Root/kernel/auditfilter.c

1/* auditfilter.c -- filtering of audit events
2 *
3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */
21
22#include <linux/kernel.h>
23#include <linux/audit.h>
24#include <linux/kthread.h>
25#include <linux/mutex.h>
26#include <linux/fs.h>
27#include <linux/namei.h>
28#include <linux/netlink.h>
29#include <linux/sched.h>
30#include <linux/slab.h>
31#include <linux/security.h>
32#include "audit.h"
33
34/*
35 * Locking model:
36 *
37 * audit_filter_mutex:
38 * Synchronizes writes and blocking reads of audit's filterlist
39 * data. Rcu is used to traverse the filterlist and access
40 * contents of structs audit_entry, audit_watch and opaque
41 * LSM rules during filtering. If modified, these structures
42 * must be copied and replace their counterparts in the filterlist.
43 * An audit_parent struct is not accessed during filtering, so may
44 * be written directly provided audit_filter_mutex is held.
45 */
46
47/* Audit filter lists, defined in <linux/audit.h> */
48struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
49    LIST_HEAD_INIT(audit_filter_list[0]),
50    LIST_HEAD_INIT(audit_filter_list[1]),
51    LIST_HEAD_INIT(audit_filter_list[2]),
52    LIST_HEAD_INIT(audit_filter_list[3]),
53    LIST_HEAD_INIT(audit_filter_list[4]),
54    LIST_HEAD_INIT(audit_filter_list[5]),
55#if AUDIT_NR_FILTERS != 6
56#error Fix audit_filter_list initialiser
57#endif
58};
59static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
60    LIST_HEAD_INIT(audit_rules_list[0]),
61    LIST_HEAD_INIT(audit_rules_list[1]),
62    LIST_HEAD_INIT(audit_rules_list[2]),
63    LIST_HEAD_INIT(audit_rules_list[3]),
64    LIST_HEAD_INIT(audit_rules_list[4]),
65    LIST_HEAD_INIT(audit_rules_list[5]),
66};
67
68DEFINE_MUTEX(audit_filter_mutex);
69
70static inline void audit_free_rule(struct audit_entry *e)
71{
72    int i;
73    struct audit_krule *erule = &e->rule;
74
75    /* some rules don't have associated watches */
76    if (erule->watch)
77        audit_put_watch(erule->watch);
78    if (erule->fields)
79        for (i = 0; i < erule->field_count; i++) {
80            struct audit_field *f = &erule->fields[i];
81            kfree(f->lsm_str);
82            security_audit_rule_free(f->lsm_rule);
83        }
84    kfree(erule->fields);
85    kfree(erule->filterkey);
86    kfree(e);
87}
88
89void audit_free_rule_rcu(struct rcu_head *head)
90{
91    struct audit_entry *e = container_of(head, struct audit_entry, rcu);
92    audit_free_rule(e);
93}
94
95/* Initialize an audit filterlist entry. */
96static inline struct audit_entry *audit_init_entry(u32 field_count)
97{
98    struct audit_entry *entry;
99    struct audit_field *fields;
100
101    entry = kzalloc(sizeof(*entry), GFP_KERNEL);
102    if (unlikely(!entry))
103        return NULL;
104
105    fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
106    if (unlikely(!fields)) {
107        kfree(entry);
108        return NULL;
109    }
110    entry->rule.fields = fields;
111
112    return entry;
113}
114
115/* Unpack a filter field's string representation from user-space
116 * buffer. */
117char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
118{
119    char *str;
120
121    if (!*bufp || (len == 0) || (len > *remain))
122        return ERR_PTR(-EINVAL);
123
124    /* Of the currently implemented string fields, PATH_MAX
125     * defines the longest valid length.
