Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit dbe0ca090fcc181319d56c27b90a9946647650a9

Authored by Paul Moore
Committed by Greg Kroah-Hartman
1 parent 1110f3504d

audit: don't attempt to lookup PIDs when changing PID filtering audit rules 

commit 3640dcfa4fd00cd91d88bb86250bdb496f7070c0 upstream.

Commit f1dc4867 ("audit: anchor all pid references in the initial pid
namespace") introduced a find_vpid() call when adding/removing audit
rules with PID/PPID filters; unfortunately this is problematic as
find_vpid() only works if there is a task with the associated PID
alive on the system.  The following commands demonstrate a simple
reproducer.

	# auditctl -D
	# auditctl -l
	# autrace /bin/true
	# auditctl -l

This patch resolves the problem by simply using the PID provided by
the user without any additional validation, e.g. no calls to check to
see if the task/PID exists.

Cc: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 1 changed file with 0 additions and 13 deletions Inline Diff

kernel/auditfilter.c
Diff comments   View file @ dbe0ca0
1 /* auditfilter.c -- filtering of audit events 1 /* auditfilter.c -- filtering of audit events
2 * 2 *
3 * Copyright 2003-2004 Red Hat, Inc. 3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation 5 * Copyright 2005 IBM Corporation
6 * 6 *
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by 8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or 9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version. 10 * (at your option) any later version.
11 * 11 *
12 * This program is distributed in the hope that it will be useful, 12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details. 15 * GNU General Public License for more details.
16 * 16 *
17 * You should have received a copy of the GNU General Public License 17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software 18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */ 20 */
21 21
22 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 22 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
23 23
24 #include <linux/kernel.h> 24 #include <linux/kernel.h>
25 #include <linux/audit.h> 25 #include <linux/audit.h>
26 #include <linux/kthread.h> 26 #include <linux/kthread.h>
27 #include <linux/mutex.h> 27 #include <linux/mutex.h>
28 #include <linux/fs.h> 28 #include <linux/fs.h>
29 #include <linux/namei.h> 29 #include <linux/namei.h>
30 #include <linux/netlink.h> 30 #include <linux/netlink.h>
31 #include <linux/sched.h> 31 #include <linux/sched.h>
32 #include <linux/slab.h> 32 #include <linux/slab.h>
33 #include <linux/security.h> 33 #include <linux/security.h>
34 #include <net/net_namespace.h> 34 #include <net/net_namespace.h>
35 #include <net/sock.h> 35 #include <net/sock.h>
36 #include "audit.h" 36 #include "audit.h"
37 37
38 /* 38 /*
39 * Locking model: 39 * Locking model:
40 * 40 *
41 * audit_filter_mutex: 41 * audit_filter_mutex:
42 * Synchronizes writes and blocking reads of audit's filterlist 42 * Synchronizes writes and blocking reads of audit's filterlist
43 * data. Rcu is used to traverse the filterlist and access 43 * data. Rcu is used to traverse the filterlist and access
44 * contents of structs audit_entry, audit_watch and opaque 44 * contents of structs audit_entry, audit_watch and opaque
45 * LSM rules during filtering. If modified, these structures 45 * LSM rules during filtering. If modified, these structures
46 * must be copied and replace their counterparts in the filterlist. 46 * must be copied and replace their counterparts in the filterlist.
47 * An audit_parent struct is not accessed during filtering, so may 47 * An audit_parent struct is not accessed during filtering, so may
48 * be written directly provided audit_filter_mutex is held. 48 * be written directly provided audit_filter_mutex is held.
49 */ 49 */
50 50
51 /* Audit filter lists, defined in <linux/audit.h> */ 51 /* Audit filter lists, defined in <linux/audit.h> */
52 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 52 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
53 LIST_HEAD_INIT(audit_filter_list[0]), 53 LIST_HEAD_INIT(audit_filter_list[0]),
54 LIST_HEAD_INIT(audit_filter_list[1]), 54 LIST_HEAD_INIT(audit_filter_list[1]),
55 LIST_HEAD_INIT(audit_filter_list[2]), 55 LIST_HEAD_INIT(audit_filter_list[2]),
56 LIST_HEAD_INIT(audit_filter_list[3]), 56 LIST_HEAD_INIT(audit_filter_list[3]),
57 LIST_HEAD_INIT(audit_filter_list[4]), 57 LIST_HEAD_INIT(audit_filter_list[4]),
58 LIST_HEAD_INIT(audit_filter_list[5]), 58 LIST_HEAD_INIT(audit_filter_list[5]),
59 #if AUDIT_NR_FILTERS != 6 59 #if AUDIT_NR_FILTERS != 6
60 #error Fix audit_filter_list initialiser 60 #error Fix audit_filter_list initialiser
61 #endif 61 #endif
62 }; 62 };
63 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { 63 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
64 LIST_HEAD_INIT(audit_rules_list[0]), 64 LIST_HEAD_INIT(audit_rules_list[0]),
65 LIST_HEAD_INIT(audit_rules_list[1]), 65 LIST_HEAD_INIT(audit_rules_list[1]),
66 LIST_HEAD_INIT(audit_rules_list[2]), 66 LIST_HEAD_INIT(audit_rules_list[2]),
67 LIST_HEAD_INIT(audit_rules_list[3]), 67 LIST_HEAD_INIT(audit_rules_list[3]),
68 LIST_HEAD_INIT(audit_rules_list[4]), 68 LIST_HEAD_INIT(audit_rules_list[4]),
69 LIST_HEAD_INIT(audit_rules_list[5]), 69 LIST_HEAD_INIT(audit_rules_list[5]),
70 }; 70 };
71 71
72 DEFINE_MUTEX(audit_filter_mutex); 72 DEFINE_MUTEX(audit_filter_mutex);
73 73
74 static void audit_free_lsm_field(struct audit_field *f) 74 static void audit_free_lsm_field(struct audit_field *f)
75 { 75 {
76 switch (f->type) { 76 switch (f->type) {
77 case AUDIT_SUBJ_USER: 77 case AUDIT_SUBJ_USER:
78 case AUDIT_SUBJ_ROLE: 78 case AUDIT_SUBJ_ROLE:
79 case AUDIT_SUBJ_TYPE: 79 case AUDIT_SUBJ_TYPE:
80 case AUDIT_SUBJ_SEN: 80 case AUDIT_SUBJ_SEN:
81 case AUDIT_SUBJ_CLR: 81 case AUDIT_SUBJ_CLR:
82 case AUDIT_OBJ_USER: 82 case AUDIT_OBJ_USER:
83 case AUDIT_OBJ_ROLE: 83 case AUDIT_OBJ_ROLE:
84 case AUDIT_OBJ_TYPE: 84 case AUDIT_OBJ_TYPE:
85 case AUDIT_OBJ_LEV_LOW: 85 case AUDIT_OBJ_LEV_LOW:
86 case AUDIT_OBJ_LEV_HIGH: 86 case AUDIT_OBJ_LEV_HIGH:
87 kfree(f->lsm_str); 87 kfree(f->lsm_str);
88 security_audit_rule_free(f->lsm_rule); 88 security_audit_rule_free(f->lsm_rule);
89 } 89 }
90 } 90 }
91 91
92 static inline void audit_free_rule(struct audit_entry *e) 92 static inline void audit_free_rule(struct audit_entry *e)
93 { 93 {
94 int i; 94 int i;
95 struct audit_krule *erule = &e->rule; 95 struct audit_krule *erule = &e->rule;
96 96
97 /* some rules don't have associated watches */ 97 /* some rules don't have associated watches */
98 if (erule->watch) 98 if (erule->watch)
99 audit_put_watch(erule->watch); 99 audit_put_watch(erule->watch);
100 if (erule->fields) 100 if (erule->fields)
101 for (i = 0; i < erule->field_count; i++) 101 for (i = 0; i < erule->field_count; i++)
102 audit_free_lsm_field(&erule->fields[i]); 102 audit_free_lsm_field(&erule->fields[i]);
103 kfree(erule->fields); 103 kfree(erule->fields);
104 kfree(erule->filterkey); 104 kfree(erule->filterkey);
105 kfree(e); 105 kfree(e);
106 } 106 }
107 107
108 void audit_free_rule_rcu(struct rcu_head *head) 108 void audit_free_rule_rcu(struct rcu_head *head)
109 { 109 {
110 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 110 struct audit_entry *e = container_of(head, struct audit_entry, rcu);
111 audit_free_rule(e); 111 audit_free_rule(e);
112 } 112 }
113 113
114 /* Initialize an audit filterlist entry. */ 114 /* Initialize an audit filterlist entry. */
115 static inline struct audit_entry *audit_init_entry(u32 field_count) 115 static inline struct audit_entry *audit_init_entry(u32 field_count)
116 { 116 {
117 struct audit_entry *entry; 117 struct audit_entry *entry;
118 struct audit_field *fields; 118 struct audit_field *fields;
119 119
120 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 120 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
121 if (unlikely(!entry)) 121 if (unlikely(!entry))
122 return NULL; 122 return NULL;
123 123
124 fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL); 124 fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
125 if (unlikely(!fields)) { 125 if (unlikely(!fields)) {
126 kfree(entry); 126 kfree(entry);
127 return NULL; 127 return NULL;
128 } 128 }
129 entry->rule.fields = fields; 129 entry->rule.fields = fields;
130 130
131 return entry; 131 return entry;
132 } 132 }
133 133
134 /* Unpack a filter field's string representation from user-space 134 /* Unpack a filter field's string representation from user-space
135 * buffer. */ 135 * buffer. */
136 char *audit_unpack_string(void **bufp, size_t *remain, size_t len) 136 char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
137 { 137 {
138 char *str; 138 char *str;
139 139
140 if (!*bufp || (len == 0) || (len > *remain)) 140 if (!*bufp || (len == 0) || (len > *remain))
141 return ERR_PTR(-EINVAL); 141 return ERR_PTR(-EINVAL);
142 142
143 /* Of the currently implemented string fields, PATH_MAX 143 /* Of the currently implemented string fields, PATH_MAX
144 * defines the longest valid length. 144 * defines the longest valid length.
