Root/kernel/auditfilter.c

1/* auditfilter.c -- filtering of audit events
2 *
3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */
21
22#include <linux/kernel.h>
23#include <linux/audit.h>
24#include <linux/kthread.h>
25#include <linux/mutex.h>
26#include <linux/fs.h>
27#include <linux/namei.h>
28#include <linux/netlink.h>
29#include <linux/sched.h>
30#include <linux/slab.h>
31#include <linux/security.h>
32#include "audit.h"
33
34/*
35 * Locking model:
36 *
37 * audit_filter_mutex:
38 * Synchronizes writes and blocking reads of audit's filterlist
39 * data. Rcu is used to traverse the filterlist and access
40 * contents of structs audit_entry, audit_watch and opaque
41 * LSM rules during filtering. If modified, these structures
42 * must be copied and replace their counterparts in the filterlist.
43 * An audit_parent struct is not accessed during filtering, so may
44 * be written directly provided audit_filter_mutex is held.
45 */
46
47/* Audit filter lists, defined in <linux/audit.h> */
48struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
49    LIST_HEAD_INIT(audit_filter_list[0]),
50    LIST_HEAD_INIT(audit_filter_list[1]),
51    LIST_HEAD_INIT(audit_filter_list[2]),
52    LIST_HEAD_INIT(audit_filter_list[3]),
53    LIST_HEAD_INIT(audit_filter_list[4]),
54    LIST_HEAD_INIT(audit_filter_list[5]),
55#if AUDIT_NR_FILTERS != 6
56#error Fix audit_filter_list initialiser
57#endif
58};
59static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
60    LIST_HEAD_INIT(audit_rules_list[0]),
61    LIST_HEAD_INIT(audit_rules_list[1]),
62    LIST_HEAD_INIT(audit_rules_list[2]),
63    LIST_HEAD_INIT(audit_rules_list[3]),
64    LIST_HEAD_INIT(audit_rules_list[4]),
65    LIST_HEAD_INIT(audit_rules_list[5]),
66};
67
68DEFINE_MUTEX(audit_filter_mutex);
69
70static inline void audit_free_rule(struct audit_entry *e)
71{
72    int i;
73    struct audit_krule *erule = &e->rule;
74
75    /* some rules don't have associated watches */
76    if (erule->watch)
77        audit_put_watch(erule->watch);
78    if (erule->fields)
79        for (i = 0; i < erule->field_count; i++) {
80            struct audit_field *f = &erule->fields[i];
81            kfree(f->lsm_str);
82            security_audit_rule_free(f->lsm_rule);
83        }
84    kfree(erule->fields);
85    kfree(erule->filterkey);
86    kfree(e);
87}
88
89void audit_free_rule_rcu(struct rcu_head *head)
90{
91    struct audit_entry *e = container_of(head, struct audit_entry, rcu);
92    audit_free_rule(e);
93}
94
95/* Initialize an audit filterlist entry. */
96static inline struct audit_entry *audit_init_entry(u32 field_count)
97{
98    struct audit_entry *entry;
99    struct audit_field *fields;
100
101    entry = kzalloc(sizeof(*entry), GFP_KERNEL);
102    if (unlikely(!entry))
103        return NULL;
104
105    fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
106    if (unlikely(!fields)) {
107        kfree(entry);
108        return NULL;
109    }
110    entry->rule.fields = fields;
111
112    return entry;
113}
114
115/* Unpack a filter field's string representation from user-space
116 * buffer. */
117char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
118{
119    char *str;
120
121    if (!*bufp || (len == 0) || (len > *remain))
122        return ERR_PTR(-EINVAL);
123
124    /* Of the currently implemented string fields, PATH_MAX
125     * defines the longest valid length.
126     */
127    if (len > PATH_MAX)
128        return ERR_PTR(-ENAMETOOLONG);
129
130    str = kmalloc(len + 1, GFP_KERNEL);
131    if (unlikely(!str))
132        return ERR_PTR(-ENOMEM);
133
134    memcpy(str, *bufp, len);
135    str[len] = 0;
136    *bufp += len;
137    *remain -= len;
138
139    return str;
140}
141
142/* Translate an inode field to kernel respresentation. */
143static inline int audit_to_inode(struct audit_krule *krule,
144                 struct audit_field *f)
145{
146    if (krule->listnr != AUDIT_FILTER_EXIT ||
147        krule->watch || krule->inode_f || krule->tree ||
148        (f->op != Audit_equal && f->op != Audit_not_equal))
149        return -EINVAL;
150
151    krule->inode_f = f;
152    return 0;
153}
154
155static __u32 *classes[AUDIT_SYSCALL_CLASSES];
156
157int __init audit_register_class(int class, unsigned *list)
158{
159    __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
160    if (!p)
161        return -ENOMEM;
162    while (*list != ~0U) {
163        unsigned n = *list++;
164        if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
165            kfree(p);
166            return -EINVAL;
167        }
168        p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
169    }
170    if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
171        kfree(p);
172        return -EINVAL;
173    }
174    classes[class] = p;
175    return 0;
176}
177
178int audit_match_class(int class, unsigned syscall)
179{
180    if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
181        return 0;
182    if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
183        return 0;
184    return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
185}
186
187#ifdef CONFIG_AUDITSYSCALL
188static inline int audit_match_class_bits(int class, u32 *mask)
189{
190    int i;
191
192    if (classes[class]) {
193        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
194            if (mask[i] & classes[class][i])
195                return 0;
196    }
197    return 1;
198}
199
200static int audit_match_signal(struct audit_entry *entry)
201{
202    struct audit_field *arch = entry->rule.arch_f;
203
204    if (!arch) {
205        /* When arch is unspecified, we must check both masks on biarch
206         * as syscall number alone is ambiguous. */
