifdef CONFIG_AUDITSYSCALL
187	static inline int audit_match_class_bits(int class, u32 *mask)
188	{
189	int i;
190
191	if (classes[class]) {
192	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
193	if (mask[i] & classes[class][i])
194	return 0;
195	}
196	return 1;
197	}
198
199	static int audit_match_signal(struct audit_entry *entry)
200	{
201	struct audit_field *arch = entry->rule.arch_f;
202
203	if (!arch) {
204	/* When arch is unspecified, we must check both masks on biarch
205	* as syscall number alone is ambiguous. */
206	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
207	entry->rule.mask) &&
208	audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
209	entry->rule.mask));
210	}
211
212	switch(audit_classify_arch(arch->val)) {
213	case 0: /* native */
214	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
215	entry->rule.mask));
216	case 1: /* 32bit on biarch */
217	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
218	entry->rule.mask));
219	default:
220	return 1;
221	}
222	}
223	#endif
224
225	/* Common user-space to kernel rule translation. */
226	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
227	{
228	unsigned listnr;
229	struct audit_entry *entry;
230	int i, err;
231
232	err = -EINVAL;
233	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
234	switch(listnr) {
235	default:
236	goto exit_err;
237	case AUDIT_FILTER_USER:
238	case AUDIT_FILTER_TYPE:
239	#ifdef CONFIG_AUDITSYSCALL
240	case AUDIT_FILTER_ENTRY:
241	case AUDIT_FILTER_EXIT:
242	case AUDIT_FILTER_TASK:
243	#endif
244	;
245	}
246	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
247	printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
248	goto exit_err;
249	}
250	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
251	goto exit_err;
252	if (rule->field_count > AUDIT_MAX_FIELDS)
253	goto exit_err;
254
255	err = -ENOMEM;
256	entry = audit_init_entry(rule->field_count);
257	if (!entry)
258	goto exit_err;
259
260	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
261	entry->rule.listnr = listnr;
262	entry->rule.action = rule->action;
263	entry->rule.field_count = rule->field_count;
264
265	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
266	entry->rule.mask[i] = rule->mask[i];
267
268	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
269	int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
270	__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
271	__u32 *class;
272
273	if (!(*p & AUDIT_BIT(bit)))
274	continue;
275	*p &= ~AUDIT_BIT(bit);
276	class = classes[i];
277	if (class) {
278	int j;
279	for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
280	entry->rule.mask[j] \|= class[j];
281	}
282	}
283
284	return entry;
285
286	exit_err:
287	return ERR_PTR(err);
288	}
289
290	static u32 audit_ops[] =
291	{
292	[Audit_equal] = AUDIT_EQUAL,
293	[Audit_not_equal] = AUDIT_NOT_EQUAL,
294	[Audit_bitmask] = AUDIT_BIT_MASK,
295	[Audit_bittest] = AUDIT_BIT_TEST,
296	[Audit_lt] = AUDIT_LESS_THAN,
297	[Audit_gt] = AUDIT_GREATER_THAN,
298	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
299	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
300	};
301
302	static u32 audit_to_op(u32 op)
303	{
304	u32 n;
305	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
306	;
307	return n;
308	}
309
310
311	/* Translate struct audit_rule to kernel's rule respresentation.
