1 /* auditfilter.c -- filtering of audit events
3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include <linux/kernel.h>
23 #include <linux/audit.h>
24 #include <linux/kthread.h>
25 #include <linux/mutex.h>
27 #include <linux/namei.h>
28 #include <linux/netlink.h>
29 #include <linux/sched.h>
30 #include <linux/inotify.h>
31 #include <linux/security.h>
38 * Synchronizes writes and blocking reads of audit's filterlist
39 * data. Rcu is used to traverse the filterlist and access
40 * contents of structs audit_entry, audit_watch and opaque
41 * LSM rules during filtering. If modified, these structures
42 * must be copied and replace their counterparts in the filterlist.
43 * An audit_parent struct is not accessed during filtering, so may
44 * be written directly provided audit_filter_mutex is held.
50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED
51 * event. Each audit_watch holds a reference to its associated parent.
53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to
54 * audit_remove_watch(). Additionally, an audit_watch may exist
55 * temporarily to assist in searching existing filter data. Each
56 * audit_krule holds a reference to its associated watch.
60 struct list_head ilist
; /* entry in inotify registration list */
61 struct list_head watches
; /* associated watches */
62 struct inotify_watch wdata
; /* inotify watch data */
63 unsigned flags
; /* status flags */
67 * audit_parent status flags:
69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to
70 * a filesystem event to ensure we're adding audit watches to a valid parent.
71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot
72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which
73 * we can receive while holding nameidata.
75 #define AUDIT_PARENT_INVALID 0x001
77 /* Audit filter lists, defined in <linux/audit.h> */
78 struct list_head audit_filter_list
[AUDIT_NR_FILTERS
] = {
79 LIST_HEAD_INIT(audit_filter_list
[0]),
80 LIST_HEAD_INIT(audit_filter_list
[1]),
81 LIST_HEAD_INIT(audit_filter_list
[2]),
82 LIST_HEAD_INIT(audit_filter_list
[3]),
83 LIST_HEAD_INIT(audit_filter_list
[4]),
84 LIST_HEAD_INIT(audit_filter_list
[5]),
85 #if AUDIT_NR_FILTERS != 6
86 #error Fix audit_filter_list initialiser
89 static struct list_head audit_rules_list
[AUDIT_NR_FILTERS
] = {
90 LIST_HEAD_INIT(audit_rules_list
[0]),
91 LIST_HEAD_INIT(audit_rules_list
[1]),
92 LIST_HEAD_INIT(audit_rules_list
[2]),
93 LIST_HEAD_INIT(audit_rules_list
[3]),
94 LIST_HEAD_INIT(audit_rules_list
[4]),
95 LIST_HEAD_INIT(audit_rules_list
[5]),
98 DEFINE_MUTEX(audit_filter_mutex
);
100 /* Inotify events we care about. */
101 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
103 void audit_free_parent(struct inotify_watch
*i_watch
)
105 struct audit_parent
*parent
;
107 parent
= container_of(i_watch
, struct audit_parent
, wdata
);
108 WARN_ON(!list_empty(&parent
->watches
));
112 static inline void audit_get_watch(struct audit_watch
*watch
)
114 atomic_inc(&watch
->count
);
117 static void audit_put_watch(struct audit_watch
*watch
)
119 if (atomic_dec_and_test(&watch
->count
)) {
120 WARN_ON(watch
->parent
);
121 WARN_ON(!list_empty(&watch
->rules
));
127 static void audit_remove_watch(struct audit_watch
*watch
)
129 list_del(&watch
->wlist
);
130 put_inotify_watch(&watch
->parent
->wdata
);
131 watch
->parent
= NULL
;
132 audit_put_watch(watch
); /* match initial get */
135 static inline void audit_free_rule(struct audit_entry
*e
)
139 /* some rules don't have associated watches */
141 audit_put_watch(e
->rule
.watch
);
143 for (i
= 0; i
< e
->rule
.field_count
; i
++) {
144 struct audit_field
*f
= &e
->rule
.fields
[i
];
146 security_audit_rule_free(f
->lsm_rule
);
148 kfree(e
->rule
.fields
);
149 kfree(e
->rule
.filterkey
);
153 void audit_free_rule_rcu(struct rcu_head
*head
)
155 struct audit_entry
*e
= container_of(head
, struct audit_entry
, rcu
);
159 /* Initialize a parent watch entry. */
160 static struct audit_parent
*audit_init_parent(struct nameidata
*ndp
)
162 struct audit_parent
*parent
;
165 parent
= kzalloc(sizeof(*parent
), GFP_KERNEL
);
166 if (unlikely(!parent
))
167 return ERR_PTR(-ENOMEM
);
169 INIT_LIST_HEAD(&parent
->watches
);
172 inotify_init_watch(&parent
->wdata
);
173 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */
174 get_inotify_watch(&parent
->wdata
);
175 wd
= inotify_add_watch(audit_ih
, &parent
->wdata
,
176 ndp
->path
.dentry
->d_inode
, AUDIT_IN_WATCH
);
178 audit_free_parent(&parent
->wdata
);
185 /* Initialize a watch entry. */
186 static struct audit_watch
*audit_init_watch(char *path
)
188 struct audit_watch
*watch
;
190 watch
= kzalloc(sizeof(*watch
), GFP_KERNEL
);
191 if (unlikely(!watch
))
192 return ERR_PTR(-ENOMEM
);
194 INIT_LIST_HEAD(&watch
->rules
);
195 atomic_set(&watch
->count
, 1);
197 watch
->dev
= (dev_t
)-1;
198 watch
->ino
= (unsigned long)-1;
203 /* Initialize an audit filterlist entry. */
204 static inline struct audit_entry
*audit_init_entry(u32 field_count
)
206 struct audit_entry
*entry
;
207 struct audit_field
*fields
;
209 entry
= kzalloc(sizeof(*entry
), GFP_KERNEL
);
210 if (unlikely(!entry
))
213 fields
= kzalloc(sizeof(*fields
) * field_count
, GFP_KERNEL
);
214 if (unlikely(!fields
)) {
218 entry
->rule
.fields
= fields
;
223 /* Unpack a filter field's string representation from user-space
225 char *audit_unpack_string(void **bufp
, size_t *remain
, size_t len
)
229 if (!*bufp
|| (len
== 0) || (len
> *remain
))
230 return ERR_PTR(-EINVAL
);
232 /* Of the currently implemented string fields, PATH_MAX
233 * defines the longest valid length.