207        return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
208                           entry->rule.mask) &&
209            audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
210                           entry->rule.mask));
211    }
212
213    switch(audit_classify_arch(arch->val)) {
214    case 0: /* native */
215        return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
216                           entry->rule.mask));
217    case 1: /* 32bit on biarch */
218        return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
219                           entry->rule.mask));
220    default:
221        return 1;
222    }
223}
224#endif
225
226/* Common user-space to kernel rule translation. */
227static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
228{
229    unsigned listnr;
230    struct audit_entry *entry;
231    int i, err;
232
233    err = -EINVAL;
234    listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
235    switch(listnr) {
236    default:
237        goto exit_err;
238#ifdef CONFIG_AUDITSYSCALL
239    case AUDIT_FILTER_ENTRY:
240        if (rule->action == AUDIT_ALWAYS)
241            goto exit_err;
242    case AUDIT_FILTER_EXIT:
243    case AUDIT_FILTER_TASK:
244#endif
245    case AUDIT_FILTER_USER:
246    case AUDIT_FILTER_TYPE:
247        ;
248    }
249    if (unlikely(rule->action == AUDIT_POSSIBLE)) {
250        printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
251        goto exit_err;
252    }
253    if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
254        goto exit_err;
255    if (rule->field_count > AUDIT_MAX_FIELDS)
256        goto exit_err;
257
258    err = -ENOMEM;
259    entry = audit_init_entry(rule->field_count);
260    if (!entry)
261        goto exit_err;
262
263    entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
264    entry->rule.listnr = listnr;
265    entry->rule.action = rule->action;
266    entry->rule.field_count = rule->field_count;
267
268    for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
269        entry->rule.mask[i] = rule->mask[i];
270
271    for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
272        int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
273        __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
274        __u32 *class;
275
276        if (!(*p & AUDIT_BIT(bit)))
277            continue;
278        *p &= ~AUDIT_BIT(bit);
279        class = classes[i];
280        if (class) {
281            int j;
282            for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
283                entry->rule.mask[j] |= class[j];
284        }
285    }
286
287    return entry;
288
289exit_err:
290    return ERR_PTR(err);
291}
292
293static u32 audit_ops[] =
294{
295    [Audit_equal] = AUDIT_EQUAL,
296    [Audit_not_equal] = AUDIT_NOT_EQUAL,
297    [Audit_bitmask] = AUDIT_BIT_MASK,
298    [Audit_bittest] = AUDIT_BIT_TEST,
299    [Audit_lt] = AUDIT_LESS_THAN,
300    [Audit_gt] = AUDIT_GREATER_THAN,
301    [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
302    [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
303};
304
305static u32 audit_to_op(u32 op)
306{
307    u32 n;
308    for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
309        ;
310    return n;
311}
312
313
314/* Translate struct audit_rule to kernel's rule respresentation.
315 * Exists for backward compatibility with userspace. */
316static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
317{
318    struct audit_entry *entry;
319    int err = 0;
320    int i;
321
322    entry = audit_to_entry_common(rule);
323    if (IS_ERR(entry))
324        goto exit_nofree;
325
326    for (i = 0; i < rule->field_count; i++) {
327        struct audit_field *f = &entry->rule.fields[i];
328        u32 n;
329
330        n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
331
332        /* Support for legacy operators where
333         * AUDIT_NEGATE bit signifies != and otherwise assumes == */
334        if (n & AUDIT_NEGATE)
335            f->op = Audit_not_equal;
336        else if (!n)
337            f->op = Audit_equal;
338        else
339            f->op = audit_to_op(n);
340
341        entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
342
343        f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
344        f->val = rule->values[i];
345
346        err = -EINVAL;
347        if (f->op == Audit_bad)
348            goto exit_free;
349
350        switch(f->type) {
351        default:
352            goto exit_free;
353        case AUDIT_PID:
354        case AUDIT_UID:
355        case AUDIT_EUID:
356        case AUDIT_SUID:
357        case AUDIT_FSUID:
358        case AUDIT_GID:
359        case AUDIT_EGID:
360        case AUDIT_SGID:
361        case AUDIT_FSGID:
362        case AUDIT_LOGINUID:
363        case AUDIT_PERS:
364        case AUDIT_MSGTYPE:
365        case AUDIT_PPID:
366        case AUDIT_DEVMAJOR:
367        case AUDIT_DEVMINOR:
368        case AUDIT_EXIT:
369        case AUDIT_SUCCESS:
370            /* bit ops are only useful on syscall args */
371            if (f->op == Audit_bitmask || f->op == Audit_bittest)
372                goto exit_free;
373            break;
374        case AUDIT_ARG0:
375        case AUDIT_ARG1:
376        case AUDIT_ARG2:
377        case AUDIT_ARG3:
378            break;
379        /* arch is only allowed to be = or != */
380        case AUDIT_ARCH:
381            if (f->op != Audit_not_equal && f->op != Audit_equal)
382                goto exit_free;
383            entry->rule.arch_f = f;
384            break;
385        case AUDIT_PERM:
386            if (f->val & ~15)
387                goto exit_free;
388            break;
389        case AUDIT_FILETYPE:
390            if (f->val & ~S_IFMT)
