1 /* auditfilter.c -- filtering of audit events
3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include <linux/kernel.h>
23 #include <linux/audit.h>
24 #include <linux/kthread.h>
25 #include <linux/mutex.h>
27 #include <linux/namei.h>
28 #include <linux/netlink.h>
29 #include <linux/sched.h>
30 #include <linux/inotify.h>
31 #include <linux/security.h>
38 * Synchronizes writes and blocking reads of audit's filterlist
39 * data. Rcu is used to traverse the filterlist and access
40 * contents of structs audit_entry, audit_watch and opaque
41 * LSM rules during filtering. If modified, these structures
42 * must be copied and replace their counterparts in the filterlist.
43 * An audit_parent struct is not accessed during filtering, so may
44 * be written directly provided audit_filter_mutex is held.
50 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED
51 * event. Each audit_watch holds a reference to its associated parent.
53 * audit_watch: if added to lists, lifetime is from audit_init_watch() to
54 * audit_remove_watch(). Additionally, an audit_watch may exist
55 * temporarily to assist in searching existing filter data. Each
56 * audit_krule holds a reference to its associated watch.
60 struct list_head ilist
; /* entry in inotify registration list */
61 struct list_head watches
; /* associated watches */
62 struct inotify_watch wdata
; /* inotify watch data */
63 unsigned flags
; /* status flags */
67 * audit_parent status flags:
69 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to
70 * a filesystem event to ensure we're adding audit watches to a valid parent.
71 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot
72 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which
73 * we can receive while holding nameidata.
75 #define AUDIT_PARENT_INVALID 0x001
77 /* Audit filter lists, defined in <linux/audit.h> */
78 struct list_head audit_filter_list
[AUDIT_NR_FILTERS
] = {
79 LIST_HEAD_INIT(audit_filter_list
[0]),
80 LIST_HEAD_INIT(audit_filter_list
[1]),
81 LIST_HEAD_INIT(audit_filter_list
[2]),
82 LIST_HEAD_INIT(audit_filter_list
[3]),
83 LIST_HEAD_INIT(audit_filter_list
[4]),
84 LIST_HEAD_INIT(audit_filter_list
[5]),
85 #if AUDIT_NR_FILTERS != 6
86 #error Fix audit_filter_list initialiser
89 static struct list_head audit_rules_list
[AUDIT_NR_FILTERS
] = {
90 LIST_HEAD_INIT(audit_rules_list
[0]),
91 LIST_HEAD_INIT(audit_rules_list
[1]),
92 LIST_HEAD_INIT(audit_rules_list
[2]),
93 LIST_HEAD_INIT(audit_rules_list
[3]),
94 LIST_HEAD_INIT(audit_rules_list
[4]),
95 LIST_HEAD_INIT(audit_rules_list
[5]),
98 DEFINE_MUTEX(audit_filter_mutex
);
100 /* Inotify events we care about. */
101 #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
103 void audit_free_parent(struct inotify_watch
*i_watch
)
105 struct audit_parent
*parent
;
107 parent
= container_of(i_watch
, struct audit_parent
, wdata
);
108 WARN_ON(!list_empty(&parent
->watches
));
112 static inline void audit_get_watch(struct audit_watch
*watch
)
114 atomic_inc(&watch
->count
);
117 static void audit_put_watch(struct audit_watch
*watch
)
119 if (atomic_dec_and_test(&watch
->count
)) {
120 WARN_ON(watch
->parent
);
121 WARN_ON(!list_empty(&watch
->rules
));
127 static void audit_remove_watch(struct audit_watch
*watch
)
129 list_del(&watch
->wlist
);
130 put_inotify_watch(&watch
->parent
->wdata
);
131 watch
->parent
= NULL
;
132 audit_put_watch(watch
); /* match initial get */
135 static inline void audit_free_rule(struct audit_entry
*e
)
139 /* some rules don't have associated watches */
141 audit_put_watch(e
->rule
.watch
);
143 for (i
= 0; i
< e
->rule
.field_count
; i
++) {
144 struct audit_field
*f
= &e
->rule
.fields
[i
];
146 security_audit_rule_free(f
->lsm_rule
);
148 kfree(e
->rule
.fields
);
149 kfree(e
->rule
.filterkey
);
153 void audit_free_rule_rcu(struct rcu_head
*head
)
155 struct audit_entry
*e
= container_of(head
, struct audit_entry
, rcu
);
159 /* Initialize a parent watch entry. */
160 static struct audit_parent
*audit_init_parent(struct nameidata
*ndp
)
162 struct audit_parent
*parent
;
165 parent
= kzalloc(sizeof(*parent
), GFP_KERNEL
);
166 if (unlikely(!parent
))
167 return ERR_PTR(-ENOMEM
);
169 INIT_LIST_HEAD(&parent
->watches
);
172 inotify_init_watch(&parent
->wdata
);
173 /* grab a ref so inotify watch hangs around until we take audit_filter_mutex */
174 get_inotify_watch(&parent
->wdata
);
175 wd
= inotify_add_watch(audit_ih
, &parent
->wdata
,
176 ndp
->path
.dentry
->d_inode
, AUDIT_IN_WATCH
);
178 audit_free_parent(&parent
->wdata
);
185 /* Initialize a watch entry. */
186 static struct audit_watch
*audit_init_watch(char *path
)
188 struct audit_watch
*watch
;
190 watch
= kzalloc(sizeof(*watch
), GFP_KERNEL
);
191 if (unlikely(!watch
))
192 return ERR_PTR(-ENOMEM
);
194 INIT_LIST_HEAD(&watch
->rules
);
195 atomic_set(&watch
->count
, 1);
197 watch
->dev
= (dev_t
)-1;
198 watch
->ino
= (unsigned long)-1;
203 /* Initialize an audit filterlist entry. */
204 static inline struct audit_entry
*audit_init_entry(u32 field_count
)
206 struct audit_entry
*entry
;
207 struct audit_field
*fields
;
209 entry
= kzalloc(sizeof(*entry
), GFP_KERNEL
);
210 if (unlikely(!entry
))
213 fields
= kzalloc(sizeof(*fields
) * field_count
, GFP_KERNEL
);
214 if (unlikely(!fields
)) {
218 entry
->rule
.fields
= fields
;
223 /* Unpack a filter field's string representation from user-space
225 char *audit_unpack_string(void **bufp
, size_t *remain
, size_t len
)
229 if (!*bufp
|| (len
== 0) || (len
> *remain
))
230 return ERR_PTR(-EINVAL
);
232 /* Of the currently implemented string fields, PATH_MAX
233 * defines the longest valid length.