312	* Exists for backward compatibility with userspace. */
313	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
314	{
315	struct audit_entry *entry;
316	int err = 0;
317	int i;
318
319	entry = audit_to_entry_common(rule);
320	if (IS_ERR(entry))
321	goto exit_nofree;
322
323	for (i = 0; i < rule->field_count; i++) {
324	struct audit_field *f = &entry->rule.fields[i];
325	u32 n;
326
327	n = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
328
329	/* Support for legacy operators where
330	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
331	if (n & AUDIT_NEGATE)
332	f->op = Audit_not_equal;
333	else if (!n)
334	f->op = Audit_equal;
335	else
336	f->op = audit_to_op(n);
337
338	entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
339
340	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);
341	f->val = rule->values[i];
342
343	err = -EINVAL;
344	if (f->op == Audit_bad)
345	goto exit_free;
346
347	switch(f->type) {
348	default:
349	goto exit_free;
350	case AUDIT_PID:
351	case AUDIT_UID:
352	case AUDIT_EUID:
353	case AUDIT_SUID:
354	case AUDIT_FSUID:
355	case AUDIT_GID:
356	case AUDIT_EGID:
357	case AUDIT_SGID:
358	case AUDIT_FSGID:
359	case AUDIT_LOGINUID:
360	case AUDIT_PERS:
361	case AUDIT_MSGTYPE:
362	case AUDIT_PPID:
363	case AUDIT_DEVMAJOR:
364	case AUDIT_DEVMINOR:
365	case AUDIT_EXIT:
366	case AUDIT_SUCCESS:
367	/* bit ops are only useful on syscall args */
368	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
369	goto exit_free;
370	break;
371	case AUDIT_ARG0:
372	case AUDIT_ARG1:
373	case AUDIT_ARG2:
374	case AUDIT_ARG3:
375	break;
376	/* arch is only allowed to be = or != */
377	case AUDIT_ARCH:
378	if (f->op != Audit_not_equal && f->op != Audit_equal)
379	goto exit_free;
380	entry->rule.arch_f = f;
381	break;
382	case AUDIT_PERM:
383	if (f->val & ~15)
384	goto exit_free;
385	break;
386	case AUDIT_FILETYPE:
387	if ((f->val & ~S_IFMT) > S_IFMT)
388	goto exit_free;
389	break;
390	case AUDIT_INODE:
391	err = audit_to_inode(&entry->rule, f);
392	if (err)
393	goto exit_free;
394	break;
395	}
396	}
397
398	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
399	entry->rule.inode_f = NULL;
400
401	exit_nofree:
402	return entry;
403
404	exit_free:
405	audit_free_rule(entry);
406	return ERR_PTR(err);
407	}
408
409	/* Translate struct audit_rule_data to kernel's rule respresentation. */
410	static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
411	size_t datasz)
412	{
413	int err = 0;
414	struct audit_entry *entry;
415	void *bufp;
416	size_t remain = datasz - sizeof(struct audit_rule_data);
417	int i;
418	char *str;
419
420	entry = audit_to_entry_common((struct audit_rule *)data);
421	if (IS_ERR(entry))
422	goto exit_nofree;
423
424	bufp = data->buf;
425	entry->rule.vers_ops = 2;
426	for (i = 0; i < data->field_count; i++) {
427	struct audit_field *f = &entry->rule.fields[i];
428
429	err = -EINVAL;
430
431	f->op = audit_to_op(data->fieldflags[i]);
432	if (f->op == Audit_bad)
433	goto exit_free;
434
435	f->type = data->fields[i];
436	f->val = data->values[i];
437	f->lsm_str = NULL;
438	f->lsm_rule = NULL;
439	switch(f->type) {
440	case AUDIT_PID:
441	case AUDIT_UID:
442	case AUDIT_EUID:
443	case AUDIT_SUID:
444	case AUDIT_FSUID:
445	case AUDIT_GID:
446	case AUDIT_EGID:
447	case AUDIT_SGID:
448	case AUDIT_FSGID:
449	case AUDIT_LOGINUID:
450	case AUDIT_PERS:
451	case AUDIT_MSGTYPE:
452	case AUDIT_PPID:
453	case AUDIT_DEVMAJOR:
454	case AUDIT_DEVMINOR:
455	case AUDIT_EXIT:
456	case AUDIT_SUCCESS:
457	case AUDIT_ARG0:
458	case AUDIT_ARG1:
459	case AUDIT_ARG2:
460	case AUDIT_ARG3:
461	break;
462	case AUDIT_ARCH:
463	entry->rule.arch_f = f;
464	break;
465	case AUDIT_SUBJ_USER:
466	case AUDIT_SUBJ_ROLE:
467	case AUDIT_SUBJ_TYPE:
468	case AUDIT_SUBJ_SEN:
469	case AUDIT_SUBJ_CLR:
470	case AUDIT_OBJ_USER:
471	case AUDIT_OBJ_ROLE:
472	case AUDIT_OBJ_TYPE:
473	case AUDIT_OBJ_LEV_LOW:
474	case AUDIT_OBJ_LEV_HIGH:
475	str = audit_unpack_string(&bufp, &remain, f->val);
476	if (IS_ERR(str))
477	goto exit_free;
478	entry->rule.buflen += f->val;
479
480	err = security_audit_rule_init(f->type, f->op, str,
481	(void **)&f->lsm_rule);
