Kernel

Kernel Git Source Tree

Root/kernel/auditfilter.c

1	/* auditfilter.c -- filtering of audit events
2	*
3	* Copyright 2003-2004 Red Hat, Inc.
4	* Copyright 2005 Hewlett-Packard Development Company, L.P.
5	* Copyright 2005 IBM Corporation
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* This program is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20	*/
21
22	#include <linux/kernel.h>
23	#include <linux/audit.h>
24	#include <linux/kthread.h>
25	#include <linux/mutex.h>
26	#include <linux/fs.h>
27	#include <linux/namei.h>
28	#include <linux/netlink.h>
29	#include <linux/sched.h>
30	#include <linux/security.h>
31	#include "audit.h"
32
33	/*
34	* Locking model:
35	*
36	* audit_filter_mutex:
37	* Synchronizes writes and blocking reads of audit's filterlist
38	* data. Rcu is used to traverse the filterlist and access
39	* contents of structs audit_entry, audit_watch and opaque
40	* LSM rules during filtering. If modified, these structures
41	* must be copied and replace their counterparts in the filterlist.
42	* An audit_parent struct is not accessed during filtering, so may
43	* be written directly provided audit_filter_mutex is held.
44	*/
45
46	/* Audit filter lists, defined in <linux/audit.h> */
47	struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
48	LIST_HEAD_INIT(audit_filter_list[0]),
49	LIST_HEAD_INIT(audit_filter_list[1]),
50	LIST_HEAD_INIT(audit_filter_list[2]),
51	LIST_HEAD_INIT(audit_filter_list[3]),
52	LIST_HEAD_INIT(audit_filter_list[4]),
53	LIST_HEAD_INIT(audit_filter_list[5]),
54	#if AUDIT_NR_FILTERS != 6
55	#error Fix audit_filter_list initialiser
56	#endif
57	};
58	static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
59	LIST_HEAD_INIT(audit_rules_list[0]),
60	LIST_HEAD_INIT(audit_rules_list[1]),
61	LIST_HEAD_INIT(audit_rules_list[2]),
62	LIST_HEAD_INIT(audit_rules_list[3]),
63	LIST_HEAD_INIT(audit_rules_list[4]),
64	LIST_HEAD_INIT(audit_rules_list[5]),
65	};
66
67	DEFINE_MUTEX(audit_filter_mutex);
68
69	static inline void audit_free_rule(struct audit_entry *e)
70	{
71	int i;
72	struct audit_krule *erule = &e->rule;
73	/* some rules don't have associated watches */
74	if (erule->watch)
75	audit_put_watch(erule->watch);
76	if (erule->fields)
77	for (i = 0; i < erule->field_count; i++) {
78	struct audit_field *f = &erule->fields[i];
79	kfree(f->lsm_str);
80	security_audit_rule_free(f->lsm_rule);
81	}
82	kfree(erule->fields);
83	kfree(erule->filterkey);
84	kfree(e);
85	}
86
87	void audit_free_rule_rcu(struct rcu_head *head)
88	{
89	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
90	audit_free_rule(e);
91	}
92
93	/* Initialize an audit filterlist entry. */
94	static inline struct audit_entry *audit_init_entry(u32 field_count)
95	{
96	struct audit_entry *entry;
97	struct audit_field *fields;
98
99	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
100	if (unlikely(!entry))
101	return NULL;
102
103	fields = kzalloc(sizeof(fields) field_count, GFP_KERNEL);
104	if (unlikely(!fields)) {
105	kfree(entry);
106	return NULL;
107	}
108	entry->rule.fields = fields;
109
110	return entry;
111	}
112
113	/* Unpack a filter field's string representation from user-space
114	* buffer. */
115	char audit_unpack_string(void bufp, size_t remain, size_t len)
116	{
117	char *str;
118
119	if (!bufp \|\| (len == 0) \|\| (len > remain))
120	return ERR_PTR(-EINVAL);
121
122	/* Of the currently implemented string fields, PATH_MAX
123	* defines the longest valid length.