236 return ERR_PTR(-ENAMETOOLONG
);
238 str
= kmalloc(len
+ 1, GFP_KERNEL
);
240 return ERR_PTR(-ENOMEM
);
242 memcpy(str
, *bufp
, len
);
250 /* Translate an inode field to kernel respresentation. */
251 static inline int audit_to_inode(struct audit_krule
*krule
,
252 struct audit_field
*f
)
254 if (krule
->listnr
!= AUDIT_FILTER_EXIT
||
255 krule
->watch
|| krule
->inode_f
|| krule
->tree
||
256 (f
->op
!= Audit_equal
&& f
->op
!= Audit_not_equal
))
263 /* Translate a watch string to kernel respresentation. */
264 static int audit_to_watch(struct audit_krule
*krule
, char *path
, int len
,
267 struct audit_watch
*watch
;
272 if (path
[0] != '/' || path
[len
-1] == '/' ||
273 krule
->listnr
!= AUDIT_FILTER_EXIT
||
275 krule
->inode_f
|| krule
->watch
|| krule
->tree
)
278 watch
= audit_init_watch(path
);
280 return PTR_ERR(watch
);
282 audit_get_watch(watch
);
283 krule
->watch
= watch
;
288 static __u32
*classes
[AUDIT_SYSCALL_CLASSES
];
290 int __init
audit_register_class(int class, unsigned *list
)
292 __u32
*p
= kzalloc(AUDIT_BITMASK_SIZE
* sizeof(__u32
), GFP_KERNEL
);
295 while (*list
!= ~0U) {
296 unsigned n
= *list
++;
297 if (n
>= AUDIT_BITMASK_SIZE
* 32 - AUDIT_SYSCALL_CLASSES
) {
301 p
[AUDIT_WORD(n
)] |= AUDIT_BIT(n
);
303 if (class >= AUDIT_SYSCALL_CLASSES
|| classes
[class]) {
311 int audit_match_class(int class, unsigned syscall
)
313 if (unlikely(syscall
>= AUDIT_BITMASK_SIZE
* 32))
315 if (unlikely(class >= AUDIT_SYSCALL_CLASSES
|| !classes
[class]))
317 return classes
[class][AUDIT_WORD(syscall
)] & AUDIT_BIT(syscall
);
320 #ifdef CONFIG_AUDITSYSCALL
321 static inline int audit_match_class_bits(int class, u32
*mask
)
325 if (classes
[class]) {
326 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
327 if (mask
[i
] & classes
[class][i
])
333 static int audit_match_signal(struct audit_entry
*entry
)
335 struct audit_field
*arch
= entry
->rule
.arch_f
;
338 /* When arch is unspecified, we must check both masks on biarch
339 * as syscall number alone is ambiguous. */
340 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL
,
342 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32
,
346 switch(audit_classify_arch(arch
->val
)) {
348 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL
,
350 case 1: /* 32bit on biarch */
351 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32
,
359 /* Common user-space to kernel rule translation. */
360 static inline struct audit_entry
*audit_to_entry_common(struct audit_rule
*rule
)
363 struct audit_entry
*entry
;
367 listnr
= rule
->flags
& ~AUDIT_FILTER_PREPEND
;
371 case AUDIT_FILTER_USER
:
372 case AUDIT_FILTER_TYPE
:
373 #ifdef CONFIG_AUDITSYSCALL
374 case AUDIT_FILTER_ENTRY
:
375 case AUDIT_FILTER_EXIT
:
376 case AUDIT_FILTER_TASK
:
380 if (unlikely(rule
->action
== AUDIT_POSSIBLE
)) {
381 printk(KERN_ERR
"AUDIT_POSSIBLE is deprecated\n");
384 if (rule
->action
!= AUDIT_NEVER
&& rule
->action
!= AUDIT_ALWAYS
)
386 if (rule
->field_count
> AUDIT_MAX_FIELDS
)
390 entry
= audit_init_entry(rule
->field_count
);
394 entry
->rule
.flags
= rule
->flags
& AUDIT_FILTER_PREPEND
;
395 entry
->rule
.listnr
= listnr
;
396 entry
->rule
.action
= rule
->action
;
397 entry
->rule
.field_count
= rule
->field_count
;
399 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
400 entry
->rule
.mask
[i
] = rule
->mask
[i
];
402 for (i
= 0; i
< AUDIT_SYSCALL_CLASSES
; i
++) {
403 int bit
= AUDIT_BITMASK_SIZE
* 32 - i
- 1;
404 __u32
*p
= &entry
->rule
.mask
[AUDIT_WORD(bit
)];
407 if (!(*p
& AUDIT_BIT(bit
)))
409 *p
&= ~AUDIT_BIT(bit
);
413 for (j
= 0; j
< AUDIT_BITMASK_SIZE
; j
++)
414 entry
->rule
.mask
[j
] |= class[j
];
424 static u32 audit_ops
[] =
426 [Audit_equal
] = AUDIT_EQUAL
,
427 [Audit_not_equal
] = AUDIT_NOT_EQUAL
,
428 [Audit_bitmask
] = AUDIT_BIT_MASK
,
429 [Audit_bittest
] = AUDIT_BIT_TEST
,
430 [Audit_lt
] = AUDIT_LESS_THAN
,
431 [Audit_gt
] = AUDIT_GREATER_THAN
,
432 [Audit_le
] = AUDIT_LESS_THAN_OR_EQUAL
,
433 [Audit_ge
] = AUDIT_GREATER_THAN_OR_EQUAL
,
436 static u32
audit_to_op(u32 op
)
439 for (n
= Audit_equal
; n
< Audit_bad
&& audit_ops
[n
] != op
; n
++)
445 /* Translate struct audit_rule to kernel's rule respresentation.