391                goto exit_free;
392            break;
393        case AUDIT_INODE:
394            err = audit_to_inode(&entry->rule, f);
395            if (err)
396                goto exit_free;
397            break;
398        }
399    }
400
401    if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
402        entry->rule.inode_f = NULL;
403
404exit_nofree:
405    return entry;
406
407exit_free:
408    audit_free_rule(entry);
409    return ERR_PTR(err);
410}
411
412/* Translate struct audit_rule_data to kernel's rule respresentation. */
413static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
414                           size_t datasz)
415{
416    int err = 0;
417    struct audit_entry *entry;
418    void *bufp;
419    size_t remain = datasz - sizeof(struct audit_rule_data);
420    int i;
421    char *str;
422
423    entry = audit_to_entry_common((struct audit_rule *)data);
424    if (IS_ERR(entry))
425        goto exit_nofree;
426
427    bufp = data->buf;
428    entry->rule.vers_ops = 2;
429    for (i = 0; i < data->field_count; i++) {
430        struct audit_field *f = &entry->rule.fields[i];
431
432        err = -EINVAL;
433
434        f->op = audit_to_op(data->fieldflags[i]);
435        if (f->op == Audit_bad)
436            goto exit_free;
437
438        f->type = data->fields[i];
439        f->val = data->values[i];
440        f->lsm_str = NULL;
441        f->lsm_rule = NULL;
442        switch(f->type) {
443        case AUDIT_PID:
444        case AUDIT_UID:
445        case AUDIT_EUID:
446        case AUDIT_SUID:
447        case AUDIT_FSUID:
448        case AUDIT_GID:
449        case AUDIT_EGID:
450        case AUDIT_SGID:
451        case AUDIT_FSGID:
452        case AUDIT_LOGINUID:
453        case AUDIT_PERS:
454        case AUDIT_MSGTYPE:
455        case AUDIT_PPID:
456        case AUDIT_DEVMAJOR:
457        case AUDIT_DEVMINOR:
458        case AUDIT_EXIT:
459        case AUDIT_SUCCESS:
460        case AUDIT_ARG0:
461        case AUDIT_ARG1:
462        case AUDIT_ARG2:
463        case AUDIT_ARG3:
464        case AUDIT_OBJ_UID:
465        case AUDIT_OBJ_GID:
466            break;
467        case AUDIT_ARCH:
468            entry->rule.arch_f = f;
469            break;
470        case AUDIT_SUBJ_USER:
471        case AUDIT_SUBJ_ROLE:
472        case AUDIT_SUBJ_TYPE:
473        case AUDIT_SUBJ_SEN:
474        case AUDIT_SUBJ_CLR:
475        case AUDIT_OBJ_USER:
476        case AUDIT_OBJ_ROLE:
477        case AUDIT_OBJ_TYPE:
478        case AUDIT_OBJ_LEV_LOW:
479        case AUDIT_OBJ_LEV_HIGH:
480            str = audit_unpack_string(&bufp, &remain, f->val);
481            if (IS_ERR(str))
482                goto exit_free;
483            entry->rule.buflen += f->val;
484
485            err = security_audit_rule_init(f->type, f->op, str,
486                               (void **)&f->lsm_rule);
487            /* Keep currently invalid fields around in case they
488             * become valid after a policy reload. */
489            if (err == -EINVAL) {
490                printk(KERN_WARNING "audit rule for LSM "
491                       "\'%s\' is invalid\n", str);
492                err = 0;
493            }
494            if (err) {
495                kfree(str);
496                goto exit_free;
497            } else
498                f->lsm_str = str;
499            break;
500        case AUDIT_WATCH:
501            str = audit_unpack_string(&bufp, &remain, f->val);
502            if (IS_ERR(str))
503                goto exit_free;
504            entry->rule.buflen += f->val;
505
506            err = audit_to_watch(&entry->rule, str, f->val, f->op);
507            if (err) {
508                kfree(str);
509                goto exit_free;
510            }
511            break;
512        case AUDIT_DIR:
513            str = audit_unpack_string(&bufp, &remain, f->val);
514            if (IS_ERR(str))
515                goto exit_free;
516            entry->rule.buflen += f->val;
517
518            err = audit_make_tree(&entry->rule, str, f->op);
519            kfree(str);
520            if (err)
521                goto exit_free;
522            break;
523        case AUDIT_INODE:
524            err = audit_to_inode(&entry->rule, f);
525            if (err)
526                goto exit_free;
527            break;
528        case AUDIT_FILTERKEY:
529            if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
530                goto exit_free;
531            str = audit_unpack_string(&bufp, &remain, f->val);
532            if (IS_ERR(str))
533                goto exit_free;
534            entry->rule.buflen += f->val;
535            entry->rule.filterkey = str;
536            break;
537        case AUDIT_PERM:
538            if (f->val & ~15)
539                goto exit_free;
540            break;
541        case AUDIT_FILETYPE:
542            if (f->val & ~S_IFMT)
543                goto exit_free;
544            break;
545        case AUDIT_FIELD_COMPARE:
546            if (f->val > AUDIT_MAX_FIELD_COMPARE)
547                goto exit_free;
548            break;
549        default:
550            goto exit_free;
551        }
552    }
553
554    if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
555        entry->rule.inode_f = NULL;
556
557exit_nofree:
558    return entry;
559
560exit_free:
561    audit_free_rule(entry);
562    return ERR_PTR(err);
563}
564
565/* Pack a filter field's string representation into data block. */
566static inline size_t audit_pack_string(void **bufp, const char *str)
567{
568    size_t len = strlen(str);
569
570    memcpy(*bufp, str, len);
571    *bufp += len;
572
573    return len;
574}
575
576/* Translate kernel rule respresentation to struct audit_rule.