126     */
127    if (len > PATH_MAX)
128        return ERR_PTR(-ENAMETOOLONG);
129
130    str = kmalloc(len + 1, GFP_KERNEL);
131    if (unlikely(!str))
132        return ERR_PTR(-ENOMEM);
133
134    memcpy(str, *bufp, len);
135    str[len] = 0;
136    *bufp += len;
137    *remain -= len;
138
139    return str;
140}
141
142/* Translate an inode field to kernel respresentation. */
143static inline int audit_to_inode(struct audit_krule *krule,
144                 struct audit_field *f)
145{
146    if (krule->listnr != AUDIT_FILTER_EXIT ||
147        krule->watch || krule->inode_f || krule->tree ||
148        (f->op != Audit_equal && f->op != Audit_not_equal))
149        return -EINVAL;
150
151    krule->inode_f = f;
152    return 0;
153}
154
155static __u32 *classes[AUDIT_SYSCALL_CLASSES];
156
157int __init audit_register_class(int class, unsigned *list)
158{
159    __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
160    if (!p)
161        return -ENOMEM;
162    while (*list != ~0U) {
163        unsigned n = *list++;
164        if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
165            kfree(p);
166            return -EINVAL;
167        }
168        p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
169    }
170    if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
171        kfree(p);
172        return -EINVAL;
173    }
174    classes[class] = p;
175    return 0;
176}
177
178int audit_match_class(int class, unsigned syscall)
179{
180    if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
181        return 0;
182    if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
183        return 0;
184    return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
185}
186
187#ifdef CONFIG_AUDITSYSCALL
188static inline int audit_match_class_bits(int class, u32 *mask)
189{
190    int i;
191
192    if (classes[class]) {
193        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
194            if (mask[i] & classes[class][i])
195                return 0;
196    }
197    return 1;
198}
199
200static int audit_match_signal(struct audit_entry *entry)
201{
202    struct audit_field *arch = entry->rule.arch_f;
203
204    if (!arch) {
205        /* When arch is unspecified, we must check both masks on biarch
206         * as syscall number alone is ambiguous. */
207        return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
208                           entry->rule.mask) &&
209            audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
210                           entry->rule.mask));
211    }
212
213    switch(audit_classify_arch(arch->val)) {
214    case 0: /* native */
215        return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
216                           entry->rule.mask));
217    case 1: /* 32bit on biarch */
218        return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
219                           entry->rule.mask));
220    default:
221        return 1;
222    }
223}
224#endif
225
226/* Common user-space to kernel rule translation. */
227static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
228{
229    unsigned listnr;
230    struct audit_entry *entry;
231    int i, err;
232
233    err = -EINVAL;
234    listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
235    switch(listnr) {
236    default:
237        goto exit_err;
238    case AUDIT_FILTER_USER:
239    case AUDIT_FILTER_TYPE:
240#ifdef CONFIG_AUDITSYSCALL
241    case AUDIT_FILTER_ENTRY:
242    case AUDIT_FILTER_EXIT:
243    case AUDIT_FILTER_TASK:
244#endif
245        ;
246    }
247    if (unlikely(rule->action == AUDIT_POSSIBLE)) {
248        printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
249        goto exit_err;
250    }
251    if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
252        goto exit_err;
253    if (rule->field_count > AUDIT_MAX_FIELDS)
254        goto exit_err;
255
256    err = -ENOMEM;
257    entry = audit_init_entry(rule->field_count);
258    if (!entry)
259        goto exit_err;
260
261    entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
262    entry->rule.listnr = listnr;
263    entry->rule.action = rule->action;
264    entry->rule.field_count = rule->field_count;
265
266    for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
267        entry->rule.mask[i] = rule->mask[i];
268
269    for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
270        int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
271        __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
272        __u32 *class;
273
274        if (!(*p & AUDIT_BIT(bit)))
275            continue;
276        *p &= ~AUDIT_BIT(bit);
277        class = classes[i];
278        if (class) {
279            int j;
280            for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
281                entry->rule.mask[j] |= class[j];
282        }
283    }
284
285    return entry;
286
287exit_err:
288    return ERR_PTR(err);
289}
290
291static u32 audit_ops[] =
292{
293    [Audit_equal] = AUDIT_EQUAL,
294    [Audit_not_equal] = AUDIT_NOT_EQUAL,
295    [Audit_bitmask] = AUDIT_BIT_MASK,
296    [Audit_bittest] = AUDIT_BIT_TEST,
297    [Audit_lt] = AUDIT_LESS_THAN,
298    [Audit_gt] = AUDIT_GREATER_THAN,
299    [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
300    [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
301};
302
303static u32 audit_to_op(u32 op)
304{
305    u32 n;
306    for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
307        ;
308    return n;
309}
310
311
312/* Translate struct audit_rule to kernel's rule respresentation.
313 * Exists for backward compatibility with userspace. */
314static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
315{
316    struct audit_entry *entry;
317    int err = 0;
318    int i;
319
320    entry = audit_to_entry_common(rule);
321    if (IS_ERR(entry))
322        goto exit_nofree;
323
324    for (i = 0; i < rule->field_count; i++) {
325        struct audit_field *f = &entry->rule.fields[i];
326        u32 n;
327
328        n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
329
330        /* Support for legacy operators where
331         * AUDIT_NEGATE bit signifies != and otherwise assumes == */
332        if (n & AUDIT_NEGATE)
333            f->op = Audit_not_equal;
334        else if (!n)
335            f->op = Audit_equal;
336        else
337            f->op = audit_to_op(n);
338
339        entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
340
341        f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
342        f->val = rule->values[i];
343
344        err = -EINVAL;
345        if (f->op == Audit_bad)
346            goto exit_free;
347
348        switch(f->type) {
349        default:
350            goto exit_free;
351        case AUDIT_PID:
352        case AUDIT_UID:
353        case AUDIT_EUID:
354        case AUDIT_SUID:
355        case AUDIT_FSUID:
356        case AUDIT_GID:
357        case AUDIT_EGID:
358        case AUDIT_SGID:
359        case AUDIT_FSGID:
360        case AUDIT_LOGINUID:
361        case AUDIT_PERS:
362        case AUDIT_MSGTYPE:
363        case AUDIT_PPID:
364        case AUDIT_DEVMAJOR:
365        case AUDIT_DEVMINOR:
366        case AUDIT_EXIT:
367        case AUDIT_SUCCESS:
368            /* bit ops are only useful on syscall args */
369            if (f->op == Audit_bitmask || f->op == Audit_bittest)
370                goto exit_free;
371            break;
372        case AUDIT_ARG0:
373        case AUDIT_ARG1:
374        case AUDIT_ARG2:
375        case AUDIT_ARG3:
376            break;
377        /* arch is only allowed to be = or != */
378        case AUDIT_ARCH:
379            if (f->op != Audit_not_equal && f->op != Audit_equal)
380                goto exit_free;
381            entry->rule.arch_f = f;
382            break;
383        case AUDIT_PERM:
384            if (f->val & ~15)
385                goto exit_free;
386            break;
387        case AUDIT_FILETYPE:
388            if ((f->val & ~S_IFMT) > S_IFMT)
389                goto exit_free;
390            break;
391        case AUDIT_INODE:
392            err = audit_to_inode(&entry->rule, f);
393            if (err)
394                goto exit_free;
395            break;
396        }
397    }
398
399    if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
400        entry->rule.inode_f = NULL;
401
402exit_nofree:
403    return entry;
404
405exit_free:
406    audit_free_rule(entry);
407    return ERR_PTR(err);
408}
409
410/* Translate struct audit_rule_data to kernel's rule respresentation. */
411static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
412                           size_t datasz)
413{
414    int err = 0;
415    struct audit_entry *entry;
416    void *bufp;
417    size_t remain = datasz - sizeof(struct audit_rule_data);
418    int i;
419    char *str;
420
421    entry = audit_to_entry_common((struct audit_rule *)data);
422    if (IS_ERR(entry))
423        goto exit_nofree;
424
425    bufp = data->buf;
426    entry->rule.vers_ops = 2;
427    for (i = 0; i < data->field_count; i++) {
428        struct audit_field *f = &entry->rule.fields[i];
429
430        err = -EINVAL;
431
432        f->op = audit_to_op(data->fieldflags[i]);
433        if (f->op == Audit_bad)
434            goto exit_free;
435
436        f->type = data->fields[i];
437        f->val = data->values[i];
438        f->lsm_str = NULL;
439        f->lsm_rule = NULL;
440        switch(f->type) {
441        case AUDIT_PID:
442        case AUDIT_UID:
443        case AUDIT_EUID:
444        case AUDIT_SUID:
445        case AUDIT_FSUID:
446        case AUDIT_GID:
447        case AUDIT_EGID:
448        case AUDIT_SGID:
449        case AUDIT_FSGID:
450        case AUDIT_LOGINUID:
451        case AUDIT_PERS:
452        case AUDIT_MSGTYPE:
453        case AUDIT_PPID:
454        case AUDIT_DEVMAJOR:
455        case AUDIT_DEVMINOR:
456        case AUDIT_EXIT:
457        case AUDIT_SUCCESS:
458        case AUDIT_ARG0:
459        case AUDIT_ARG1:
460        case AUDIT_ARG2:
461        case AUDIT_ARG3:
462            break;
463        case AUDIT_ARCH:
464            entry->rule.arch_f = f;
465            break;
466        case AUDIT_SUBJ_USER:
467        case AUDIT_SUBJ_ROLE:
468        case AUDIT_SUBJ_TYPE:
469        case AUDIT_SUBJ_SEN:
470        case AUDIT_SUBJ_CLR:
471        case AUDIT_OBJ_USER:
472        case AUDIT_OBJ_ROLE:
473        case AUDIT_OBJ_TYPE:
474        case AUDIT_OBJ_LEV_LOW:
475        case AUDIT_OBJ_LEV_HIGH:
476            str = audit_unpack_string(&bufp, &remain, f->val);
477            if (IS_ERR(str))
478                goto exit_free;
479            entry->rule.buflen += f->val;
480
481            err = security_audit_rule_init(f->type, f->op, str,
482                               (void **)&f->lsm_rule);
483            /* Keep currently invalid fields around in case they
484             * become valid after a policy reload. */
485            if (err == -EINVAL) {
486                printk(KERN_WARNING "audit rule for LSM "
487                       "\'%s\' is invalid\n", str);
488                err = 0;
489            }
490            if (err) {
491                kfree(str);
492                goto exit_free;
493            } else
494                f->lsm_str = str;
495            break;
496        case AUDIT_WATCH:
497            str = audit_unpack_string(&bufp, &remain, f->val);
498            if (IS_ERR(str))
499                goto exit_free;
500            entry->rule.buflen += f->val;
501
502            err = audit_to_watch(&entry->rule, str, f->val, f->op);
503            if (err) {
504                kfree(str);
505                goto exit_free;
506            }
507            break;
508        case AUDIT_DIR:
509            str = audit_unpack_string(&bufp, &remain, f->val);
510            if (IS_ERR(str))
511                goto exit_free;
512            entry->rule.buflen += f->val;
513
514            err = audit_make_tree(&entry->rule, str, f->op);
515            kfree(str);
516            if (err)
517                goto exit_free;
518            break;
519        case AUDIT_INODE:
520            err = audit_to_inode(&entry->rule, f);
521            if (err)
522                goto exit_free;
523            break;
524        case AUDIT_FILTERKEY:
525            err = -EINVAL;
526            if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
527                goto exit_free;
528            str = audit_unpack_string(&bufp, &remain, f->val);
529            if (IS_ERR(str))
530                goto exit_free;
531            entry->rule.buflen += f->val;
532            entry->rule.filterkey = str;
533            break;
534        case AUDIT_PERM:
535            if (f->val & ~15)
536                goto exit_free;
537            break;
538        case AUDIT_FILETYPE:
539            if ((f->val & ~S_IFMT) > S_IFMT)
540                goto exit_free;
541            break;
542        default:
543            goto exit_free;
544        }
545    }
546
547    if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
548        entry->rule.inode_f = NULL;
549
550exit_nofree:
551    return entry;
552
553exit_free:
554    audit_free_rule(entry);
555    return ERR_PTR(err);
556}
557
558/* Pack a filter field's string representation into data block. */
559static inline size_t audit_pack_string(void **bufp, const char *str)
560{
561    size_t len = strlen(str);
562
563    memcpy(*bufp, str, len);
564    *bufp += len;
565
566    return len;
567}
568
569/* Translate kernel rule respresentation to struct audit_rule.