446 * Exists for backward compatibility with userspace. */
447 static struct audit_entry
*audit_rule_to_entry(struct audit_rule
*rule
)
449 struct audit_entry
*entry
;
453 entry
= audit_to_entry_common(rule
);
457 for (i
= 0; i
< rule
->field_count
; i
++) {
458 struct audit_field
*f
= &entry
->rule
.fields
[i
];
461 n
= rule
->fields
[i
] & (AUDIT_NEGATE
|AUDIT_OPERATORS
);
463 /* Support for legacy operators where
464 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
465 if (n
& AUDIT_NEGATE
)
466 f
->op
= Audit_not_equal
;
470 f
->op
= audit_to_op(n
);
472 entry
->rule
.vers_ops
= (n
& AUDIT_OPERATORS
) ? 2 : 1;
474 f
->type
= rule
->fields
[i
] & ~(AUDIT_NEGATE
|AUDIT_OPERATORS
);
475 f
->val
= rule
->values
[i
];
478 if (f
->op
== Audit_bad
)
501 /* bit ops are only useful on syscall args */
502 if (f
->op
== Audit_bitmask
|| f
->op
== Audit_bittest
)
510 /* arch is only allowed to be = or != */
512 if (f
->op
!= Audit_not_equal
&& f
->op
!= Audit_equal
)
514 entry
->rule
.arch_f
= f
;
521 if ((f
->val
& ~S_IFMT
) > S_IFMT
)
525 err
= audit_to_inode(&entry
->rule
, f
);
532 if (entry
->rule
.inode_f
&& entry
->rule
.inode_f
->op
== Audit_not_equal
)
533 entry
->rule
.inode_f
= NULL
;
539 audit_free_rule(entry
);
543 /* Translate struct audit_rule_data to kernel's rule respresentation. */
544 static struct audit_entry
*audit_data_to_entry(struct audit_rule_data
*data
,
548 struct audit_entry
*entry
;
550 size_t remain
= datasz
- sizeof(struct audit_rule_data
);
554 entry
= audit_to_entry_common((struct audit_rule
*)data
);
559 entry
->rule
.vers_ops
= 2;
560 for (i
= 0; i
< data
->field_count
; i
++) {
561 struct audit_field
*f
= &entry
->rule
.fields
[i
];
565 f
->op
= audit_to_op(data
->fieldflags
[i
]);
566 if (f
->op
== Audit_bad
)
569 f
->type
= data
->fields
[i
];
570 f
->val
= data
->values
[i
];
597 entry
->rule
.arch_f
= f
;
599 case AUDIT_SUBJ_USER
:
600 case AUDIT_SUBJ_ROLE
:
601 case AUDIT_SUBJ_TYPE
:
607 case AUDIT_OBJ_LEV_LOW
:
608 case AUDIT_OBJ_LEV_HIGH
:
609 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
612 entry
->rule
.buflen
+= f
->val
;
614 err
= security_audit_rule_init(f
->type
, f
->op
, str
,
615 (void **)&f
->lsm_rule
);
616 /* Keep currently invalid fields around in case they
617 * become valid after a policy reload. */
618 if (err
== -EINVAL
) {
619 printk(KERN_WARNING
"audit rule for LSM "
620 "\'%s\' is invalid\n", str
);
630 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
633 entry
->rule
.buflen
+= f
->val
;
635 err
= audit_to_watch(&entry
->rule
, str
, f
->val
, f
->op
);
642 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
645 entry
->rule
.buflen
+= f
->val
;
647 err
= audit_make_tree(&entry
->rule
, str
, f
->op
);
653 err
= audit_to_inode(&entry
->rule
, f
);
657 case AUDIT_FILTERKEY
:
659 if (entry
->rule
.filterkey
|| f
->val
> AUDIT_MAX_KEY_LEN
)
661 str
= audit_unpack_string(&bufp
, &remain
, f
->val
);
664 entry
->rule
.buflen
+= f
->val
;
665 entry
->rule
.filterkey
= str
;
672 if ((f
->val
& ~S_IFMT
) > S_IFMT
)
680 if (entry
->rule
.inode_f
&& entry
->rule
.inode_f
->op
== Audit_not_equal
)
681 entry
->rule
.inode_f
= NULL
;
687 audit_free_rule(entry
);
691 /* Pack a filter field's string representation into data block. */
692 static inline size_t audit_pack_string(void **bufp
, const char *str
)
694 size_t len
= strlen(str
);
696 memcpy(*bufp
, str
, len
);
702 /* Translate kernel rule respresentation to struct audit_rule.
703 * Exists for backward compatibility with userspace. */
704 static struct audit_rule
*audit_krule_to_rule(struct audit_krule
*krule
)
706 struct audit_rule
*rule
;
709 rule
= kzalloc(sizeof(*rule
), GFP_KERNEL
);
713 rule
->flags
= krule
->flags
| krule
->listnr
;
714 rule
->action
= krule
->action
;
715 rule
->field_count
= krule
->field_count
;
716 for (i
= 0; i
< rule
->field_count
; i
++) {
717 rule
->values
[i
] = krule
->fields
[i
].val
;
718 rule
->fields
[i
] = krule
->fields
[i
].type
;
720 if (krule
->vers_ops
== 1) {
721 if (krule
->fields
[i
].op
== Audit_not_equal
)
722 rule
->fields
[i
] |= AUDIT_NEGATE
;
724 rule
->fields
[i
] |= audit_ops
[krule
->fields
[i
].op
];
727 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++) rule
->mask
[i
] = krule
->mask
[i
];
732 /* Translate kernel rule respresentation to struct audit_rule_data. */
733 static struct audit_rule_data
*audit_krule_to_data(struct audit_krule
*krule
)
735 struct audit_rule_data
*data
;
739 data
= kmalloc(sizeof(*data
) + krule
->buflen
, GFP_KERNEL
);
742 memset(data
, 0, sizeof(*data
));
744 data
->flags
= krule
->flags
| krule
->listnr
;
745 data
->action
= krule
->action
;
746 data
->field_count
= krule
->field_count
;
748 for (i
= 0; i
< data
->field_count
; i
++) {
749 struct audit_field
*f
= &krule
->fields
[i
];
751 data
->fields
[i
] = f
->type
;
752 data
->fieldflags
[i
] = audit_ops
[f
->op
];
754 case AUDIT_SUBJ_USER
:
755 case AUDIT_SUBJ_ROLE
:
756 case AUDIT_SUBJ_TYPE
:
762 case AUDIT_OBJ_LEV_LOW
:
763 case AUDIT_OBJ_LEV_HIGH
:
764 data
->buflen
+= data
->values
[i
] =
765 audit_pack_string(&bufp
, f
->lsm_str
);
768 data
->buflen
+= data
->values
[i
] =