482	/* Keep currently invalid fields around in case they
483	* become valid after a policy reload. */
484	if (err == -EINVAL) {
485	printk(KERN_WARNING "audit rule for LSM "
486	"\'%s\' is invalid\n", str);
487	err = 0;
488	}
489	if (err) {
490	kfree(str);
491	goto exit_free;
492	} else
493	f->lsm_str = str;
494	break;
495	case AUDIT_WATCH:
496	str = audit_unpack_string(&bufp, &remain, f->val);
497	if (IS_ERR(str))
498	goto exit_free;
499	entry->rule.buflen += f->val;
500
501	err = audit_to_watch(&entry->rule, str, f->val, f->op);
502	if (err) {
503	kfree(str);
504	goto exit_free;
505	}
506	break;
507	case AUDIT_DIR:
508	str = audit_unpack_string(&bufp, &remain, f->val);
509	if (IS_ERR(str))
510	goto exit_free;
511	entry->rule.buflen += f->val;
512
513	err = audit_make_tree(&entry->rule, str, f->op);
514	kfree(str);
515	if (err)
516	goto exit_free;
517	break;
518	case AUDIT_INODE:
519	err = audit_to_inode(&entry->rule, f);
520	if (err)
521	goto exit_free;
522	break;
523	case AUDIT_FILTERKEY:
524	err = -EINVAL;
525	if (entry->rule.filterkey \|\| f->val > AUDIT_MAX_KEY_LEN)
526	goto exit_free;
527	str = audit_unpack_string(&bufp, &remain, f->val);
528	if (IS_ERR(str))
529	goto exit_free;
530	entry->rule.buflen += f->val;
531	entry->rule.filterkey = str;
532	break;
533	case AUDIT_PERM:
534	if (f->val & ~15)
535	goto exit_free;
536	break;
537	case AUDIT_FILETYPE:
538	if ((f->val & ~S_IFMT) > S_IFMT)
539	goto exit_free;
540	break;
541	default:
542	goto exit_free;
543	}
544	}
545
546	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
547	entry->rule.inode_f = NULL;
548
549	exit_nofree:
550	return entry;
551
552	exit_free:
553	audit_free_rule(entry);
554	return ERR_PTR(err);
555	}
556
557	/* Pack a filter field's string representation into data block. */
558	static inline size_t audit_pack_string(void *bufp, const char str)
559	{
560	size_t len = strlen(str);
561
562	memcpy(*bufp, str, len);
563	*bufp += len;
564
565	return len;
566	}
567
568	/* Translate kernel rule respresentation to struct audit_rule.
569	* Exists for backward compatibility with userspace. */
570	static struct audit_rule audit_krule_to_rule(struct audit_krule krule)
571	{
572	struct audit_rule *rule;
573	int i;
574
575	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
576	if (unlikely(!rule))
577	return NULL;
578
579	rule->flags = krule->flags \| krule->listnr;
580	rule->action = krule->action;
581	rule->field_count = krule->field_count;
582	for (i = 0; i < rule->field_count; i++) {
583	rule->values[i] = krule->fields[i].val;
584	rule->fields[i] = krule->fields[i].type;
585
586	if (krule->vers_ops == 1) {
587	if (krule->fields[i].op == Audit_not_equal)
588	rule->fields[i] \|= AUDIT_NEGATE;
589	} else {
590	rule->fields[i] \|= audit_ops[krule->fields[i].op];
591	}
592	}
593	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
594
595	return rule;
596	}
597
598	/* Translate kernel rule respresentation to struct audit_rule_data. */
599	static struct audit_rule_data audit_krule_to_data(struct audit_krule krule)
600	{
601	struct audit_rule_data *data;
602	void *bufp;
603	int i;
604
605	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
606	if (unlikely(!data))
607	return NULL;
608	memset(data, 0, sizeof(*data));
609
610	data->flags = krule->flags \| krule->listnr;
611	data->action = krule->action;
612	data->field_count = krule->field_count;
613	bufp = data->buf;
614	for (i = 0; i < data->field_count; i++) {
615	struct audit_field *f = &krule->fields[i];
616
617	data->fields[i] = f->type;
618	data->fieldflags[i] = audit_ops[f->op];
619	switch(f->type) {
620	case AUDIT_SUBJ_USER:
621	case AUDIT_SUBJ_ROLE:
622	case AUDIT_SUBJ_TYPE:
623	case AUDIT_SUBJ_SEN:
624	case AUDIT_SUBJ_CLR:
625	case AUDIT_OBJ_USER:
626	case AUDIT_OBJ_ROLE:
627	case AUDIT_OBJ_TYPE:
628	case AUDIT_OBJ_LEV_LOW:
629	case AUDIT_OBJ_LEV_HIGH:
630	data->buflen += data->values[i] =
631	audit_pack_string(&bufp, f->lsm_str);
632	break;
633	case AUDIT_WATCH:
634	data->buflen += data->values[i] =
635	audit_pack_string(&bufp,
636	audit_watch_path(krule->watch));
637	break;
638	case AUDIT_DIR:
639	data->buflen += data->values[i] =