124	*/
125	if (len > PATH_MAX)
126	return ERR_PTR(-ENAMETOOLONG);
127
128	str = kmalloc(len + 1, GFP_KERNEL);
129	if (unlikely(!str))
130	return ERR_PTR(-ENOMEM);
131
132	memcpy(str, *bufp, len);
133	str[len] = 0;
134	*bufp += len;
135	*remain -= len;
136
137	return str;
138	}
139
140	/* Translate an inode field to kernel respresentation. */
141	static inline int audit_to_inode(struct audit_krule *krule,
142	struct audit_field *f)
143	{
144	if (krule->listnr != AUDIT_FILTER_EXIT \|\|
145	krule->watch \|\| krule->inode_f \|\| krule->tree \|\|
146	(f->op != Audit_equal && f->op != Audit_not_equal))
147	return -EINVAL;
148
149	krule->inode_f = f;
150	return 0;
151	}
152
153	static __u32 *classes[AUDIT_SYSCALL_CLASSES];
154
155	int __init audit_register_class(int class, unsigned *list)
156	{
157	__u32 p = kzalloc(AUDIT_BITMASK_SIZE sizeof(__u32), GFP_KERNEL);
158	if (!p)
159	return -ENOMEM;
160	while (*list != ~0U) {
161	unsigned n = *list++;
162	if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
163	kfree(p);
164	return -EINVAL;
165	}
166	p[AUDIT_WORD(n)] \|= AUDIT_BIT(n);
167	}
168	if (class >= AUDIT_SYSCALL_CLASSES \|\| classes[class]) {
169	kfree(p);
170	return -EINVAL;
171	}
172	classes[class] = p;
173	return 0;
174	}
175
176	int audit_match_class(int class, unsigned syscall)
177	{
178	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
179	return 0;
180	if (unlikely(class >= AUDIT_SYSCALL_CLASSES \|\| !classes[class]))
181	return 0;
182	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
183	}
184
185	#ifdef CONFIG_AUDITSYSCALL
186	static inline int audit_match_class_bits(int class, u32 *mask)
187	{
188	int i;
189
190	if (classes[class]) {
191	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
192	if (mask[i] & classes[class][i])
193	return 0;
194	}
195	return 1;
196	}
197
198	static int audit_match_signal(struct audit_entry *entry)
199	{
200	struct audit_field *arch = entry->rule.arch_f;
201
202	if (!arch) {
203	/* When arch is unspecified, we must check both masks on biarch
204	* as syscall number alone is ambiguous. */
205	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
206	entry->rule.mask) &&
207	audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
208	entry->rule.mask));
209	}
210
211	switch(audit_classify_arch(arch->val)) {
212	case 0: /* native */
213	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
214	entry->rule.mask));
215	case 1: /* 32bit on biarch */
216	return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
217	entry->rule.mask));
218	default:
219	return 1;
220	}
221	}
222	#endif
223
224	/* Common user-space to kernel rule translation. */
225	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
226	{
227	unsigned listnr;
228	struct audit_entry *entry;
229	int i, err;
230
231	err = -EINVAL;
232	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
233	switch(listnr) {
234	default:
235	goto exit_err;
236	case AUDIT_FILTER_USER:
237	case AUDIT_FILTER_TYPE:
238	#ifdef CONFIG_AUDITSYSCALL
239	case AUDIT_FILTER_ENTRY:
240	case AUDIT_FILTER_EXIT:
241	case AUDIT_FILTER_TASK:
242	#endif
243	;
244	}
245	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
246	printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
247	goto exit_err;
248	}
249	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
250	goto exit_err;
251	if (rule->field_count > AUDIT_MAX_FIELDS)
252	goto exit_err;
253
254	err = -ENOMEM;
255	entry = audit_init_entry(rule->field_count);
256	if (!entry)
257	goto exit_err;
258
259	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
260	entry->rule.listnr = listnr;
261	entry->rule.action = rule->action;
262	entry->rule.field_count = rule->field_count;
263
264	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
265	entry->rule.mask[i] = rule->mask[i];
266
267	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
268	int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
269	__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
270	__u32 *class;
271
272	if (!(*p & AUDIT_BIT(bit)))
273	continue;
274	*p &= ~AUDIT_BIT(bit);
275	class = classes[i];
276	if (class) {
277	int j;
278	for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
279	entry->rule.mask[j] \|= class[j];
280	}
281	}
282
283	return entry;
284
285	exit_err:
286	return ERR_PTR(err);
287	}
288
289	static u32 audit_ops[] =
290	{
291	[Audit_equal] = AUDIT_EQUAL,
292	[Audit_not_equal] = AUDIT_NOT_EQUAL,
293	[Audit_bitmask] = AUDIT_BIT_MASK,
294	[Audit_bittest] = AUDIT_BIT_TEST,
295	[Audit_lt] = AUDIT_LESS_THAN,
296	[Audit_gt] = AUDIT_GREATER_THAN,
297	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
298	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
299	};
300
301	static u32 audit_to_op(u32 op)
302	{
303	u32 n;
304	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
305	;
306	return n;
307	}
308
309
310	/* Translate struct audit_rule to kernel's rule respresentation.