570 * Exists for backward compatibility with userspace. */
571static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
572{
573    struct audit_rule *rule;
574    int i;
575
576    rule = kzalloc(sizeof(*rule), GFP_KERNEL);
577    if (unlikely(!rule))
578        return NULL;
579
580    rule->flags = krule->flags | krule->listnr;
581    rule->action = krule->action;
582    rule->field_count = krule->field_count;
583    for (i = 0; i < rule->field_count; i++) {
584        rule->values[i] = krule->fields[i].val;
585        rule->fields[i] = krule->fields[i].type;
586
587        if (krule->vers_ops == 1) {
588            if (krule->fields[i].op == Audit_not_equal)
589                rule->fields[i] |= AUDIT_NEGATE;
590        } else {
591            rule->fields[i] |= audit_ops[krule->fields[i].op];
592        }
593    }
594    for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
595
596    return rule;
597}
598
599/* Translate kernel rule respresentation to struct audit_rule_data. */
600static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
601{
602    struct audit_rule_data *data;
603    void *bufp;
604    int i;
605
606    data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
607    if (unlikely(!data))
608        return NULL;
609    memset(data, 0, sizeof(*data));
610
611    data->flags = krule->flags | krule->listnr;
612    data->action = krule->action;
613    data->field_count = krule->field_count;
614    bufp = data->buf;
615    for (i = 0; i < data->field_count; i++) {
616        struct audit_field *f = &krule->fields[i];
617
618        data->fields[i] = f->type;
619        data->fieldflags[i] = audit_ops[f->op];
620        switch(f->type) {
621        case AUDIT_SUBJ_USER:
622        case AUDIT_SUBJ_ROLE:
623        case AUDIT_SUBJ_TYPE:
624        case AUDIT_SUBJ_SEN:
625        case AUDIT_SUBJ_CLR:
626        case AUDIT_OBJ_USER:
627        case AUDIT_OBJ_ROLE:
628        case AUDIT_OBJ_TYPE:
629        case AUDIT_OBJ_LEV_LOW:
630        case AUDIT_OBJ_LEV_HIGH:
631            data->buflen += data->values[i] =
632                audit_pack_string(&bufp, f->lsm_str);
633            break;
634        case AUDIT_WATCH:
635            data->buflen += data->values[i] =
636                audit_pack_string(&bufp,
637                          audit_watch_path(krule->watch));
638            break;
639        case AUDIT_DIR:
640            data->buflen += data->values[i] =
641                audit_pack_string(&bufp,
642                          audit_tree_path(krule->tree));
643            break;
644        case AUDIT_FILTERKEY:
645            data->buflen += data->values[i] =
646                audit_pack_string(&bufp, krule->filterkey);
647            break;
648        default:
649            data->values[i] = f->val;
650        }
651    }
652    for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
653
654    return data;
655}
656
657/* Compare two rules in kernel format. Considered success if rules
658 * don't match. */
659static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
660{
661    int i;
662
663    if (a->flags != b->flags ||
664        a->listnr != b->listnr ||
665        a->action != b->action ||
666        a->field_count != b->field_count)
667        return 1;
668
669    for (i = 0; i < a->field_count; i++) {
670        if (a->fields[i].type != b->fields[i].type ||
671            a->fields[i].op != b->fields[i].op)
672            return 1;
673
674        switch(a->fields[i].type) {
675        case AUDIT_SUBJ_USER:
676        case AUDIT_SUBJ_ROLE:
677        case AUDIT_SUBJ_TYPE:
678        case AUDIT_SUBJ_SEN:
679        case AUDIT_SUBJ_CLR:
680        case AUDIT_OBJ_USER:
681        case AUDIT_OBJ_ROLE:
682        case AUDIT_OBJ_TYPE:
683        case AUDIT_OBJ_LEV_LOW:
684        case AUDIT_OBJ_LEV_HIGH:
685            if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
686                return 1;
687            break;
688        case AUDIT_WATCH:
689            if (strcmp(audit_watch_path(a->watch),
690                   audit_watch_path(b->watch)))
691                return 1;
692            break;
693        case AUDIT_DIR:
694            if (strcmp(audit_tree_path(a->tree),
695                   audit_tree_path(b->tree)))
696                return 1;
697            break;
698        case AUDIT_FILTERKEY:
699            /* both filterkeys exist based on above type compare */
700            if (strcmp(a->filterkey, b->filterkey))
701                return 1;
702            break;
703        default:
704            if (a->fields[i].val != b->fields[i].val)
705                return 1;
706        }
707    }
708
709    for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
710        if (a->mask[i] != b->mask[i])
711            return 1;
712
713    return 0;
714}
715
716/* Duplicate LSM field information. The lsm_rule is opaque, so must be
717 * re-initialized. */
718static inline int audit_dupe_lsm_field(struct audit_field *df,
719                       struct audit_field *sf)
720{
721    int ret = 0;
722    char *lsm_str;
723
724    /* our own copy of lsm_str */
725    lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
726    if (unlikely(!lsm_str))
727        return -ENOMEM;
728    df->lsm_str = lsm_str;
729
730    /* our own (refreshed) copy of lsm_rule */
731    ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
732                       (void **)&df->lsm_rule);
733    /* Keep currently invalid fields around in case they
734     * become valid after a policy reload. */
735    if (ret == -EINVAL) {
736        printk(KERN_WARNING "audit rule for LSM \'%s\' is "
737               "invalid\n", df->lsm_str);
738        ret = 0;
739    }
740
741    return ret;
742}
743
744/* Duplicate an audit rule. This will be a deep copy with the exception
745 * of the watch - that pointer is carried over. The LSM specific fields
746 * will be updated in the copy. The point is to be able to replace the old
747 * rule with the new rule in the filterlist, then free the old rule.