236 return ERR_PTR(-ENAMETOOLONG
);
238 str
= kmalloc(len
+ 1, GFP_KERNEL
);
240 return ERR_PTR(-ENOMEM
);
242 memcpy(str
, *bufp
, len
);
250 /* Translate an inode field to kernel respresentation. */
251 static inline int audit_to_inode(struct audit_krule
*krule
,
252 struct audit_field
*f
)
254 if (krule
->listnr
!= AUDIT_FILTER_EXIT
||
255 krule
->watch
|| krule
->inode_f
|| krule
->tree
)
262 /* Translate a watch string to kernel respresentation. */
263 static int audit_to_watch(struct audit_krule
*krule
, char *path
, int len
,
266 struct audit_watch
*watch
;
271 if (path
[0] != '/' || path
[len
-1] == '/' ||
272 krule
->listnr
!= AUDIT_FILTER_EXIT
||
274 krule
->inode_f
|| krule
->watch
|| krule
->tree
)
277 watch
= audit_init_watch(path
);
279 return PTR_ERR(watch
);
281 audit_get_watch(watch
);
282 krule
->watch
= watch
;
287 static __u32
*classes
[AUDIT_SYSCALL_CLASSES
];
289 int __init
audit_register_class(int class, unsigned *list
)
291 __u32
*p
= kzalloc(AUDIT_BITMASK_SIZE
* sizeof(__u32
), GFP_KERNEL
);
294 while (*list
!= ~0U) {
295 unsigned n
= *list
++;
296 if (n
>= AUDIT_BITMASK_SIZE
* 32 - AUDIT_SYSCALL_CLASSES
) {
300 p
[AUDIT_WORD(n
)] |= AUDIT_BIT(n
);
302 if (class >= AUDIT_SYSCALL_CLASSES
|| classes
[class]) {
310 int audit_match_class(int class, unsigned syscall
)
312 if (unlikely(syscall
>= AUDIT_BITMASK_SIZE
* 32))
314 if (unlikely(class >= AUDIT_SYSCALL_CLASSES
|| !classes
[class]))
316 return classes
[class][AUDIT_WORD(syscall
)] & AUDIT_BIT(syscall
);
319 #ifdef CONFIG_AUDITSYSCALL
320 static inline int audit_match_class_bits(int class, u32
*mask
)
324 if (classes
[class]) {
325 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
326 if (mask
[i
] & classes
[class][i
])
332 static int audit_match_signal(struct audit_entry
*entry
)
334 struct audit_field
*arch
= entry
->rule
.arch_f
;
337 /* When arch is unspecified, we must check both masks on biarch
338 * as syscall number alone is ambiguous. */
339 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL
,
341 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32
,
345 switch(audit_classify_arch(arch
->val
)) {
347 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL
,
349 case 1: /* 32bit on biarch */
350 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32
,
358 /* Common user-space to kernel rule translation. */
359 static inline struct audit_entry
*audit_to_entry_common(struct audit_rule
*rule
)
362 struct audit_entry
*entry
;
366 listnr
= rule
->flags
& ~AUDIT_FILTER_PREPEND
;
370 case AUDIT_FILTER_USER
:
371 case AUDIT_FILTER_TYPE
:
372 #ifdef CONFIG_AUDITSYSCALL
373 case AUDIT_FILTER_ENTRY
:
374 case AUDIT_FILTER_EXIT
:
375 case AUDIT_FILTER_TASK
:
379 if (unlikely(rule
->action
== AUDIT_POSSIBLE
)) {
380 printk(KERN_ERR
"AUDIT_POSSIBLE is deprecated\n");
383 if (rule
->action
!= AUDIT_NEVER
&& rule
->action
!= AUDIT_ALWAYS
)
385 if (rule
->field_count
> AUDIT_MAX_FIELDS
)
389 entry
= audit_init_entry(rule
->field_count
);
393 entry
->rule
.flags
= rule
->flags
& AUDIT_FILTER_PREPEND
;
394 entry
->rule
.listnr
= listnr
;
395 entry
->rule
.action
= rule
->action
;
396 entry
->rule
.field_count
= rule
->field_count
;
398 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
399 entry
->rule
.mask
[i
] = rule
->mask
[i
];
401 for (i
= 0; i
< AUDIT_SYSCALL_CLASSES
; i
++) {
402 int bit
= AUDIT_BITMASK_SIZE
* 32 - i
- 1;
403 __u32
*p
= &entry
->rule
.mask
[AUDIT_WORD(bit
)];
406 if (!(*p
& AUDIT_BIT(bit
)))
408 *p
&= ~AUDIT_BIT(bit
);
412 for (j
= 0; j
< AUDIT_BITMASK_SIZE
; j
++)
413 entry
->rule
.mask
[j
] |= class[j
];
423 /* Translate struct audit_rule to kernel's rule respresentation.