640	audit_pack_string(&bufp,
641	audit_tree_path(krule->tree));
642	break;
643	case AUDIT_FILTERKEY:
644	data->buflen += data->values[i] =
645	audit_pack_string(&bufp, krule->filterkey);
646	break;
647	default:
648	data->values[i] = f->val;
649	}
650	}
651	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
652
653	return data;
654	}
655
656	/* Compare two rules in kernel format. Considered success if rules
657	* don't match. */
658	static int audit_compare_rule(struct audit_krule a, struct audit_krule b)
659	{
660	int i;
661
662	if (a->flags != b->flags \|\|
663	a->listnr != b->listnr \|\|
664	a->action != b->action \|\|
665	a->field_count != b->field_count)
666	return 1;
667
668	for (i = 0; i < a->field_count; i++) {
669	if (a->fields[i].type != b->fields[i].type \|\|
670	a->fields[i].op != b->fields[i].op)
671	return 1;
672
673	switch(a->fields[i].type) {
674	case AUDIT_SUBJ_USER:
675	case AUDIT_SUBJ_ROLE:
676	case AUDIT_SUBJ_TYPE:
677	case AUDIT_SUBJ_SEN:
678	case AUDIT_SUBJ_CLR:
679	case AUDIT_OBJ_USER:
680	case AUDIT_OBJ_ROLE:
681	case AUDIT_OBJ_TYPE:
682	case AUDIT_OBJ_LEV_LOW:
683	case AUDIT_OBJ_LEV_HIGH:
684	if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
685	return 1;
686	break;
687	case AUDIT_WATCH:
688	if (strcmp(audit_watch_path(a->watch),
689	audit_watch_path(b->watch)))
690	return 1;
691	break;
692	case AUDIT_DIR:
693	if (strcmp(audit_tree_path(a->tree),
694	audit_tree_path(b->tree)))
695	return 1;
696	break;
697	case AUDIT_FILTERKEY:
698	/* both filterkeys exist based on above type compare */
699	if (strcmp(a->filterkey, b->filterkey))
700	return 1;
701	break;
702	default:
703	if (a->fields[i].val != b->fields[i].val)
704	return 1;
705	}
706	}
707
708	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
709	if (a->mask[i] != b->mask[i])
710	return 1;
711
712	return 0;
713	}
714
715	/* Duplicate LSM field information. The lsm_rule is opaque, so must be
716	* re-initialized. */
717	static inline int audit_dupe_lsm_field(struct audit_field *df,
718	struct audit_field *sf)
719	{
720	int ret = 0;
721	char *lsm_str;
722
723	/* our own copy of lsm_str */
724	lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
725	if (unlikely(!lsm_str))
726	return -ENOMEM;
727	df->lsm_str = lsm_str;
728
729	/* our own (refreshed) copy of lsm_rule */
730	ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
731	(void **)&df->lsm_rule);
732	/* Keep currently invalid fields around in case they
733	* become valid after a policy reload. */
734	if (ret == -EINVAL) {
735	printk(KERN_WARNING "audit rule for LSM \'%s\' is "
736	"invalid\n", df->lsm_str);
737	ret = 0;
738	}
739
740	return ret;
741	}
742
743	/* Duplicate an audit rule. This will be a deep copy with the exception
744	* of the watch - that pointer is carried over. The LSM specific fields
745	* will be updated in the copy. The point is to be able to replace the old
746	* rule with the new rule in the filterlist, then free the old rule.
747	* The rlist element is undefined; list manipulations are handled apart from
748	* the initial copy. */
749	struct audit_entry audit_dupe_rule(struct audit_krule old,
750	struct audit_watch *watch)
751	{
752	u32 fcount = old->field_count;
753	struct audit_entry *entry;
754	struct audit_krule *new;
755	char *fk;
756	int i, err = 0;
757
758	entry = audit_init_entry(fcount);
759	if (unlikely(!entry))
760	return ERR_PTR(-ENOMEM);
761
762	new = &entry->rule;
763	new->vers_ops = old->vers_ops;
764	new->flags = old->flags;
765	new->listnr = old->listnr;
766	new->action = old->action;
767	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
768	new->mask[i] = old->mask[i];
769	new->prio = old->prio;
770	new->buflen = old->buflen;
771	new->inode_f = old->inode_f;
772	new->watch = NULL;
773	new->field_count = old->field_count;
774	/*
775	* note that we are OK with not refcounting here; audit_match_tree()
776	* never dereferences tree and we can't get false positives there
777	* since we'd have to have rule gone from the list and removed
778	* before the chunks found by lookup had been allocated, i.e. before
779	* the beginning of list scan.