311	* Exists for backward compatibility with userspace. */
312	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
313	{
314	struct audit_entry *entry;
315	int err = 0;
316	int i;
317
318	entry = audit_to_entry_common(rule);
319	if (IS_ERR(entry))
320	goto exit_nofree;
321
322	for (i = 0; i < rule->field_count; i++) {
323	struct audit_field *f = &entry->rule.fields[i];
324	u32 n;
325
326	n = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
327
328	/* Support for legacy operators where
329	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
330	if (n & AUDIT_NEGATE)
331	f->op = Audit_not_equal;
332	else if (!n)
333	f->op = Audit_equal;
334	else
335	f->op = audit_to_op(n);
336
337	entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
338
339	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);
340	f->val = rule->values[i];
341
342	err = -EINVAL;
343	if (f->op == Audit_bad)
344	goto exit_free;
345
346	switch(f->type) {
347	default:
348	goto exit_free;
349	case AUDIT_PID:
350	case AUDIT_UID:
351	case AUDIT_EUID:
352	case AUDIT_SUID:
353	case AUDIT_FSUID:
354	case AUDIT_GID:
355	case AUDIT_EGID:
356	case AUDIT_SGID:
357	case AUDIT_FSGID:
358	case AUDIT_LOGINUID:
359	case AUDIT_PERS:
360	case AUDIT_MSGTYPE:
361	case AUDIT_PPID:
362	case AUDIT_DEVMAJOR:
363	case AUDIT_DEVMINOR:
364	case AUDIT_EXIT:
365	case AUDIT_SUCCESS:
366	/* bit ops are only useful on syscall args */
367	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
368	goto exit_free;
369	break;
370	case AUDIT_ARG0:
371	case AUDIT_ARG1:
372	case AUDIT_ARG2:
373	case AUDIT_ARG3:
374	break;
375	/* arch is only allowed to be = or != */
376	case AUDIT_ARCH:
377	if (f->op != Audit_not_equal && f->op != Audit_equal)
378	goto exit_free;
379	entry->rule.arch_f = f;
380	break;
381	case AUDIT_PERM:
382	if (f->val & ~15)
383	goto exit_free;
384	break;
385	case AUDIT_FILETYPE:
386	if ((f->val & ~S_IFMT) > S_IFMT)
387	goto exit_free;
388	break;
389	case AUDIT_INODE:
390	err = audit_to_inode(&entry->rule, f);
391	if (err)
392	goto exit_free;
393	break;
394	}
395	}
396
397	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
398	entry->rule.inode_f = NULL;
399
400	exit_nofree:
401	return entry;
402
403	exit_free:
404	audit_free_rule(entry);
405	return ERR_PTR(err);
406	}
407
408	/* Translate struct audit_rule_data to kernel's rule respresentation. */
409	static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
410	size_t datasz)
411	{
412	int err = 0;
413	struct audit_entry *entry;
414	void *bufp;
415	size_t remain = datasz - sizeof(struct audit_rule_data);
416	int i;
417	char *str;
418
419	entry = audit_to_entry_common((struct audit_rule *)data);
420	if (IS_ERR(entry))
421	goto exit_nofree;
422
423	bufp = data->buf;
424	entry->rule.vers_ops = 2;
425	for (i = 0; i < data->field_count; i++) {
426	struct audit_field *f = &entry->rule.fields[i];
427
428	err = -EINVAL;
429
430	f->op = audit_to_op(data->fieldflags[i]);
431	if (f->op == Audit_bad)
432	goto exit_free;
433
434	f->type = data->fields[i];
435	f->val = data->values[i];
436	f->lsm_str = NULL;
437	f->lsm_rule = NULL;
438	switch(f->type) {
439	case AUDIT_PID:
440	case AUDIT_UID:
441	case AUDIT_EUID:
442	case AUDIT_SUID:
443	case AUDIT_FSUID:
444	case AUDIT_GID:
445	case AUDIT_EGID:
446	case AUDIT_SGID:
447	case AUDIT_FSGID:
448	case AUDIT_LOGINUID:
449	case AUDIT_PERS:
450	case AUDIT_MSGTYPE:
451	case AUDIT_PPID:
452	case AUDIT_DEVMAJOR:
453	case AUDIT_DEVMINOR:
454	case AUDIT_EXIT:
455	case AUDIT_SUCCESS:
456	case AUDIT_ARG0:
457	case AUDIT_ARG1:
458	case AUDIT_ARG2:
459	case AUDIT_ARG3:
460	break;
461	case AUDIT_ARCH:
462	entry->rule.arch_f = f;
463	break;
464	case AUDIT_SUBJ_USER:
465	case AUDIT_SUBJ_ROLE:
466	case AUDIT_SUBJ_TYPE:
467	case AUDIT_SUBJ_SEN:
468	case AUDIT_SUBJ_CLR:
469	case AUDIT_OBJ_USER:
470	case AUDIT_OBJ_ROLE:
471	case AUDIT_OBJ_TYPE:
472	case AUDIT_OBJ_LEV_LOW:
473	case AUDIT_OBJ_LEV_HIGH:
474	str = audit_unpack_string(&bufp, &remain, f->val);
475	if (IS_ERR(str))
476	goto exit_free;
477	entry->rule.buflen += f->val;
478
479	err = security_audit_rule_init(f->type, f->op, str,
480	(void **)&f->lsm_rule);
481	/* Keep currently invalid fields around in case they
482	* become valid after a policy reload. */
483	if (err == -EINVAL) {
484	printk(KERN_WARNING "audit rule for LSM "
485	"\'%s\' is invalid\n", str);
486	err = 0;
487	}
488	if (err) {
489	kfree(str);
490	goto exit_free;
491	} else
492	f->lsm_str = str;
493	break;
494	case AUDIT_WATCH:
495	str = audit_unpack_string(&bufp, &remain, f->val);
496	if (IS_ERR(str))
497	goto exit_free;
498	entry->rule.buflen += f->val;
499
500	err = audit_to_watch(&entry->rule, str, f->val, f->op);
501	if (err) {
502	kfree(str);
503	goto exit_free;
504	}
505	break;
506	case AUDIT_DIR:
507	str = audit_unpack_string(&bufp, &remain, f->val);
508	if (IS_ERR(str))
509	goto exit_free;
510	entry->rule.buflen += f->val;
511
512	err = audit_make_tree(&entry->rule, str, f->op);
513	kfree(str);
514	if (err)
515	goto exit_free;
516	break;
517	case AUDIT_INODE:
518	err = audit_to_inode(&entry->rule, f);
519	if (err)
520	goto exit_free;
521	break;
522	case AUDIT_FILTERKEY:
523	err = -EINVAL;
524	if (entry->rule.filterkey \|\| f->val > AUDIT_MAX_KEY_LEN)
525	goto exit_free;
526	str = audit_unpack_string(&bufp, &remain, f->val);
527	if (IS_ERR(str))
528	goto exit_free;
529	entry->rule.buflen += f->val;
530	entry->rule.filterkey = str;
531	break;
532	case AUDIT_PERM:
533	if (f->val & ~15)
534	goto exit_free;
535	break;
536	case AUDIT_FILETYPE:
537	if ((f->val & ~S_IFMT) > S_IFMT)
538	goto exit_free;
539	break;
540	default:
541	goto exit_free;
542	}
543	}
544
545	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
546	entry->rule.inode_f = NULL;
547
548	exit_nofree:
549	return entry;
550
551	exit_free:
552	audit_free_rule(entry);
553	return ERR_PTR(err);
554	}
555
556	/* Pack a filter field's string representation into data block. */
557	static inline size_t audit_pack_string(void *bufp, const char str)
558	{
559	size_t len = strlen(str);
560
561	memcpy(*bufp, str, len);
562	*bufp += len;
563
564	return len;
565	}
566
567	/* Translate kernel rule respresentation to struct audit_rule.