424 * Exists for backward compatibility with userspace. */
425 static struct audit_entry
*audit_rule_to_entry(struct audit_rule
*rule
)
427 struct audit_entry
*entry
;
428 struct audit_field
*ino_f
;
432 entry
= audit_to_entry_common(rule
);
436 for (i
= 0; i
< rule
->field_count
; i
++) {
437 struct audit_field
*f
= &entry
->rule
.fields
[i
];
439 f
->op
= rule
->fields
[i
] & (AUDIT_NEGATE
|AUDIT_OPERATORS
);
440 f
->type
= rule
->fields
[i
] & ~(AUDIT_NEGATE
|AUDIT_OPERATORS
);
441 f
->val
= rule
->values
[i
];
464 /* bit ops are only useful on syscall args */
465 if (f
->op
== AUDIT_BIT_MASK
||
466 f
->op
== AUDIT_BIT_TEST
) {
476 /* arch is only allowed to be = or != */
478 if ((f
->op
!= AUDIT_NOT_EQUAL
) && (f
->op
!= AUDIT_EQUAL
)
479 && (f
->op
!= AUDIT_NEGATE
) && (f
->op
)) {
483 entry
->rule
.arch_f
= f
;
490 if ((f
->val
& ~S_IFMT
) > S_IFMT
)
494 err
= audit_to_inode(&entry
->rule
, f
);
500 entry
->rule
.vers_ops
= (f
->op
& AUDIT_OPERATORS
) ? 2 : 1;
502 /* Support for legacy operators where
503 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
504 if (f
->op
& AUDIT_NEGATE
)
505 f
->op
= AUDIT_NOT_EQUAL
;
508 else if (f
->op
== AUDIT_OPERATORS
) {
514 ino_f
= entry
->rule
.inode_f
;
517 case AUDIT_NOT_EQUAL
:
518 entry
->rule
.inode_f
= NULL
;
531 audit_free_rule(entry
);
535 /* Translate struct audit_rule_data to kernel's rule respresentation. */
536 static struct audit_entry
*audit_data_to_entry(struct audit_rule_data
*data
,
540 struct audit_entry
*entry
;
541 struct audit_field
*ino_f
;
543 size_t remain
= datasz
- sizeof(struct audit_rule_data
);
547 entry
= audit_to_entry_common((struct audit_rule
*)data
);
552 entry
->rule
.vers_ops
= 2;
553 for (i
= 0; i
< data
->field_count
; i
++) {
554 struct audit_field
*f
= &entry
->rule
.fields
[i
];
557 if (!(data
->fieldflags
[i
] & AUDIT_OPERATORS
) ||
558 data
->fieldflags
[i
] & ~AUDIT_OPERATORS
)
561 f
->op
= data
->fieldflags
[i
] & AUDIT_OPERATORS
;
562 f
->type
= data
->fields
[i
];
563 f
->val
= data
->values
[i
];
590 entry
->rule
.arch_f
= f
;
592 case AUDIT_SUBJ_USER
:
593 case AUDIT_SUBJ_ROLE
:
594 case AUDIT_SUBJ_TYPE
:
600 case AUDIT_OBJ_LEV_LOW
:
601 case AUDIT_OBJ_LEV_HIGH
:
602 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
605 entry
->rule
.buflen
+= f
->val
;
607 err
= security_audit_rule_init(f
->type
, f
->op
, str
,
608 (void **)&f
->lsm_rule
);
609 /* Keep currently invalid fields around in case they
610 * become valid after a policy reload. */
611 if (err
== -EINVAL
) {
612 printk(KERN_WARNING
"audit rule for LSM "
613 "\'%s\' is invalid\n", str
);
623 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
626 entry
->rule
.buflen
+= f
->val
;
628 err
= audit_to_watch(&entry
->rule
, str
, f
->val
, f
->op
);
635 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
638 entry
->rule
.buflen
+= f
->val
;
640 err
= audit_make_tree(&entry
->rule
, str
, f
->op
);
646 err
= audit_to_inode(&entry
->rule
, f
);
650 case AUDIT_FILTERKEY
:
652 if (entry
->rule
.filterkey
|| f
->val
> AUDIT_MAX_KEY_LEN
)
654 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
657 entry
->rule
.buflen
+= f
->val
;
658 entry
->rule
.filterkey
= str
;
665 if ((f
->val
& ~S_IFMT
) > S_IFMT
)
673 ino_f
= entry
->rule
.inode_f
;
676 case AUDIT_NOT_EQUAL
:
677 entry
->rule
.inode_f
= NULL
;
690 audit_free_rule(entry
);
694 /* Pack a filter field's string representation into data block. */
695 static inline size_t audit_pack_string(void **bufp
, const char *str
)
697 size_t len
= strlen(str
);
699 memcpy(*bufp
, str
, len
);
705 /* Translate kernel rule respresentation to struct audit_rule.
706 * Exists for backward compatibility with userspace. */
707 static struct audit_rule
*audit_krule_to_rule(struct audit_krule
*krule
)
709 struct audit_rule
*rule
;
712 rule
= kzalloc(sizeof(*rule
), GFP_KERNEL
);
716 rule
->flags
= krule
->flags
| krule
->listnr
;
717 rule
->action
= krule
->action
;
718 rule
->field_count
= krule
->field_count
;
719 for (i
= 0; i
< rule
->field_count
; i
++) {
720 rule
->values
[i
] = krule
->fields
[i
].val
;
721 rule
->fields
[i
] = krule
->fields
[i
].type
;
723 if (krule
->vers_ops
== 1) {
724 if (krule
->fields
[i
].op
& AUDIT_NOT_EQUAL
)
725 rule
->fields
[i
] |= AUDIT_NEGATE
;
727 rule
->fields
[i
] |= krule
->fields
[i
].op
;
730 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++) rule
->mask
[i
] = krule
->mask
[i
];
735 /* Translate kernel rule respresentation to struct audit_rule_data. */
736 static struct audit_rule_data
*audit_krule_to_data(struct audit_krule
*krule
)
738 struct audit_rule_data
*data
;
742 data
= kmalloc(sizeof(*data
) + krule
->buflen
, GFP_KERNEL
);
745 memset(data
, 0, sizeof(*data
));
747 data
->flags
= krule
->flags
| krule
->listnr
;
748 data
->action
= krule
->action
;
749 data
->field_count
= krule
->field_count
;
751 for (i
= 0; i
< data
->field_count
; i
++) {
752 struct audit_field
*f
= &krule
->fields
[i
];
754 data
->fields
[i
] = f
->type
;
755 data
->fieldflags
[i
] = f
->op
;
757 case AUDIT_SUBJ_USER
:
758 case AUDIT_SUBJ_ROLE
:
759 case AUDIT_SUBJ_TYPE
:
765 case AUDIT_OBJ_LEV_LOW
:
766 case AUDIT_OBJ_LEV_HIGH
:
767 data
->buflen
+= data
->values
[i
] =
768 audit_pack_string(&bufp
, f
->lsm_str
);
771 data
->buflen
+= data
->values
[i
] =
772 audit_pack_string(&bufp
, krule
->watch
->path
);
775 data
->buflen
+= data
->values
[i
] =
776 audit_pack_string(&bufp
,
777 audit_tree_path(krule