780	*/
781	new->tree = old->tree;
782	memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
783
784	/* deep copy this information, updating the lsm_rule fields, because
785	* the originals will all be freed when the old rule is freed. */
786	for (i = 0; i < fcount; i++) {
787	switch (new->fields[i].type) {
788	case AUDIT_SUBJ_USER:
789	case AUDIT_SUBJ_ROLE:
790	case AUDIT_SUBJ_TYPE:
791	case AUDIT_SUBJ_SEN:
792	case AUDIT_SUBJ_CLR:
793	case AUDIT_OBJ_USER:
794	case AUDIT_OBJ_ROLE:
795	case AUDIT_OBJ_TYPE:
796	case AUDIT_OBJ_LEV_LOW:
797	case AUDIT_OBJ_LEV_HIGH:
798	err = audit_dupe_lsm_field(&new->fields[i],
799	&old->fields[i]);
800	break;
801	case AUDIT_FILTERKEY:
802	fk = kstrdup(old->filterkey, GFP_KERNEL);
803	if (unlikely(!fk))
804	err = -ENOMEM;
805	else
806	new->filterkey = fk;
807	}
808	if (err) {
809	audit_free_rule(entry);
810	return ERR_PTR(err);
811	}
812	}
813
814	if (watch) {
815	audit_get_watch(watch);
816	new->watch = watch;
817	}
818
819	return entry;
820	}
821
822	/* Find an existing audit rule.
823	* Caller must hold audit_filter_mutex to prevent stale rule data. */
824	static struct audit_entry audit_find_rule(struct audit_entry entry,
825	struct list_head **p)
826	{
827	struct audit_entry e, found = NULL;
828	struct list_head *list;
829	int h;
830
831	if (entry->rule.inode_f) {
832	h = audit_hash_ino(entry->rule.inode_f->val);
833	*p = list = &audit_inode_hash[h];
834	} else if (entry->rule.watch) {
835	/* we don't know the inode number, so must walk entire hash */
836	for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
837	list = &audit_inode_hash[h];
838	list_for_each_entry(e, list, list)
839	if (!audit_compare_rule(&entry->rule, &e->rule)) {
840	found = e;
841	goto out;
842	}
843	}
844	goto out;
845	} else {
846	*p = list = &audit_filter_list[entry->rule.listnr];
847	}
848
849	list_for_each_entry(e, list, list)
850	if (!audit_compare_rule(&entry->rule, &e->rule)) {
851	found = e;
852	goto out;
853	}
854
855	out:
856	return found;
857	}
858
859	static u64 prio_low = ~0ULL/2;
860	static u64 prio_high = ~0ULL/2 - 1;
861
862	/* Add rule to given filterlist if not a duplicate. */
863	static inline int audit_add_rule(struct audit_entry *entry)
864	{
865	struct audit_entry *e;
866	struct audit_watch *watch = entry->rule.watch;
867	struct audit_tree *tree = entry->rule.tree;
868	struct list_head *list;
869	int h, err;
870	#ifdef CONFIG_AUDITSYSCALL
871	int dont_count = 0;
872
873	/* If either of these, don't count towards total */
874	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|
875	entry->rule.listnr == AUDIT_FILTER_TYPE)
876	dont_count = 1;
877	#endif
878
879	mutex_lock(&audit_filter_mutex);
880	e = audit_find_rule(entry, &list);
881	if (e) {
882	mutex_unlock(&audit_filter_mutex);
883	err = -EEXIST;
884	/* normally audit_add_tree_rule() will free it on failure */
885	if (tree)
886	audit_put_tree(tree);
887	goto error;
888	}
889
890	if (watch) {
891	/* audit_filter_mutex is dropped and re-taken during this call */
892	err = audit_add_watch(&entry->rule);
893	if (err) {
894	mutex_unlock(&audit_filter_mutex);
895	goto error;
896	}
897	/* entry->rule.watch may have changed during audit_add_watch() */
898	watch = entry->rule.watch;
899	h = audit_hash_ino((u32)audit_watch_inode(watch));
900	list = &audit_inode_hash[h];
901	}
902	if (tree) {
903	err = audit_add_tree_rule(&entry->rule);
904	if (err) {
905	mutex_unlock(&audit_filter_mutex);
906	goto error;
907	}
908	}
909
910	entry->rule.prio = ~0ULL;
911	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
912	if (entry->rule.flags & AUDIT_FILTER_PREPEND)
913	entry->rule.prio = ++prio_high;
914	else
915	entry->rule.prio = --prio_low;
916	}
917
918	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
919	list_add(&entry->rule.list,
920	&audit_rules_list[entry->rule.listnr]);
921	list_add_rcu(&entry->list, list);
922	entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
923	} else {
924	list_add_tail(&entry->rule.list,
925	&audit_rules_list[entry->rule.listnr]);
926	list_add_tail_rcu(&entry->list, list);
927	}
928	#ifdef CONFIG_AUDITSYSCALL