568	* Exists for backward compatibility with userspace. */
569	static struct audit_rule audit_krule_to_rule(struct audit_krule krule)
570	{
571	struct audit_rule *rule;
572	int i;
573
574	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
575	if (unlikely(!rule))
576	return NULL;
577
578	rule->flags = krule->flags \| krule->listnr;
579	rule->action = krule->action;
580	rule->field_count = krule->field_count;
581	for (i = 0; i < rule->field_count; i++) {
582	rule->values[i] = krule->fields[i].val;
583	rule->fields[i] = krule->fields[i].type;
584
585	if (krule->vers_ops == 1) {
586	if (krule->fields[i].op == Audit_not_equal)
587	rule->fields[i] \|= AUDIT_NEGATE;
588	} else {
589	rule->fields[i] \|= audit_ops[krule->fields[i].op];
590	}
591	}
592	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
593
594	return rule;
595	}
596
597	/* Translate kernel rule respresentation to struct audit_rule_data. */
598	static struct audit_rule_data audit_krule_to_data(struct audit_krule krule)
599	{
600	struct audit_rule_data *data;
601	void *bufp;
602	int i;
603
604	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
605	if (unlikely(!data))
606	return NULL;
607	memset(data, 0, sizeof(*data));
608
609	data->flags = krule->flags \| krule->listnr;
610	data->action = krule->action;
611	data->field_count = krule->field_count;
612	bufp = data->buf;
613	for (i = 0; i < data->field_count; i++) {
614	struct audit_field *f = &krule->fields[i];
615
616	data->fields[i] = f->type;
617	data->fieldflags[i] = audit_ops[f->op];
618	switch(f->type) {
619	case AUDIT_SUBJ_USER:
620	case AUDIT_SUBJ_ROLE:
621	case AUDIT_SUBJ_TYPE:
622	case AUDIT_SUBJ_SEN:
623	case AUDIT_SUBJ_CLR:
624	case AUDIT_OBJ_USER:
625	case AUDIT_OBJ_ROLE:
626	case AUDIT_OBJ_TYPE:
627	case AUDIT_OBJ_LEV_LOW:
628	case AUDIT_OBJ_LEV_HIGH:
629	data->buflen += data->values[i] =
630	audit_pack_string(&bufp, f->lsm_str);
631	break;
632	case AUDIT_WATCH:
633	data->buflen += data->values[i] =
634	audit_pack_string(&bufp,
635	audit_watch_path(krule->watch));
636	break;
637	case AUDIT_DIR:
638	data->buflen += data->values[i] =
639	audit_pack_string(&bufp,
640	audit_tree_path(krule->tree));
641	break;
642	case AUDIT_FILTERKEY:
643	data->buflen += data->values[i] =
644	audit_pack_string(&bufp, krule->filterkey);
645	break;
646	default:
647	data->values[i] = f->val;
648	}
649	}
650	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
651
652	return data;
653	}
654
655	/* Compare two rules in kernel format. Considered success if rules
656	* don't match. */
657	static int audit_compare_rule(struct audit_krule a, struct audit_krule b)
658	{
659	int i;
660
661	if (a->flags != b->flags \|\|
662	a->listnr != b->listnr \|\|
663	a->action != b->action \|\|
664	a->field_count != b->field_count)
665	return 1;
666
667	for (i = 0; i < a->field_count; i++) {
668	if (a->fields[i].type != b->fields[i].type \|\|
669	a->fields[i].op != b->fields[i].op)
670	return 1;
671
672	switch(a->fields[i].type) {
673	case AUDIT_SUBJ_USER:
674	case AUDIT_SUBJ_ROLE:
675	case AUDIT_SUBJ_TYPE:
676	case AUDIT_SUBJ_SEN:
677	case AUDIT_SUBJ_CLR:
678	case AUDIT_OBJ_USER:
679	case AUDIT_OBJ_ROLE:
680	case AUDIT_OBJ_TYPE:
681	case AUDIT_OBJ_LEV_LOW:
682	case AUDIT_OBJ_LEV_HIGH:
683	if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
684	return 1;
685	break;
686	case AUDIT_WATCH:
687	if (strcmp(audit_watch_path(a->watch),
688	audit_watch_path(b->watch)))
689	return 1;
690	break;
691	case AUDIT_DIR:
692	if (strcmp(audit_tree_path(a->tree),
693	audit_tree_path(b->tree)))
694	return 1;
695	break;
696	case AUDIT_FILTERKEY:
697	/* both filterkeys exist based on above type compare */