769 audit_pack_string(&bufp
, krule
->watch
->path
);
772 data
->buflen
+= data
->values
[i
] =
773 audit_pack_string(&bufp
,
774 audit_tree_path(krule
->tree
));
776 case AUDIT_FILTERKEY
:
777 data
->buflen
+= data
->values
[i
] =
778 audit_pack_string(&bufp
, krule
->filterkey
);
781 data
->values
[i
] = f
->val
;
784 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++) data
->mask
[i
] = krule
->mask
[i
];
789 /* Compare two rules in kernel format. Considered success if rules
791 static int audit_compare_rule(struct audit_krule
*a
, struct audit_krule
*b
)
795 if (a
->flags
!= b
->flags
||
796 a
->listnr
!= b
->listnr
||
797 a
->action
!= b
->action
||
798 a
->field_count
!= b
->field_count
)
801 for (i
= 0; i
< a
->field_count
; i
++) {
802 if (a
->fields
[i
].type
!= b
->fields
[i
].type
||
803 a
->fields
[i
].op
!= b
->fields
[i
].op
)
806 switch(a
->fields
[i
].type
) {
807 case AUDIT_SUBJ_USER
:
808 case AUDIT_SUBJ_ROLE
:
809 case AUDIT_SUBJ_TYPE
:
815 case AUDIT_OBJ_LEV_LOW
:
816 case AUDIT_OBJ_LEV_HIGH
:
817 if (strcmp(a
->fields
[i
].lsm_str
, b
->fields
[i
].lsm_str
))
821 if (strcmp(a
->watch
->path
, b
->watch
->path
))
825 if (strcmp(audit_tree_path(a
->tree
),
826 audit_tree_path(b
->tree
)))
829 case AUDIT_FILTERKEY
:
830 /* both filterkeys exist based on above type compare */
831 if (strcmp(a
->filterkey
, b
->filterkey
))
835 if (a
->fields
[i
].val
!= b
->fields
[i
].val
)
840 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
841 if (a
->mask
[i
] != b
->mask
[i
])
847 /* Duplicate the given audit watch. The new watch's rules list is initialized
848 * to an empty list and wlist is undefined. */
849 static struct audit_watch
*audit_dupe_watch(struct audit_watch
*old
)
852 struct audit_watch
*new;
854 path
= kstrdup(old
->path
, GFP_KERNEL
);
856 return ERR_PTR(-ENOMEM
);
858 new = audit_init_watch(path
);
866 get_inotify_watch(&old
->parent
->wdata
);
867 new->parent
= old
->parent
;
873 /* Duplicate LSM field information. The lsm_rule is opaque, so must be
875 static inline int audit_dupe_lsm_field(struct audit_field
*df
,
876 struct audit_field
*sf
)
881 /* our own copy of lsm_str */
882 lsm_str
= kstrdup(sf
->lsm_str
, GFP_KERNEL
);
883 if (unlikely(!lsm_str
))
885 df
->lsm_str
= lsm_str
;
887 /* our own (refreshed) copy of lsm_rule */
888 ret
= security_audit_rule_init(df
->type
, df
->op
, df
->lsm_str
,
889 (void **)&df
->lsm_rule
);
890 /* Keep currently invalid fields around in case they
891 * become valid after a policy reload. */
892 if (ret
== -EINVAL
) {
893 printk(KERN_WARNING
"audit rule for LSM \'%s\' is "
894 "invalid\n", df
->lsm_str
);
901 /* Duplicate an audit rule. This will be a deep copy with the exception
902 * of the watch - that pointer is carried over. The LSM specific fields
903 * will be updated in the copy. The point is to be able to replace the old
904 * rule with the new rule in the filterlist, then free the old rule.
905 * The rlist element is undefined; list manipulations are handled apart from
906 * the initial copy. */
907 static struct audit_entry
*audit_dupe_rule(struct audit_krule
*old
,
908 struct audit_watch
*watch
)
910 u32 fcount
= old
->field_count
;
911 struct audit_entry
*entry
;
912 struct audit_krule
*new;
916 entry
= audit_init_entry(fcount
);
917 if (unlikely(!entry
))
918 return ERR_PTR(-ENOMEM
);
921 new->vers_ops
= old
->vers_ops
;
922 new->flags
= old
->flags
;
923 new->listnr
= old
->listnr
;
924 new->action
= old
->action
;
925 for (i
= 0; i
< AUDIT_BITMASK_SIZE
; i
++)
926 new->mask
[i
] = old
->mask
[i
];
927 new->prio
= old
->prio
;
928 new->buflen
= old
->buflen
;
929 new->inode_f
= old
->inode_f
;
931 new->field_count
= old
->field_count
;
933 * note that we are OK with not refcounting here; audit_match_tree()
934 * never dereferences tree and we can't get false positives there
935 * since we'd have to have rule gone from the list *and* removed
936 * before the chunks found by lookup had been allocated, i.e. before
937 * the beginning of list scan.
939 new->tree
= old
->tree
;
940 memcpy(new->fields
, old
->fields
, sizeof(struct audit_field
) * fcount
);
942 /* deep copy this information, updating the lsm_rule fields, because
943 * the originals will all be freed when the old rule is freed. */
944 for (i
= 0; i
< fcount
; i
++) {
945 switch (new->fields
[i
].type
) {
946 case AUDIT_SUBJ_USER
:
947 case AUDIT_SUBJ_ROLE
:
948 case AUDIT_SUBJ_TYPE
:
954 case AUDIT_OBJ_LEV_LOW
:
955 case AUDIT_OBJ_LEV_HIGH
:
956 err
= audit_dupe_lsm_field(&new->fields
[i
],
959 case AUDIT_FILTERKEY
:
960 fk
= kstrdup(old
->filterkey
, GFP_KERNEL
);
967 audit_free_rule(entry
);
973 audit_get_watch(watch
);
980 /* Update inode info in audit rules based on filesystem event. */
981 static void audit_update_watch(struct audit_parent
*parent
,
982 const char *dname
, dev_t dev
,
983 unsigned long ino
, unsigned invalidating
)
985 struct audit_watch
*owatch
, *nwatch
, *nextw
;
986 struct audit_krule
*r
, *nextr
;
987 struct audit_entry
*oentry
, *nentry
;
989 mutex_lock(&audit_filter_mutex
);
990 list_for_each_entry_safe(owatch
, nextw
, &parent
->watches
, wlist
) {
991 if (audit_compare_dname_path(dname