145 */ 145 */
146 if (len > PATH_MAX) 146 if (len > PATH_MAX)
147 return ERR_PTR(-ENAMETOOLONG); 147 return ERR_PTR(-ENAMETOOLONG);
148 148
149 str = kmalloc(len + 1, GFP_KERNEL); 149 str = kmalloc(len + 1, GFP_KERNEL);
150 if (unlikely(!str)) 150 if (unlikely(!str))
151 return ERR_PTR(-ENOMEM); 151 return ERR_PTR(-ENOMEM);
152 152
153 memcpy(str, *bufp, len); 153 memcpy(str, *bufp, len);
154 str[len] = 0; 154 str[len] = 0;
155 *bufp += len; 155 *bufp += len;
156 *remain -= len; 156 *remain -= len;
157 157
158 return str; 158 return str;
159 } 159 }
160 160
161 /* Translate an inode field to kernel respresentation. */ 161 /* Translate an inode field to kernel respresentation. */
162 static inline int audit_to_inode(struct audit_krule *krule, 162 static inline int audit_to_inode(struct audit_krule *krule,
163 struct audit_field *f) 163 struct audit_field *f)
164 { 164 {
165 if (krule->listnr != AUDIT_FILTER_EXIT || 165 if (krule->listnr != AUDIT_FILTER_EXIT ||
166 krule->inode_f || krule->watch || krule->tree || 166 krule->inode_f || krule->watch || krule->tree ||
167 (f->op != Audit_equal && f->op != Audit_not_equal)) 167 (f->op != Audit_equal && f->op != Audit_not_equal))
168 return -EINVAL; 168 return -EINVAL;
169 169
170 krule->inode_f = f; 170 krule->inode_f = f;
171 return 0; 171 return 0;
172 } 172 }
173 173
174 static __u32 *classes[AUDIT_SYSCALL_CLASSES]; 174 static __u32 *classes[AUDIT_SYSCALL_CLASSES];
175 175
176 int __init audit_register_class(int class, unsigned *list) 176 int __init audit_register_class(int class, unsigned *list)
177 { 177 {
178 __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL); 178 __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
179 if (!p) 179 if (!p)
180 return -ENOMEM; 180 return -ENOMEM;
181 while (*list != ~0U) { 181 while (*list != ~0U) {
182 unsigned n = *list++; 182 unsigned n = *list++;
183 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) { 183 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
184 kfree(p); 184 kfree(p);
185 return -EINVAL; 185 return -EINVAL;
186 } 186 }
187 p[AUDIT_WORD(n)] |= AUDIT_BIT(n); 187 p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
188 } 188 }
189 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) { 189 if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
190 kfree(p); 190 kfree(p);
191 return -EINVAL; 191 return -EINVAL;
192 } 192 }
193 classes[class] = p; 193 classes[class] = p;
194 return 0; 194 return 0;
195 } 195 }
196 196
197 int audit_match_class(int class, unsigned syscall) 197 int audit_match_class(int class, unsigned syscall)
198 { 198 {
199 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) 199 if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
200 return 0; 200 return 0;
201 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) 201 if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
202 return 0; 202 return 0;
203 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 203 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
204 } 204 }
205 205
206 #ifdef CONFIG_AUDITSYSCALL 206 #ifdef CONFIG_AUDITSYSCALL
207 static inline int audit_match_class_bits(int class, u32 *mask) 207 static inline int audit_match_class_bits(int class, u32 *mask)
208 { 208 {
209 int i; 209 int i;
210 210
211 if (classes[class]) { 211 if (classes[class]) {
212 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 212 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
213 if (mask[i] & classes[class][i]) 213 if (mask[i] & classes[class][i])
214 return 0; 214 return 0;
215 } 215 }
216 return 1; 216 return 1;
217 } 217 }
218 218
219 static int audit_match_signal(struct audit_entry *entry) 219 static int audit_match_signal(struct audit_entry *entry)
220 { 220 {
221 struct audit_field *arch = entry->rule.arch_f; 221 struct audit_field *arch = entry->rule.arch_f;
222 222
223 if (!arch) { 223 if (!arch) {
224 /* When arch is unspecified, we must check both masks on biarch 224 /* When arch is unspecified, we must check both masks on biarch
225 * as syscall number alone is ambiguous. */ 225 * as syscall number alone is ambiguous. */
226 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 226 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
227 entry->rule.mask) && 227 entry->rule.mask) &&
228 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 228 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
229 entry->rule.mask)); 229 entry->rule.mask));
230 } 230 }
231 231
232 switch(audit_classify_arch(arch->val)) { 232 switch(audit_classify_arch(arch->val)) {
233 case 0: /* native */ 233 case 0: /* native */
234 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, 234 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
235 entry->rule.mask)); 235 entry->rule.mask));
236 case 1: /* 32bit on biarch */ 236 case 1: /* 32bit on biarch */
237 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, 237 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
238 entry->rule.mask)); 238 entry->rule.mask));
239 default: 239 default:
240 return 1; 240 return 1;
241 } 241 }
242 } 242 }
243 #endif 243 #endif
244 244
245 /* Common user-space to kernel rule translation. */ 245 /* Common user-space to kernel rule translation. */
246 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule) 246 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
247 { 247 {
248 unsigned listnr; 248 unsigned listnr;
249 struct audit_entry *entry; 249 struct audit_entry *entry;
250 int i, err; 250 int i, err;
251 251
252 err = -EINVAL; 252 err = -EINVAL;
253 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; 253 listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
254 switch(listnr) { 254 switch(listnr) {
255 default: 255 default:
256 goto exit_err; 256 goto exit_err;
257 #ifdef CONFIG_AUDITSYSCALL 257 #ifdef CONFIG_AUDITSYSCALL
258 case AUDIT_FILTER_ENTRY: 258 case AUDIT_FILTER_ENTRY:
259 if (rule->action == AUDIT_ALWAYS) 259 if (rule->action == AUDIT_ALWAYS)
260 goto exit_err; 260 goto exit_err;
261 case AUDIT_FILTER_EXIT: 261 case AUDIT_FILTER_EXIT:
262 case AUDIT_FILTER_TASK: 262 case AUDIT_FILTER_TASK:
263 #endif 263 #endif
264 case AUDIT_FILTER_USER: 264 case AUDIT_FILTER_USER:
265 case AUDIT_FILTER_TYPE: 265 case AUDIT_FILTER_TYPE:
266 ; 266 ;
267 } 267 }
268 if (unlikely(rule->action == AUDIT_POSSIBLE)) { 268 if (unlikely(rule->action == AUDIT_POSSIBLE)) {
269 pr_err("AUDIT_POSSIBLE is deprecated\n"); 269 pr_err("AUDIT_POSSIBLE is deprecated\n");
270 goto exit_err; 270 goto exit_err;
271 } 271 }
272 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) 272 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
273 goto exit_err; 273 goto exit_err;
274 if (rule->field_count > AUDIT_MAX_FIELDS) 274 if (rule->field_count > AUDIT_MAX_FIELDS)
275 goto exit_err; 275 goto exit_err;
276 276
277 err = -ENOMEM; 277 err = -ENOMEM;
278 entry = audit_init_entry(rule->field_count); 278 entry = audit_init_entry(rule->field_count);
279 if (!entry) 279 if (!entry)
280 goto exit_err; 280 goto exit_err;
281 281
282 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; 282 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
283 entry->rule.listnr = listnr; 283 entry->rule.listnr = listnr;
284 entry->rule.action = rule->action; 284 entry->rule.action = rule->action;
285 entry->rule.field_count = rule->field_count; 285 entry->rule.field_count = rule->field_count;
286 286
287 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 287 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
288 entry->rule.mask[i] = rule->mask[i]; 288 entry->rule.mask[i] = rule->mask[i];
289 289
290 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) { 290 for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
291 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1; 291 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
292 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; 292 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
293 __u32 *class; 293 __u32 *class;
294 294
295 if (!(*p & AUDIT_BIT(bit))) 295 if (!(*p & AUDIT_BIT(bit)))
296 continue; 296 continue;
297 *p &= ~AUDIT_BIT(bit); 297 *p &= ~AUDIT_BIT(bit);
298 class = classes[i]; 298 class = classes[i];
299 if (class) { 299 if (class) {
300 int j; 300 int j;
301 for (j = 0; j < AUDIT_BITMASK_SIZE; j++) 301 for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
302 entry->rule.mask[j] |= class[j]; 302 entry->rule.mask[j] |= class[j];
303 } 303 }
304 } 304 }
305 305
306 return entry; 306 return entry;
307 307
308 exit_err: 308 exit_err:
309 return ERR_PTR(err); 309 return ERR_PTR(err);
310 } 310 }
311 311
312 static u32 audit_ops[] = 312 static u32 audit_ops[] =
313 { 313 {
314 [Audit_equal] = AUDIT_EQUAL, 314 [Audit_equal] = AUDIT_EQUAL,
315 [Audit_not_equal] = AUDIT_NOT_EQUAL, 315 [Audit_not_equal] = AUDIT_NOT_EQUAL,
316 [Audit_bitmask] = AUDIT_BIT_MASK, 316 [Audit_bitmask] = AUDIT_BIT_MASK,
317 [Audit_bittest] = AUDIT_BIT_TEST, 317 [Audit_bittest] = AUDIT_BIT_TEST,
318 [Audit_lt] = AUDIT_LESS_THAN, 318 [Audit_lt] = AUDIT_LESS_THAN,
319 [Audit_gt] = AUDIT_GREATER_THAN, 319 [Audit_gt] = AUDIT_GREATER_THAN,
320 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL, 320 [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
321 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL, 321 [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
322 }; 322 };
323 323
324 static u32 audit_to_op(u32 op) 324 static u32 audit_to_op(u32 op)
325 { 325 {
326 u32 n; 326 u32 n;
327 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++) 327 for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
328 ; 328 ;
329 return n; 329 return n;
330 } 330 }
331 331
332 /* check if an audit field is valid */ 332 /* check if an audit field is valid */
333 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) 333 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
334 { 334 {
335 switch(f->type) { 335 switch(f->type) {
336 case AUDIT_MSGTYPE: 336 case AUDIT_MSGTYPE:
337 if (entry->rule.listnr != AUDIT_FILTER_TYPE && 337 if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
338 entry->rule.listnr != AUDIT_FILTER_USER) 338 entry->rule.listnr != AUDIT_FILTER_USER)
339 return -EINVAL; 339 return -EINVAL;
340 break; 340 break;