698	if (strcmp(a->filterkey, b->filterkey))
699	return 1;
700	break;
701	default:
702	if (a->fields[i].val != b->fields[i].val)
703	return 1;
704	}
705	}
706
707	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
708	if (a->mask[i] != b->mask[i])
709	return 1;
710
711	return 0;
712	}
713
714	/* Duplicate LSM field information. The lsm_rule is opaque, so must be
715	* re-initialized. */
716	static inline int audit_dupe_lsm_field(struct audit_field *df,
717	struct audit_field *sf)
718	{
719	int ret = 0;
720	char *lsm_str;
721
722	/* our own copy of lsm_str */
723	lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
724	if (unlikely(!lsm_str))
725	return -ENOMEM;
726	df->lsm_str = lsm_str;
727
728	/* our own (refreshed) copy of lsm_rule */
729	ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
730	(void **)&df->lsm_rule);
731	/* Keep currently invalid fields around in case they
732	* become valid after a policy reload. */
733	if (ret == -EINVAL) {
734	printk(KERN_WARNING "audit rule for LSM \'%s\' is "
735	"invalid\n", df->lsm_str);
736	ret = 0;
737	}
738
739	return ret;
740	}
741
742	/* Duplicate an audit rule. This will be a deep copy with the exception
743	* of the watch - that pointer is carried over. The LSM specific fields
744	* will be updated in the copy. The point is to be able to replace the old
745	* rule with the new rule in the filterlist, then free the old rule.
746	* The rlist element is undefined; list manipulations are handled apart from
747	* the initial copy. */
748	struct audit_entry audit_dupe_rule(struct audit_krule old,
749	struct audit_watch *watch)
750	{
751	u32 fcount = old->field_count;
752	struct audit_entry *entry;
753	struct audit_krule *new;
754	char *fk;
755	int i, err = 0;
756
757	entry = audit_init_entry(fcount);
758	if (unlikely(!entry))
759	return ERR_PTR(-ENOMEM);
760
761	new = &entry->rule;
762	new->vers_ops = old->vers_ops;
763	new->flags = old->flags;
764	new->listnr = old->listnr;
765	new->action = old->action;
766	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
767	new->mask[i] = old->mask[i];
768	new->prio = old->prio;
769	new->buflen = old->buflen;
770	new->inode_f = old->inode_f;
771	new->watch = NULL;
772	new->field_count = old->field_count;
773	/*
774	* note that we are OK with not refcounting here; audit_match_tree()
775	* never dereferences tree and we can't get false positives there
776	* since we'd have to have rule gone from the list and removed
777	* before the chunks found by lookup had been allocated, i.e. before
778	* the beginning of list scan.
779	*/
780	new->tree = old->tree;
781	memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
782
783	/* deep copy this information, updating the lsm_rule fields, because
784	* the originals will all be freed when the old rule is freed. */
785	for (i = 0; i < fcount; i++) {
786	switch (new->fields[i].type) {
787	case AUDIT_SUBJ_USER:
788	case AUDIT_SUBJ_ROLE:
789	case AUDIT_SUBJ_TYPE:
790	case AUDIT_SUBJ_SEN:
791	case AUDIT_SUBJ_CLR:
792	case AUDIT_OBJ_USER:
793	case AUDIT_OBJ_ROLE:
794	case AUDIT_OBJ_TYPE:
795	case AUDIT_OBJ_LEV_LOW:
796	case AUDIT_OBJ_LEV_HIGH:
797	err = audit_dupe_lsm_field(&new->fields[i],
798	&old->fields[i]);
799	break;
800	case AUDIT_FILTERKEY:
801	fk = kstrdup(old->filterkey, GFP_KERNEL);
802	if (unlikely(!fk))
803	err = -ENOMEM;
804	else
805	new->filterkey = fk;
806	}
807	if (err) {
808	audit_free_rule(entry);
809	return ERR_PTR(err);
810	}
811	}
812
813	if (watch) {
814	audit_get_watch(watch);
815	new->watch = watch;
816	}
817
818	return entry;
819	}
820
821	/* Find an existing audit rule.