929	if (!dont_count)
930	audit_n_rules++;
931
932	if (!audit_match_signal(entry))
933	audit_signals++;
934	#endif
935	mutex_unlock(&audit_filter_mutex);
936
937	return 0;
938
939	error:
940	if (watch)
941	audit_put_watch(watch); /* tmp watch, matches initial get */
942	return err;
943	}
944
945	/* Remove an existing rule from filterlist. */
946	static inline int audit_del_rule(struct audit_entry *entry)
947	{
948	struct audit_entry *e;
949	struct audit_watch *watch = entry->rule.watch;
950	struct audit_tree *tree = entry->rule.tree;
951	struct list_head *list;
952	LIST_HEAD(inotify_list);
953	int ret = 0;
954	#ifdef CONFIG_AUDITSYSCALL
955	int dont_count = 0;
956
957	/* If either of these, don't count towards total */
958	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|
959	entry->rule.listnr == AUDIT_FILTER_TYPE)
960	dont_count = 1;
961	#endif
962
963	mutex_lock(&audit_filter_mutex);
964	e = audit_find_rule(entry, &list);
965	if (!e) {
966	mutex_unlock(&audit_filter_mutex);
967	ret = -ENOENT;
968	goto out;
969	}
970
971	if (e->rule.watch)
972	audit_remove_watch_rule(&e->rule, &inotify_list);
973
974	if (e->rule.tree)
975	audit_remove_tree_rule(&e->rule);
976
977	list_del_rcu(&e->list);
978	list_del(&e->rule.list);
979	call_rcu(&e->rcu, audit_free_rule_rcu);
980
981	#ifdef CONFIG_AUDITSYSCALL
982	if (!dont_count)
983	audit_n_rules--;
984
985	if (!audit_match_signal(entry))
986	audit_signals--;
987	#endif
988	mutex_unlock(&audit_filter_mutex);
989
990	if (!list_empty(&inotify_list))
991	audit_inotify_unregister(&inotify_list);
992
993	out:
994	if (watch)
995	audit_put_watch(watch); /* match initial get */
996	if (tree)
997	audit_put_tree(tree); /* that's the temporary one */
998
999	return ret;
1000	}
1001
1002	/* List rules using struct audit_rule. Exists for backward
1003	* compatibility with userspace. */
1004	static void audit_list(int pid, int seq, struct sk_buff_head *q)
1005	{
1006	struct sk_buff *skb;
1007	struct audit_krule *r;
1008	int i;
1009
1010	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1011	* iterator to sync with list writers. */
1012	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1013	list_for_each_entry(r, &audit_rules_list[i], list) {
1014	struct audit_rule *rule;
1015
1016	rule = audit_krule_to_rule(r);
1017	if (unlikely(!rule))
1018	break;
1019	skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1020	rule, sizeof(*rule));
1021	if (skb)
1022	skb_queue_tail(q, skb);
1023	kfree(rule);
1024	}
1025	}
1026	skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1027	if (skb)
1028	skb_queue_tail(q, skb);
1029	}
1030
1031	/* List rules using struct audit_rule_data. */
1032	static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1033	{
1034	struct sk_buff *skb;
1035	struct audit_krule *r;
1036	int i;
1037
1038	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1039	* iterator to sync with list writers. */
1040	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1041	list_for_each_entry(r, &audit_rules_list[i], list) {
1042	struct audit_rule_data *data;
1043
1044	data = audit_krule_to_data(r);
1045	if (unlikely(!data))
1046	break;
1047	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1048	data, sizeof(*data) + data->buflen);
1049	if (skb)
1050	skb_queue_tail(q, skb);
1051	kfree(data);
1052	}
1053	}
1054	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1055	if (skb)
1056	skb_queue_tail(q, skb);
1057	}
1058
1059	/* Log rule additions and removals */
1060	static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1061	char action, struct audit_krule rule,
1062	int res)
1063	{
1064	struct audit_buffer *ab;
1065
1066	if (!audit_enabled)
1067	return;
1068
1069	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1070	if (!ab)
1071	return;
1072	audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1073	if (sid) {
1074	char *ctx = NULL;
1075	u32 len;
1076	if (security_secid_to_secctx(sid, &ctx, &len))
1077	audit_log_format(ab, " ssid=%u", sid);
1078	else {
1079	audit_log_format(ab, " subj=%s", ctx);
1080	security_release_secctx(ctx, len);
1081	}
1082	}
1083	audit_log_format(ab, " op=");