->tree
));
779 case AUDIT_FILTERKEY
:
780 data
->buflen
+= data
->values
[i
] =
781 audit_pack_string(&bufp
, krule
->filterkey
);
784 data
->values
[i
] = f
->val
;
787 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++) data
->mask
[i
] = krule
->mask
[i
];
792 /* Compare two rules in kernel format. Considered success if rules
794 static int audit_compare_rule(struct audit_krule
*a
, struct audit_krule
*b
)
798 if (a
->flags
!= b
->flags
||
799 a
->listnr
!= b
->listnr
||
800 a
->action
!= b
->action
||
801 a
->field_count
!= b
->field_count
)
804 for (i
= 0; i
< a
->field_count
; i
++) {
805 if (a
->fields
[i
].type
!= b
->fields
[i
].type
||
806 a
->fields
[i
].op
!= b
->fields
[i
].op
)
809 switch(a
->fields
[i
].type
) {
810 case AUDIT_SUBJ_USER
:
811 case AUDIT_SUBJ_ROLE
:
812 case AUDIT_SUBJ_TYPE
:
818 case AUDIT_OBJ_LEV_LOW
:
819 case AUDIT_OBJ_LEV_HIGH
:
820 if (strcmp(a
->fields
[i
].lsm_str
, b
->fields
[i
].lsm_str
))
824 if (strcmp(a
->watch
->path
, b
->watch
->path
))
828 if (strcmp(audit_tree_path(a
->tree
),
829 audit_tree_path(b
->tree
)))
832 case AUDIT_FILTERKEY
:
833 /* both filterkeys exist based on above type compare */
834 if (strcmp(a
->filterkey
, b
->filterkey
))
838 if (a
->fields
[i
].val
!= b
->fields
[i
].val
)
843 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
844 if (a
->mask
[i
] != b
->mask
[i
])
850 /* Duplicate the given audit watch. The new watch's rules list is initialized
851 * to an empty list and wlist is undefined. */
852 static struct audit_watch
*audit_dupe_watch(struct audit_watch
*old
)
855 struct audit_watch
*new;
857 path
= kstrdup(old
->path
, GFP_KERNEL
);
859 return ERR_PTR(-ENOMEM
);
861 new = audit_init_watch(path
);
869 get_inotify_watch(&old
->parent
->wdata
);
870 new->parent
= old
->parent
;
876 /* Duplicate LSM field information. The lsm_rule is opaque, so must be
878 static inline int audit_dupe_lsm_field(struct audit_field
*df
,
879 struct audit_field
*sf
)
884 /* our own copy of lsm_str */
885 lsm_str
= kstrdup(sf
->lsm_str
, GFP_KERNEL
);
886 if (unlikely(!lsm_str
))
888 df
->lsm_str
= lsm_str
;
890 /* our own (refreshed) copy of lsm_rule */
891 ret
= security_audit_rule_init(df
->type
, df
->op
, df
->lsm_str
,
892 (void **)&df
->lsm_rule
);
893 /* Keep currently invalid fields around in case they
894 * become valid after a policy reload. */
895 if (ret
== -EINVAL
) {
896 printk(KERN_WARNING
"audit rule for LSM \'%s\' is "
897 "invalid\n", df
->lsm_str
);
904 /* Duplicate an audit rule. This will be a deep copy with the exception
905 * of the watch - that pointer is carried over. The LSM specific fields
906 * will be updated in the copy. The point is to be able to replace the old
907 * rule with the new rule in the filterlist, then free the old rule.
908 * The rlist element is undefined; list manipulations are handled apart from
909 * the initial copy. */
910 static struct audit_entry
*audit_dupe_rule(struct audit_krule
*old
,
911 struct audit_watch
*watch
)
913 u32 fcount
= old
->field_count
;
914 struct audit_entry
*entry
;
915 struct audit_krule
*new;
919 entry
= audit_init_entry(fcount
);
920 if (unlikely(!entry
))
921 return ERR_PTR(-ENOMEM
);
924 new->vers_ops
= old
->vers_ops
;
925 new->flags
= old
->flags
;
926 new->listnr
= old
->listnr
;
927 new->action
= old
->action
;
928 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
929 new->mask
[i
] = old
->mask
[i
];
930 new->prio
= old
->prio
;
931 new->buflen
= old
->buflen
;
932 new->inode_f
= old
->inode_f
;
934 new->field_count
= old
->field_count
;
936 * note that we are OK with not refcounting here; audit_match_tree()
937 * never dereferences tree and we can't get false positives there
938 * since we'd have to have rule gone from the list *and* removed
939 * before the chunks found by lookup had been allocated, i.e. before
940 * the beginning of list scan.
942 new->tree
= old
->tree
;
943 memcpy(new->fields
, old
->fields
, sizeof(struct audit_field
) * fcount
);
945 /* deep copy this information, updating the lsm_rule fields, because
946 * the originals will all be freed when the old rule is freed. */
947 for (i
= 0; i
< fcount
; i
++) {
948 switch (new->fields
[i
].type
) {
949 case AUDIT_SUBJ_USER
:
950 case AUDIT_SUBJ_ROLE
:
951 case AUDIT_SUBJ_TYPE
:
957 case AUDIT_OBJ_LEV_LOW
:
958 case AUDIT_OBJ_LEV_HIGH
:
959 err
= audit_dupe_lsm_field(&new->fields
[i
],
962 case AUDIT_FILTERKEY
:
963 fk
= kstrdup(old
->filterkey
, GFP_KERNEL
);
970 audit_free_rule(entry
);
976 audit_get_watch(watch
);
983 /* Update inode info in audit rules based on filesystem event. */
984 static void audit_update_watch(struct audit_parent
*parent
,
985 const char *dname
, dev_t dev
,
986 unsigned long ino
, unsigned invalidating
)
988 struct audit_watch
*owatch
, *nwatch
, *nextw
;
989 struct audit_krule
*r
, *nextr
;
990 struct audit_entry
*oentry
, *nentry
;
992 mutex_lock(&audit_filter_mutex
);
993 list_for_each_entry_safe(owatch
, nextw
, &parent
->watches
, wlist
) {
994 if (audit_compare_dname_path(dname
, owatch
->path
, NULL
))
997 /* If the update involves invalidating rules, do the inode-based
998 * filtering now, so we don't omit records. */
999 if (invalidating
&& current
->audit_context
)
1000 audit_filter_inodes(current
, current
->audit_context
);
1002 nwatch
= audit_dupe_watch(owatch
);
1003 if (IS_ERR(nwatch
)) {
1004 mutex_unlock(&audit_filter_mutex
);
1005 audit_panic("error updating watch, skipping");