822	* Caller must hold audit_filter_mutex to prevent stale rule data. */
823	static struct audit_entry audit_find_rule(struct audit_entry entry,
824	struct list_head **p)
825	{
826	struct audit_entry e, found = NULL;
827	struct list_head *list;
828	int h;
829
830	if (entry->rule.inode_f) {
831	h = audit_hash_ino(entry->rule.inode_f->val);
832	*p = list = &audit_inode_hash[h];
833	} else if (entry->rule.watch) {
834	/* we don't know the inode number, so must walk entire hash */
835	for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
836	list = &audit_inode_hash[h];
837	list_for_each_entry(e, list, list)
838	if (!audit_compare_rule(&entry->rule, &e->rule)) {
839	found = e;
840	goto out;
841	}
842	}
843	goto out;
844	} else {
845	*p = list = &audit_filter_list[entry->rule.listnr];
846	}
847
848	list_for_each_entry(e, list, list)
849	if (!audit_compare_rule(&entry->rule, &e->rule)) {
850	found = e;
851	goto out;
852	}
853
854	out:
855	return found;
856	}
857
858	static u64 prio_low = ~0ULL/2;
859	static u64 prio_high = ~0ULL/2 - 1;
860
861	/* Add rule to given filterlist if not a duplicate. */
862	static inline int audit_add_rule(struct audit_entry *entry)
863	{
864	struct audit_entry *e;
865	struct audit_watch *watch = entry->rule.watch;
866	struct audit_tree *tree = entry->rule.tree;
867	struct list_head *list;
868	int h, err;
869	#ifdef CONFIG_AUDITSYSCALL
870	int dont_count = 0;
871
872	/* If either of these, don't count towards total */
873	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|
874	entry->rule.listnr == AUDIT_FILTER_TYPE)
875	dont_count = 1;
876	#endif
877
878	mutex_lock(&audit_filter_mutex);
879	e = audit_find_rule(entry, &list);
880	if (e) {
881	mutex_unlock(&audit_filter_mutex);
882	err = -EEXIST;
883	/* normally audit_add_tree_rule() will free it on failure */
884	if (tree)
885	audit_put_tree(tree);
886	goto error;
887	}
888
889	if (watch) {
890	/* audit_filter_mutex is dropped and re-taken during this call */
891	err = audit_add_watch(&entry->rule);
892	if (err) {
893	mutex_unlock(&audit_filter_mutex);
894	goto error;
895	}
896	/* entry->rule.watch may have changed during audit_add_watch() */
897	watch = entry->rule.watch;
898	h = audit_hash_ino((u32)audit_watch_inode(watch));
899	list = &audit_inode_hash[h];
900	}
901	if (tree) {
902	err = audit_add_tree_rule(&entry->rule);
903	if (err) {
904	mutex_unlock(&audit_filter_mutex);
905	goto error;
906	}
907	}
908
909	entry->rule.prio = ~0ULL;
910	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
911	if (entry->rule.flags & AUDIT_FILTER_PREPEND)
912	entry->rule.prio = ++prio_high;
913	else
914	entry->rule.prio = --prio_low;
915	}
916
917	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
918	list_add(&entry->rule.list,
919	&audit_rules_list[entry->rule.listnr]);
920	list_add_rcu(&entry->list, list);
921	entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
922	} else {
923	list_add_tail(&entry->rule.list,
924	&audit_rules_list[entry->rule.listnr]);
925	list_add_tail_rcu(&entry->list, list);
926	}
927	#ifdef CONFIG_AUDITSYSCALL
928	if (!dont_count)
929	audit_n_rules++;
930
931	if (!audit_match_signal(entry))
932	audit_signals++;
933	#endif
934	mutex_unlock(&audit_filter_mutex);
935
936	return 0;
937
938	error:
939	if (watch)
940	audit_put_watch(watch); /* tmp watch, matches initial get */
941	return err;
942	}
943
944	/* Remove an existing rule from filterlist. */
945	static inline int audit_del_rule(struct audit_entry *entry)
946	{
947	struct audit_entry *e;
948	struct audit_watch *watch = entry->rule.watch;
949	struct audit_tree *tree = entry->rule.tree;
950	struct list_head *list;
951	LIST_HEAD(inotify_list);
952	int ret = 0;
953	#ifdef CONFIG_AUDITSYSCALL
954	int dont_count = 0;
955
956	/* If either of these, don't count towards total */
957	if (entry->rule.listnr == AUDIT_FILTER_USER \|\|
958	entry->rule.listnr == AUDIT_FILTER_TYPE)
959	dont_count = 1;
960	#endif
961
962	mutex_lock(&audit_filter_mutex);
963	e = audit_find_rule(entry, &list);
964	if (!e) {
965	mutex_unlock(&audit_filter_mutex);
966	ret = -ENOENT;
967	goto out;
968	}
969
970	if (e->rule.watch)
971	audit_remove_watch_rule(&e->rule, &inotify_list);
972
973	if (e->rule.tree)
974	audit_remove_tree_rule(&e->rule);
975
976	list_del_rcu(&e->list);
977	list_del(&e->rule.list);
978	call_rcu(&e->rcu, audit_free_rule_rcu);
979
980	#ifdef CONFIG_AUDITSYSCALL
981	if (!dont_count)
982	audit_n_rules--;
983
984	if (!audit_match_signal(entry))
985	audit_signals--;
986	#endif
987	mutex_unlock(&audit_filter_mutex);
988
989	if (!list_empty(&inotify_list))
990	audit_inotify_unregister(&inotify_list);
991
992	out:
993	if (watch)
994	audit_put_watch(watch); /* match initial get */
995	if (tree)
996	audit_put_tree(tree); /* that's the temporary one */
997
998	return ret;
999	}
1000
1001	/* List rules using struct audit_rule. Exists for backward
1002	* compatibility with userspace. */
1003	static void audit_list(int pid, int seq, struct sk_buff_head *q)
1004	{
1005	struct sk_buff *skb;
1006	struct audit_krule *r;
1007	int i;
1008
1009	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1010	* iterator to sync with list writers. */