341 }; 341 };
342 342
343 switch(f->type) { 343 switch(f->type) {
344 default: 344 default:
345 return -EINVAL; 345 return -EINVAL;
346 case AUDIT_UID: 346 case AUDIT_UID:
347 case AUDIT_EUID: 347 case AUDIT_EUID:
348 case AUDIT_SUID: 348 case AUDIT_SUID:
349 case AUDIT_FSUID: 349 case AUDIT_FSUID:
350 case AUDIT_LOGINUID: 350 case AUDIT_LOGINUID:
351 case AUDIT_OBJ_UID: 351 case AUDIT_OBJ_UID:
352 case AUDIT_GID: 352 case AUDIT_GID:
353 case AUDIT_EGID: 353 case AUDIT_EGID:
354 case AUDIT_SGID: 354 case AUDIT_SGID:
355 case AUDIT_FSGID: 355 case AUDIT_FSGID:
356 case AUDIT_OBJ_GID: 356 case AUDIT_OBJ_GID:
357 case AUDIT_PID: 357 case AUDIT_PID:
358 case AUDIT_PERS: 358 case AUDIT_PERS:
359 case AUDIT_MSGTYPE: 359 case AUDIT_MSGTYPE:
360 case AUDIT_PPID: 360 case AUDIT_PPID:
361 case AUDIT_DEVMAJOR: 361 case AUDIT_DEVMAJOR:
362 case AUDIT_DEVMINOR: 362 case AUDIT_DEVMINOR:
363 case AUDIT_EXIT: 363 case AUDIT_EXIT:
364 case AUDIT_SUCCESS: 364 case AUDIT_SUCCESS:
365 case AUDIT_INODE: 365 case AUDIT_INODE:
366 /* bit ops are only useful on syscall args */ 366 /* bit ops are only useful on syscall args */
367 if (f->op == Audit_bitmask || f->op == Audit_bittest) 367 if (f->op == Audit_bitmask || f->op == Audit_bittest)
368 return -EINVAL; 368 return -EINVAL;
369 break; 369 break;
370 case AUDIT_ARG0: 370 case AUDIT_ARG0:
371 case AUDIT_ARG1: 371 case AUDIT_ARG1:
372 case AUDIT_ARG2: 372 case AUDIT_ARG2:
373 case AUDIT_ARG3: 373 case AUDIT_ARG3:
374 case AUDIT_SUBJ_USER: 374 case AUDIT_SUBJ_USER:
375 case AUDIT_SUBJ_ROLE: 375 case AUDIT_SUBJ_ROLE:
376 case AUDIT_SUBJ_TYPE: 376 case AUDIT_SUBJ_TYPE:
377 case AUDIT_SUBJ_SEN: 377 case AUDIT_SUBJ_SEN:
378 case AUDIT_SUBJ_CLR: 378 case AUDIT_SUBJ_CLR:
379 case AUDIT_OBJ_USER: 379 case AUDIT_OBJ_USER:
380 case AUDIT_OBJ_ROLE: 380 case AUDIT_OBJ_ROLE:
381 case AUDIT_OBJ_TYPE: 381 case AUDIT_OBJ_TYPE:
382 case AUDIT_OBJ_LEV_LOW: 382 case AUDIT_OBJ_LEV_LOW:
383 case AUDIT_OBJ_LEV_HIGH: 383 case AUDIT_OBJ_LEV_HIGH:
384 case AUDIT_WATCH: 384 case AUDIT_WATCH:
385 case AUDIT_DIR: 385 case AUDIT_DIR:
386 case AUDIT_FILTERKEY: 386 case AUDIT_FILTERKEY:
387 break; 387 break;
388 case AUDIT_LOGINUID_SET: 388 case AUDIT_LOGINUID_SET:
389 if ((f->val != 0) && (f->val != 1)) 389 if ((f->val != 0) && (f->val != 1))
390 return -EINVAL; 390 return -EINVAL;
391 /* FALL THROUGH */ 391 /* FALL THROUGH */
392 case AUDIT_ARCH: 392 case AUDIT_ARCH:
393 if (f->op != Audit_not_equal && f->op != Audit_equal) 393 if (f->op != Audit_not_equal && f->op != Audit_equal)
394 return -EINVAL; 394 return -EINVAL;
395 break; 395 break;
396 case AUDIT_PERM: 396 case AUDIT_PERM:
397 if (f->val & ~15) 397 if (f->val & ~15)
398 return -EINVAL; 398 return -EINVAL;
399 break; 399 break;
400 case AUDIT_FILETYPE: 400 case AUDIT_FILETYPE:
401 if (f->val & ~S_IFMT) 401 if (f->val & ~S_IFMT)
402 return -EINVAL; 402 return -EINVAL;
403 break; 403 break;
404 case AUDIT_FIELD_COMPARE: 404 case AUDIT_FIELD_COMPARE:
405 if (f->val > AUDIT_MAX_FIELD_COMPARE) 405 if (f->val > AUDIT_MAX_FIELD_COMPARE)
406 return -EINVAL; 406 return -EINVAL;
407 break; 407 break;
408 }; 408 };
409 return 0; 409 return 0;
410 } 410 }
411 411
412 /* Translate struct audit_rule_data to kernel's rule respresentation. */ 412 /* Translate struct audit_rule_data to kernel's rule respresentation. */
413 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 413 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
414 size_t datasz) 414 size_t datasz)
415 { 415 {
416 int err = 0; 416 int err = 0;
417 struct audit_entry *entry; 417 struct audit_entry *entry;
418 void *bufp; 418 void *bufp;
419 size_t remain = datasz - sizeof(struct audit_rule_data); 419 size_t remain = datasz - sizeof(struct audit_rule_data);
420 int i; 420 int i;
421 char *str; 421 char *str;
422 422
423 entry = audit_to_entry_common(data); 423 entry = audit_to_entry_common(data);
424 if (IS_ERR(entry)) 424 if (IS_ERR(entry))
425 goto exit_nofree; 425 goto exit_nofree;
426 426
427 bufp = data->buf; 427 bufp = data->buf;
428 entry->rule.vers_ops = 2; 428 entry->rule.vers_ops = 2;
429 for (i = 0; i < data->field_count; i++) { 429 for (i = 0; i < data->field_count; i++) {
430 struct audit_field *f = &entry->rule.fields[i]; 430 struct audit_field *f = &entry->rule.fields[i];
431 431
432 err = -EINVAL; 432 err = -EINVAL;
433 433
434 f->op = audit_to_op(data->fieldflags[i]); 434 f->op = audit_to_op(data->fieldflags[i]);
435 if (f->op == Audit_bad) 435 if (f->op == Audit_bad)
436 goto exit_free; 436 goto exit_free;
437 437
438 f->type = data->fields[i]; 438 f->type = data->fields[i];
439 f->val = data->values[i]; 439 f->val = data->values[i];
440 440
441 /* Support legacy tests for a valid loginuid */ 441 /* Support legacy tests for a valid loginuid */
442 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { 442 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
443 f->type = AUDIT_LOGINUID_SET; 443 f->type = AUDIT_LOGINUID_SET;
444 f->val = 0; 444 f->val = 0;
445 } 445 }
446 446
447 if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
448 struct pid *pid;
449 rcu_read_lock();
450 pid = find_vpid(f->val);
451 if (!pid) {
452 rcu_read_unlock();
453 err = -ESRCH;
454 goto exit_free;
455 }
456 f->val = pid_nr(pid);
457 rcu_read_unlock();
458 }
459
460 err = audit_field_valid(entry, f); 447 err = audit_field_valid(entry, f);
461 if (err) 448 if (err)
462 goto exit_free; 449 goto exit_free;
463 450
464 err = -EINVAL; 451 err = -EINVAL;
465 switch (f->type) { 452 switch (f->type) {
466 case AUDIT_LOGINUID: 453 case AUDIT_LOGINUID:
467 case AUDIT_UID: 454 case AUDIT_UID:
468 case AUDIT_EUID: 455 case AUDIT_EUID:
469 case AUDIT_SUID: 456 case AUDIT_SUID:
470 case AUDIT_FSUID: 457 case AUDIT_FSUID:
471 case AUDIT_OBJ_UID: 458 case AUDIT_OBJ_UID:
472 f->uid = make_kuid(current_user_ns(), f->val); 459 f->uid = make_kuid(current_user_ns(), f->val);
473 if (!uid_valid(f->uid)) 460 if (!uid_valid(f->uid))
474 goto exit_free; 461 goto exit_free;
475 break; 462 break;
476 case AUDIT_GID: 463 case AUDIT_GID:
477 case AUDIT_EGID: 464 case AUDIT_EGID:
478 case AUDIT_SGID: 465 case AUDIT_SGID:
479 case AUDIT_FSGID: 466 case AUDIT_FSGID:
480 case AUDIT_OBJ_GID: 467 case AUDIT_OBJ_GID:
481 f->gid = make_kgid(current_user_ns(), f->val); 468 f->gid = make_kgid(current_user_ns(), f->val);
482 if (!gid_valid(f->gid)) 469 if (!gid_valid(f->gid))
483 goto exit_free; 470 goto exit_free;
484 break; 471 break;
485 case AUDIT_ARCH: 472 case AUDIT_ARCH:
486 entry->rule.arch_f = f; 473 entry->rule.arch_f = f;
487 break; 474 break;
488 case AUDIT_SUBJ_USER: 475 case AUDIT_SUBJ_USER:
489 case AUDIT_SUBJ_ROLE: 476 case AUDIT_SUBJ_ROLE:
490 case AUDIT_SUBJ_TYPE: 477 case AUDIT_SUBJ_TYPE:
491 case AUDIT_SUBJ_SEN: 478 case AUDIT_SUBJ_SEN:
492 case AUDIT_SUBJ_CLR: 479 case AUDIT_SUBJ_CLR:
493 case AUDIT_OBJ_USER: 480 case AUDIT_OBJ_USER:
494 case AUDIT_OBJ_ROLE: 481 case AUDIT_OBJ_ROLE:
495 case AUDIT_OBJ_TYPE: 482 case AUDIT_OBJ_TYPE:
496 case AUDIT_OBJ_LEV_LOW: 483 case AUDIT_OBJ_LEV_LOW:
497 case AUDIT_OBJ_LEV_HIGH: 484 case AUDIT_OBJ_LEV_HIGH:
498 str = audit_unpack_string(&bufp, &remain, f->val); 485 str = audit_unpack_string(&bufp, &remain, f->val);
499 if (IS_ERR(str)) 486 if (IS_ERR(str))
500 goto exit_free; 487 goto exit_free;
501 entry->rule.buflen += f->val; 488 entry->rule.buflen += f->val;
502 489
503 err = security_audit_rule_init(f->type, f->op, str, 490 err = security_audit_rule_init(f->type, f->op, str,
504 (void **)&f->lsm_rule); 491 (void **)&f->lsm_rule);
505 /* Keep currently invalid fields around in case they 492 /* Keep currently invalid fields around in case they
506 * become valid after a policy reload. */ 493 * become valid after a policy reload. */
507 if (err == -EINVAL) { 494 if (err == -EINVAL) {
508 pr_warn("audit rule for LSM \'%s\' is invalid\n", 495 pr_warn("audit rule for LSM \'%s\' is invalid\n",
509 str); 496 str);
510 err = 0; 497 err = 0;
511 } 498 }
512 if (err) { 499 if (err) {
513 kfree(str); 500 kfree(str);
514 goto exit_free; 501 goto exit_free;
515 } else 502 } else
516 f->lsm_str = str; 503 f->lsm_str = str;
517 break; 504 break;
518 case AUDIT_WATCH: 505 case AUDIT_WATCH:
519 str = audit_unpack_string(&bufp, &remain, f->val); 506 str = audit_unpack_string(&bufp, &remain, f->val);
520 if (IS_ERR(str)) 507 if (IS_ERR(str))
521 goto exit_free; 508 goto exit_free;
522 entry->rule.buflen += f->val; 509 entry->rule.buflen += f->val;
523 510
524 err = audit_to_watch(&entry->rule, str, f->val, f->op); 511 err = audit_to_watch(&entry->rule, str, f->val, f->op);
525 if (err) { 512 if (err) {
526 kfree(str); 513 kfree(str);
527 goto exit_free; 514 goto exit_free;
528 } 515 }
529 break; 516 break;
530 case AUDIT_DIR: 517 case AUDIT_DIR:
531 str = audit_unpack_string(&bufp, &remain, f->val); 518 str = audit_unpack_string(&bufp, &remain, f->val);
532 if (IS_ERR(str)) 519 if (IS_ERR(str))
533 goto exit_free; 520 goto exit_free;
534 entry->rule.buflen += f->val; 521 entry->rule.buflen += f->val;
535 522
536 err = audit_make_tree(&entry->rule, str, f->op); 523 err = audit_make_tree(&entry->rule, str, f->op);
537 kfree(str); 524 kfree(str);
538 if (err) 525 if (err)
539 goto exit_free; 526 goto exit_free;
540 break; 527 break;
541 case AUDIT_INODE: 528 case AUDIT_INODE:
542 err = audit_to_inode(&entry->rule, f); 529 err = audit_to_inode(&entry->rule, f);
543 if (err) 530 if (err)
544 goto exit_free; 531 goto exit_free;
545 break; 532 break;
546 case AUDIT_FILTERKEY: 533 case AUDIT_FILTERKEY:
547 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) 534 if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
548 goto exit_free; 535 goto exit_free;
549 str = audit_unpack_string(&bufp, &remain, f->val); 536 str = audit_unpack_string(&bufp, &remain, f->val);
550 if (IS_ERR(str)) 537 if (IS_ERR(str))
551 goto exit_free; 538 goto exit_free;
552 entry->rule.buflen += f->val; 539 entry->rule.buflen += f->val;
553 entry->rule.filterkey = str; 540 entry->rule.filterkey = str;
554 break; 541 break;
555 } 542 }
556 } 543 }
557 544
558 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) 545 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
559 entry->rule.inode_f = NULL; 546 entry->rule.inode_f = NULL;
560 547