577 * Exists for backward compatibility with userspace. */
578static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
579{
580    struct audit_rule *rule;
581    int i;
582
583    rule = kzalloc(sizeof(*rule), GFP_KERNEL);
584    if (unlikely(!rule))
585        return NULL;
586
587    rule->flags = krule->flags | krule->listnr;
588    rule->action = krule->action;
589    rule->field_count = krule->field_count;
590    for (i = 0; i < rule->field_count; i++) {
591        rule->values[i] = krule->fields[i].val;
592        rule->fields[i] = krule->fields[i].type;
593
594        if (krule->vers_ops == 1) {
595            if (krule->fields[i].op == Audit_not_equal)
596                rule->fields[i] |= AUDIT_NEGATE;
597        } else {
598            rule->fields[i] |= audit_ops[krule->fields[i].op];
599        }
600    }
601    for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
602
603    return rule;
604}
605
606/* Translate kernel rule respresentation to struct audit_rule_data. */
607static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
608{
609    struct audit_rule_data *data;
610    void *bufp;
611    int i;
612
613    data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
614    if (unlikely(!data))
615        return NULL;
616    memset(data, 0, sizeof(*data));
617
618    data->flags = krule->flags | krule->listnr;
619    data->action = krule->action;
620    data->field_count = krule->field_count;
621    bufp = data->buf;
622    for (i = 0; i < data->field_count; i++) {
623        struct audit_field *f = &krule->fields[i];
624
625        data->fields[i] = f->type;
626        data->fieldflags[i] = audit_ops[f->op];
627        switch(f->type) {
628        case AUDIT_SUBJ_USER:
629        case AUDIT_SUBJ_ROLE:
630        case AUDIT_SUBJ_TYPE:
631        case AUDIT_SUBJ_SEN:
632        case AUDIT_SUBJ_CLR:
633        case AUDIT_OBJ_USER:
634        case AUDIT_OBJ_ROLE:
635        case AUDIT_OBJ_TYPE:
636        case AUDIT_OBJ_LEV_LOW:
637        case AUDIT_OBJ_LEV_HIGH:
638            data->buflen += data->values[i] =
639                audit_pack_string(&bufp, f->lsm_str);
640            break;
641        case AUDIT_WATCH:
642            data->buflen += data->values[i] =
643                audit_pack_string(&bufp,
644                          audit_watch_path(krule->watch));
645            break;
646        case AUDIT_DIR:
647            data->buflen += data->values[i] =
648                audit_pack_string(&bufp,
649                          audit_tree_path(krule->tree));
650            break;
651        case AUDIT_FILTERKEY:
652            data->buflen += data->values[i] =
653                audit_pack_string(&bufp, krule->filterkey);
654            break;
655        default:
656            data->values[i] = f->val;
657        }
658    }
659    for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
660
661    return data;
662}
663
664/* Compare two rules in kernel format. Considered success if rules
665 * don't match. */
666static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
667{
668    int i;
669
670    if (a->flags != b->flags ||
671        a->listnr != b->listnr ||
672        a->action != b->action ||
673        a->field_count != b->field_count)
674        return 1;
675
676    for (i = 0; i < a->field_count; i++) {
677        if (a->fields[i].type != b->fields[i].type ||
678            a->fields[i].op != b->fields[i].op)
679            return 1;
680
681        switch(a->fields[i].type) {
682        case AUDIT_SUBJ_USER:
683        case AUDIT_SUBJ_ROLE:
684        case AUDIT_SUBJ_TYPE:
685        case AUDIT_SUBJ_SEN:
686        case AUDIT_SUBJ_CLR:
687        case AUDIT_OBJ_USER:
688        case AUDIT_OBJ_ROLE:
689        case AUDIT_OBJ_TYPE:
690        case AUDIT_OBJ_LEV_LOW:
691        case AUDIT_OBJ_LEV_HIGH:
692            if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
693                return 1;
694            break;
695        case AUDIT_WATCH:
696            if (strcmp(audit_watch_path(a->watch),
697                   audit_watch_path(b->watch)))
698                return 1;
699            break;
700        case AUDIT_DIR:
701            if (strcmp(audit_tree_path(a->tree),
702                   audit_tree_path(b->tree)))
703                return 1;
704            break;
705        case AUDIT_FILTERKEY:
706            /* both filterkeys exist based on above type compare */
707            if (strcmp(a->filterkey, b->filterkey))
708                return 1;
709            break;
710        default:
711            if (a->fields[i].val != b->fields[i].val)
712                return 1;
713        }
714    }
715
716    for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
717        if (a->mask[i] != b->mask[i])
718            return 1;
719
720    return 0;
721}
722
723/* Duplicate LSM field information. The lsm_rule is opaque, so must be
724 * re-initialized. */
725static inline int audit_dupe_lsm_field(struct audit_field *df,
726                       struct audit_field *sf)
727{
728    int ret = 0;
729    char *lsm_str;
730
731    /* our own copy of lsm_str */
732    lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
733    if (unlikely(!lsm_str))
734        return -ENOMEM;
735    df->lsm_str = lsm_str;
736
737    /* our own (refreshed) copy of lsm_rule */
738    ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
739                       (void **)&df->lsm_rule);
740    /* Keep currently invalid fields around in case they
741     * become valid after a policy reload. */
742    if (ret == -EINVAL) {
743        printk(KERN_WARNING "audit rule for LSM \'%s\' is "
744               "invalid\n", df->lsm_str);
745        ret = 0;
746    }
747
748    return ret;
749}
750
751/* Duplicate an audit rule. This will be a deep copy with the exception
752 * of the watch - that pointer is carried over. The LSM specific fields
753 * will be updated in the copy. The point is to be able to replace the old
754 * rule with the new rule in the filterlist, then free the old rule.