748 * The rlist element is undefined; list manipulations are handled apart from
749 * the initial copy. */
750struct audit_entry *audit_dupe_rule(struct audit_krule *old)
751{
752    u32 fcount = old->field_count;
753    struct audit_entry *entry;
754    struct audit_krule *new;
755    char *fk;
756    int i, err = 0;
757
758    entry = audit_init_entry(fcount);
759    if (unlikely(!entry))
760        return ERR_PTR(-ENOMEM);
761
762    new = &entry->rule;
763    new->vers_ops = old->vers_ops;
764    new->flags = old->flags;
765    new->listnr = old->listnr;
766    new->action = old->action;
767    for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
768        new->mask[i] = old->mask[i];
769    new->prio = old->prio;
770    new->buflen = old->buflen;
771    new->inode_f = old->inode_f;
772    new->field_count = old->field_count;
773
774    /*
775     * note that we are OK with not refcounting here; audit_match_tree()
776     * never dereferences tree and we can't get false positives there
777     * since we'd have to have rule gone from the list *and* removed
778     * before the chunks found by lookup had been allocated, i.e. before
779     * the beginning of list scan.
780     */
781    new->tree = old->tree;
782    memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
783
784    /* deep copy this information, updating the lsm_rule fields, because
785     * the originals will all be freed when the old rule is freed. */
786    for (i = 0; i < fcount; i++) {
787        switch (new->fields[i].type) {
788        case AUDIT_SUBJ_USER:
789        case AUDIT_SUBJ_ROLE:
790        case AUDIT_SUBJ_TYPE:
791        case AUDIT_SUBJ_SEN:
792        case AUDIT_SUBJ_CLR:
793        case AUDIT_OBJ_USER:
794        case AUDIT_OBJ_ROLE:
795        case AUDIT_OBJ_TYPE:
796        case AUDIT_OBJ_LEV_LOW:
797        case AUDIT_OBJ_LEV_HIGH:
798            err = audit_dupe_lsm_field(&new->fields[i],
799                               &old->fields[i]);
800            break;
801        case AUDIT_FILTERKEY:
802            fk = kstrdup(old->filterkey, GFP_KERNEL);
803            if (unlikely(!fk))
804                err = -ENOMEM;
805            else
806                new->filterkey = fk;
807        }
808        if (err) {
809            audit_free_rule(entry);
810            return ERR_PTR(err);
811        }
812    }
813
814    if (old->watch) {
815        audit_get_watch(old->watch);
816        new->watch = old->watch;
817    }
818
819    return entry;
820}
821
822/* Find an existing audit rule.