561 exit_nofree: 548 exit_nofree:
562 return entry; 549 return entry;
563 550
564 exit_free: 551 exit_free:
565 if (entry->rule.watch) 552 if (entry->rule.watch)
566 audit_put_watch(entry->rule.watch); /* matches initial get */ 553 audit_put_watch(entry->rule.watch); /* matches initial get */
567 if (entry->rule.tree) 554 if (entry->rule.tree)
568 audit_put_tree(entry->rule.tree); /* that's the temporary one */ 555 audit_put_tree(entry->rule.tree); /* that's the temporary one */
569 audit_free_rule(entry); 556 audit_free_rule(entry);
570 return ERR_PTR(err); 557 return ERR_PTR(err);
571 } 558 }
572 559
573 /* Pack a filter field's string representation into data block. */ 560 /* Pack a filter field's string representation into data block. */
574 static inline size_t audit_pack_string(void **bufp, const char *str) 561 static inline size_t audit_pack_string(void **bufp, const char *str)
575 { 562 {
576 size_t len = strlen(str); 563 size_t len = strlen(str);
577 564
578 memcpy(*bufp, str, len); 565 memcpy(*bufp, str, len);
579 *bufp += len; 566 *bufp += len;
580 567
581 return len; 568 return len;
582 } 569 }
583 570
584 /* Translate kernel rule respresentation to struct audit_rule_data. */ 571 /* Translate kernel rule respresentation to struct audit_rule_data. */
585 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) 572 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
586 { 573 {
587 struct audit_rule_data *data; 574 struct audit_rule_data *data;
588 void *bufp; 575 void *bufp;
589 int i; 576 int i;
590 577
591 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); 578 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
592 if (unlikely(!data)) 579 if (unlikely(!data))
593 return NULL; 580 return NULL;
594 memset(data, 0, sizeof(*data)); 581 memset(data, 0, sizeof(*data));
595 582
596 data->flags = krule->flags | krule->listnr; 583 data->flags = krule->flags | krule->listnr;
597 data->action = krule->action; 584 data->action = krule->action;
598 data->field_count = krule->field_count; 585 data->field_count = krule->field_count;
599 bufp = data->buf; 586 bufp = data->buf;
600 for (i = 0; i < data->field_count; i++) { 587 for (i = 0; i < data->field_count; i++) {
601 struct audit_field *f = &krule->fields[i]; 588 struct audit_field *f = &krule->fields[i];
602 589
603 data->fields[i] = f->type; 590 data->fields[i] = f->type;
604 data->fieldflags[i] = audit_ops[f->op]; 591 data->fieldflags[i] = audit_ops[f->op];
605 switch(f->type) { 592 switch(f->type) {
606 case AUDIT_SUBJ_USER: 593 case AUDIT_SUBJ_USER:
607 case AUDIT_SUBJ_ROLE: 594 case AUDIT_SUBJ_ROLE:
608 case AUDIT_SUBJ_TYPE: 595 case AUDIT_SUBJ_TYPE:
609 case AUDIT_SUBJ_SEN: 596 case AUDIT_SUBJ_SEN:
610 case AUDIT_SUBJ_CLR: 597 case AUDIT_SUBJ_CLR:
611 case AUDIT_OBJ_USER: 598 case AUDIT_OBJ_USER:
612 case AUDIT_OBJ_ROLE: 599 case AUDIT_OBJ_ROLE:
613 case AUDIT_OBJ_TYPE: 600 case AUDIT_OBJ_TYPE:
614 case AUDIT_OBJ_LEV_LOW: 601 case AUDIT_OBJ_LEV_LOW:
615 case AUDIT_OBJ_LEV_HIGH: 602 case AUDIT_OBJ_LEV_HIGH:
616 data->buflen += data->values[i] = 603 data->buflen += data->values[i] =
617 audit_pack_string(&bufp, f->lsm_str); 604 audit_pack_string(&bufp, f->lsm_str);
618 break; 605 break;
619 case AUDIT_WATCH: 606 case AUDIT_WATCH:
620 data->buflen += data->values[i] = 607 data->buflen += data->values[i] =
621 audit_pack_string(&bufp, 608 audit_pack_string(&bufp,
622 audit_watch_path(krule->watch)); 609 audit_watch_path(krule->watch));
623 break; 610 break;
624 case AUDIT_DIR: 611 case AUDIT_DIR:
625 data->buflen += data->values[i] = 612 data->buflen += data->values[i] =
626 audit_pack_string(&bufp, 613 audit_pack_string(&bufp,
627 audit_tree_path(krule->tree)); 614 audit_tree_path(krule->tree));
628 break; 615 break;
629 case AUDIT_FILTERKEY: 616 case AUDIT_FILTERKEY:
630 data->buflen += data->values[i] = 617 data->buflen += data->values[i] =
631 audit_pack_string(&bufp, krule->filterkey); 618 audit_pack_string(&bufp, krule->filterkey);
632 break; 619 break;
633 default: 620 default:
634 data->values[i] = f->val; 621 data->values[i] = f->val;
635 } 622 }
636 } 623 }
637 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; 624 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
638 625
639 return data; 626 return data;
640 } 627 }
641 628
642 /* Compare two rules in kernel format. Considered success if rules 629 /* Compare two rules in kernel format. Considered success if rules
643 * don't match. */ 630 * don't match. */
644 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) 631 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
645 { 632 {
646 int i; 633 int i;
647 634
648 if (a->flags != b->flags || 635 if (a->flags != b->flags ||
649 a->listnr != b->listnr || 636 a->listnr != b->listnr ||
650 a->action != b->action || 637 a->action != b->action ||
651 a->field_count != b->field_count) 638 a->field_count != b->field_count)
652 return 1; 639 return 1;
653 640
654 for (i = 0; i < a->field_count; i++) { 641 for (i = 0; i < a->field_count; i++) {
655 if (a->fields[i].type != b->fields[i].type || 642 if (a->fields[i].type != b->fields[i].type ||
656 a->fields[i].op != b->fields[i].op) 643 a->fields[i].op != b->fields[i].op)
657 return 1; 644 return 1;
658 645
659 switch(a->fields[i].type) { 646 switch(a->fields[i].type) {
660 case AUDIT_SUBJ_USER: 647 case AUDIT_SUBJ_USER:
661 case AUDIT_SUBJ_ROLE: 648 case AUDIT_SUBJ_ROLE:
662 case AUDIT_SUBJ_TYPE: 649 case AUDIT_SUBJ_TYPE:
663 case AUDIT_SUBJ_SEN: 650 case AUDIT_SUBJ_SEN:
664 case AUDIT_SUBJ_CLR: 651 case AUDIT_SUBJ_CLR:
665 case AUDIT_OBJ_USER: 652 case AUDIT_OBJ_USER:
666 case AUDIT_OBJ_ROLE: 653 case AUDIT_OBJ_ROLE:
667 case AUDIT_OBJ_TYPE: 654 case AUDIT_OBJ_TYPE:
668 case AUDIT_OBJ_LEV_LOW: 655 case AUDIT_OBJ_LEV_LOW:
669 case AUDIT_OBJ_LEV_HIGH: 656 case AUDIT_OBJ_LEV_HIGH:
670 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str)) 657 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
671 return 1; 658 return 1;
672 break; 659 break;
673 case AUDIT_WATCH: 660 case AUDIT_WATCH:
674 if (strcmp(audit_watch_path(a->watch), 661 if (strcmp(audit_watch_path(a->watch),
675 audit_watch_path(b->watch))) 662 audit_watch_path(b->watch)))
676 return 1; 663 return 1;
677 break; 664 break;
678 case AUDIT_DIR: 665 case AUDIT_DIR:
679 if (strcmp(audit_tree_path(a->tree), 666 if (strcmp(audit_tree_path(a->tree),
680 audit_tree_path(b->tree))) 667 audit_tree_path(b->tree)))
681 return 1; 668 return 1;
682 break; 669 break;
683 case AUDIT_FILTERKEY: 670 case AUDIT_FILTERKEY:
684 /* both filterkeys exist based on above type compare */ 671 /* both filterkeys exist based on above type compare */
685 if (strcmp(a->filterkey, b->filterkey)) 672 if (strcmp(a->filterkey, b->filterkey))
686 return 1; 673 return 1;
687 break; 674 break;
688 case AUDIT_UID: 675 case AUDIT_UID:
689 case AUDIT_EUID: 676 case AUDIT_EUID:
690 case AUDIT_SUID: 677 case AUDIT_SUID:
691 case AUDIT_FSUID: 678 case AUDIT_FSUID:
692 case AUDIT_LOGINUID: 679 case AUDIT_LOGINUID:
693 case AUDIT_OBJ_UID: 680 case AUDIT_OBJ_UID:
694 if (!uid_eq(a->fields[i].uid, b->fields[i].uid)) 681 if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
695 return 1; 682 return 1;
696 break; 683 break;
697 case AUDIT_GID: 684 case AUDIT_GID:
698 case AUDIT_EGID: 685 case AUDIT_EGID:
699 case AUDIT_SGID: 686 case AUDIT_SGID:
700 case AUDIT_FSGID: 687 case AUDIT_FSGID:
701 case AUDIT_OBJ_GID: 688 case AUDIT_OBJ_GID:
702 if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) 689 if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
703 return 1; 690 return 1;
704 break; 691 break;
705 default: 692 default:
706 if (a->fields[i].val != b->fields[i].val) 693 if (a->fields[i].val != b->fields[i].val)
707 return 1; 694 return 1;
708 } 695 }
709 } 696 }
710 697
711 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 698 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
712 if (a->mask[i] != b->mask[i]) 699 if (a->mask[i] != b->mask[i])
713 return 1; 700 return 1;
714 701
715 return 0; 702 return 0;
716 } 703 }
717 704
718 /* Duplicate LSM field information. The lsm_rule is opaque, so must be 705 /* Duplicate LSM field information. The lsm_rule is opaque, so must be
719 * re-initialized. */ 706 * re-initialized. */
720 static inline int audit_dupe_lsm_field(struct audit_field *df, 707 static inline int audit_dupe_lsm_field(struct audit_field *df,
721 struct audit_field *sf) 708 struct audit_field *sf)
722 { 709 {
723 int ret = 0; 710 int ret = 0;
724 char *lsm_str; 711 char *lsm_str;
725 712
726 /* our own copy of lsm_str */ 713 /* our own copy of lsm_str */
727 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL); 714 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
728 if (unlikely(!lsm_str)) 715 if (unlikely(!lsm_str))
729 return -ENOMEM; 716 return -ENOMEM;
730 df->lsm_str = lsm_str; 717 df->lsm_str = lsm_str;
731 718
732 /* our own (refreshed) copy of lsm_rule */ 719 /* our own (refreshed) copy of lsm_rule */
733 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 720 ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
734 (void **)&df->lsm_rule); 721 (void **)&df->lsm_rule);
735 /* Keep currently invalid fields around in case they 722 /* Keep currently invalid fields around in case they
736 * become valid after a policy reload. */ 723 * become valid after a policy reload. */
737 if (ret == -EINVAL) { 724 if (ret == -EINVAL) {
738 pr_warn("audit rule for LSM \'%s\' is invalid\n", 725 pr_warn("audit rule for LSM \'%s\' is invalid\n",
739 df->lsm_str); 726 df->lsm_str);
740 ret = 0; 727 ret = 0;
741 } 728 }
742 729
743 return ret; 730 return ret;
744 } 731 }
745 732
746 /* Duplicate an audit rule. This will be a deep copy with the exception 733 /* Duplicate an audit rule. This will be a deep copy with the exception
747 * of the watch - that pointer is carried over. The LSM specific fields 734 * of the watch - that pointer is carried over. The LSM specific fields
748 * will be updated in the copy. The point is to be able to replace the old 735 * will be updated in the copy. The point is to be able to replace the old
749 * rule with the new rule in the filterlist, then free the old rule. 736 * rule with the new rule in the filterlist, then free the old rule.