, owatch
->path
, NULL
))
994 /* If the update involves invalidating rules, do the inode-based
995 * filtering now, so we don't omit records. */
996 if (invalidating
&& current
->audit_context
)
997 audit_filter_inodes(current
, current
->audit_context
);
999 nwatch
= audit_dupe_watch(owatch
);
1000 if (IS_ERR(nwatch
)) {
1001 mutex_unlock(&audit_filter_mutex
);
1002 audit_panic("error updating watch, skipping");
1008 list_for_each_entry_safe(r
, nextr
, &owatch
->rules
, rlist
) {
1010 oentry
= container_of(r
, struct audit_entry
, rule
);
1011 list_del(&oentry
->rule
.rlist
);
1012 list_del_rcu(&oentry
->list
);
1014 nentry
= audit_dupe_rule(&oentry
->rule
, nwatch
);
1015 if (IS_ERR(nentry
)) {
1016 list_del(&oentry
->rule
.list
);
1017 audit_panic("error updating watch, removing");
1019 int h
= audit_hash_ino((u32
)ino
);
1020 list_add(&nentry
->rule
.rlist
, &nwatch
->rules
);
1021 list_add_rcu(&nentry
->list
, &audit_inode_hash
[h
]);
1022 list_replace(&oentry
->rule
.list
,
1023 &nentry
->rule
.list
);
1026 call_rcu(&oentry
->rcu
, audit_free_rule_rcu
);
1029 if (audit_enabled
) {
1030 struct audit_buffer
*ab
;
1031 ab
= audit_log_start(NULL
, GFP_KERNEL
,
1032 AUDIT_CONFIG_CHANGE
);
1033 audit_log_format(ab
, "auid=%u ses=%u",
1034 audit_get_loginuid(current
),
1035 audit_get_sessionid(current
));
1036 audit_log_format(ab
,
1037 " op=updated rules specifying path=");
1038 audit_log_untrustedstring(ab
, owatch
->path
);
1039 audit_log_format(ab
, " with dev=%u ino=%lu\n",
1041 audit_log_format(ab
, " list=%d res=1", r
->listnr
);
1044 audit_remove_watch(owatch
);
1045 goto add_watch_to_parent
; /* event applies to a single watch */
1047 mutex_unlock(&audit_filter_mutex
);
1050 add_watch_to_parent
:
1051 list_add(&nwatch
->wlist
, &parent
->watches
);
1052 mutex_unlock(&audit_filter_mutex
);
1056 /* Remove all watches & rules associated with a parent that is going away. */
1057 static void audit_remove_parent_watches(struct audit_parent
*parent
)
1059 struct audit_watch
*w
, *nextw
;
1060 struct audit_krule
*r
, *nextr
;
1061 struct audit_entry
*e
;
1063 mutex_lock(&audit_filter_mutex
);
1064 parent
->flags
|= AUDIT_PARENT_INVALID
;
1065 list_for_each_entry_safe(w
, nextw
, &parent
->watches
, wlist
) {
1066 list_for_each_entry_safe(r
, nextr
, &w
->rules
, rlist
) {
1067 e
= container_of(r
, struct audit_entry
, rule
);
1068 if (audit_enabled
) {
1069 struct audit_buffer
*ab
;
1070 ab
= audit_log_start(NULL
, GFP_KERNEL
,
1071 AUDIT_CONFIG_CHANGE
);
1072 audit_log_format(ab
, "auid=%u ses=%u",
1073 audit_get_loginuid(current
),
1074 audit_get_sessionid(current
));
1075 audit_log_format(ab
, " op=remove rule path=");
1076 audit_log_untrustedstring(ab
, w
->path
);
1078 audit_log_format(ab
, " key=");
1079 audit_log_untrustedstring(ab
,
1082 audit_log_format(ab
, " key=(null)");
1083 audit_log_format(ab
, " list=%d res=1",
1087 list_del(&r
->rlist
);
1089 list_del_rcu(&e
->list
);
1090 call_rcu(&e
->rcu
, audit_free_rule_rcu
);
1092 audit_remove_watch(w
);
1094 mutex_unlock(&audit_filter_mutex
);
1097 /* Unregister inotify watches for parents on in_list.
1098 * Generates an IN_IGNORED event. */
1099 static void audit_inotify_unregister(struct list_head
*in_list
)
1101 struct audit_parent
*p
, *n
;
1103 list_for_each_entry_safe(p
, n
, in_list
, ilist
) {
1104 list_del(&p
->ilist
);
1105 inotify_rm_watch(audit_ih
, &p
->wdata
);
1106 /* the unpin matching the pin in audit_do_del_rule() */
1107 unpin_inotify_watch(&p
->wdata
);
1111 /* Find an existing audit rule.
1112 * Caller must hold audit_filter_mutex to prevent stale rule data. */
1113 static struct audit_entry
*audit_find_rule(struct audit_entry
*entry
,
1114 struct list_head
**p
)
1116 struct audit_entry
*e
, *found
= NULL
;
1117 struct list_head
*list
;
1120 if (entry
->rule
.inode_f
) {
1121 h
= audit_hash_ino(entry
->rule
.inode_f
->val
);
1122 *p
= list
= &audit_inode_hash
[h
];
1123 } else if (entry
->rule
.watch
) {
1124 /* we don't know the inode number, so must walk entire hash */
1125 for (h
= 0; h
< AUDIT_INODE_BUCKETS
; h
++) {
1126 list
= &audit_inode_hash
[h
];
1127 list_for_each_entry(e
, list
, list
)
1128 if (!audit_compare_rule(&entry
->rule
, &e
->rule
)) {
1135 *p
= list
= &audit_filter_list
[entry
->rule
.listnr
];
1138 list_for_each_entry(e
, list
, list
)
1139 if (!audit_compare_rule(&entry
->rule
, &e
->rule
)) {
1148 /* Get path information necessary for adding watches. */
1149 static int audit_get_nd(char *path
, struct nameidata
**ndp
,
1150 struct nameidata
**ndw
)
1152 struct nameidata
*ndparent
, *ndwatch
;
1155 ndparent
= kmalloc(sizeof(*ndparent
), GFP_KERNEL
);
1156 if (unlikely(!ndparent
))
1159 ndwatch
= kmalloc(sizeof(*ndwatch
), GFP_KERNEL
);
1160 if (unlikely(!ndwatch
)) {
1165 err
= path_lookup(path
, LOOKUP_PARENT
, ndparent
);
1172 err
= path_lookup(path
, 0, ndwatch
);
1184 /* Release resources used for watch path information. */
1185 static void audit_put_nd(struct nameidata
*ndp
, struct nameidata
*ndw
)
1188 path_put(&ndp
->path
);
1192 path_put(&ndw
->path
);
1197 /* Associate the given rule with an existing parent inotify_watch.