1084	audit_log_string(ab, action);
1085	audit_log_key(ab, rule->filterkey);
1086	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1087	audit_log_end(ab);
1088	}
1089
1090	/**
1091	* audit_receive_filter - apply all rules to the specified message type
1092	* @type: audit message type
1093	* @pid: target pid for netlink audit messages
1094	* @uid: target uid for netlink audit messages
1095	* @seq: netlink audit message sequence (serial) number
1096	* @data: payload data
1097	* @datasz: size of payload data
1098	* @loginuid: loginuid of sender
1099	* @sessionid: sessionid for netlink audit message
1100	* @sid: SE Linux Security ID of sender
1101	*/
1102	int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1103	size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1104	{
1105	struct task_struct *tsk;
1106	struct audit_netlink_list *dest;
1107	int err = 0;
1108	struct audit_entry *entry;
1109
1110	switch (type) {
1111	case AUDIT_LIST:
1112	case AUDIT_LIST_RULES:
1113	/* We can't just spew out the rules here because we might fill
1114	* the available socket buffer space and deadlock waiting for
1115	* auditctl to read from it... which isn't ever going to
1116	* happen if we're actually running in the context of auditctl
1117	* trying to _send_ the stuff */
1118
1119	dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1120	if (!dest)
1121	return -ENOMEM;
1122	dest->pid = pid;
1123	skb_queue_head_init(&dest->q);
1124
1125	mutex_lock(&audit_filter_mutex);
1126	if (type == AUDIT_LIST)
1127	audit_list(pid, seq, &dest->q);
1128	else
1129	audit_list_rules(pid, seq, &dest->q);
1130	mutex_unlock(&audit_filter_mutex);
1131
1132	tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1133	if (IS_ERR(tsk)) {
1134	skb_queue_purge(&dest->q);
1135	kfree(dest);
1136	err = PTR_ERR(tsk);
1137	}
1138	break;
1139	case AUDIT_ADD:
1140	case AUDIT_ADD_RULE:
1141	if (type == AUDIT_ADD)
1142	entry = audit_rule_to_entry(data);
1143	else
1144	entry = audit_data_to_entry(data, datasz);
1145	if (IS_ERR(entry))
1146	return PTR_ERR(entry);
1147
1148	err = audit_add_rule(entry);
1149	audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1150	&entry->rule, !err);
1151
1152	if (err)
1153	audit_free_rule(entry);
1154	break;
1155	case AUDIT_DEL:
1156	case AUDIT_DEL_RULE:
1157	if (type == AUDIT_DEL)
1158	entry = audit_rule_to_entry(data);
1159	else
1160	entry = audit_data_to_entry(data, datasz);
1161	if (IS_ERR(entry))
1162	return PTR_ERR(entry);
1163
1164	err = audit_del_rule(entry);
1165	audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1166	&entry->rule, !err);
1167
1168	audit_free_rule(entry);
1169	break;
1170	default:
1171	return -EINVAL;
1172	}
1173
1174	return err;
1175	}
1176
1177	int audit_comparator(u32 left, u32 op, u32 right)
1178	{
1179	switch (op) {
1180	case Audit_equal:
1181	return (left == right);
1182	case Audit_not_equal:
1183	return (left != right);
1184	case Audit_lt:
1185	return (left < right);
1186	case Audit_le:
1187	return (left <= right);
1188	case Audit_gt:
1189	return (left > right);
1190	case Audit_ge:
1191	return (left >= right);
1192	case Audit_bitmask:
1193	return (left & right);
1194	case Audit_bittest:
1195	return ((left & right) == right);
1196	default:
1197	BUG();
1198	return 0;
1199	}
1200	}
1201
1202	/* Compare given dentry name with last component in given path,
1203	* return of 0 indicates a match. */
1204	int audit_compare_dname_path(const char dname, const char path,
1205	int *dirlen)
1206	{
1207	int dlen, plen;
1208	const char *p;
1209
1210	if (!dname \|\| !path)
1211	return 1;
1212
1213	dlen = strlen(dname);
1214	plen = strlen(path);
1215	if (plen < dlen)
1216	return 1;
1217
1218	/* disregard trailing slashes */
1219	p = path + plen - 1;
1220	while ((*p == '/') && (p > path))
1221	p--;
1222
1223	/* find last path component */
1224	p = p - dlen + 1;
1225	if (p < path)
1226	return 1;
1227	else if (p > path) {
1228	if (*--p != '/')
1229	return 1;
1230	else
1231	p++;
1232	}
1233
1234	/* return length of path's directory component */
1235	if (dirlen)
1236	*dirlen = p - path;
1237	return strncmp(p, dname, dlen);
1238	}
1239