750 * The rlist element is undefined; list manipulations are handled apart from 737 * The rlist element is undefined; list manipulations are handled apart from
751 * the initial copy. */ 738 * the initial copy. */
752 struct audit_entry *audit_dupe_rule(struct audit_krule *old) 739 struct audit_entry *audit_dupe_rule(struct audit_krule *old)
753 { 740 {
754 u32 fcount = old->field_count; 741 u32 fcount = old->field_count;
755 struct audit_entry *entry; 742 struct audit_entry *entry;
756 struct audit_krule *new; 743 struct audit_krule *new;
757 char *fk; 744 char *fk;
758 int i, err = 0; 745 int i, err = 0;
759 746
760 entry = audit_init_entry(fcount); 747 entry = audit_init_entry(fcount);
761 if (unlikely(!entry)) 748 if (unlikely(!entry))
762 return ERR_PTR(-ENOMEM); 749 return ERR_PTR(-ENOMEM);
763 750
764 new = &entry->rule; 751 new = &entry->rule;
765 new->vers_ops = old->vers_ops; 752 new->vers_ops = old->vers_ops;
766 new->flags = old->flags; 753 new->flags = old->flags;
767 new->listnr = old->listnr; 754 new->listnr = old->listnr;
768 new->action = old->action; 755 new->action = old->action;
769 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 756 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
770 new->mask[i] = old->mask[i]; 757 new->mask[i] = old->mask[i];
771 new->prio = old->prio; 758 new->prio = old->prio;
772 new->buflen = old->buflen; 759 new->buflen = old->buflen;
773 new->inode_f = old->inode_f; 760 new->inode_f = old->inode_f;
774 new->field_count = old->field_count; 761 new->field_count = old->field_count;
775 762
776 /* 763 /*
777 * note that we are OK with not refcounting here; audit_match_tree() 764 * note that we are OK with not refcounting here; audit_match_tree()
778 * never dereferences tree and we can't get false positives there 765 * never dereferences tree and we can't get false positives there
779 * since we'd have to have rule gone from the list *and* removed 766 * since we'd have to have rule gone from the list *and* removed
780 * before the chunks found by lookup had been allocated, i.e. before 767 * before the chunks found by lookup had been allocated, i.e. before
781 * the beginning of list scan. 768 * the beginning of list scan.
782 */ 769 */
783 new->tree = old->tree; 770 new->tree = old->tree;
784 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 771 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
785 772
786 /* deep copy this information, updating the lsm_rule fields, because 773 /* deep copy this information, updating the lsm_rule fields, because
787 * the originals will all be freed when the old rule is freed. */ 774 * the originals will all be freed when the old rule is freed. */
788 for (i = 0; i < fcount; i++) { 775 for (i = 0; i < fcount; i++) {
789 switch (new->fields[i].type) { 776 switch (new->fields[i].type) {
790 case AUDIT_SUBJ_USER: 777 case AUDIT_SUBJ_USER:
791 case AUDIT_SUBJ_ROLE: 778 case AUDIT_SUBJ_ROLE:
792 case AUDIT_SUBJ_TYPE: 779 case AUDIT_SUBJ_TYPE:
793 case AUDIT_SUBJ_SEN: 780 case AUDIT_SUBJ_SEN:
794 case AUDIT_SUBJ_CLR: 781 case AUDIT_SUBJ_CLR:
795 case AUDIT_OBJ_USER: 782 case AUDIT_OBJ_USER:
796 case AUDIT_OBJ_ROLE: 783 case AUDIT_OBJ_ROLE:
797 case AUDIT_OBJ_TYPE: 784 case AUDIT_OBJ_TYPE:
798 case AUDIT_OBJ_LEV_LOW: 785 case AUDIT_OBJ_LEV_LOW:
799 case AUDIT_OBJ_LEV_HIGH: 786 case AUDIT_OBJ_LEV_HIGH:
800 err = audit_dupe_lsm_field(&new->fields[i], 787 err = audit_dupe_lsm_field(&new->fields[i],
801 &old->fields[i]); 788 &old->fields[i]);
802 break; 789 break;
803 case AUDIT_FILTERKEY: 790 case AUDIT_FILTERKEY:
804 fk = kstrdup(old->filterkey, GFP_KERNEL); 791 fk = kstrdup(old->filterkey, GFP_KERNEL);
805 if (unlikely(!fk)) 792 if (unlikely(!fk))
806 err = -ENOMEM; 793 err = -ENOMEM;
807 else 794 else
808 new->filterkey = fk; 795 new->filterkey = fk;
809 } 796 }
810 if (err) { 797 if (err) {
811 audit_free_rule(entry); 798 audit_free_rule(entry);
812 return ERR_PTR(err); 799 return ERR_PTR(err);
813 } 800 }
814 } 801 }
815 802
816 if (old->watch) { 803 if (old->watch) {
817 audit_get_watch(old->watch); 804 audit_get_watch(old->watch);
818 new->watch = old->watch; 805 new->watch = old->watch;
819 } 806 }
820 807
821 return entry; 808 return entry;
822 } 809 }
823 810
824 /* Find an existing audit rule. 811 /* Find an existing audit rule.