1011 list_for_each_entry_safe(r
, nextr
, &owatch
->rules
, rlist
) {
1013 oentry
= container_of(r
, struct audit_entry
, rule
);
1014 list_del(&oentry
->rule
.rlist
);
1015 list_del_rcu(&oentry
->list
);
1017 nentry
= audit_dupe_rule(&oentry
->rule
, nwatch
);
1018 if (IS_ERR(nentry
)) {
1019 list_del(&oentry
->rule
.list
);
1020 audit_panic("error updating watch, removing");
1022 int h
= audit_hash_ino((u32
)ino
);
1023 list_add(&nentry
->rule
.rlist
, &nwatch
->rules
);
1024 list_add_rcu(&nentry
->list
, &audit_inode_hash
[h
]);
1025 list_replace(&oentry
->rule
.list
,
1026 &nentry
->rule
.list
);
1029 call_rcu(&oentry
->rcu
, audit_free_rule_rcu
);
1032 if (audit_enabled
) {
1033 struct audit_buffer
*ab
;
1034 ab
= audit_log_start(NULL
, GFP_KERNEL
,
1035 AUDIT_CONFIG_CHANGE
);
1036 audit_log_format(ab
, "auid=%u ses=%u",
1037 audit_get_loginuid(current
),
1038 audit_get_sessionid(current
));
1039 audit_log_format(ab
,
1040 " op=updated rules specifying path=");
1041 audit_log_untrustedstring(ab
, owatch
->path
);
1042 audit_log_format(ab
, " with dev=%u ino=%lu\n",
1044 audit_log_format(ab
, " list=%d res=1", r
->listnr
);
1047 audit_remove_watch(owatch
);
1048 goto add_watch_to_parent
; /* event applies to a single watch */
1050 mutex_unlock(&audit_filter_mutex
);
1053 add_watch_to_parent
:
1054 list_add(&nwatch
->wlist
, &parent
->watches
);
1055 mutex_unlock(&audit_filter_mutex
);
1059 /* Remove all watches & rules associated with a parent that is going away. */
1060 static void audit_remove_parent_watches(struct audit_parent
*parent
)
1062 struct audit_watch
*w
, *nextw
;
1063 struct audit_krule
*r
, *nextr
;
1064 struct audit_entry
*e
;
1066 mutex_lock(&audit_filter_mutex
);
1067 parent
->flags
|= AUDIT_PARENT_INVALID
;
1068 list_for_each_entry_safe(w
, nextw
, &parent
->watches
, wlist
) {
1069 list_for_each_entry_safe(r
, nextr
, &w
->rules
, rlist
) {
1070 e
= container_of(r
, struct audit_entry
, rule
);
1071 if (audit_enabled
) {
1072 struct audit_buffer
*ab
;
1073 ab
= audit_log_start(NULL
, GFP_KERNEL
,
1074 AUDIT_CONFIG_CHANGE
);
1075 audit_log_format(ab
, "auid=%u ses=%u",
1076 audit_get_loginuid(current
),
1077 audit_get_sessionid(current
));
1078 audit_log_format(ab
, " op=remove rule path=");
1079 audit_log_untrustedstring(ab
, w
->path
);
1081 audit_log_format(ab
, " key=");
1082 audit_log_untrustedstring(ab
,
1085 audit_log_format(ab
, " key=(null)");
1086 audit_log_format(ab
, " list=%d res=1",
1090 list_del(&r
->rlist
);
1092 list_del_rcu(&e
->list
);
1093 call_rcu(&e
->rcu
, audit_free_rule_rcu
);
1095 audit_remove_watch(w
);
1097 mutex_unlock(&audit_filter_mutex
);
1100 /* Unregister inotify watches for parents on in_list.
1101 * Generates an IN_IGNORED event. */
1102 static void audit_inotify_unregister(struct list_head
*in_list
)
1104 struct audit_parent
*p
, *n
;
1106 list_for_each_entry_safe(p
, n
, in_list
, ilist
) {
1107 list_del(&p
->ilist
);
1108 inotify_rm_watch(audit_ih
, &p
->wdata
);
1109 /* the unpin matching the pin in audit_do_del_rule() */
1110 unpin_inotify_watch(&p
->wdata
);
1114 /* Find an existing audit rule.
1115 * Caller must hold audit_filter_mutex to prevent stale rule data. */
1116 static struct audit_entry
*audit_find_rule(struct audit_entry
*entry
,
1117 struct list_head
**p
)
1119 struct audit_entry
*e
, *found
= NULL
;
1120 struct list_head
*list
;
1123 if (entry
->rule
.inode_f
) {
1124 h
= audit_hash_ino(entry
->rule
.inode_f
->val
);
1125 *p
= list
= &audit_inode_hash
[h
];
1126 } else if (entry
->rule
.watch
) {
1127 /* we don't know the inode number, so must walk entire hash */
1128 for (h
= 0; h
< AUDIT_INODE_BUCKETS
; h
++) {
1129 list
= &audit_inode_hash
[h
];
1130 list_for_each_entry(e
, list
, list
)
1131 if (!audit_compare_rule(&entry
->rule
, &e
->rule
)) {
1138 *p
= list
= &audit_filter_list
[entry
->rule
.listnr
];
1141 list_for_each_entry(e
, list
, list
)
1142 if (!audit_compare_rule(&entry
->rule
, &e
->rule
)) {
1151 /* Get path information necessary for adding watches. */
1152 static int audit_get_nd(char *path
, struct nameidata
**ndp
,
1153 struct nameidata
**ndw
)
1155 struct nameidata
*ndparent
, *ndwatch
;
1158 ndparent
= kmalloc(sizeof(*ndparent
), GFP_KERNEL
);
1159 if (unlikely(!ndparent
))
1162 ndwatch
= kmalloc(sizeof(*ndwatch
), GFP_KERNEL
);
1163 if (unlikely(!ndwatch
)) {
1168 err
= path_lookup(path
, LOOKUP_PARENT
, ndparent
);
1175 err
= path_lookup(path
, 0, ndwatch
);
1187 /* Release resources used for watch path information. */
1188 static void audit_put_nd(struct nameidata
*ndp
, struct nameidata
*ndw
)
1191 path_put(&ndp
->path
);
1195 path_put(&ndw
->path
);
1200 /* Associate the given rule with an existing parent inotify_watch.
1201 * Caller must hold audit_filter_mutex. */
1202 static void audit_add_to_parent(struct audit_krule
*krule
,
1203 struct audit_parent
*parent
)
1205 struct audit_watch
*w
, *watch
= krule
->watch
;
1206 int watch_found
= 0;
1208 list_for_each_entry(w
, &parent
->watches
, wlist
) {
1209 if (strcmp(watch
->path
, w
->path
))
1214 /* put krule's and initial refs to temporary watch */
1215 audit_put_watch(watch
);
1216 audit_put_watch(watch
);
1219 krule
->watch
= watch
= w
;
1224 get_inotify_watch(&parent
->wdata
);
1225 watch
->parent
= parent
;
1227 list_add(&watch
->wlist
, &parent
->watches
);
1229 list_add(&krule
->rlist
, &watch
->rules
);
1232 /* Find a matching watch entry, or add this one.