1240	static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1241	struct audit_krule *rule,
1242	enum audit_state *state)
1243	{
1244	int i;
1245
1246	for (i = 0; i < rule->field_count; i++) {
1247	struct audit_field *f = &rule->fields[i];
1248	int result = 0;
1249
1250	switch (f->type) {
1251	case AUDIT_PID:
1252	result = audit_comparator(cb->creds.pid, f->op, f->val);
1253	break;
1254	case AUDIT_UID:
1255	result = audit_comparator(cb->creds.uid, f->op, f->val);
1256	break;
1257	case AUDIT_GID:
1258	result = audit_comparator(cb->creds.gid, f->op, f->val);
1259	break;
1260	case AUDIT_LOGINUID:
1261	result = audit_comparator(cb->loginuid, f->op, f->val);
1262	break;
1263	}
1264
1265	if (!result)
1266	return 0;
1267	}
1268	switch (rule->action) {
1269	case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
1270	case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
1271	}
1272	return 1;
1273	}
1274
1275	int audit_filter_user(struct netlink_skb_parms *cb)
1276	{
1277	enum audit_state state = AUDIT_DISABLED;
1278	struct audit_entry *e;
1279	int ret = 1;
1280
1281	rcu_read_lock();
1282	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1283	if (audit_filter_user_rules(cb, &e->rule, &state)) {
1284	if (state == AUDIT_DISABLED)
1285	ret = 0;
1286	break;
1287	}
1288	}
1289	rcu_read_unlock();
1290
1291	return ret; /* Audit by default */
1292	}
1293
1294	int audit_filter_type(int type)
1295	{
1296	struct audit_entry *e;
1297	int result = 0;
1298
1299	rcu_read_lock();
1300	if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1301	goto unlock_and_return;
1302
1303	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1304	list) {
1305	int i;
1306	for (i = 0; i < e->rule.field_count; i++) {
1307	struct audit_field *f = &e->rule.fields[i];
1308	if (f->type == AUDIT_MSGTYPE) {
1309	result = audit_comparator(type, f->op, f->val);
1310	if (!result)
1311	break;
1312	}
1313	}
1314	if (result)
1315	goto unlock_and_return;
1316	}
1317	unlock_and_return:
1318	rcu_read_unlock();
1319	return result;
1320	}
1321
1322	static int update_lsm_rule(struct audit_krule *r)
1323	{
1324	struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1325	struct audit_entry *nentry;
1326	struct audit_watch *watch;
1327	struct audit_tree *tree;
1328	int err = 0;
1329
1330	if (!security_audit_rule_known(r))
1331	return 0;
1332
1333	watch = r->watch;
1334	tree = r->tree;
1335	nentry = audit_dupe_rule(r, watch);
1336	if (IS_ERR(nentry)) {
1337	/* save the first error encountered for the
1338	* return value */
1339	err = PTR_ERR(nentry);
1340	audit_panic("error updating LSM filters");
1341	if (watch)
1342	list_del(&r->rlist);
1343	list_del_rcu(&entry->list);
1344	list_del(&r->list);
1345	} else {
1346	if (watch) {
1347	list_add(&nentry->rule.rlist, audit_watch_rules(watch));
1348	list_del(&r->rlist);
1349	} else if (tree)
1350	list_replace_init(&r->rlist, &nentry->rule.rlist);
1351	list_replace_rcu(&entry->list, &nentry->list);
1352	list_replace(&r->list, &nentry->rule.list);
1353	}
1354	call_rcu(&entry->rcu, audit_free_rule_rcu);
1355
1356	return err;
1357	}
1358
1359	/* This function will re-initialize the lsm_rule field of all applicable rules.
1360	* It will traverse the filter lists serarching for rules that contain LSM
1361	* specific filter fields. When such a rule is found, it is copied, the
1362	* LSM field is re-initialized, and the old rule is replaced with the
1363	* updated rule. */
1364	int audit_update_lsm_rules(void)
1365	{
1366	struct audit_krule r, n;
1367	int i, err = 0;
1368
1369	/* audit_filter_mutex synchronizes the writers */
1370	mutex_lock(&audit_filter_mutex);
1371
1372	for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1373	list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1374	int res = update_lsm_rule(r);
1375	if (!err)
1376	err = res;
1377	}
1378	}
1379	mutex_unlock(&audit_filter_mutex);
1380
1381	return err;
1382	}
1383

Download this file

Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master

Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9

Kernel

Kernel Git Source Tree

Root/kernel/auditfilter.c

interactive