755 * The rlist element is undefined; list manipulations are handled apart from
756 * the initial copy. */
757struct audit_entry *audit_dupe_rule(struct audit_krule *old)
758{
759    u32 fcount = old->field_count;
760    struct audit_entry *entry;
761    struct audit_krule *new;
762    char *fk;
763    int i, err = 0;
764
765    entry = audit_init_entry(fcount);
766    if (unlikely(!entry))
767        return ERR_PTR(-ENOMEM);
768
769    new = &entry->rule;
770    new->vers_ops = old->vers_ops;
771    new->flags = old->flags;
772    new->listnr = old->listnr;
773    new->action = old->action;
774    for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
775        new->mask[i] = old->mask[i];
776    new->prio = old->prio;
777    new->buflen = old->buflen;
778    new->inode_f = old->inode_f;
779    new->field_count = old->field_count;
780
781    /*
782     * note that we are OK with not refcounting here; audit_match_tree()
783     * never dereferences tree and we can't get false positives there
784     * since we'd have to have rule gone from the list *and* removed
785     * before the chunks found by lookup had been allocated, i.e. before
786     * the beginning of list scan.
787     */
788    new->tree = old->tree;
789    memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
790
791    /* deep copy this information, updating the lsm_rule fields, because
792     * the originals will all be freed when the old rule is freed. */
793    for (i = 0; i < fcount; i++) {
794        switch (new->fields[i].type) {
795        case AUDIT_SUBJ_USER:
796        case AUDIT_SUBJ_ROLE:
797        case AUDIT_SUBJ_TYPE:
798        case AUDIT_SUBJ_SEN:
799        case AUDIT_SUBJ_CLR:
800        case AUDIT_OBJ_USER:
801        case AUDIT_OBJ_ROLE:
802        case AUDIT_OBJ_TYPE:
803        case AUDIT_OBJ_LEV_LOW:
804        case AUDIT_OBJ_LEV_HIGH:
805            err = audit_dupe_lsm_field(&new->fields[i],
806                               &old->fields[i]);
807            break;
808        case AUDIT_FILTERKEY:
809            fk = kstrdup(old->filterkey, GFP_KERNEL);
810            if (unlikely(!fk))
811                err = -ENOMEM;
812            else
813                new->filterkey = fk;
814        }
815        if (err) {
816            audit_free_rule(entry);
817            return ERR_PTR(err);
818        }
819    }
820
821    if (old->watch) {
822        audit_get_watch(old->watch);
823        new->watch = old->watch;
824    }
825
826    return entry;
827}
828
829/* Find an existing audit rule.