1011	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1012	list_for_each_entry(r, &audit_rules_list[i], list) {
1013	struct audit_rule *rule;
1014
1015	rule = audit_krule_to_rule(r);
1016	if (unlikely(!rule))
1017	break;
1018	skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1019	rule, sizeof(*rule));
1020	if (skb)
1021	skb_queue_tail(q, skb);
1022	kfree(rule);
1023	}
1024	}
1025	skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1026	if (skb)
1027	skb_queue_tail(q, skb);
1028	}
1029
1030	/* List rules using struct audit_rule_data. */
1031	static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1032	{
1033	struct sk_buff *skb;
1034	struct audit_krule *r;
1035	int i;
1036
1037	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1038	* iterator to sync with list writers. */
1039	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1040	list_for_each_entry(r, &audit_rules_list[i], list) {
1041	struct audit_rule_data *data;
1042
1043	data = audit_krule_to_data(r);
1044	if (unlikely(!data))
1045	break;
1046	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1047	data, sizeof(*data) + data->buflen);
1048	if (skb)
1049	skb_queue_tail(q, skb);
1050	kfree(data);
1051	}
1052	}
1053	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1054	if (skb)
1055	skb_queue_tail(q, skb);
1056	}
1057
1058	/* Log rule additions and removals */
1059	static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1060	char action, struct audit_krule rule,
1061	int res)
1062	{
1063	struct audit_buffer *ab;
1064
1065	if (!audit_enabled)
1066	return;
1067
1068	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1069	if (!ab)
1070	return;
1071	audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1072	if (sid) {
1073	char *ctx = NULL;
1074	u32 len;
1075	if (security_secid_to_secctx(sid, &ctx, &len))
1076	audit_log_format(ab, " ssid=%u", sid);
1077	else {
1078	audit_log_format(ab, " subj=%s", ctx);
1079	security_release_secctx(ctx, len);
1080	}
1081	}
1082	audit_log_format(ab, " op=");
1083	audit_log_string(ab, action);
1084	audit_log_key(ab, rule->filterkey);
1085	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1086	audit_log_end(ab);
1087	}
1088
1089	/**
1090	* audit_receive_filter - apply all rules to the specified message type
1091	* @type: audit message type
1092	* @pid: target pid for netlink audit messages
1093	* @uid: target uid for netlink audit messages
1094	* @seq: netlink audit message sequence (serial) number
1095	* @data: payload data
1096	* @datasz: size of payload data
1097	* @loginuid: loginuid of sender
1098	* @sessionid: sessionid for netlink audit message
1099	* @sid: SE Linux Security ID of sender
1100	*/
1101	int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1102	size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1103	{
1104	struct task_struct *tsk;
1105	struct audit_netlink_list *dest;
1106	int err = 0;
1107	struct audit_entry *entry;
1108
1109	switch (type) {
1110	case AUDIT_LIST:
1111	case AUDIT_LIST_RULES:
1112	/* We can't just spew out the rules here because we might fill
1113	* the available socket buffer space and deadlock waiting for
1114	* auditctl to read from it... which isn't ever going to
1115	* happen if we're actually running in the context of auditctl
1116	* trying to _send_ the stuff */
1117
1118	dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1119	if (!dest)
1120	return -ENOMEM;
1121	dest->pid = pid;
1122	skb_queue_head_init(&dest->q);
1123
1124	mutex_lock(&audit_filter_mutex);
1125	if (type == AUDIT_LIST)
1126	audit_list(pid, seq, &dest->q);
1127	else
1128	audit_list_rules(pid, seq, &dest->q);
1129	mutex_unlock(&audit_filter_mutex);
1130
1131	tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1132	if (IS_ERR(tsk)) {
1133	skb_queue_purge(&dest->q);
1134	kfree(dest);
1135	err = PTR_ERR(tsk);
1136	}
1137	break;
1138	case AUDIT_ADD:
1139	case AUDIT_ADD_RULE:
1140	if (type == AUDIT_ADD)
1141	entry = audit_rule_to_entry(data);
1142	else
1143	entry = audit_data_to_entry(data, datasz);
1144	if (IS_ERR(entry))
1145	return PTR_ERR(entry);
1146
1147	err = audit_add_rule(entry);
1148	audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1149	&entry->rule, !err);
1150
1151	if (err)
1152	audit_free_rule(entry);
1153	break;
1154	case AUDIT_DEL:
1155	case AUDIT_DEL_RULE:
1156	if (type == AUDIT_DEL)
1157	entry = audit_rule_to_entry(data);
1158	else
1159	entry = audit_data_to_entry(data, datasz);
1160	if (IS_ERR(entry))
1161	return PTR_ERR(entry);
1162
1163	err = audit_del_rule(entry);
1164	audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1165	&entry->rule, !err);
1166
1167	audit_free_rule(entry);
1168	break;
1169	default:
1170	return -EINVAL;
1171	}
1172
1173	return err;
1174	}
1175
1176	int audit_comparator(u32 left, u32 op, u32 right)
1177	{
1178	switch (op) {
1179	case Audit_equal:
1180	return (left == right);
1181	case Audit_not_equal:
1182	return (left != right);
1183	case Audit_lt:
1184	return (left < right);
1185	case Audit_le:
1186	return (left <= right);
1187	case Audit_gt:
1188	return (left > right);
1189	case Audit_ge:
1190	return (left >= right);