825 * Caller must hold audit_filter_mutex to prevent stale rule data. */ 812 * Caller must hold audit_filter_mutex to prevent stale rule data. */
826 static struct audit_entry *audit_find_rule(struct audit_entry *entry, 813 static struct audit_entry *audit_find_rule(struct audit_entry *entry,
827 struct list_head **p) 814 struct list_head **p)
828 { 815 {
829 struct audit_entry *e, *found = NULL; 816 struct audit_entry *e, *found = NULL;
830 struct list_head *list; 817 struct list_head *list;
831 int h; 818 int h;
832 819
833 if (entry->rule.inode_f) { 820 if (entry->rule.inode_f) {
834 h = audit_hash_ino(entry->rule.inode_f->val); 821 h = audit_hash_ino(entry->rule.inode_f->val);
835 *p = list = &audit_inode_hash[h]; 822 *p = list = &audit_inode_hash[h];
836 } else if (entry->rule.watch) { 823 } else if (entry->rule.watch) {
837 /* we don't know the inode number, so must walk entire hash */ 824 /* we don't know the inode number, so must walk entire hash */
838 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { 825 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
839 list = &audit_inode_hash[h]; 826 list = &audit_inode_hash[h];
840 list_for_each_entry(e, list, list) 827 list_for_each_entry(e, list, list)
841 if (!audit_compare_rule(&entry->rule, &e->rule)) { 828 if (!audit_compare_rule(&entry->rule, &e->rule)) {
842 found = e; 829 found = e;
843 goto out; 830 goto out;
844 } 831 }
845 } 832 }
846 goto out; 833 goto out;
847 } else { 834 } else {
848 *p = list = &audit_filter_list[entry->rule.listnr]; 835 *p = list = &audit_filter_list[entry->rule.listnr];
849 } 836 }
850 837
851 list_for_each_entry(e, list, list) 838 list_for_each_entry(e, list, list)
852 if (!audit_compare_rule(&entry->rule, &e->rule)) { 839 if (!audit_compare_rule(&entry->rule, &e->rule)) {
853 found = e; 840 found = e;
854 goto out; 841 goto out;
855 } 842 }
856 843
857 out: 844 out:
858 return found; 845 return found;
859 } 846 }
860 847
861 static u64 prio_low = ~0ULL/2; 848 static u64 prio_low = ~0ULL/2;
862 static u64 prio_high = ~0ULL/2 - 1; 849 static u64 prio_high = ~0ULL/2 - 1;
863 850
864 /* Add rule to given filterlist if not a duplicate. */ 851 /* Add rule to given filterlist if not a duplicate. */
865 static inline int audit_add_rule(struct audit_entry *entry) 852 static inline int audit_add_rule(struct audit_entry *entry)
866 { 853 {
867 struct audit_entry *e; 854 struct audit_entry *e;
868 struct audit_watch *watch = entry->rule.watch; 855 struct audit_watch *watch = entry->rule.watch;
869 struct audit_tree *tree = entry->rule.tree; 856 struct audit_tree *tree = entry->rule.tree;
870 struct list_head *list; 857 struct list_head *list;
871 int err; 858 int err;
872 #ifdef CONFIG_AUDITSYSCALL 859 #ifdef CONFIG_AUDITSYSCALL
873 int dont_count = 0; 860 int dont_count = 0;
874 861
875 /* If either of these, don't count towards total */ 862 /* If either of these, don't count towards total */
876 if (entry->rule.listnr == AUDIT_FILTER_USER || 863 if (entry->rule.listnr == AUDIT_FILTER_USER ||
877 entry->rule.listnr == AUDIT_FILTER_TYPE) 864 entry->rule.listnr == AUDIT_FILTER_TYPE)
878 dont_count = 1; 865 dont_count = 1;
879 #endif 866 #endif
880 867
881 mutex_lock(&audit_filter_mutex); 868 mutex_lock(&audit_filter_mutex);
882 e = audit_find_rule(entry, &list); 869 e = audit_find_rule(entry, &list);
883 if (e) { 870 if (e) {
884 mutex_unlock(&audit_filter_mutex); 871 mutex_unlock(&audit_filter_mutex);
885 err = -EEXIST; 872 err = -EEXIST;
886 /* normally audit_add_tree_rule() will free it on failure */ 873 /* normally audit_add_tree_rule() will free it on failure */
887 if (tree) 874 if (tree)
888 audit_put_tree(tree); 875 audit_put_tree(tree);
889 goto error; 876 goto error;
890 } 877 }
891 878
892 if (watch) { 879 if (watch) {
893 /* audit_filter_mutex is dropped and re-taken during this call */ 880 /* audit_filter_mutex is dropped and re-taken during this call */
894 err = audit_add_watch(&entry->rule, &list); 881 err = audit_add_watch(&entry->rule, &list);
895 if (err) { 882 if (err) {
896 mutex_unlock(&audit_filter_mutex); 883 mutex_unlock(&audit_filter_mutex);
897 /* 884 /*
898 * normally audit_add_tree_rule() will free it 885 * normally audit_add_tree_rule() will free it
899 * on failure 886 * on failure
900 */ 887 */
901 if (tree) 888 if (tree)
902 audit_put_tree(tree); 889 audit_put_tree(tree);
903 goto error; 890 goto error;
904 } 891 }
905 } 892 }
906 if (tree) { 893 if (tree) {
907 err = audit_add_tree_rule(&entry->rule); 894 err = audit_add_tree_rule(&entry->rule);
908 if (err) { 895 if (err) {
909 mutex_unlock(&audit_filter_mutex); 896 mutex_unlock(&audit_filter_mutex);
910 goto error; 897 goto error;
911 } 898 }
912 } 899 }
913 900
914 entry->rule.prio = ~0ULL; 901 entry->rule.prio = ~0ULL;
915 if (entry->rule.listnr == AUDIT_FILTER_EXIT) { 902 if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
916 if (entry->rule.flags & AUDIT_FILTER_PREPEND) 903 if (entry->rule.flags & AUDIT_FILTER_PREPEND)
917 entry->rule.prio = ++prio_high; 904 entry->rule.prio = ++prio_high;
918 else 905 else
919 entry->rule.prio = --prio_low; 906 entry->rule.prio = --prio_low;
920 } 907 }
921 908
922 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 909 if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
923 list_add(&entry->rule.list, 910 list_add(&entry->rule.list,
924 &audit_rules_list[entry->rule.listnr]); 911 &audit_rules_list[entry->rule.listnr]);
925 list_add_rcu(&entry->list, list); 912 list_add_rcu(&entry->list, list);
926 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 913 entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
927 } else { 914 } else {
928 list_add_tail(&entry->rule.list, 915 list_add_tail(&entry->rule.list,
929 &audit_rules_list[entry->rule.listnr]); 916 &audit_rules_list[entry->rule.listnr]);
930 list_add_tail_rcu(&entry->list, list); 917 list_add_tail_rcu(&entry->list, list);
931 } 918 }
932 #ifdef CONFIG_AUDITSYSCALL 919 #ifdef CONFIG_AUDITSYSCALL
933 if (!dont_count) 920 if (!dont_count)
934 audit_n_rules++; 921 audit_n_rules++;
935 922
936 if (!audit_match_signal(entry)) 923 if (!audit_match_signal(entry))
937 audit_signals++; 924 audit_signals++;
938 #endif 925 #endif
939 mutex_unlock(&audit_filter_mutex); 926 mutex_unlock(&audit_filter_mutex);
940 927
941 return 0; 928 return 0;
942 929
943 error: 930 error:
944 if (watch) 931 if (watch)
945 audit_put_watch(watch); /* tmp watch, matches initial get */ 932 audit_put_watch(watch); /* tmp watch, matches initial get */
946 return err; 933 return err;
947 } 934 }
948 935
949 /* Remove an existing rule from filterlist. */ 936 /* Remove an existing rule from filterlist. */
950 static inline int audit_del_rule(struct audit_entry *entry) 937 static inline int audit_del_rule(struct audit_entry *entry)
951 { 938 {
952 struct audit_entry *e; 939 struct audit_entry *e;
953 struct audit_watch *watch = entry->rule.watch; 940 struct audit_watch *watch = entry->rule.watch;
954 struct audit_tree *tree = entry->rule.tree; 941 struct audit_tree *tree = entry->rule.tree;
955 struct list_head *list; 942 struct list_head *list;
956 int ret = 0; 943 int ret = 0;
957 #ifdef CONFIG_AUDITSYSCALL 944 #ifdef CONFIG_AUDITSYSCALL
958 int dont_count = 0; 945 int dont_count = 0;
959 946
960 /* If either of these, don't count towards total */ 947 /* If either of these, don't count towards total */
961 if (entry->rule.listnr == AUDIT_FILTER_USER || 948 if (entry->rule.listnr == AUDIT_FILTER_USER ||
962 entry->rule.listnr == AUDIT_FILTER_TYPE) 949 entry->rule.listnr == AUDIT_FILTER_TYPE)
963 dont_count = 1; 950 dont_count = 1;
964 #endif 951 #endif
965 952
966 mutex_lock(&audit_filter_mutex); 953 mutex_lock(&audit_filter_mutex);
967 e = audit_find_rule(entry, &list); 954 e = audit_find_rule(entry, &list);
968 if (!e) { 955 if (!e) {
969 mutex_unlock(&audit_filter_mutex); 956 mutex_unlock(&audit_filter_mutex);
970 ret = -ENOENT; 957 ret = -ENOENT;
971 goto out; 958 goto out;
972 } 959 }
973 960
974 if (e->rule.watch) 961 if (e->rule.watch)
975 audit_remove_watch_rule(&e->rule); 962 audit_remove_watch_rule(&e->rule);
976 963
977 if (e->rule.tree) 964 if (e->rule.tree)
978 audit_remove_tree_rule(&e->rule); 965 audit_remove_tree_rule(&e->rule);
979 966
980 list_del_rcu(&e->list); 967 list_del_rcu(&e->list);
981 list_del(&e->rule.list); 968 list_del(&e->rule.list);
982 call_rcu(&e->rcu, audit_free_rule_rcu); 969 call_rcu(&e->rcu, audit_free_rule_rcu);
983 970
984 #ifdef CONFIG_AUDITSYSCALL 971 #ifdef CONFIG_AUDITSYSCALL
985 if (!dont_count) 972 if (!dont_count)
986 audit_n_rules--; 973 audit_n_rules--;
987 974
988 if (!audit_match_signal(entry)) 975 if (!audit_match_signal(entry))
989 audit_signals--; 976 audit_signals--;
990 #endif 977 #endif
991 mutex_unlock(&audit_filter_mutex); 978 mutex_unlock(&audit_filter_mutex);
992 979
993 out: 980 out:
994 if (watch) 981 if (watch)
995 audit_put_watch(watch); /* match initial get */ 982 audit_put_watch(watch); /* match initial get */
996 if (tree) 983 if (tree)
997 audit_put_tree(tree); /* that's the temporary one */ 984 audit_put_tree(tree); /* that's the temporary one */
998 985
999 return ret; 986 return ret;
1000 } 987 }
1001 988
1002 /* List rules using struct audit_rule_data. */ 989 /* List rules using struct audit_rule_data. */
1003 static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q) 990 static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
1004 { 991 {
1005 struct sk_buff *skb; 992 struct sk_buff *skb;
1006 struct audit_krule *r; 993 struct audit_krule *r;
1007 int i; 994 int i;
1008 995
1009 /* This is a blocking read, so use audit_filter_mutex instead of rcu 996 /* This is a blocking read, so use audit_filter_mutex instead of rcu
1010 * iterator to sync with list writers. */ 997 * iterator to sync with list writers. */
1011 for (i=0; i<AUDIT_NR_FILTERS; i++) { 998 for (i=0; i<AUDIT_NR_FILTERS; i++) {
1012 list_for_each_entry(r, &audit_rules_list[i], list) { 999 list_for_each_entry(r, &audit_rules_list[i], list) {
1013 struct audit_rule_data *data; 1000 struct audit_rule_data *data;
1014 1001
1015 data = audit_krule_to_data(r); 1002 data = audit_krule_to_data(r);
1016 if (unlikely(!data)) 1003 if (unlikely(!data))
1017 break; 1004 break;
1018 skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1005 skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
1019 0, 1, data, 1006 0, 1, data,
1020 sizeof(*data) + data->buflen); 1007 sizeof(*data) + data->buflen);
1021 if (skb) 1008 if (skb)
1022 skb_queue_tail(q, skb); 1009 skb_queue_tail(q, skb);
1023 kfree(data); 1010 kfree(data);
1024 } 1011 }
1025 } 1012 }
1026 skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 1013 skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1027 if (skb) 1014 if (skb)
1028 skb_queue_tail(q, skb); 1015 skb_queue_tail(q, skb);
1029 } 1016 }
1030 1017
1031 /* Log rule additions and removals */ 1018 /* Log rule additions and removals */
1032 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) 1019 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1033 { 1020 {
1034 struct audit_buffer *ab; 1021 struct audit_buffer *ab;