830 * Caller must hold audit_filter_mutex to prevent stale rule data. */
831static struct audit_entry *audit_find_rule(struct audit_entry *entry,
832                       struct list_head **p)
833{
834    struct audit_entry *e, *found = NULL;
835    struct list_head *list;
836    int h;
837
838    if (entry->rule.inode_f) {
839        h = audit_hash_ino(entry->rule.inode_f->val);
840        *p = list = &audit_inode_hash[h];
841    } else if (entry->rule.watch) {
842        /* we don't know the inode number, so must walk entire hash */
843        for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
844            list = &audit_inode_hash[h];
845            list_for_each_entry(e, list, list)
846                if (!audit_compare_rule(&entry->rule, &e->rule)) {
847                    found = e;
848                    goto out;
849                }
850        }
851        goto out;
852    } else {
853        *p = list = &audit_filter_list[entry->rule.listnr];
854    }
855
856    list_for_each_entry(e, list, list)
857        if (!audit_compare_rule(&entry->rule, &e->rule)) {
858            found = e;
859            goto out;
860        }
861
862out:
863    return found;
864}
865
866static u64 prio_low = ~0ULL/2;
867static u64 prio_high = ~0ULL/2 - 1;
868
869/* Add rule to given filterlist if not a duplicate. */
870static inline int audit_add_rule(struct audit_entry *entry)
871{
872    struct audit_entry *e;
873    struct audit_watch *watch = entry->rule.watch;
874    struct audit_tree *tree = entry->rule.tree;
875    struct list_head *list;
876    int err;
877#ifdef CONFIG_AUDITSYSCALL
878    int dont_count = 0;
879
880    /* If either of these, don't count towards total */
881    if (entry->rule.listnr == AUDIT_FILTER_USER ||
882        entry->rule.listnr == AUDIT_FILTER_TYPE)
883        dont_count = 1;
884#endif
885
886    mutex_lock(&audit_filter_mutex);
887    e = audit_find_rule(entry, &list);
888    if (e) {
889        mutex_unlock(&audit_filter_mutex);
890        err = -EEXIST;
891        /* normally audit_add_tree_rule() will free it on failure */
892        if (tree)
893            audit_put_tree(tree);
894        goto error;
895    }
896
897    if (watch) {
898        /* audit_filter_mutex is dropped and re-taken during this call */
899        err = audit_add_watch(&entry->rule, &list);
900        if (err) {
901            mutex_unlock(&audit_filter_mutex);
902            goto error;
903        }
904    }
905    if (tree) {
906        err = audit_add_tree_rule(&entry->rule);
907        if (err) {
908            mutex_unlock(&audit_filter_mutex);
909            goto error;
910        }
911    }
912
913    entry->rule.prio = ~0ULL;
914    if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
915        if (entry->rule.flags & AUDIT_FILTER_PREPEND)
916            entry->rule.prio = ++prio_high;
917        else
918            entry->rule.prio = --prio_low;
919    }
920
921    if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
922        list_add(&entry->rule.list,
923             &audit_rules_list[entry->rule.listnr]);
924        list_add_rcu(&entry->list, list);
925        entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
926    } else {
927        list_add_tail(&entry->rule.list,
928                  &audit_rules_list[entry->rule.listnr]);
929        list_add_tail_rcu(&entry->list, list);
930    }
931#ifdef CONFIG_AUDITSYSCALL
932    if (!dont_count)
933        audit_n_rules++;
934
935    if (!audit_match_signal(entry))
936        audit_signals++;
937#endif
938    mutex_unlock(&audit_filter_mutex);
939
940     return 0;
941
942error:
943    if (watch)
944        audit_put_watch(watch); /* tmp watch, matches initial get */
945    return err;
946}
947
948/* Remove an existing rule from filterlist. */
949static inline int audit_del_rule(struct audit_entry *entry)
950{
951    struct audit_entry *e;
952    struct audit_watch *watch = entry->rule.watch;
953    struct audit_tree *tree = entry->rule.tree;
954    struct list_head *list;
955    int ret = 0;
956#ifdef CONFIG_AUDITSYSCALL
957    int dont_count = 0;
958
959    /* If either of these, don't count towards total */
960    if (entry->rule.listnr == AUDIT_FILTER_USER ||
961        entry->rule.listnr == AUDIT_FILTER_TYPE)
962        dont_count = 1;
963#endif
964
965    mutex_lock(&audit_filter_mutex);
966    e = audit_find_rule(entry, &list);
967    if (!e) {
968        mutex_unlock(&audit_filter_mutex);
969        ret = -ENOENT;
970        goto out;
971    }
972
973    if (e->rule.watch)
974        audit_remove_watch_rule(&e->rule);
975
976    if (e->rule.tree)
977        audit_remove_tree_rule(&e->rule);
978
979    list_del_rcu(&e->list);
980    list_del(&e->rule.list);
981    call_rcu(&e->rcu, audit_free_rule_rcu);
982
983#ifdef CONFIG_AUDITSYSCALL
984    if (!dont_count)
985        audit_n_rules--;
986
987    if (!audit_match_signal(entry))
988        audit_signals--;
989#endif
990    mutex_unlock(&audit_filter_mutex);
991
992out:
993    if (watch)
994        audit_put_watch(watch); /* match initial get */
995    if (tree)
996        audit_put_tree(tree); /* that's the temporary one */
997
998    return ret;
999}
1000
1001/* List rules using struct audit_rule. Exists for backward
1002 * compatibility with userspace. */
1003static void audit_list(int pid, int seq, struct sk_buff_head *q)
1004{
1005    struct sk_buff *skb;
1006    struct audit_krule *r;
1007    int i;
1008
1009    /* This is a blocking read, so use audit_filter_mutex instead of rcu
1010     * iterator to sync with list writers. */
1011    for (i=0; i<AUDIT_NR_FILTERS; i++) {
1012        list_for_each_entry(r, &audit_rules_list[i], list) {
1013            struct audit_rule *rule;
1014
1015            rule = audit_krule_to_rule(r);
1016            if (unlikely(!rule))
1017                break;
1018            skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1019                     rule, sizeof(*rule));