1198 * Caller must hold audit_filter_mutex. */
1199 static void audit_add_to_parent(struct audit_krule
*krule
,
1200 struct audit_parent
*parent
)
1202 struct audit_watch
*w
, *watch
= krule
->watch
;
1203 int watch_found
= 0;
1205 list_for_each_entry(w
, &parent
->watches
, wlist
) {
1206 if (strcmp(watch
->path
, w
->path
))
1211 /* put krule's and initial refs to temporary watch */
1212 audit_put_watch(watch
);
1213 audit_put_watch(watch
);
1216 krule
->watch
= watch
= w
;
1221 get_inotify_watch(&parent
->wdata
);
1222 watch
->parent
= parent
;
1224 list_add(&watch
->wlist
, &parent
->watches
);
1226 list_add(&krule
->rlist
, &watch
->rules
);
1229 /* Find a matching watch entry, or add this one.
1230 * Caller must hold audit_filter_mutex. */
1231 static int audit_add_watch(struct audit_krule
*krule
, struct nameidata
*ndp
,
1232 struct nameidata
*ndw
)
1234 struct audit_watch
*watch
= krule
->watch
;
1235 struct inotify_watch
*i_watch
;
1236 struct audit_parent
*parent
;
1239 /* update watch filter fields */
1241 watch
->dev
= ndw
->path
.dentry
->d_inode
->i_sb
->s_dev
;
1242 watch
->ino
= ndw
->path
.dentry
->d_inode
->i_ino
;
1245 /* The audit_filter_mutex must not be held during inotify calls because
1246 * we hold it during inotify event callback processing. If an existing
1247 * inotify watch is found, inotify_find_watch() grabs a reference before
1250 mutex_unlock(&audit_filter_mutex
);
1252 if (inotify_find_watch(audit_ih
, ndp
->path
.dentry
->d_inode
,
1254 parent
= audit_init_parent(ndp
);
1255 if (IS_ERR(parent
)) {
1256 /* caller expects mutex locked */
1257 mutex_lock(&audit_filter_mutex
);
1258 return PTR_ERR(parent
);
1261 parent
= container_of(i_watch
, struct audit_parent
, wdata
);
1263 mutex_lock(&audit_filter_mutex
);
1265 /* parent was moved before we took audit_filter_mutex */
1266 if (parent
->flags
& AUDIT_PARENT_INVALID
)
1269 audit_add_to_parent(krule
, parent
);
1271 /* match get in audit_init_parent or inotify_find_watch */
1272 put_inotify_watch(&parent
->wdata
);
1276 static u64 prio_low
= ~0ULL/2;
1277 static u64 prio_high
= ~0ULL/2 - 1;
1279 /* Add rule to given filterlist if not a duplicate. */
1280 static inline int audit_add_rule(struct audit_entry
*entry
)
1282 struct audit_entry
*e
;
1283 struct audit_watch
*watch
= entry
->rule
.watch
;
1284 struct audit_tree
*tree
= entry
->rule
.tree
;
1285 struct nameidata
*ndp
= NULL
, *ndw
= NULL
;
1286 struct list_head
*list
;
1288 #ifdef CONFIG_AUDITSYSCALL
1291 /* If either of these, don't count towards total */
1292 if (entry
->rule
.listnr
== AUDIT_FILTER_USER
||
1293 entry
->rule
.listnr
== AUDIT_FILTER_TYPE
)
1297 mutex_lock(&audit_filter_mutex
);
1298 e
= audit_find_rule(entry
, &list
);
1299 mutex_unlock(&audit_filter_mutex
);
1302 /* normally audit_add_tree_rule() will free it on failure */
1304 audit_put_tree(tree
);
1308 /* Avoid calling path_lookup under audit_filter_mutex. */
1310 err
= audit_get_nd(watch
->path
, &ndp
, &ndw
);
1315 mutex_lock(&audit_filter_mutex
);
1317 /* audit_filter_mutex is dropped and re-taken during this call */
1318 err
= audit_add_watch(&entry
->rule
, ndp
, ndw
);
1320 mutex_unlock(&audit_filter_mutex
);
1323 h
= audit_hash_ino((u32
)watch
->ino
);
1324 list
= &audit_inode_hash
[h
];
1327 err
= audit_add_tree_rule(&entry
->rule
);
1329 mutex_unlock(&audit_filter_mutex
);
1334 entry
->rule
.prio
= ~0ULL;
1335 if (entry
->rule
.listnr
== AUDIT_FILTER_EXIT
) {
1336 if (entry
->rule
.flags
& AUDIT_FILTER_PREPEND
)
1337 entry
->rule
.prio
= ++prio_high
;
1339 entry
->rule
.prio
= --prio_low
;
1342 if (entry
->rule
.flags
& AUDIT_FILTER_PREPEND
) {
1343 list_add(&entry
->rule
.list
,
1344 &audit_rules_list
[entry
->rule
.listnr
]);
1345 list_add_rcu(&entry
->list
, list
);
1346 entry
->rule
.flags
&= ~AUDIT_FILTER_PREPEND
;
1348 list_add_tail(&entry
->rule
.list
,
1349 &audit_rules_list
[entry
->rule
.listnr
]);
1350 list_add_tail_rcu(&entry
->list
, list
);
1352 #ifdef CONFIG_AUDITSYSCALL
1356 if (!audit_match_signal(entry
))
1359 mutex_unlock(&audit_filter_mutex
);
1361 audit_put_nd(ndp
, ndw
); /* NULL args OK */
1365 audit_put_nd(ndp
, ndw
); /* NULL args OK */
1367 audit_put_watch(watch
); /* tmp watch, matches initial get */
1371 /* Remove an existing rule from filterlist. */
1372 static inline int audit_del_rule(struct audit_entry
*entry
)
1374 struct audit_entry
*e
;
1375 struct audit_watch
*watch
, *tmp_watch
= entry
->rule
.watch
;
1376 struct audit_tree
*tree
= entry
->rule
.tree
;
1377 struct list_head
*list
;
1378 LIST_HEAD(inotify_list
);
1380 #ifdef CONFIG_AUDITSYSCALL
1383 /* If either of these, don't count towards total */
1384 if (entry
->rule
.listnr
== AUDIT_FILTER_USER
||
1385 entry
->rule
.listnr
== AUDIT_FILTER_TYPE
)
1389 mutex_lock(&audit_filter_mutex
);
1390 e
= audit_find_rule(entry
, &list
);
1392 mutex_unlock(&audit_filter_mutex
);
1397 watch
= e
->rule
.watch
;
1399 struct audit_parent
*parent
= watch
->parent
;
1401 list_del(&e
->rule
.rlist
);
1403 if (list_empty(&watch
->rules
)) {
1404 audit_remove_watch(watch
);
1406 if (list_empty(&parent
->watches
)) {
1407 /* Put parent on the inotify un-registration
1408 * list. Grab a reference before releasing
1409 * audit_filter_mutex, to be released in
1410 * audit_inotify_unregister().