1191	case Audit_bitmask:
1192	return (left & right);
1193	case Audit_bittest:
1194	return ((left & right) == right);
1195	default:
1196	BUG();
1197	return 0;
1198	}
1199	}
1200
1201	/* Compare given dentry name with last component in given path,
1202	* return of 0 indicates a match. */
1203	int audit_compare_dname_path(const char dname, const char path,
1204	int *dirlen)
1205	{
1206	int dlen, plen;
1207	const char *p;
1208
1209	if (!dname \|\| !path)
1210	return 1;
1211
1212	dlen = strlen(dname);
1213	plen = strlen(path);
1214	if (plen < dlen)
1215	return 1;
1216
1217	/* disregard trailing slashes */
1218	p = path + plen - 1;
1219	while ((*p == '/') && (p > path))
1220	p--;
1221
1222	/* find last path component */
1223	p = p - dlen + 1;
1224	if (p < path)
1225	return 1;
1226	else if (p > path) {
1227	if (*--p != '/')
1228	return 1;
1229	else
1230	p++;
1231	}
1232
1233	/* return length of path's directory component */
1234	if (dirlen)
1235	*dirlen = p - path;
1236	return strncmp(p, dname, dlen);
1237	}
1238
1239	static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1240	struct audit_krule *rule,
1241	enum audit_state *state)
1242	{
1243	int i;
1244
1245	for (i = 0; i < rule->field_count; i++) {
1246	struct audit_field *f = &rule->fields[i];
1247	int result = 0;
1248
1249	switch (f->type) {
1250	case AUDIT_PID:
1251	result = audit_comparator(cb->creds.pid, f->op, f->val);
1252	break;
1253	case AUDIT_UID:
1254	result = audit_comparator(cb->creds.uid, f->op, f->val);
1255	break;
1256	case AUDIT_GID:
1257	result = audit_comparator(cb->creds.gid, f->op, f->val);
1258	break;
1259	case AUDIT_LOGINUID:
1260	result = audit_comparator(cb->loginuid, f->op, f->val);
1261	break;
1262	}
1263
1264	if (!result)
1265	return 0;
1266	}
1267	switch (rule->action) {
1268	case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
1269	case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
1270	}
1271	return 1;
1272	}
1273
1274	int audit_filter_user(struct netlink_skb_parms *cb)
1275	{
1276	enum audit_state state = AUDIT_DISABLED;
1277	struct audit_entry *e;
1278	int ret = 1;
1279
1280	rcu_read_lock();
1281	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1282	if (audit_filter_user_rules(cb, &e->rule, &state)) {
1283	if (state == AUDIT_DISABLED)
1284	ret = 0;
1285	break;
1286	}
1287	}
1288	rcu_read_unlock();
1289
1290	return ret; /* Audit by default */
1291	}
1292
1293	int audit_filter_type(int type)
1294	{
1295	struct audit_entry *e;
1296	int result = 0;
1297
1298	rcu_read_lock();
1299	if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1300	goto unlock_and_return;
1301
1302	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1303	list) {
1304	int i;
1305	for (i = 0; i < e->rule.field_count; i++) {
1306	struct audit_field *f = &e->rule.fields[i];
1307	if (f->type == AUDIT_MSGTYPE) {
1308	result = audit_comparator(type, f->op, f->val);
1309	if (!result)
1310	break;
1311	}
1312	}
1313	if (result)
1314	goto unlock_and_return;
1315	}
1316	unlock_and_return:
1317	rcu_read_unlock();
1318	return result;
1319	}
1320
1321	static int update_lsm_rule(struct audit_krule *r)
1322	{
1323	struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1324	struct audit_entry *nentry;
1325	struct audit_watch *watch;
1326	struct audit_tree *tree;
1327	int err = 0;
1328
1329	if (!security_audit_rule_known(r))
1330	return 0;
1331
1332	watch = r->watch;
1333	tree = r->tree;
1334	nentry = audit_dupe_rule(r, watch);
1335	if (IS_ERR(nentry)) {
1336	/* save the first error encountered for the
1337	* return value */
1338	err = PTR_ERR(nentry);
1339	audit_panic("error updating LSM filters");
1340	if (watch)
1341	list_del(&r->rlist);
1342	list_del_rcu(&entry->list);
1343	list_del(&r->list);
1344	} else {
1345	if (watch) {
1346	list_add(&nentry->rule.rlist, audit_watch_rules(watch));
1347	list_del(&r->rlist);
1348	} else if (tree)
1349	list_replace_init(&r->rlist, &nentry->rule.rlist);
1350	list_replace_rcu(&entry->list, &nentry->list);
1351	list_replace(&r->list, &nentry->rule.list);
1352	}
1353	call_rcu(&entry->rcu, audit_free_rule_rcu);
1354
1355	return err;
1356	}
1357
1358	/* This function will re-initialize the lsm_rule field of all applicable rules.
1359	* It will traverse the filter lists serarching for rules that contain LSM
1360	* specific filter fields. When such a rule is found, it is copied, the
1361	* LSM field is re-initialized, and the old rule is replaced with the
1362	* updated rule. */
1363	int audit_update_lsm_rules(void)
1364	{
1365	struct audit_krule r, n;
1366	int i, err = 0;
1367
1368	/* audit_filter_mutex synchronizes the writers */
1369	mutex_lock(&audit_filter_mutex);
1370
1371	for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1372	list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1373	int res = update_lsm_rule(r);
1374	if (!err)
1375	err = res;
1376	}
1377	}
1378	mutex_unlock(&audit_filter_mutex);
1379
1380	return err;
1381	}
1382

Download this file

Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master

Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9

Kernel

Kernel Git Source Tree

Root/kernel/auditfilter.c

interactive