1020            if (skb)
1021                skb_queue_tail(q, skb);
1022            kfree(rule);
1023        }
1024    }
1025    skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1026    if (skb)
1027        skb_queue_tail(q, skb);
1028}
1029
1030/* List rules using struct audit_rule_data. */
1031static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1032{
1033    struct sk_buff *skb;
1034    struct audit_krule *r;
1035    int i;
1036
1037    /* This is a blocking read, so use audit_filter_mutex instead of rcu
1038     * iterator to sync with list writers. */
1039    for (i=0; i<AUDIT_NR_FILTERS; i++) {
1040        list_for_each_entry(r, &audit_rules_list[i], list) {
1041            struct audit_rule_data *data;
1042
1043            data = audit_krule_to_data(r);
1044            if (unlikely(!data))
1045                break;
1046            skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1047                     data, sizeof(*data) + data->buflen);
1048            if (skb)
1049                skb_queue_tail(q, skb);
1050            kfree(data);
1051        }
1052    }
1053    skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1054    if (skb)
1055        skb_queue_tail(q, skb);
1056}
1057
1058/* Log rule additions and removals */
1059static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1060                  char *action, struct audit_krule *rule,
1061                  int res)
1062{
1063    struct audit_buffer *ab;
1064
1065    if (!audit_enabled)
1066        return;
1067
1068    ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1069    if (!ab)
1070        return;
1071    audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1072    if (sid) {
1073        char *ctx = NULL;
1074        u32 len;
1075        if (security_secid_to_secctx(sid, &ctx, &len))
1076            audit_log_format(ab, " ssid=%u", sid);
1077        else {
1078            audit_log_format(ab, " subj=%s", ctx);
1079            security_release_secctx(ctx, len);
1080        }
1081    }
1082    audit_log_format(ab, " op=");
1083    audit_log_string(ab, action);
1084    audit_log_key(ab, rule->filterkey);
1085    audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1086    audit_log_end(ab);
1087}
1088
1089/**
1090 * audit_receive_filter - apply all rules to the specified message type
1091 * @type: audit message type
1092 * @pid: target pid for netlink audit messages
1093 * @uid: target uid for netlink audit messages
1094 * @seq: netlink audit message sequence (serial) number
1095 * @data: payload data
1096 * @datasz: size of payload data
1097 * @loginuid: loginuid of sender
1098 * @sessionid: sessionid for netlink audit message
1099 * @sid: SE Linux Security ID of sender
1100 */
1101int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1102             size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1103{
1104    struct task_struct *tsk;
1105    struct audit_netlink_list *dest;
1106    int err = 0;
1107    struct audit_entry *entry;
1108
1109    switch (type) {
1110    case AUDIT_LIST:
1111    case AUDIT_LIST_RULES:
1112        /* We can't just spew out the rules here because we might fill
1113         * the available socket buffer space and deadlock waiting for
1114         * auditctl to read from it... which isn't ever going to
1115         * happen if we're actually running in the context of auditctl
1116         * trying to _send_ the stuff */
1117
1118        dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1119        if (!dest)
1120            return -ENOMEM;
1121        dest->pid = pid;
1122        skb_queue_head_init(&dest->q);
1123
1124        mutex_lock(&audit_filter_mutex);
1125        if (type == AUDIT_LIST)
1126            audit_list(pid, seq, &dest->q);
1127        else
1128            audit_list_rules(pid, seq, &dest->q);
1129        mutex_unlock(&audit_filter_mutex);
1130
1131        tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1132        if (IS_ERR(tsk)) {
1133            skb_queue_purge(&dest->q);
1134            kfree(dest);
1135            err = PTR_ERR(tsk);
1136        }
1137        break;
1138    case AUDIT_ADD:
1139    case AUDIT_ADD_RULE:
1140        if (type == AUDIT_ADD)
1141            entry = audit_rule_to_entry(data);
1142        else
1143            entry = audit_data_to_entry(data, datasz);
1144        if (IS_ERR(entry))
1145            return PTR_ERR(entry);
1146
1147        err = audit_add_rule(entry);
1148        audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1149                      &entry->rule, !err);
1150
1151        if (err)
1152            audit_free_rule(entry);
1153        break;
1154    case AUDIT_DEL:
1155    case AUDIT_DEL_RULE:
1156        if (type == AUDIT_DEL)
1157            entry = audit_rule_to_entry(data);
1158        else
1159            entry = audit_data_to_entry(data, datasz);
1160        if (IS_ERR(entry))
1161            return PTR_ERR(entry);
1162
1163        err = audit_del_rule(entry);
1164        audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1165                      &entry->rule, !err);
1166
1167        audit_free_rule(entry);
1168        break;
1169    default:
1170        return -EINVAL;
1171    }
1172
1173    return err;
1174}
1175
1176int audit_comparator(u32 left, u32 op, u32 right)
1177{
1178    switch (op) {
1179    case Audit_equal:
1180        return (left == right);
1181    case Audit_not_equal:
1182        return (left != right);
1183    case Audit_lt:
1184        return (left < right);
1185    case Audit_le:
1186        return (left <= right);
1187    case Audit_gt:
1188        return (left > right);
1189    case Audit_ge:
1190        return (left >= right);
1191    case Audit_bitmask:
1192        return (left & right);
1193    case Audit_bittest:
1194        return ((left & right) == right);
1195    default:
1196        BUG();
1197        return 0;
1198    }
1199}
1200
1201/* Compare given dentry name with last component in given path,