823 * Caller must hold audit_filter_mutex to prevent stale rule data. */
824static struct audit_entry *audit_find_rule(struct audit_entry *entry,
825                       struct list_head **p)
826{
827    struct audit_entry *e, *found = NULL;
828    struct list_head *list;
829    int h;
830
831    if (entry->rule.inode_f) {
832        h = audit_hash_ino(entry->rule.inode_f->val);
833        *p = list = &audit_inode_hash[h];
834    } else if (entry->rule.watch) {
835        /* we don't know the inode number, so must walk entire hash */
836        for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
837            list = &audit_inode_hash[h];
838            list_for_each_entry(e, list, list)
839                if (!audit_compare_rule(&entry->rule, &e->rule)) {
840                    found = e;
841                    goto out;
842                }
843        }
844        goto out;
845    } else {
846        *p = list = &audit_filter_list[entry->rule.listnr];
847    }
848
849    list_for_each_entry(e, list, list)
850        if (!audit_compare_rule(&entry->rule, &e->rule)) {
851            found = e;
852            goto out;
853        }
854
855out:
856    return found;
857}
858
859static u64 prio_low = ~0ULL/2;
860static u64 prio_high = ~0ULL/2 - 1;
861
862/* Add rule to given filterlist if not a duplicate. */
863static inline int audit_add_rule(struct audit_entry *entry)
864{
865    struct audit_entry *e;
866    struct audit_watch *watch = entry->rule.watch;
867    struct audit_tree *tree = entry->rule.tree;
868    struct list_head *list;
869    int err;
870#ifdef CONFIG_AUDITSYSCALL
871    int dont_count = 0;
872
873    /* If either of these, don't count towards total */
874    if (entry->rule.listnr == AUDIT_FILTER_USER ||
875        entry->rule.listnr == AUDIT_FILTER_TYPE)
876        dont_count = 1;
877#endif
878
879    mutex_lock(&audit_filter_mutex);
880    e = audit_find_rule(entry, &list);
881    if (e) {
882        mutex_unlock(&audit_filter_mutex);
883        err = -EEXIST;
884        /* normally audit_add_tree_rule() will free it on failure */
885        if (tree)
886            audit_put_tree(tree);
887        goto error;
888    }
889
890    if (watch) {
891        /* audit_filter_mutex is dropped and re-taken during this call */
892        err = audit_add_watch(&entry->rule, &list);
893        if (err) {
894            mutex_unlock(&audit_filter_mutex);
895            goto error;
896        }
897    }
898    if (tree) {
899        err = audit_add_tree_rule(&entry->rule);
900        if (err) {
901            mutex_unlock(&audit_filter_mutex);
902            goto error;
903        }
904    }
905
906    entry->rule.prio = ~0ULL;
907    if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
908        if (entry->rule.flags & AUDIT_FILTER_PREPEND)
909            entry->rule.prio = ++prio_high;
910        else
911            entry->rule.prio = --prio_low;
912    }
913
914    if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
915        list_add(&entry->rule.list,
916             &audit_rules_list[entry->rule.listnr]);
917        list_add_rcu(&entry->list, list);
918        entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
919    } else {
920        list_add_tail(&entry->rule.list,
921                  &audit_rules_list[entry->rule.listnr]);
922        list_add_tail_rcu(&entry->list, list);
923    }
924#ifdef CONFIG_AUDITSYSCALL
925    if (!dont_count)
926        audit_n_rules++;
927
928    if (!audit_match_signal(entry))
929        audit_signals++;
930#endif
931    mutex_unlock(&audit_filter_mutex);
932
933     return 0;
934
935error:
936    if (watch)
937        audit_put_watch(watch); /* tmp watch, matches initial get */
938    return err;
939}
940
941/* Remove an existing rule from filterlist. */
942static inline int audit_del_rule(struct audit_entry *entry)
943{
944    struct audit_entry *e;
945    struct audit_watch *watch = entry->rule.watch;
946    struct audit_tree *tree = entry->rule.tree;
947    struct list_head *list;
948    int ret = 0;
949#ifdef CONFIG_AUDITSYSCALL
950    int dont_count = 0;
951
952    /* If either of these, don't count towards total */
953    if (entry->rule.listnr == AUDIT_FILTER_USER ||
954        entry->rule.listnr == AUDIT_FILTER_TYPE)
955        dont_count = 1;
956#endif
957
958    mutex_lock(&audit_filter_mutex);
959    e = audit_find_rule(entry, &list);
960    if (!e) {
961        mutex_unlock(&audit_filter_mutex);
962        ret = -ENOENT;
963        goto out;
964    }
965
966    if (e->rule.watch)
967        audit_remove_watch_rule(&e->rule);
968
969    if (e->rule.tree)
970        audit_remove_tree_rule(&e->rule);
971
972    list_del_rcu(&e->list);
973    list_del(&e->rule.list);
974    call_rcu(&e->rcu, audit_free_rule_rcu);
975
976#ifdef CONFIG_AUDITSYSCALL
977    if (!dont_count)
978        audit_n_rules--;
979
980    if (!audit_match_signal(entry))
981        audit_signals--;
982#endif
983    mutex_unlock(&audit_filter_mutex);
984
985out:
986    if (watch)
987        audit_put_watch(watch); /* match initial get */
988    if (tree)
989        audit_put_tree(tree); /* that's the temporary one */
990
991    return ret;
992}
993
994/* List rules using struct audit_rule. Exists for backward
995 * compatibility with userspace. */
996static void audit_list(int pid, int seq, struct sk_buff_head *q)
997{
998    struct sk_buff *skb;
999    struct audit_krule *r;
1000    int i;
1001
1002    /* This is a blocking read, so use audit_filter_mutex instead of rcu
1003     * iterator to sync with list writers. */
1004    for (i=0; i<AUDIT_NR_FILTERS; i++) {
1005        list_for_each_entry(r, &audit_rules_list[i], list) {
1006            struct audit_rule *rule;
1007
1008            rule = audit_krule_to_rule(r);
1009            if (unlikely(!rule))
1010                break;
1011            skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1012                     rule, sizeof(*rule));