1035 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1022 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
1036 unsigned int sessionid = audit_get_sessionid(current); 1023 unsigned int sessionid = audit_get_sessionid(current);
1037 1024
1038 if (!audit_enabled) 1025 if (!audit_enabled)
1039 return; 1026 return;
1040 1027
1041 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1028 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1042 if (!ab) 1029 if (!ab)
1043 return; 1030 return;
1044 audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); 1031 audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
1045 audit_log_task_context(ab); 1032 audit_log_task_context(ab);
1046 audit_log_format(ab, " op="); 1033 audit_log_format(ab, " op=");
1047 audit_log_string(ab, action); 1034 audit_log_string(ab, action);
1048 audit_log_key(ab, rule->filterkey); 1035 audit_log_key(ab, rule->filterkey);
1049 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); 1036 audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1050 audit_log_end(ab); 1037 audit_log_end(ab);
1051 } 1038 }
1052 1039
1053 /** 1040 /**
1054 * audit_rule_change - apply all rules to the specified message type 1041 * audit_rule_change - apply all rules to the specified message type
1055 * @type: audit message type 1042 * @type: audit message type
1056 * @portid: target port id for netlink audit messages 1043 * @portid: target port id for netlink audit messages
1057 * @seq: netlink audit message sequence (serial) number 1044 * @seq: netlink audit message sequence (serial) number
1058 * @data: payload data 1045 * @data: payload data
1059 * @datasz: size of payload data 1046 * @datasz: size of payload data
1060 */ 1047 */
1061 int audit_rule_change(int type, __u32 portid, int seq, void *data, 1048 int audit_rule_change(int type, __u32 portid, int seq, void *data,
1062 size_t datasz) 1049 size_t datasz)
1063 { 1050 {
1064 int err = 0; 1051 int err = 0;
1065 struct audit_entry *entry; 1052 struct audit_entry *entry;
1066 1053
1067 entry = audit_data_to_entry(data, datasz); 1054 entry = audit_data_to_entry(data, datasz);
1068 if (IS_ERR(entry)) 1055 if (IS_ERR(entry))
1069 return PTR_ERR(entry); 1056 return PTR_ERR(entry);
1070 1057
1071 switch (type) { 1058 switch (type) {
1072 case AUDIT_ADD_RULE: 1059 case AUDIT_ADD_RULE:
1073 err = audit_add_rule(entry); 1060 err = audit_add_rule(entry);
1074 audit_log_rule_change("add_rule", &entry->rule, !err); 1061 audit_log_rule_change("add_rule", &entry->rule, !err);
1075 break; 1062 break;
1076 case AUDIT_DEL_RULE: 1063 case AUDIT_DEL_RULE:
1077 err = audit_del_rule(entry); 1064 err = audit_del_rule(entry);
1078 audit_log_rule_change("remove_rule", &entry->rule, !err); 1065 audit_log_rule_change("remove_rule", &entry->rule, !err);
1079 break; 1066 break;
1080 default: 1067 default:
1081 err = -EINVAL; 1068 err = -EINVAL;
1082 WARN_ON(1); 1069 WARN_ON(1);
1083 } 1070 }
1084 1071
1085 if (err || type == AUDIT_DEL_RULE) 1072 if (err || type == AUDIT_DEL_RULE)
1086 audit_free_rule(entry); 1073 audit_free_rule(entry);
1087 1074
1088 return err; 1075 return err;
1089 } 1076 }
1090 1077
1091 /** 1078 /**
1092 * audit_list_rules_send - list the audit rules 1079 * audit_list_rules_send - list the audit rules
1093 * @request_skb: skb of request we are replying to (used to target the reply) 1080 * @request_skb: skb of request we are replying to (used to target the reply)
1094 * @seq: netlink audit message sequence (serial) number 1081 * @seq: netlink audit message sequence (serial) number
1095 */ 1082 */
1096 int audit_list_rules_send(struct sk_buff *request_skb, int seq) 1083 int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1097 { 1084 {
1098 u32 portid = NETLINK_CB(request_skb).portid; 1085 u32 portid = NETLINK_CB(request_skb).portid;
1099 struct net *net = sock_net(NETLINK_CB(request_skb).sk); 1086 struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1100 struct task_struct *tsk; 1087 struct task_struct *tsk;
1101 struct audit_netlink_list *dest; 1088 struct audit_netlink_list *dest;
1102 int err = 0; 1089 int err = 0;
1103 1090
1104 /* We can't just spew out the rules here because we might fill 1091 /* We can't just spew out the rules here because we might fill
1105 * the available socket buffer space and deadlock waiting for 1092 * the available socket buffer space and deadlock waiting for
1106 * auditctl to read from it... which isn't ever going to 1093 * auditctl to read from it... which isn't ever going to
1107 * happen if we're actually running in the context of auditctl 1094 * happen if we're actually running in the context of auditctl
1108 * trying to _send_ the stuff */ 1095 * trying to _send_ the stuff */
1109 1096
1110 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1097 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1111 if (!dest) 1098 if (!dest)
1112 return -ENOMEM; 1099 return -ENOMEM;
1113 dest->net = get_net(net); 1100 dest->net = get_net(net);
1114 dest->portid = portid; 1101 dest->portid = portid;
1115 skb_queue_head_init(&dest->q); 1102 skb_queue_head_init(&dest->q);
1116 1103
1117 mutex_lock(&audit_filter_mutex); 1104 mutex_lock(&audit_filter_mutex);
1118 audit_list_rules(portid, seq, &dest->q); 1105 audit_list_rules(portid, seq, &dest->q);
1119 mutex_unlock(&audit_filter_mutex); 1106 mutex_unlock(&audit_filter_mutex);
1120 1107
1121 tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1108 tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1122 if (IS_ERR(tsk)) { 1109 if (IS_ERR(tsk)) {
1123 skb_queue_purge(&dest->q); 1110 skb_queue_purge(&dest->q);
1124 kfree(dest); 1111 kfree(dest);
1125 err = PTR_ERR(tsk); 1112 err = PTR_ERR(tsk);
1126 } 1113 }
1127 1114
1128 return err; 1115 return err;
1129 } 1116 }
1130 1117
1131 int audit_comparator(u32 left, u32 op, u32 right) 1118 int audit_comparator(u32 left, u32 op, u32 right)
1132 { 1119 {
1133 switch (op) { 1120 switch (op) {
1134 case Audit_equal: 1121 case Audit_equal:
1135 return (left == right); 1122 return (left == right);
1136 case Audit_not_equal: 1123 case Audit_not_equal:
1137 return (left != right); 1124 return (left != right);
1138 case Audit_lt: 1125 case Audit_lt:
1139 return (left < right); 1126 return (left < right);
1140 case Audit_le: 1127 case Audit_le:
1141 return (left <= right); 1128 return (left <= right);
1142 case Audit_gt: 1129 case Audit_gt:
1143 return (left > right); 1130 return (left > right);
1144 case Audit_ge: 1131 case Audit_ge:
1145 return (left >= right); 1132 return (left >= right);
1146 case Audit_bitmask: 1133 case Audit_bitmask:
1147 return (left & right); 1134 return (left & right);
1148 case Audit_bittest: 1135 case Audit_bittest:
1149 return ((left & right) == right); 1136 return ((left & right) == right);
1150 default: 1137 default:
1151 BUG(); 1138 BUG();
1152 return 0; 1139 return 0;
1153 } 1140 }
1154 } 1141 }
1155 1142
1156 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) 1143 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1157 { 1144 {
1158 switch (op) { 1145 switch (op) {
1159 case Audit_equal: 1146 case Audit_equal:
1160 return uid_eq(left, right); 1147 return uid_eq(left, right);
1161 case Audit_not_equal: 1148 case Audit_not_equal:
1162 return !uid_eq(left, right); 1149 return !uid_eq(left, right);
1163 case Audit_lt: 1150 case Audit_lt:
1164 return uid_lt(left, right); 1151 return uid_lt(left, right);
1165 case Audit_le: 1152 case Audit_le:
1166 return uid_lte(left, right); 1153 return uid_lte(left, right);
1167 case Audit_gt: 1154 case Audit_gt:
1168 return uid_gt(left, right); 1155 return uid_gt(left, right);
1169 case Audit_ge: 1156 case Audit_ge:
1170 return uid_gte(left, right); 1157 return uid_gte(left, right);
1171 case Audit_bitmask: 1158 case Audit_bitmask:
1172 case Audit_bittest: 1159 case Audit_bittest:
1173 default: 1160 default:
1174 BUG(); 1161 BUG();
1175 return 0; 1162 return 0;
1176 } 1163 }
1177 } 1164 }
1178 1165
1179 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right) 1166 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1180 { 1167 {
1181 switch (op) { 1168 switch (op) {
1182 case Audit_equal: 1169 case Audit_equal:
1183 return gid_eq(left, right); 1170 return gid_eq(left, right);
1184 case Audit_not_equal: 1171 case Audit_not_equal:
1185 return !gid_eq(left, right); 1172 return !gid_eq(left, right);
1186 case Audit_lt: 1173 case Audit_lt:
1187 return gid_lt(left, right); 1174 return gid_lt(left, right);
1188 case Audit_le: 1175 case Audit_le:
1189 return gid_lte(left, right); 1176 return gid_lte(left, right);
1190 case Audit_gt: 1177 case Audit_gt:
1191 return gid_gt(left, right); 1178 return gid_gt(left, right);
1192 case Audit_ge: 1179 case Audit_ge:
1193 return gid_gte(left, right); 1180 return gid_gte(left, right);
1194 case Audit_bitmask: 1181 case Audit_bitmask:
1195 case Audit_bittest: 1182 case Audit_bittest:
1196 default: 1183 default:
1197 BUG(); 1184 BUG();
1198 return 0; 1185 return 0;
1199 } 1186 }
1200 } 1187 }
1201 1188
1202 /** 1189 /**
1203 * parent_len - find the length of the parent portion of a pathname 1190 * parent_len - find the length of the parent portion of a pathname
1204 * @path: pathname of which to determine length 1191 * @path: pathname of which to determine length
1205 */ 1192 */
1206 int parent_len(const char *path) 1193 int parent_len(const char *path)
1207 { 1194 {
1208 int plen; 1195 int plen;
1209 const char *p; 1196 const char *p;
1210 1197
1211 plen = strlen(path); 1198 plen = strlen(path);
1212 1199
1213 if (plen == 0) 1200 if (plen == 0)
1214 return plen; 1201 return plen;
1215 1202
1216 /* disregard trailing slashes */ 1203 /* disregard trailing slashes */
1217 p = path + plen - 1; 1204 p = path + plen - 1;
1218 while ((*p == '/') && (p > path)) 1205 while ((*p == '/') && (p > path))
1219 p--; 1206 p--;
1220 1207
1221 /* walk backward until we find the next slash or hit beginning */ 1208 /* walk backward until we find the next slash or hit beginning */
1222 while ((*p != '/') && (p > path)) 1209 while ((*p != '/') && (p > path))
1223 p--; 1210 p--;
1224 1211
1225 /* did we find a slash? Then increment to include it in path */ 1212 /* did we find a slash? Then increment to include it in path */
1226 if (*p == '/') 1213 if (*p == '/')
1227 p++; 1214 p++;
1228 1215
1229 return p - path; 1216 return p - path;
1230 } 1217 }
1231 1218
1232 /** 1219 /**
1233 * audit_compare_dname_path - compare given dentry name with last component in 1220 * audit_compare_dname_path - compare given dentry name with last component in
1234 * given path. Return of 0 indicates a match. 1221 * given path. Return of 0 indicates a match.
1235 * @dname: dentry name that we're comparing 1222 * @dname: dentry name that we're comparing
1236 * @path: full pathname that we're comparing 1223 * @path: full pathname that we're comparing
1237 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL 1224 * @parentlen: length of the parent if known. Passing in AUDIT_NAME_FULL
1238 * here indicates that we must compute this value. 1225 * here indicates that we must compute this value.