1233 * Caller must hold audit_filter_mutex. */
1234 static int audit_add_watch(struct audit_krule
*krule
, struct nameidata
*ndp
,
1235 struct nameidata
*ndw
)
1237 struct audit_watch
*watch
= krule
->watch
;
1238 struct inotify_watch
*i_watch
;
1239 struct audit_parent
*parent
;
1242 /* update watch filter fields */
1244 watch
->dev
= ndw
->path
.dentry
->d_inode
->i_sb
->s_dev
;
1245 watch
->ino
= ndw
->path
.dentry
->d_inode
->i_ino
;
1248 /* The audit_filter_mutex must not be held during inotify calls because
1249 * we hold it during inotify event callback processing. If an existing
1250 * inotify watch is found, inotify_find_watch() grabs a reference before
1253 mutex_unlock(&audit_filter_mutex
);
1255 if (inotify_find_watch(audit_ih
, ndp
->path
.dentry
->d_inode
,
1257 parent
= audit_init_parent(ndp
);
1258 if (IS_ERR(parent
)) {
1259 /* caller expects mutex locked */
1260 mutex_lock(&audit_filter_mutex
);
1261 return PTR_ERR(parent
);
1264 parent
= container_of(i_watch
, struct audit_parent
, wdata
);
1266 mutex_lock(&audit_filter_mutex
);
1268 /* parent was moved before we took audit_filter_mutex */
1269 if (parent
->flags
& AUDIT_PARENT_INVALID
)
1272 audit_add_to_parent(krule
, parent
);
1274 /* match get in audit_init_parent or inotify_find_watch */
1275 put_inotify_watch(&parent
->wdata
);
1279 static u64 prio_low
= ~0ULL/2;
1280 static u64 prio_high
= ~0ULL/2 - 1;
1282 /* Add rule to given filterlist if not a duplicate. */
1283 static inline int audit_add_rule(struct audit_entry
*entry
)
1285 struct audit_entry
*e
;
1286 struct audit_watch
*watch
= entry
->rule
.watch
;
1287 struct audit_tree
*tree
= entry
->rule
.tree
;
1288 struct nameidata
*ndp
= NULL
, *ndw
= NULL
;
1289 struct list_head
*list
;
1291 #ifdef CONFIG_AUDITSYSCALL
1294 /* If either of these, don't count towards total */
1295 if (entry
->rule
.listnr
== AUDIT_FILTER_USER
||
1296 entry
->rule
.listnr
== AUDIT_FILTER_TYPE
)
1300 mutex_lock(&audit_filter_mutex
);
1301 e
= audit_find_rule(entry
, &list
);
1302 mutex_unlock(&audit_filter_mutex
);
1305 /* normally audit_add_tree_rule() will free it on failure */
1307 audit_put_tree(tree
);
1311 /* Avoid calling path_lookup under audit_filter_mutex. */
1313 err
= audit_get_nd(watch
->path
, &ndp
, &ndw
);
1318 mutex_lock(&audit_filter_mutex
);
1320 /* audit_filter_mutex is dropped and re-taken during this call */
1321 err
= audit_add_watch(&entry
->rule
, ndp
, ndw
);
1323 mutex_unlock(&audit_filter_mutex
);
1326 h
= audit_hash_ino((u32
)watch
->ino
);
1327 list
= &audit_inode_hash
[h
];
1330 err
= audit_add_tree_rule(&entry
->rule
);
1332 mutex_unlock(&audit_filter_mutex
);
1337 entry
->rule
.prio
= ~0ULL;
1338 if (entry
->rule
.listnr
== AUDIT_FILTER_EXIT
) {
1339 if (entry
->rule
.flags
& AUDIT_FILTER_PREPEND
)
1340 entry
->rule
.prio
= ++prio_high
;
1342 entry
->rule
.prio
= --prio_low
;
1345 if (entry
->rule
.flags
& AUDIT_FILTER_PREPEND
) {
1346 list_add(&entry
->rule
.list
,
1347 &audit_rules_list
[entry
->rule
.listnr
]);
1348 list_add_rcu(&entry
->list
, list
);
1349 entry
->rule
.flags
&= ~AUDIT_FILTER_PREPEND
;
1351 list_add_tail(&entry
->rule
.list
,
1352 &audit_rules_list
[entry
->rule
.listnr
]);
1353 list_add_tail_rcu(&entry
->list
, list
);
1355 #ifdef CONFIG_AUDITSYSCALL
1359 if (!audit_match_signal(entry
))
1362 mutex_unlock(&audit_filter_mutex
);
1364 audit_put_nd(ndp
, ndw
); /* NULL args OK */
1368 audit_put_nd(ndp
, ndw
); /* NULL args OK */
1370 audit_put_watch(watch
); /* tmp watch, matches initial get */
1374 /* Remove an existing rule from filterlist. */
1375 static inline int audit_del_rule(struct audit_entry
*entry
)
1377 struct audit_entry
*e
;
1378 struct audit_watch
*watch
, *tmp_watch
= entry
->rule
.watch
;
1379 struct audit_tree
*tree
= entry
->rule
.tree
;
1380 struct list_head
*list
;
1381 LIST_HEAD(inotify_list
);
1383 #ifdef CONFIG_AUDITSYSCALL
1386 /* If either of these, don't count towards total */
1387 if (entry
->rule
.listnr
== AUDIT_FILTER_USER
||
1388 entry
->rule
.listnr
== AUDIT_FILTER_TYPE
)
1392 mutex_lock(&audit_filter_mutex
);
1393 e
= audit_find_rule(entry
, &list
);
1395 mutex_unlock(&audit_filter_mutex
);
1400 watch
= e
->rule
.watch
;
1402 struct audit_parent
*parent
= watch
->parent
;
1404 list_del(&e
->rule
.rlist
);
1406 if (list_empty(&watch
->rules
)) {
1407 audit_remove_watch(watch
);
1409 if (list_empty(&parent
->watches
)) {
1410 /* Put parent on the inotify un-registration
1411 * list. Grab a reference before releasing
1412 * audit_filter_mutex, to be released in
1413 * audit_inotify_unregister().