1202 * return of 0 indicates a match. */
1203int audit_compare_dname_path(const char *dname, const char *path,
1204                 int *dirlen)
1205{
1206    int dlen, plen;
1207    const char *p;
1208
1209    if (!dname || !path)
1210        return 1;
1211
1212    dlen = strlen(dname);
1213    plen = strlen(path);
1214    if (plen < dlen)
1215        return 1;
1216
1217    /* disregard trailing slashes */
1218    p = path + plen - 1;
1219    while ((*p == '/') && (p > path))
1220        p--;
1221
1222    /* find last path component */
1223    p = p - dlen + 1;
1224    if (p < path)
1225        return 1;
1226    else if (p > path) {
1227        if (*--p != '/')
1228            return 1;
1229        else
1230            p++;
1231    }
1232
1233    /* return length of path's directory component */
1234    if (dirlen)
1235        *dirlen = p - path;
1236    return strncmp(p, dname, dlen);
1237}
1238
1239static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1240                   struct audit_krule *rule,
1241                   enum audit_state *state)
1242{
1243    int i;
1244
1245    for (i = 0; i < rule->field_count; i++) {
1246        struct audit_field *f = &rule->fields[i];
1247        int result = 0;
1248        u32 sid;
1249
1250        switch (f->type) {
1251        case AUDIT_PID:
1252            result = audit_comparator(cb->creds.pid, f->op, f->val);
1253            break;
1254        case AUDIT_UID:
1255            result = audit_comparator(cb->creds.uid, f->op, f->val);
1256            break;
1257        case AUDIT_GID:
1258            result = audit_comparator(cb->creds.gid, f->op, f->val);
1259            break;
1260        case AUDIT_LOGINUID:
1261            result = audit_comparator(audit_get_loginuid(current),
1262                          f->op, f->val);
1263            break;
1264        case AUDIT_SUBJ_USER:
1265        case AUDIT_SUBJ_ROLE:
1266        case AUDIT_SUBJ_TYPE:
1267        case AUDIT_SUBJ_SEN:
1268        case AUDIT_SUBJ_CLR:
1269            if (f->lsm_rule) {
1270                security_task_getsecid(current, &sid);
1271                result = security_audit_rule_match(sid,
1272                                   f->type,
1273                                   f->op,
1274                                   f->lsm_rule,
1275                                   NULL);
1276            }
1277            break;
1278        }
1279
1280        if (!result)
1281            return 0;
1282    }
1283    switch (rule->action) {
1284    case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
1285    case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
1286    }
1287    return 1;
1288}
1289
1290int audit_filter_user(struct netlink_skb_parms *cb)
1291{
1292    enum audit_state state = AUDIT_DISABLED;
1293    struct audit_entry *e;
1294    int ret = 1;
1295
1296    rcu_read_lock();
1297    list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1298        if (audit_filter_user_rules(cb, &e->rule, &state)) {
1299            if (state == AUDIT_DISABLED)
1300                ret = 0;
1301            break;
1302        }
1303    }
1304    rcu_read_unlock();
1305
1306    return ret; /* Audit by default */
1307}
1308
1309int audit_filter_type(int type)
1310{
1311    struct audit_entry *e;
1312    int result = 0;
1313
1314    rcu_read_lock();
1315    if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1316        goto unlock_and_return;
1317
1318    list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1319                list) {
1320        int i;
1321        for (i = 0; i < e->rule.field_count; i++) {
1322            struct audit_field *f = &e->rule.fields[i];
1323            if (f->type == AUDIT_MSGTYPE) {
1324                result = audit_comparator(type, f->op, f->val);
1325                if (!result)
1326                    break;
1327            }
1328        }
1329        if (result)
1330            goto unlock_and_return;
1331    }
1332unlock_and_return:
1333    rcu_read_unlock();
1334    return result;
1335}
1336
1337static int update_lsm_rule(struct audit_krule *r)
1338{
1339    struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1340    struct audit_entry *nentry;
1341    int err = 0;
1342
1343    if (!security_audit_rule_known(r))
1344        return 0;
1345
1346    nentry = audit_dupe_rule(r);
1347    if (IS_ERR(nentry)) {
1348        /* save the first error encountered for the
1349         * return value */
1350        err = PTR_ERR(nentry);
1351        audit_panic("error updating LSM filters");
1352        if (r->watch)
1353            list_del(&r->rlist);
1354        list_del_rcu(&entry->list);
1355        list_del(&r->list);
1356    } else {
1357        if (r->watch || r->tree)
1358            list_replace_init(&r->rlist, &nentry->rule.rlist);
1359        list_replace_rcu(&entry->list, &nentry->list);
1360        list_replace(&r->list, &nentry->rule.list);
1361    }
1362    call_rcu(&entry->rcu, audit_free_rule_rcu);
1363
1364    return err;
1365}
1366
1367/* This function will re-initialize the lsm_rule field of all applicable rules.
1368 * It will traverse the filter lists serarching for rules that contain LSM
1369 * specific filter fields. When such a rule is found, it is copied, the
1370 * LSM field is re-initialized, and the old rule is replaced with the
1371 * updated rule. */
1372int audit_update_lsm_rules(void)
1373{
1374    struct audit_krule *r, *n;
1375    int i, err = 0;
1376
1377    /* audit_filter_mutex synchronizes the writers */
1378    mutex_lock(&audit_filter_mutex);
1379
1380    for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1381        list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1382            int res = update_lsm_rule(r);
1383            if (!err)
1384                err = res;
1385        }
1386    }
1387    mutex_unlock(&audit_filter_mutex);
1388
1389    return err;
1390}
1391

Archive Download this file



interactive