1411 * If filesystem is going away, just leave
1412 * the sucker alone, eviction will take
1415 if (pin_inotify_watch(&parent
->wdata
))
1416 list_add(&parent
->ilist
, &inotify_list
);
1422 audit_remove_tree_rule(&e
->rule
);
1424 list_del_rcu(&e
->list
);
1425 list_del(&e
->rule
.list
);
1426 call_rcu(&e
->rcu
, audit_free_rule_rcu
);
1428 #ifdef CONFIG_AUDITSYSCALL
1432 if (!audit_match_signal(entry
))
1435 mutex_unlock(&audit_filter_mutex
);
1437 if (!list_empty(&inotify_list
))
1438 audit_inotify_unregister(&inotify_list
);
1442 audit_put_watch(tmp_watch
); /* match initial get */
1444 audit_put_tree(tree
); /* that's the temporary one */
1449 /* List rules using struct audit_rule. Exists for backward
1450 * compatibility with userspace. */
1451 static void audit_list(int pid
, int seq
, struct sk_buff_head
*q
)
1453 struct sk_buff
*skb
;
1454 struct audit_krule
*r
;
1457 /* This is a blocking read, so use audit_filter_mutex instead of rcu
1458 * iterator to sync with list writers. */
1459 for (i
=0; i
<AUDIT_NR_FILTERS
; i
++) {
1460 list_for_each_entry(r
, &audit_rules_list
[i
], list
) {
1461 struct audit_rule
*rule
;
1463 rule
= audit_krule_to_rule(r
);
1464 if (unlikely(!rule
))
1466 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST
, 0, 1,
1467 rule
, sizeof(*rule
));
1469 skb_queue_tail(q
, skb
);
1473 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST
, 1, 1, NULL
, 0);
1475 skb_queue_tail(q
, skb
);
1478 /* List rules using struct audit_rule_data. */
1479 static void audit_list_rules(int pid
, int seq
, struct sk_buff_head
*q
)
1481 struct sk_buff
*skb
;
1482 struct audit_krule
*r
;
1485 /* This is a blocking read, so use audit_filter_mutex instead of rcu
1486 * iterator to sync with list writers. */
1487 for (i
=0; i
<AUDIT_NR_FILTERS
; i
++) {
1488 list_for_each_entry(r
, &audit_rules_list
[i
], list
) {
1489 struct audit_rule_data
*data
;
1491 data
= audit_krule_to_data(r
);
1492 if (unlikely(!data
))
1494 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST_RULES
, 0, 1,
1495 data
, sizeof(*data
) + data
->buflen
);
1497 skb_queue_tail(q
, skb
);
1501 skb
= audit_make_reply(pid
, seq
, AUDIT_LIST_RULES
, 1, 1, NULL
, 0);
1503 skb_queue_tail(q
, skb
);
1506 /* Log rule additions and removals */
1507 static void audit_log_rule_change(uid_t loginuid
, u32 sessionid
, u32 sid
,
1508 char *action
, struct audit_krule
*rule
,
1511 struct audit_buffer
*ab
;
1516 ab
= audit_log_start(NULL
, GFP_KERNEL
, AUDIT_CONFIG_CHANGE
);
1519 audit_log_format(ab
, "auid=%u ses=%u", loginuid
, sessionid
);
1523 if (security_secid_to_secctx(sid
, &ctx
, &len
))
1524 audit_log_format(ab
, " ssid=%u", sid
);
1526 audit_log_format(ab
, " subj=%s", ctx
);
1527 security_release_secctx(ctx
, len
);
1530 audit_log_format(ab
, " op=%s rule key=", action
);
1531 if (rule
->filterkey
)
1532 audit_log_untrustedstring(ab
, rule
->filterkey
);
1534 audit_log_format(ab
, "(null)");
1535 audit_log_format(ab
, " list=%d res=%d", rule
->listnr
, res
);
1540 * audit_receive_filter - apply all rules to the specified message type
1541 * @type: audit message type
1542 * @pid: target pid for netlink audit messages
1543 * @uid: target uid for netlink audit messages
1544 * @seq: netlink audit message sequence (serial) number
1545 * @data: payload data
1546 * @datasz: size of payload data
1547 * @loginuid: loginuid of sender
1548 * @sessionid: sessionid for netlink audit message
1549 * @sid: SE Linux Security ID of sender
1551 int audit_receive_filter(int type
, int pid
, int uid
, int seq
, void *data
,
1552 size_t datasz
, uid_t loginuid
, u32 sessionid
, u32 sid
)
1554 struct task_struct
*tsk
;
1555 struct audit_netlink_list
*dest
;
1557 struct audit_entry
*entry
;
1561 case AUDIT_LIST_RULES
:
1562 /* We can't just spew out the rules here because we might fill
1563 * the available socket buffer space and deadlock waiting for
1564 * auditctl to read from it... which isn't ever going to
1565 * happen if we're actually running in the context of auditctl
1566 * trying to _send_ the stuff */
1568 dest
= kmalloc(sizeof(struct audit_netlink_list
), GFP_KERNEL
);
1572 skb_queue_head_init(&dest
->q
);
1574 mutex_lock(&audit_filter_mutex
);
1575 if (type
== AUDIT_LIST
)
1576 audit_list(pid
, seq
, &dest
->q
);
1578 audit_list_rules(pid
, seq
, &dest
->q
);
1579 mutex_unlock(&audit_filter_mutex
);
1581 tsk
= kthread_run(audit_send_list
, dest
, "audit_send_list");
1583 skb_queue_purge(&dest
->q
);
1589 case AUDIT_ADD_RULE
:
1590 if (type
== AUDIT_ADD
)
1591 entry
= audit_rule_to_entry(data
);
1593 entry
= audit_data_to_entry(data
, datasz
);
1595 return PTR_ERR(entry
);
1597 err
= audit_add_rule(entry
);
1598 audit_log_rule_change(loginuid
, sessionid
, sid
, "add",
1599 &entry
->rule
, !err
);
1602 audit_free_rule(entry
);
1605 case AUDIT_DEL_RULE
:
1606 if (type
== AUDIT_DEL
)
1607 entry
= audit_rule_to_entry(data
);
1609 entry
= audit_data_to_entry(data
, datasz
);
1611 return PTR_ERR(entry
);
1613 err
= audit_del_rule(entry
);