1414 * If filesystem is going away, just leave
1415 * the sucker alone, eviction will take
1418 if (pin_inotify_watch(&parent
->wdata
))
1419 list_add(&parent
->ilist
, &inotify_list
);
1425 audit_remove_tree_rule(&e
->rule
);
1427 list_del_rcu(&e
->list
);
1428 list_del(&e
->rule
.list
);
1429 call_rcu(&e
->rcu
, audit_free_rule_rcu
);
1431 #ifdef CONFIG_AUDITSYSCALL
1435 if (!audit_match_signal(entry
))
1438 mutex_unlock(&audit_filter_mutex
);
1440 if (!list_empty(&inotify_list
))
1441 audit_inotify_unregister(&inotify_list
);
1445 audit_put_watch(tmp_watch
); /* match initial get */
1447 audit_put_tree(tree
); /* that's the temporary one */
1452 /* List rules using struct audit_rule. Exists for backward
1453 * compatibility with userspace. */
1454 static void audit_list(int pid
, int seq
, struct sk_buff_head
*q
)
1456 struct sk_buff
*skb
;
1457 struct audit_krule
*r
;
1460 /* This is a blocking read, so use audit_filter_mutex instead of rcu
1461 * iterator to sync with list writers. */
1462 for (i
=0; i
<AUDIT_NR_FILTERS
; i
++) {
1463 list_for_each_entry(r
, &audit_rules_list
[i
], list
) {
1464 struct audit_rule
*rule
;
1466 rule
= audit_krule_to_rule(r
);
1467 if (unlikely(!rule
))
1469 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST
, 0, 1,
1470 rule
, sizeof(*rule
));
1472 skb_queue_tail(q
, skb
);
1476 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST
, 1, 1, NULL
, 0);
1478 skb_queue_tail(q
, skb
);
1481 /* List rules using struct audit_rule_data. */
1482 static void audit_list_rules(int pid
, int seq
, struct sk_buff_head
*q
)
1484 struct sk_buff
*skb
;
1485 struct audit_krule
*r
;
1488 /* This is a blocking read, so use audit_filter_mutex instead of rcu
1489 * iterator to sync with list writers. */
1490 for (i
=0; i
<AUDIT_NR_FILTERS
; i
++) {
1491 list_for_each_entry(r
, &audit_rules_list
[i
], list
) {
1492 struct audit_rule_data
*data
;
1494 data
= audit_krule_to_data(r
);
1495 if (unlikely(!data
))
1497 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST_RULES
, 0, 1,
1498 data
, sizeof(*data
) + data
->buflen
);
1500 skb_queue_tail(q
, skb
);
1504 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST_RULES
, 1, 1, NULL
, 0);
1506 skb_queue_tail(q
, skb
);
1509 /* Log rule additions and removals */
1510 static void audit_log_rule_change(uid_t loginuid
, u32 sessionid
, u32 sid
,
1511 char *action
, struct audit_krule
*rule
,
1514 struct audit_buffer
*ab
;
1519 ab
= audit_log_start(NULL
, GFP_KERNEL
, AUDIT_CONFIG_CHANGE
);
1522 audit_log_format(ab
, "auid=%u ses=%u", loginuid
, sessionid
);
1526 if (security_secid_to_secctx(sid
, &ctx
, &len
))
1527 audit_log_format(ab
, " ssid=%u", sid
);
1529 audit_log_format(ab
, " subj=%s", ctx
);
1530 security_release_secctx(ctx
, len
);
1533 audit_log_format(ab
, " op=%s rule key=", action
);
1534 if (rule
->filterkey
)
1535 audit_log_untrustedstring(ab
, rule
->filterkey
);
1537 audit_log_format(ab
, "(null)");
1538 audit_log_format(ab
, " list=%d res=%d", rule
->listnr
, res
);
1543 * audit_receive_filter - apply all rules to the specified message type
1544 * @type: audit message type
1545 * @pid: target pid for netlink audit messages
1546 * @uid: target uid for netlink audit messages
1547 * @seq: netlink audit message sequence (serial) number
1548 * @data: payload data
1549 * @datasz: size of payload data
1550 * @loginuid: loginuid of sender
1551 * @sessionid: sessionid for netlink audit message
1552 * @sid: SE Linux Security ID of sender
1554 int audit_receive_filter(int type
, int pid
, int uid
, int seq
, void *data
,
1555 size_t datasz
, uid_t loginuid
, u32 sessionid
, u32 sid
)
1557 struct task_struct
*tsk
;
1558 struct audit_netlink_list
*dest
;
1560 struct audit_entry
*entry
;
1564 case AUDIT_LIST_RULES
:
1565 /* We can't just spew out the rules here because we might fill
1566 * the available socket buffer space and deadlock waiting for
1567 * auditctl to read from it... which isn't ever going to
1568 * happen if we're actually running in the context of auditctl
1569 * trying to _send_ the stuff */
1571 dest
= kmalloc(sizeof(struct audit_netlink_list
), GFP_KERNEL
);
1575 skb_queue_head_init(&dest
->q
);
1577 mutex_lock(&audit_filter_mutex
);
1578 if (type
== AUDIT_LIST
)
1579 audit_list(pid
, seq
, &dest
->q
);
1581 audit_list_rules(pid
, seq
, &dest
->q
);
1582 mutex_unlock(&audit_filter_mutex
);
1584 tsk
= kthread_run(audit_send_list
, dest
, "audit_send_list");
1586 skb_queue_purge(&dest
->q
);
1592 case AUDIT_ADD_RULE
:
1593 if (type
== AUDIT_ADD
)
1594 entry
= audit_rule_to_entry(data
);
1596 entry
= audit_data_to_entry(data
, datasz
);
1598 return PTR_ERR(entry
);
1600 err
= audit_add_rule(entry
);
1601 audit_log_rule_change(loginuid
, sessionid
, sid
, "add",
1602 &entry
->rule
, !err
);
1605 audit_free_rule(entry
);
1608 case AUDIT_DEL_RULE
:
1609 if (type
== AUDIT_DEL
)
1610 entry
= audit_rule_to_entry(data
);
1612 entry
= audit_data_to_entry(data
, datasz
);
1614 return PTR_ERR(entry
);
1616 err
= audit_del_rule(entry
);
1617 audit_log_rule_change(loginuid
, sessionid
, sid
, "remove",
1618 &entry
->rule
, !err
);