1239 */ 1226 */
1240 int audit_compare_dname_path(const char *dname, const char *path, int parentlen) 1227 int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1241 { 1228 {
1242 int dlen, pathlen; 1229 int dlen, pathlen;
1243 const char *p; 1230 const char *p;
1244 1231
1245 dlen = strlen(dname); 1232 dlen = strlen(dname);
1246 pathlen = strlen(path); 1233 pathlen = strlen(path);
1247 if (pathlen < dlen) 1234 if (pathlen < dlen)
1248 return 1; 1235 return 1;
1249 1236
1250 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen; 1237 parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1251 if (pathlen - parentlen != dlen) 1238 if (pathlen - parentlen != dlen)
1252 return 1; 1239 return 1;
1253 1240
1254 p = path + parentlen; 1241 p = path + parentlen;
1255 1242
1256 return strncmp(p, dname, dlen); 1243 return strncmp(p, dname, dlen);
1257 } 1244 }
1258 1245
1259 static int audit_filter_user_rules(struct audit_krule *rule, int type, 1246 static int audit_filter_user_rules(struct audit_krule *rule, int type,
1260 enum audit_state *state) 1247 enum audit_state *state)
1261 { 1248 {
1262 int i; 1249 int i;
1263 1250
1264 for (i = 0; i < rule->field_count; i++) { 1251 for (i = 0; i < rule->field_count; i++) {
1265 struct audit_field *f = &rule->fields[i]; 1252 struct audit_field *f = &rule->fields[i];
1266 pid_t pid; 1253 pid_t pid;
1267 int result = 0; 1254 int result = 0;
1268 u32 sid; 1255 u32 sid;
1269 1256
1270 switch (f->type) { 1257 switch (f->type) {
1271 case AUDIT_PID: 1258 case AUDIT_PID:
1272 pid = task_pid_nr(current); 1259 pid = task_pid_nr(current);
1273 result = audit_comparator(pid, f->op, f->val); 1260 result = audit_comparator(pid, f->op, f->val);
1274 break; 1261 break;
1275 case AUDIT_UID: 1262 case AUDIT_UID:
1276 result = audit_uid_comparator(current_uid(), f->op, f->uid); 1263 result = audit_uid_comparator(current_uid(), f->op, f->uid);
1277 break; 1264 break;
1278 case AUDIT_GID: 1265 case AUDIT_GID:
1279 result = audit_gid_comparator(current_gid(), f->op, f->gid); 1266 result = audit_gid_comparator(current_gid(), f->op, f->gid);
1280 break; 1267 break;
1281 case AUDIT_LOGINUID: 1268 case AUDIT_LOGINUID:
1282 result = audit_uid_comparator(audit_get_loginuid(current), 1269 result = audit_uid_comparator(audit_get_loginuid(current),
1283 f->op, f->uid); 1270 f->op, f->uid);
1284 break; 1271 break;
1285 case AUDIT_LOGINUID_SET: 1272 case AUDIT_LOGINUID_SET:
1286 result = audit_comparator(audit_loginuid_set(current), 1273 result = audit_comparator(audit_loginuid_set(current),
1287 f->op, f->val); 1274 f->op, f->val);
1288 break; 1275 break;
1289 case AUDIT_MSGTYPE: 1276 case AUDIT_MSGTYPE:
1290 result = audit_comparator(type, f->op, f->val); 1277 result = audit_comparator(type, f->op, f->val);
1291 break; 1278 break;
1292 case AUDIT_SUBJ_USER: 1279 case AUDIT_SUBJ_USER:
1293 case AUDIT_SUBJ_ROLE: 1280 case AUDIT_SUBJ_ROLE:
1294 case AUDIT_SUBJ_TYPE: 1281 case AUDIT_SUBJ_TYPE:
1295 case AUDIT_SUBJ_SEN: 1282 case AUDIT_SUBJ_SEN:
1296 case AUDIT_SUBJ_CLR: 1283 case AUDIT_SUBJ_CLR:
1297 if (f->lsm_rule) { 1284 if (f->lsm_rule) {
1298 security_task_getsecid(current, &sid); 1285 security_task_getsecid(current, &sid);
1299 result = security_audit_rule_match(sid, 1286 result = security_audit_rule_match(sid,
1300 f->type, 1287 f->type,
1301 f->op, 1288 f->op,
1302 f->lsm_rule, 1289 f->lsm_rule,
1303 NULL); 1290 NULL);
1304 } 1291 }
1305 break; 1292 break;
1306 } 1293 }
1307 1294
1308 if (!result) 1295 if (!result)
1309 return 0; 1296 return 0;
1310 } 1297 }
1311 switch (rule->action) { 1298 switch (rule->action) {
1312 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 1299 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
1313 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 1300 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
1314 } 1301 }
1315 return 1; 1302 return 1;
1316 } 1303 }
1317 1304
1318 int audit_filter_user(int type) 1305 int audit_filter_user(int type)
1319 { 1306 {
1320 enum audit_state state = AUDIT_DISABLED; 1307 enum audit_state state = AUDIT_DISABLED;
1321 struct audit_entry *e; 1308 struct audit_entry *e;
1322 int rc, ret; 1309 int rc, ret;
1323 1310
1324 ret = 1; /* Audit by default */ 1311 ret = 1; /* Audit by default */
1325 1312
1326 rcu_read_lock(); 1313 rcu_read_lock();
1327 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1314 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1328 rc = audit_filter_user_rules(&e->rule, type, &state); 1315 rc = audit_filter_user_rules(&e->rule, type, &state);
1329 if (rc) { 1316 if (rc) {
1330 if (rc > 0 && state == AUDIT_DISABLED) 1317 if (rc > 0 && state == AUDIT_DISABLED)
1331 ret = 0; 1318 ret = 0;
1332 break; 1319 break;
1333 } 1320 }
1334 } 1321 }
1335 rcu_read_unlock(); 1322 rcu_read_unlock();
1336 1323
1337 return ret; 1324 return ret;
1338 } 1325 }
1339 1326
1340 int audit_filter_type(int type) 1327 int audit_filter_type(int type)
1341 { 1328 {
1342 struct audit_entry *e; 1329 struct audit_entry *e;
1343 int result = 0; 1330 int result = 0;
1344 1331
1345 rcu_read_lock(); 1332 rcu_read_lock();
1346 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) 1333 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1347 goto unlock_and_return; 1334 goto unlock_and_return;
1348 1335
1349 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], 1336 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1350 list) { 1337 list) {
1351 int i; 1338 int i;
1352 for (i = 0; i < e->rule.field_count; i++) { 1339 for (i = 0; i < e->rule.field_count; i++) {
1353 struct audit_field *f = &e->rule.fields[i]; 1340 struct audit_field *f = &e->rule.fields[i];
1354 if (f->type == AUDIT_MSGTYPE) { 1341 if (f->type == AUDIT_MSGTYPE) {
1355 result = audit_comparator(type, f->op, f->val); 1342 result = audit_comparator(type, f->op, f->val);
1356 if (!result) 1343 if (!result)
1357 break; 1344 break;
1358 } 1345 }
1359 } 1346 }
1360 if (result) 1347 if (result)
1361 goto unlock_and_return; 1348 goto unlock_and_return;
1362 } 1349 }
1363 unlock_and_return: 1350 unlock_and_return:
1364 rcu_read_unlock(); 1351 rcu_read_unlock();
1365 return result; 1352 return result;
1366 } 1353 }
1367 1354
1368 static int update_lsm_rule(struct audit_krule *r) 1355 static int update_lsm_rule(struct audit_krule *r)
1369 { 1356 {
1370 struct audit_entry *entry = container_of(r, struct audit_entry, rule); 1357 struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1371 struct audit_entry *nentry; 1358 struct audit_entry *nentry;
1372 int err = 0; 1359 int err = 0;
1373 1360
1374 if (!security_audit_rule_known(r)) 1361 if (!security_audit_rule_known(r))
1375 return 0; 1362 return 0;
1376 1363
1377 nentry = audit_dupe_rule(r); 1364 nentry = audit_dupe_rule(r);
1378 if (IS_ERR(nentry)) { 1365 if (IS_ERR(nentry)) {
1379 /* save the first error encountered for the 1366 /* save the first error encountered for the
1380 * return value */ 1367 * return value */
1381 err = PTR_ERR(nentry); 1368 err = PTR_ERR(nentry);
1382 audit_panic("error updating LSM filters"); 1369 audit_panic("error updating LSM filters");
1383 if (r->watch) 1370 if (r->watch)
1384 list_del(&r->rlist); 1371 list_del(&r->rlist);
1385 list_del_rcu(&entry->list); 1372 list_del_rcu(&entry->list);
1386 list_del(&r->list); 1373 list_del(&r->list);
1387 } else { 1374 } else {
1388 if (r->watch || r->tree) 1375 if (r->watch || r->tree)
1389 list_replace_init(&r->rlist, &nentry->rule.rlist); 1376 list_replace_init(&r->rlist, &nentry->rule.rlist);
1390 list_replace_rcu(&entry->list, &nentry->list); 1377 list_replace_rcu(&entry->list, &nentry->list);
1391 list_replace(&r->list, &nentry->rule.list); 1378 list_replace(&r->list, &nentry->rule.list);
1392 } 1379 }
1393 call_rcu(&entry->rcu, audit_free_rule_rcu); 1380 call_rcu(&entry->rcu, audit_free_rule_rcu);
1394 1381
1395 return err; 1382 return err;
1396 } 1383 }
1397 1384
1398 /* This function will re-initialize the lsm_rule field of all applicable rules. 1385 /* This function will re-initialize the lsm_rule field of all applicable rules.
1399 * It will traverse the filter lists serarching for rules that contain LSM 1386 * It will traverse the filter lists serarching for rules that contain LSM
1400 * specific filter fields. When such a rule is found, it is copied, the 1387 * specific filter fields. When such a rule is found, it is copied, the
1401 * LSM field is re-initialized, and the old rule is replaced with the 1388 * LSM field is re-initialized, and the old rule is replaced with the
1402 * updated rule. */ 1389 * updated rule. */
1403 int audit_update_lsm_rules(void) 1390 int audit_update_lsm_rules(void)
1404 { 1391 {
1405 struct audit_krule *r, *n; 1392 struct audit_krule *r, *n;
1406 int i, err = 0; 1393 int i, err = 0;
1407 1394
1408 /* audit_filter_mutex synchronizes the writers */ 1395 /* audit_filter_mutex synchronizes the writers */
1409 mutex_lock(&audit_filter_mutex); 1396 mutex_lock(&audit_filter_mutex);
1410 1397
1411 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1398 for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1412 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) { 1399 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1413 int res = update_lsm_rule(r); 1400 int res = update_lsm_rule(r);
1414 if (!err) 1401 if (!err)
1415 err = res; 1402 err = res;
1416 } 1403 }
1417 } 1404 }
1418 mutex_unlock(&audit_filter_mutex); 1405 mutex_unlock(&audit_filter_mutex);
1419 1406
1420 return err; 1407 return err;
1421 } 1408 }
1422 1409