1013            if (skb)
1014                skb_queue_tail(q, skb);
1015            kfree(rule);
1016        }
1017    }
1018    skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1019    if (skb)
1020        skb_queue_tail(q, skb);
1021}
1022
1023/* List rules using struct audit_rule_data. */
1024static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1025{
1026    struct sk_buff *skb;
1027    struct audit_krule *r;
1028    int i;
1029
1030    /* This is a blocking read, so use audit_filter_mutex instead of rcu
1031     * iterator to sync with list writers. */
1032    for (i=0; i<AUDIT_NR_FILTERS; i++) {
1033        list_for_each_entry(r, &audit_rules_list[i], list) {
1034            struct audit_rule_data *data;
1035
1036            data = audit_krule_to_data(r);
1037            if (unlikely(!data))
1038                break;
1039            skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1040                     data, sizeof(*data) + data->buflen);
1041            if (skb)
1042                skb_queue_tail(q, skb);
1043            kfree(data);
1044        }
1045    }
1046    skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1047    if (skb)
1048        skb_queue_tail(q, skb);
1049}
1050
1051/* Log rule additions and removals */
1052static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1053                  char *action, struct audit_krule *rule,
1054                  int res)
1055{
1056    struct audit_buffer *ab;
1057
1058    if (!audit_enabled)
1059        return;
1060
1061    ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1062    if (!ab)
1063        return;
1064    audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1065    if (sid) {
1066        char *ctx = NULL;
1067        u32 len;
1068        if (security_secid_to_secctx(sid, &ctx, &len))
1069            audit_log_format(ab, " ssid=%u", sid);
1070        else {
1071            audit_log_format(ab, " subj=%s", ctx);
1072            security_release_secctx(ctx, len);
1073        }
1074    }
1075    audit_log_format(ab, " op=");
1076    audit_log_string(ab, action);
1077    audit_log_key(ab, rule->filterkey);
1078    audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1079    audit_log_end(ab);
1080}
1081
1082/**
1083 * audit_receive_filter - apply all rules to the specified message type
1084 * @type: audit message type
1085 * @pid: target pid for netlink audit messages
1086 * @uid: target uid for netlink audit messages
1087 * @seq: netlink audit message sequence (serial) number
1088 * @data: payload data
1089 * @datasz: size of payload data
1090 * @loginuid: loginuid of sender
1091 * @sessionid: sessionid for netlink audit message
1092 * @sid: SE Linux Security ID of sender
1093 */
1094int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1095             size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1096{
1097    struct task_struct *tsk;
1098    struct audit_netlink_list *dest;
1099    int err = 0;
1100    struct audit_entry *entry;
1101
1102    switch (type) {
1103    case AUDIT_LIST:
1104    case AUDIT_LIST_RULES:
1105        /* We can't just spew out the rules here because we might fill
1106         * the available socket buffer space and deadlock waiting for
1107         * auditctl to read from it... which isn't ever going to
1108         * happen if we're actually running in the context of auditctl
1109         * trying to _send_ the stuff */
1110
1111        dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1112        if (!dest)
1113            return -ENOMEM;
1114        dest->pid = pid;
1115        skb_queue_head_init(&dest->q);
1116
1117        mutex_lock(&audit_filter_mutex);
1118        if (type == AUDIT_LIST)
1119            audit_list(pid, seq, &dest->q);
1120        else
1121            audit_list_rules(pid, seq, &dest->q);
1122        mutex_unlock(&audit_filter_mutex);
1123
1124        tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1125        if (IS_ERR(tsk)) {
1126            skb_queue_purge(&dest->q);
1127            kfree(dest);
1128            err = PTR_ERR(tsk);
1129        }
1130        break;
1131    case AUDIT_ADD:
1132    case AUDIT_ADD_RULE:
1133        if (type == AUDIT_ADD)
1134            entry = audit_rule_to_entry(data);
1135        else
1136            entry = audit_data_to_entry(data, datasz);
1137        if (IS_ERR(entry))
1138            return PTR_ERR(entry);
1139
1140        err = audit_add_rule(entry);
1141        audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1142                      &entry->rule, !err);
1143
1144        if (err)
1145            audit_free_rule(entry);
1146        break;
1147    case AUDIT_DEL:
1148    case AUDIT_DEL_RULE:
1149        if (type == AUDIT_DEL)
1150            entry = audit_rule_to_entry(data);
1151        else
1152            entry = audit_data_to_entry(data, datasz);
1153        if (IS_ERR(entry))
1154            return PTR_ERR(entry);
1155
1156        err = audit_del_rule(entry);
1157        audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1158                      &entry->rule, !err);
1159
1160        audit_free_rule(entry);
1161        break;
1162    default:
1163        return -EINVAL;
1164    }
1165
1166    return err;
1167}
1168
1169int audit_comparator(u32 left, u32 op, u32 right)
1170{
1171    switch (op) {
1172    case Audit_equal:
1173        return (left == right);
1174    case Audit_not_equal:
1175        return (left != right);
1176    case Audit_lt:
1177        return (left < right);
1178    case Audit_le:
1179        return (left <= right);
1180    case Audit_gt:
1181        return (left > right);
1182    case Audit_ge:
1183        return (left >= right);
1184    case Audit_bitmask:
1185        return (left & right);
1186    case Audit_bittest:
1187        return ((left & right) == right);
1188    default:
1189        BUG();
1190        return 0;
1191    }
1192}
1193
1194/* Compare given dentry name with last component in given path,