1620 audit_free_rule(entry
);
1629 int audit_comparator(const u32 left
, const u32 op
, const u32 right
)
1633 return (left
== right
);
1634 case AUDIT_NOT_EQUAL
:
1635 return (left
!= right
);
1636 case AUDIT_LESS_THAN
:
1637 return (left
< right
);
1638 case AUDIT_LESS_THAN_OR_EQUAL
:
1639 return (left
<= right
);
1640 case AUDIT_GREATER_THAN
:
1641 return (left
> right
);
1642 case AUDIT_GREATER_THAN_OR_EQUAL
:
1643 return (left
>= right
);
1644 case AUDIT_BIT_MASK
:
1645 return (left
& right
);
1646 case AUDIT_BIT_TEST
:
1647 return ((left
& right
) == right
);
1653 /* Compare given dentry name with last component in given path,
1654 * return of 0 indicates a match. */
1655 int audit_compare_dname_path(const char *dname
, const char *path
,
1661 if (!dname
|| !path
)
1664 dlen
= strlen(dname
);
1665 plen
= strlen(path
);
1669 /* disregard trailing slashes */
1670 p
= path
+ plen
- 1;
1671 while ((*p
== '/') && (p
> path
))
1674 /* find last path component */
1678 else if (p
> path
) {
1685 /* return length of path's directory component */
1688 return strncmp(p
, dname
, dlen
);
1691 static int audit_filter_user_rules(struct netlink_skb_parms
*cb
,
1692 struct audit_krule
*rule
,
1693 enum audit_state
*state
)
1697 for (i
= 0; i
< rule
->field_count
; i
++) {
1698 struct audit_field
*f
= &rule
->fields
[i
];
1703 result
= audit_comparator(cb
->creds
.pid
, f
->op
, f
->val
);
1706 result
= audit_comparator(cb
->creds
.uid
, f
->op
, f
->val
);
1709 result
= audit_comparator(cb
->creds
.gid
, f
->op
, f
->val
);
1711 case AUDIT_LOGINUID
:
1712 result
= audit_comparator(cb
->loginuid
, f
->op
, f
->val
);
1719 switch (rule
->action
) {
1720 case AUDIT_NEVER
: *state
= AUDIT_DISABLED
; break;
1721 case AUDIT_ALWAYS
: *state
= AUDIT_RECORD_CONTEXT
; break;
1726 int audit_filter_user(struct netlink_skb_parms
*cb
)
1728 enum audit_state state
= AUDIT_DISABLED
;
1729 struct audit_entry
*e
;
1733 list_for_each_entry_rcu(e
, &audit_filter_list
[AUDIT_FILTER_USER
], list
) {
1734 if (audit_filter_user_rules(cb
, &e
->rule
, &state
)) {
1735 if (state
== AUDIT_DISABLED
)
1742 return ret
; /* Audit by default */
1745 int audit_filter_type(int type
)
1747 struct audit_entry
*e
;
1751 if (list_empty(&audit_filter_list
[AUDIT_FILTER_TYPE
]))
1752 goto unlock_and_return
;
1754 list_for_each_entry_rcu(e
, &audit_filter_list
[AUDIT_FILTER_TYPE
],
1757 for (i
= 0; i
< e
->rule
.field_count
; i
++) {
1758 struct audit_field
*f
= &e
->rule
.fields
[i
];
1759 if (f
->type
== AUDIT_MSGTYPE
) {
1760 result
= audit_comparator(type
, f
->op
, f
->val
);
1766 goto unlock_and_return
;
1773 static int update_lsm_rule(struct audit_krule
*r
)
1775 struct audit_entry
*entry
= container_of(r
, struct audit_entry
, rule
);
1776 struct audit_entry
*nentry
;
1777 struct audit_watch
*watch
;
1778 struct audit_tree
*tree
;
1781 if (!security_audit_rule_known(r
))
1786 nentry
= audit_dupe_rule(r
, watch
);
1787 if (IS_ERR(nentry
)) {
1788 /* save the first error encountered for the
1790 err
= PTR_ERR(nentry
);
1791 audit_panic("error updating LSM filters");
1793 list_del(&r
->rlist
);
1794 list_del_rcu(&entry
->list
);
1798 list_add(&nentry
->rule
.rlist
, &watch
->rules
);
1799 list_del(&r
->rlist
);
1801 list_replace_init(&r
->rlist
, &nentry
->rule
.rlist
);
1802 list_replace_rcu(&entry
->list
, &nentry
->list
);
1803 list_replace(&r
->list
, &nentry
->rule
.list
);
1805 call_rcu(&entry
->rcu
, audit_free_rule_rcu
);
1810 /* This function will re-initialize the lsm_rule field of all applicable rules.
1811 * It will traverse the filter lists serarching for rules that contain LSM
1812 * specific filter fields. When such a rule is found, it is copied, the
1813 * LSM field is re-initialized, and the old rule is replaced with the
1815 int audit_update_lsm_rules(void)
1817 struct audit_krule
*r
, *n
;
1820 /* audit_filter_mutex synchronizes the writers */
1821 mutex_lock(&audit_filter_mutex
);
1823 for (i
= 0; i
< AUDIT_NR_FILTERS
; i
++) {
1824 list_for_each_entry_safe(r
, n
, &audit_rules_list
[i
], list
) {
1825 int res
= update_lsm_rule(r
);
1830 mutex_unlock(&audit_filter_mutex
);
1835 /* Update watch data in audit rules based on inotify events. */
1836 void audit_handle_ievent(struct inotify_watch
*i_watch
, u32 wd
, u32 mask
,
1837 u32 cookie
, const char *dname
, struct inode
*inode
)
1839 struct audit_parent
*parent
;
1841 parent
= container_of(i_watch
, struct audit_parent
, wdata
);
1843 if (mask
& (IN_CREATE
|IN_MOVED_TO
) && inode
)
1844 audit_update_watch(parent
, dname
, inode
->i_sb
->s_dev
,
1846 else if (mask
& (IN_DELETE
|IN_MOVED_FROM
))
1847 audit_update_watch(parent
, dname
, (dev_t
)-1, (unsigned long)-1, 1);
1848 /* inotify automatically removes the watch and sends IN_IGNORED */
1849 else if (mask
& (IN_DELETE_SELF
|IN_UNMOUNT
))
1850 audit_remove_parent_watches(parent
);
1851 /* inotify does not remove the watch, so remove it manually */
1852 else if(mask
& IN_MOVE_SELF
) {
1853 audit_remove_parent_watches(parent
);
1854 inotify_remove_watch_locked(audit_ih
, i_watch
);
1855 } else if (mask
& IN_IGNORED
)
1856 put_inotify_watch(i_watch
);