1614 audit_log_rule_change(loginuid
, sessionid
, sid
, "remove",
1615 &entry
->rule
, !err
);
1617 audit_free_rule(entry
);
1626 int audit_comparator(u32 left
, u32 op
, u32 right
)
1630 return (left
== right
);
1631 case Audit_not_equal
:
1632 return (left
!= right
);
1634 return (left
< right
);
1636 return (left
<= right
);
1638 return (left
> right
);
1640 return (left
>= right
);
1642 return (left
& right
);
1644 return ((left
& right
) == right
);
1651 /* Compare given dentry name with last component in given path,
1652 * return of 0 indicates a match. */
1653 int audit_compare_dname_path(const char *dname
, const char *path
,
1659 if (!dname
|| !path
)
1662 dlen
= strlen(dname
);
1663 plen
= strlen(path
);
1667 /* disregard trailing slashes */
1668 p
= path
+ plen
- 1;
1669 while ((*p
== '/') && (p
> path
))
1672 /* find last path component */
1676 else if (p
> path
) {
1683 /* return length of path's directory component */
1686 return strncmp(p
, dname
, dlen
);
1689 static int audit_filter_user_rules(struct netlink_skb_parms
*cb
,
1690 struct audit_krule
*rule
,
1691 enum audit_state
*state
)
1695 for (i
= 0; i
< rule
->field_count
; i
++) {
1696 struct audit_field
*f
= &rule
->fields
[i
];
1701 result
= audit_comparator(cb
->creds
.pid
, f
->op
, f
->val
);
1704 result
= audit_comparator(cb
->creds
.uid
, f
->op
, f
->val
);
1707 result
= audit_comparator(cb
->creds
.gid
, f
->op
, f
->val
);
1709 case AUDIT_LOGINUID
:
1710 result
= audit_comparator(cb
->loginuid
, f
->op
, f
->val
);
1717 switch (rule
->action
) {
1718 case AUDIT_NEVER
: *state
= AUDIT_DISABLED
; break;
1719 case AUDIT_ALWAYS
: *state
= AUDIT_RECORD_CONTEXT
; break;
1724 int audit_filter_user(struct netlink_skb_parms
*cb
)
1726 enum audit_state state
= AUDIT_DISABLED
;
1727 struct audit_entry
*e
;
1731 list_for_each_entry_rcu(e
, &audit_filter_list
[AUDIT_FILTER_USER
], list
) {
1732 if (audit_filter_user_rules(cb
, &e
->rule
, &state
)) {
1733 if (state
== AUDIT_DISABLED
)
1740 return ret
; /* Audit by default */
1743 int audit_filter_type(int type
)
1745 struct audit_entry
*e
;
1749 if (list_empty(&audit_filter_list
[AUDIT_FILTER_TYPE
]))
1750 goto unlock_and_return
;
1752 list_for_each_entry_rcu(e
, &audit_filter_list
[AUDIT_FILTER_TYPE
],
1755 for (i
= 0; i
< e
->rule
.field_count
; i
++) {
1756 struct audit_field
*f
= &e
->rule
.fields
[i
];
1757 if (f
->type
== AUDIT_MSGTYPE
) {
1758 result
= audit_comparator(type
, f
->op
, f
->val
);
1764 goto unlock_and_return
;
1771 static int update_lsm_rule(struct audit_krule
*r
)
1773 struct audit_entry
*entry
= container_of(r
, struct audit_entry
, rule
);
1774 struct audit_entry
*nentry
;
1775 struct audit_watch
*watch
;
1776 struct audit_tree
*tree
;
1779 if (!security_audit_rule_known(r
))
1784 nentry
= audit_dupe_rule(r
, watch
);
1785 if (IS_ERR(nentry
)) {
1786 /* save the first error encountered for the
1788 err
= PTR_ERR(nentry
);
1789 audit_panic("error updating LSM filters");
1791 list_del(&r
->rlist
);
1792 list_del_rcu(&entry
->list
);
1796 list_add(&nentry
->rule
.rlist
, &watch
->rules
);
1797 list_del(&r
->rlist
);
1799 list_replace_init(&r
->rlist
, &nentry
->rule
.rlist
);
1800 list_replace_rcu(&entry
->list
, &nentry
->list
);
1801 list_replace(&r
->list
, &nentry
->rule
.list
);
1803 call_rcu(&entry
->rcu
, audit_free_rule_rcu
);
1808 /* This function will re-initialize the lsm_rule field of all applicable rules.
1809 * It will traverse the filter lists serarching for rules that contain LSM
1810 * specific filter fields. When such a rule is found, it is copied, the
1811 * LSM field is re-initialized, and the old rule is replaced with the
1813 int audit_update_lsm_rules(void)
1815 struct audit_krule
*r
, *n
;
1818 /* audit_filter_mutex synchronizes the writers */
1819 mutex_lock(&audit_filter_mutex
);
1821 for (i
= 0; i
< AUDIT_NR_FILTERS
; i
++) {
1822 list_for_each_entry_safe(r
, n
, &audit_rules_list
[i
], list
) {
1823 int res
= update_lsm_rule(r
);
1828 mutex_unlock(&audit_filter_mutex
);
1833 /* Update watch data in audit rules based on inotify events. */
1834 void audit_handle_ievent(struct inotify_watch
*i_watch
, u32 wd
, u32 mask
,
1835 u32 cookie
, const char *dname
, struct inode
*inode
)
1837 struct audit_parent
*parent
;
1839 parent
= container_of(i_watch
, struct audit_parent
, wdata
);
1841 if (mask
& (IN_CREATE
|IN_MOVED_TO
) && inode
)
1842 audit_update_watch(parent
, dname
, inode
->i_sb
->s_dev
,
1844 else if (mask
& (IN_DELETE
|IN_MOVED_FROM
))
1845 audit_update_watch(parent
, dname
, (dev_t
)-1, (unsigned long)-1, 1);
1846 /* inotify automatically removes the watch and sends IN_IGNORED */
1847 else if (mask
& (IN_DELETE_SELF
|IN_UNMOUNT
))
1848 audit_remove_parent_watches(parent
);
1849 /* inotify does not remove the watch, so remove it manually */
1850 else if(mask
& IN_MOVE_SELF
) {
1851 audit_remove_parent_watches(parent
);
1852 inotify_remove_watch_locked(audit_ih
, i_watch
);
1853 } else if (mask
& IN_IGNORED
)
1854 put_inotify_watch(i_watch
);