1195 * return of 0 indicates a match. */
1196int audit_compare_dname_path(const char *dname, const char *path,
1197                 int *dirlen)
1198{
1199    int dlen, plen;
1200    const char *p;
1201
1202    if (!dname || !path)
1203        return 1;
1204
1205    dlen = strlen(dname);
1206    plen = strlen(path);
1207    if (plen < dlen)
1208        return 1;
1209
1210    /* disregard trailing slashes */
1211    p = path + plen - 1;
1212    while ((*p == '/') && (p > path))
1213        p--;
1214
1215    /* find last path component */
1216    p = p - dlen + 1;
1217    if (p < path)
1218        return 1;
1219    else if (p > path) {
1220        if (*--p != '/')
1221            return 1;
1222        else
1223            p++;
1224    }
1225
1226    /* return length of path's directory component */
1227    if (dirlen)
1228        *dirlen = p - path;
1229    return strncmp(p, dname, dlen);
1230}
1231
1232static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1233                   struct audit_krule *rule,
1234                   enum audit_state *state)
1235{
1236    int i;
1237
1238    for (i = 0; i < rule->field_count; i++) {
1239        struct audit_field *f = &rule->fields[i];
1240        int result = 0;
1241        u32 sid;
1242
1243        switch (f->type) {
1244        case AUDIT_PID:
1245            result = audit_comparator(cb->creds.pid, f->op, f->val);
1246            break;
1247        case AUDIT_UID:
1248            result = audit_comparator(cb->creds.uid, f->op, f->val);
1249            break;
1250        case AUDIT_GID:
1251            result = audit_comparator(cb->creds.gid, f->op, f->val);
1252            break;
1253        case AUDIT_LOGINUID:
1254            result = audit_comparator(audit_get_loginuid(current),
1255                          f->op, f->val);
1256            break;
1257        case AUDIT_SUBJ_USER:
1258        case AUDIT_SUBJ_ROLE:
1259        case AUDIT_SUBJ_TYPE:
1260        case AUDIT_SUBJ_SEN:
1261        case AUDIT_SUBJ_CLR:
1262            if (f->lsm_rule) {
1263                security_task_getsecid(current, &sid);
1264                result = security_audit_rule_match(sid,
1265                                   f->type,
1266                                   f->op,
1267                                   f->lsm_rule,
1268                                   NULL);
1269            }
1270            break;
1271        }
1272
1273        if (!result)
1274            return 0;
1275    }
1276    switch (rule->action) {
1277    case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
1278    case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
1279    }
1280    return 1;
1281}
1282
1283int audit_filter_user(struct netlink_skb_parms *cb)
1284{
1285    enum audit_state state = AUDIT_DISABLED;
1286    struct audit_entry *e;
1287    int ret = 1;
1288
1289    rcu_read_lock();
1290    list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1291        if (audit_filter_user_rules(cb, &e->rule, &state)) {
1292            if (state == AUDIT_DISABLED)
1293                ret = 0;
1294            break;
1295        }
1296    }
1297    rcu_read_unlock();
1298
1299    return ret; /* Audit by default */
1300}
1301
1302int audit_filter_type(int type)
1303{
1304    struct audit_entry *e;
1305    int result = 0;
1306
1307    rcu_read_lock();
1308    if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1309        goto unlock_and_return;
1310
1311    list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1312                list) {
1313        int i;
1314        for (i = 0; i < e->rule.field_count; i++) {
1315            struct audit_field *f = &e->rule.fields[i];
1316            if (f->type == AUDIT_MSGTYPE) {
1317                result = audit_comparator(type, f->op, f->val);
1318                if (!result)
1319                    break;
1320            }
1321        }
1322        if (result)
1323            goto unlock_and_return;
1324    }
1325unlock_and_return:
1326    rcu_read_unlock();
1327    return result;
1328}
1329
1330static int update_lsm_rule(struct audit_krule *r)
1331{
1332    struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1333    struct audit_entry *nentry;
1334    int err = 0;
1335
1336    if (!security_audit_rule_known(r))
1337        return 0;
1338
1339    nentry = audit_dupe_rule(r);
1340    if (IS_ERR(nentry)) {
1341        /* save the first error encountered for the
1342         * return value */
1343        err = PTR_ERR(nentry);
1344        audit_panic("error updating LSM filters");
1345        if (r->watch)
1346            list_del(&r->rlist);
1347        list_del_rcu(&entry->list);
1348        list_del(&r->list);
1349    } else {
1350        if (r->watch || r->tree)
1351            list_replace_init(&r->rlist, &nentry->rule.rlist);
1352        list_replace_rcu(&entry->list, &nentry->list);
1353        list_replace(&r->list, &nentry->rule.list);
1354    }
1355    call_rcu(&entry->rcu, audit_free_rule_rcu);
1356
1357    return err;
1358}
1359
1360/* This function will re-initialize the lsm_rule field of all applicable rules.
1361 * It will traverse the filter lists serarching for rules that contain LSM
1362 * specific filter fields. When such a rule is found, it is copied, the
1363 * LSM field is re-initialized, and the old rule is replaced with the
1364 * updated rule. */
1365int audit_update_lsm_rules(void)
1366{
1367    struct audit_krule *r, *n;
1368    int i, err = 0;
1369
1370    /* audit_filter_mutex synchronizes the writers */
1371    mutex_lock(&audit_filter_mutex);
1372
1373    for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1374        list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1375            int res = update_lsm_rule(r);
1376            if (!err)
1377                err = res;
1378        }
1379    }
1380    mutex_unlock(&audit_filter_mutex);
1381
1382    return err;
1383}
1384

Archive Download this file



interactive