/* auditfilter.c -- filtering of audit events
 *
 * Copyright 2003-2004 Red Hat, Inc.
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
 * Copyright 2005 IBM Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/kernel.h>
#include <linux/audit.h>
#include <linux/kthread.h>
#include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/netlink.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/security.h>
#include <net/net_namespace.h>
#include <net/sock.h>
#include "audit.h"

/*
 * Locking model:
 *
 * audit_filter_mutex:
 * 		Synchronizes writes and blocking reads of audit's filterlist
 * 		data.  Rcu is used to traverse the filterlist and access
 * 		contents of structs audit_entry, audit_watch and opaque
 * 		LSM rules during filtering.  If modified, these structures
 * 		must be copied and replace their counterparts in the filterlist.
 * 		An audit_parent struct is not accessed during filtering, so may
 * 		be written directly provided audit_filter_mutex is held.
 */

/* Audit filter lists, defined in <linux/audit.h> */
struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
	LIST_HEAD_INIT(audit_filter_list[0]),
	LIST_HEAD_INIT(audit_filter_list[1]),
	LIST_HEAD_INIT(audit_filter_list[2]),
	LIST_HEAD_INIT(audit_filter_list[3]),
	LIST_HEAD_INIT(audit_filter_list[4]),
	LIST_HEAD_INIT(audit_filter_list[5]),
#if AUDIT_NR_FILTERS != 6
#error Fix audit_filter_list initialiser
#endif
};
/* Parallel per-list chains linked through audit_krule.list.  They are
 * written only under audit_filter_mutex (audit_add_rule/audit_del_rule)
 * and walked by audit_list_rules() with the mutex held, whereas
 * audit_filter_list above is the RCU-protected list used for filtering. */
static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
	LIST_HEAD_INIT(audit_rules_list[0]),
	LIST_HEAD_INIT(audit_rules_list[1]),
	LIST_HEAD_INIT(audit_rules_list[2]),
	LIST_HEAD_INIT(audit_rules_list[3]),
	LIST_HEAD_INIT(audit_rules_list[4]),
	LIST_HEAD_INIT(audit_rules_list[5]),
};

/* Serializes every writer of, and every blocking reader of, the rule
 * lists; see the locking model comment above. */
DEFINE_MUTEX(audit_filter_mutex);

/* Release the LSM state held by a field: the string copy and the opaque
 * rule handed back by security_audit_rule_init().  Only the LSM subject /
 * object field types own such state; fields of any other type are left
 * untouched. */
static void audit_free_lsm_field(struct audit_field *f)
{
	switch (f->type) {
	case AUDIT_SUBJ_USER:
	case AUDIT_SUBJ_ROLE:
	case AUDIT_SUBJ_TYPE:
	case AUDIT_SUBJ_SEN:
	case AUDIT_SUBJ_CLR:
	case AUDIT_OBJ_USER:
	case AUDIT_OBJ_ROLE:
	case AUDIT_OBJ_TYPE:
	case AUDIT_OBJ_LEV_LOW:
	case AUDIT_OBJ_LEV_HIGH:
		break;
	default:
		return;
	}

	kfree(f->lsm_str);
	security_audit_rule_free(f->lsm_rule);
}

/* Tear down a filter entry: drop the watch reference if there is one,
 * release each field's LSM state, then the field array, the filter key
 * and the entry itself.  The tree pointer is deliberately not touched
 * here; callers deal with it separately.  The entry must already be
 * unlinked from every list. */
static inline void audit_free_rule(struct audit_entry *e)
{
	struct audit_krule *krule = &e->rule;
	int n;

	/* some rules don't have associated watches */
	if (krule->watch)
		audit_put_watch(krule->watch);

	/* nothing to walk when there is no field array */
	if (krule->fields) {
		for (n = 0; n < krule->field_count; n++)
			audit_free_lsm_field(&krule->fields[n]);
	}

	kfree(krule->fields);
	kfree(krule->filterkey);
	kfree(e);
}

/* RCU callback: recover the entry that embeds @head and free it once no
 * reader can still be traversing it. */
void audit_free_rule_rcu(struct rcu_head *head)
{
	audit_free_rule(container_of(head, struct audit_entry, rcu));
}

/* Allocate a zeroed filterlist entry with room for @field_count fields.
 * Both allocations are GFP_KERNEL; the field array comes from kcalloc so
 * it is zeroed as well.  Returns NULL if either allocation fails, in which
 * case nothing is left allocated. */
static inline struct audit_entry *audit_init_entry(u32 field_count)
{
	struct audit_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL);

	if (unlikely(!entry))
		return NULL;

	entry->rule.fields = kcalloc(field_count, sizeof(*entry->rule.fields),
				     GFP_KERNEL);
	if (unlikely(!entry->rule.fields)) {
		kfree(entry);
		return NULL;
	}

	return entry;
}

/* Copy a length-prefixed string field out of the user-supplied rule buffer
 * into a freshly allocated, NUL-terminated kernel string.
 *
 * @bufp:   cursor into the buffer; advanced by @len on success
 * @remain: bytes left in the buffer; reduced by @len on success
 * @len:    length of the string field as stated by user-space
 *
 * Returns the new string or an ERR_PTR: -EINVAL for a missing buffer, a
 * zero length or a length larger than what remains (this check is what
 * keeps the copy inside the caller's buffer), -ENAMETOOLONG above
 * PATH_MAX, -ENOMEM when the allocation fails.  The bytes are copied
 * verbatim; embedded NULs are not rejected here.
 */
char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
{
	char *str;

	if (!*bufp || !len || len > *remain)
		return ERR_PTR(-EINVAL);

	/* PATH_MAX bounds the longest string field currently implemented */
	if (len > PATH_MAX)
		return ERR_PTR(-ENAMETOOLONG);

	str = kmalloc(len + 1, GFP_KERNEL);
	if (unlikely(!str))
		return ERR_PTR(-ENOMEM);

	memcpy(str, *bufp, len);
	str[len] = '\0';

	*remain -= len;
	*bufp += len;

	return str;
}

/* Bind an AUDIT_INODE field to @krule as its inode selector.
 * Only permitted on the exit list, for a rule that does not already carry
 * an inode field, a watch or a tree, and only with an (in)equality
 * operator.  Returns 0 on success, -EINVAL otherwise. */
static inline int audit_to_inode(struct audit_krule *krule,
				 struct audit_field *f)
{
	if (krule->listnr != AUDIT_FILTER_EXIT)
		return -EINVAL;
	/* the inode selector is exclusive with every other object selector */
	if (krule->inode_f || krule->watch || krule->tree)
		return -EINVAL;
	if (f->op != Audit_equal && f->op != Audit_not_equal)
		return -EINVAL;

	krule->inode_f = f;
	return 0;
}

/* Per-class syscall bitmaps filled in by audit_register_class(); a NULL
 * slot means that class is not registered on this kernel. */
static __u32 *classes[AUDIT_SYSCALL_CLASSES];

/* Register the syscall numbers that make up syscall class @class.
 *
 * @list is terminated by ~0U.  Every number is range-checked before it is
 * set in the freshly allocated bitmap, so a bad list can never write
 * outside it; the top AUDIT_SYSCALL_CLASSES bit positions are reserved
 * for the class selector bits used by audit_to_entry_common().  Returns
 * -ENOMEM when the bitmap cannot be allocated, -EINVAL for an
 * out-of-range syscall, an out-of-range class or a class that is already
 * registered (the bitmap is released in every failure case).  A negative
 * @class is not rejected; callers are expected to pass the fixed
 * AUDIT_CLASS_* constants.
 */
int __init audit_register_class(int class, unsigned *list)
{
	__u32 *bitmap = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
	unsigned nr;

	if (!bitmap)
		return -ENOMEM;

	for (nr = *list; nr != ~0U; nr = *++list) {
		if (nr >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES)
			goto bad;
		bitmap[AUDIT_WORD(nr)] |= AUDIT_BIT(nr);
	}

	if (class >= AUDIT_SYSCALL_CLASSES || classes[class])
		goto bad;

	classes[class] = bitmap;
	return 0;

bad:
	kfree(bitmap);
	return -EINVAL;
}

/* Test whether @syscall belongs to syscall class @class.
 * Returns non-zero if it does, 0 for a syscall number beyond the bitmap,
 * an out-of-range class or a class that was never registered - the
 * bounds checks come first so the lookups never index outside the
 * tables. */
int audit_match_class(int class, unsigned syscall)
{
	__u32 *bitmap;

	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
		return 0;
	if (unlikely(class >= AUDIT_SYSCALL_CLASSES))
		return 0;

	bitmap = classes[class];
	if (unlikely(!bitmap))
		return 0;

	return bitmap[AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
}

#ifdef CONFIG_AUDITSYSCALL
/* Return 1 when @mask shares no syscall with class @class (or the class
 * is not registered), 0 when at least one syscall is in both. */
static inline int audit_match_class_bits(int class, u32 *mask)
{
	const u32 *bits = classes[class];
	int w;

	if (!bits)
		return 1;

	for (w = 0; w < AUDIT_BITMASK_SIZE; w++) {
		if (mask[w] & bits[w])
			return 0;
	}
	return 1;
}

/* Decide whether @entry's syscall mask is disjoint from the signal
 * class(es).  Without an arch field a bare syscall number is ambiguous on
 * biarch, so both the native and the 32-bit signal classes must be clear.
 * Returns 1 when no signal syscall is selected, 0 otherwise. */
static int audit_match_signal(struct audit_entry *entry)
{
	struct audit_krule *rule = &entry->rule;

	if (!rule->arch_f)
		return audit_match_class_bits(AUDIT_CLASS_SIGNAL, rule->mask) &&
		       audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, rule->mask);

	switch (audit_classify_arch(rule->arch_f->val)) {
	case 0:		/* native */
		return audit_match_class_bits(AUDIT_CLASS_SIGNAL, rule->mask);
	case 1:		/* 32bit on biarch */
		return audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, rule->mask);
	default:
		return 1;
	}
}
#endif

/* Common user-space to kernel rule translation.
 *
 * Validates the parts of @rule that every rule type shares - list number,
 * action and field count - allocates the entry and copies the syscall
 * mask, expanding any syscall-class selector bits into the class's
 * syscalls.  The fields themselves are translated by the caller
 * (audit_data_to_entry()).  Returns the new entry, ERR_PTR(-EINVAL) for
 * a malformed rule or ERR_PTR(-ENOMEM).
 */
static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
{
	unsigned listnr;
	struct audit_entry *entry;
	int i, err;

	err = -EINVAL;
	/* AUDIT_FILTER_PREPEND is a placement flag, not part of the list id */
	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
	switch(listnr) {
	default:
		goto exit_err;
#ifdef CONFIG_AUDITSYSCALL
	case AUDIT_FILTER_ENTRY:
		/* entry rules may not be AUDIT_ALWAYS; otherwise falls
		 * through to the accepted list numbers below */
		if (rule->action == AUDIT_ALWAYS)
			goto exit_err;
	case AUDIT_FILTER_EXIT:
	case AUDIT_FILTER_TASK:
#endif
	case AUDIT_FILTER_USER:
	case AUDIT_FILTER_TYPE:
		;
	}
	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
		pr_err("AUDIT_POSSIBLE is deprecated\n");
		goto exit_err;
	}
	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
		goto exit_err;
	/* bounds every later index into the fields/fieldflags/values arrays */
	if (rule->field_count > AUDIT_MAX_FIELDS)
		goto exit_err;

	err = -ENOMEM;
	entry = audit_init_entry(rule->field_count);
	if (!entry)
		goto exit_err;

	/* only the placement flag survives; the list id lives in listnr */
	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
	entry->rule.listnr = listnr;
	entry->rule.action = rule->action;
	entry->rule.field_count = rule->field_count;

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		entry->rule.mask[i] = rule->mask[i];

	/* The top AUDIT_SYSCALL_CLASSES bits of the mask are class selectors,
	 * not syscalls: clear each one that is set and OR in the registered
	 * bitmap of that class (if any), so filtering only ever sees
	 * individual syscall bits. */
	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
		int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
		__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
		__u32 *class;

		if (!(*p & AUDIT_BIT(bit)))
			continue;
		*p &= ~AUDIT_BIT(bit);
		class = classes[i];
		if (class) {
			int j;
			for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
				entry->rule.mask[j] |= class[j];
		}
	}

	return entry;

exit_err:
	return ERR_PTR(err);
}

/* Kernel comparison operator (enum index) -> the AUDIT_* operator bits
 * user-space sends.  audit_to_op() searches this table to translate an
 * incoming rule; audit_krule_to_data() indexes it directly when reporting
 * rules back. */
static u32 audit_ops[] =
{
	[Audit_equal] = AUDIT_EQUAL,
	[Audit_not_equal] = AUDIT_NOT_EQUAL,
	[Audit_bitmask] = AUDIT_BIT_MASK,
	[Audit_bittest] = AUDIT_BIT_TEST,
	[Audit_lt] = AUDIT_LESS_THAN,
	[Audit_gt] = AUDIT_GREATER_THAN,
	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
};

/* Map a user-space operator flag to the kernel enum.  Returns Audit_bad
 * when @op matches no entry of audit_ops[], which callers treat as an
 * invalid rule. */
static u32 audit_to_op(u32 op)
{
	u32 idx = Audit_equal;

	while (idx < Audit_bad) {
		if (audit_ops[idx] == op)
			break;
		idx++;
	}
	return idx;
}

/* check if an audit field is valid
 *
 * Per-type validation of a field taken from user-space: which list it may
 * appear on, which operators make sense for it and which values are in
 * range.  Any type not listed in the second switch is rejected, so an
 * unknown field type can never reach the filtering code.  Returns 0 or
 * -EINVAL. */
static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
{
	switch(f->type) {
	case AUDIT_MSGTYPE:
		/* message-type matching only exists for the user/type lists */
		if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
		    entry->rule.listnr != AUDIT_FILTER_USER)
			return -EINVAL;
		break;
	};

	switch(f->type) {
	default:
		return -EINVAL;
	case AUDIT_UID:
	case AUDIT_EUID:
	case AUDIT_SUID:
	case AUDIT_FSUID:
	case AUDIT_LOGINUID:
	case AUDIT_OBJ_UID:
	case AUDIT_GID:
	case AUDIT_EGID:
	case AUDIT_SGID:
	case AUDIT_FSGID:
	case AUDIT_OBJ_GID:
	case AUDIT_PID:
	case AUDIT_PERS:
	case AUDIT_MSGTYPE:
	case AUDIT_PPID:
	case AUDIT_DEVMAJOR:
	case AUDIT_DEVMINOR:
	case AUDIT_EXIT:
	case AUDIT_SUCCESS:
	case AUDIT_INODE:
		/* bit ops are only useful on syscall args */
		if (f->op == Audit_bitmask || f->op == Audit_bittest)
			return -EINVAL;
		break;
	case AUDIT_ARG0:
	case AUDIT_ARG1:
	case AUDIT_ARG2:
	case AUDIT_ARG3:
	case AUDIT_SUBJ_USER:
	case AUDIT_SUBJ_ROLE:
	case AUDIT_SUBJ_TYPE:
	case AUDIT_SUBJ_SEN:
	case AUDIT_SUBJ_CLR:
	case AUDIT_OBJ_USER:
	case AUDIT_OBJ_ROLE:
	case AUDIT_OBJ_TYPE:
	case AUDIT_OBJ_LEV_LOW:
	case AUDIT_OBJ_LEV_HIGH:
	case AUDIT_WATCH:
	case AUDIT_DIR:
	case AUDIT_FILTERKEY:
		/* any operator; string fields are checked further when
		 * their contents are unpacked */
		break;
	case AUDIT_LOGINUID_SET:
		/* boolean: only 0 or 1, and only (in)equality, via the
		 * AUDIT_ARCH check below */
		if ((f->val != 0) && (f->val != 1))
			return -EINVAL;
	/* FALL THROUGH */
	case AUDIT_ARCH:
		if (f->op != Audit_not_equal && f->op != Audit_equal)
			return -EINVAL;
		break;
	case AUDIT_PERM:
		/* only the four permission bits may be set */
		if (f->val & ~15)
			return -EINVAL;
		break;
	case AUDIT_FILETYPE:
		/* must be a pure S_IFMT file-type value */
		if (f->val & ~S_IFMT)
			return -EINVAL;
		break;
	case AUDIT_FIELD_COMPARE:
		if (f->val > AUDIT_MAX_FIELD_COMPARE)
			return -EINVAL;
		break;
	};
	return 0;
}

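/* Translate struct audit_rule_data to kernel's rule representation.
 *
 * @data:   the user-supplied rule, already copied into kernel memory
 * @datasz: total size of @data, including the trailing string buffer
 *
 * Every field is validated before it is accepted: the operator, the
 * type/operator combination (audit_field_valid()), uid/gid mapping into
 * the caller's user namespace and, for string fields, the declared length
 * against what remains of @data.  String fields consume data->buf in
 * field order; audit_unpack_string() keeps each read inside the buffer.
 * Returns the new entry or an ERR_PTR.  On failure everything built so
 * far - including a temporary tree - is released.
 */
static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
					       size_t datasz)
{
	int err = 0;
	struct audit_entry *entry;
	void *bufp;
	size_t remain;
	int i;
	char *str;

	/* The netlink caller is expected to reject a payload shorter than
	 * the fixed header; never let @remain wrap around if it did not. */
	if (datasz < sizeof(struct audit_rule_data))
		return ERR_PTR(-EINVAL);
	remain = datasz - sizeof(struct audit_rule_data);

	entry = audit_to_entry_common(data);
	if (IS_ERR(entry))
		goto exit_nofree;

	bufp = data->buf;
	for (i = 0; i < data->field_count; i++) {
		struct audit_field *f = &entry->rule.fields[i];

		err = -EINVAL;

		f->op = audit_to_op(data->fieldflags[i]);
		if (f->op == Audit_bad)
			goto exit_free;

		f->type = data->fields[i];
		f->val = data->values[i];

		/* Support legacy tests for a valid loginuid */
		if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
			f->type = AUDIT_LOGINUID_SET;
			f->val = 0;
			entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
		}

		err = audit_field_valid(entry, f);
		if (err)
			goto exit_free;

		err = -EINVAL;
		switch (f->type) {
		case AUDIT_LOGINUID:
		case AUDIT_UID:
		case AUDIT_EUID:
		case AUDIT_SUID:
		case AUDIT_FSUID:
		case AUDIT_OBJ_UID:
			/* resolve in the caller's namespace; an id that does
			 * not map there is rejected rather than matched raw */
			f->uid = make_kuid(current_user_ns(), f->val);
			if (!uid_valid(f->uid))
				goto exit_free;
			break;
		case AUDIT_GID:
		case AUDIT_EGID:
		case AUDIT_SGID:
		case AUDIT_FSGID:
		case AUDIT_OBJ_GID:
			f->gid = make_kgid(current_user_ns(), f->val);
			if (!gid_valid(f->gid))
				goto exit_free;
			break;
		case AUDIT_ARCH:
			entry->rule.arch_f = f;
			break;
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str)) {
				/* keep -ENAMETOOLONG/-ENOMEM distinct from
				 * a plain malformed rule */
				err = PTR_ERR(str);
				goto exit_free;
			}
			entry->rule.buflen += f->val;

			err = security_audit_rule_init(f->type, f->op, str,
						       (void **)&f->lsm_rule);
			/* Keep currently invalid fields around in case they
			 * become valid after a policy reload. */
			if (err == -EINVAL) {
				pr_warn("audit rule for LSM \'%s\' is invalid\n",
					str);
				err = 0;
			}
			if (err) {
				kfree(str);
				goto exit_free;
			} else
				f->lsm_str = str;
			break;
		case AUDIT_WATCH:
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str)) {
				err = PTR_ERR(str);
				goto exit_free;
			}
			entry->rule.buflen += f->val;

			/* on success the watch takes over @str */
			err = audit_to_watch(&entry->rule, str, f->val, f->op);
			if (err) {
				kfree(str);
				goto exit_free;
			}
			break;
		case AUDIT_DIR:
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str)) {
				err = PTR_ERR(str);
				goto exit_free;
			}
			entry->rule.buflen += f->val;

			/* the tree keeps its own copy of the path */
			err = audit_make_tree(&entry->rule, str, f->op);
			kfree(str);
			if (err)
				goto exit_free;
			break;
		case AUDIT_INODE:
			err = audit_to_inode(&entry->rule, f);
			if (err)
				goto exit_free;
			break;
		case AUDIT_FILTERKEY:
			/* one key per rule, bounded by AUDIT_MAX_KEY_LEN */
			if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
				goto exit_free;
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str)) {
				err = PTR_ERR(str);
				goto exit_free;
			}
			entry->rule.buflen += f->val;
			entry->rule.filterkey = str;
			break;
		}
	}

	/* an inode "!=" field cannot select a hash bucket, so the rule goes
	 * on the plain list instead (see audit_find_rule()) */
	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
		entry->rule.inode_f = NULL;

exit_nofree:
	return entry;

exit_free:
	if (entry->rule.tree)
		audit_put_tree(entry->rule.tree); /* that's the temporary one */
	audit_free_rule(entry);
	return ERR_PTR(err);
}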

/* Append the bytes of @str (without a terminator) at the cursor *bufp and
 * advance the cursor.  There is no bound check here: the caller sizes the
 * buffer from krule->buflen, which must cover every string it packs.
 * Returns the number of bytes written. */
static inline size_t audit_pack_string(void **bufp, const char *str)
{
	size_t n = strlen(str);

	memcpy(*bufp, str, n);
	*bufp += n;
	return n;
}

/* Translate kernel rule respresentation to struct audit_rule_data.
 *
 * Builds the user-visible form of @krule for AUDIT_LIST_RULES replies.
 * The allocation is the fixed header plus krule->buflen bytes of string
 * data; the header is zeroed explicitly so no uninitialised bytes are
 * handed to user-space, and the string area is filled by
 * audit_pack_string() in field order.  This relies on krule->buflen
 * matching the strings that get packed.  Returns the new buffer (caller
 * frees) or NULL on allocation failure. */
static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
{
	struct audit_rule_data *data;
	void *bufp;
	int i;

	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
	if (unlikely(!data))
		return NULL;
	memset(data, 0, sizeof(*data));

	/* the list id and the placement flag travel in the same word */
	data->flags = krule->flags | krule->listnr;
	data->action = krule->action;
	data->field_count = krule->field_count;
	bufp = data->buf;
	for (i = 0; i < data->field_count; i++) {
		struct audit_field *f = &krule->fields[i];

		data->fields[i] = f->type;
		data->fieldflags[i] = audit_ops[f->op];
		switch(f->type) {
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			/* string fields report their length as the value */
			data->buflen += data->values[i] =
				audit_pack_string(&bufp, f->lsm_str);
			break;
		case AUDIT_WATCH:
			data->buflen += data->values[i] =
				audit_pack_string(&bufp,
						  audit_watch_path(krule->watch));
			break;
		case AUDIT_DIR:
			data->buflen += data->values[i] =
				audit_pack_string(&bufp,
						  audit_tree_path(krule->tree));
			break;
		case AUDIT_FILTERKEY:
			data->buflen += data->values[i] =
				audit_pack_string(&bufp, krule->filterkey);
			break;
		case AUDIT_LOGINUID_SET:
			/* undo the legacy rewrite done in audit_data_to_entry()
			 * so the rule lists the way it was given */
			if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
				data->fields[i] = AUDIT_LOGINUID;
				data->values[i] = AUDIT_UID_UNSET;
				break;
			}
			/* fallthrough if set */
		default:
			/* everything else, uid/gid fields included, reports
			 * the raw value the rule was created with */
			data->values[i] = f->val;
		}
	}
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];

	return data;
}

/* Compare two rules in kernel format.  Considered success if rules
 * don't match.
 *
 * Returns 1 as soon as any difference is found and 0 only when @a and @b
 * are identical: same flags/list/action, the same fields in the same
 * order (strings compared by content, watches and trees by path, uids and
 * gids as kernel ids) and the same syscall mask.  Used to detect
 * duplicates on add and to locate the list entry on delete. */
static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
{
	int i;

	if (a->flags != b->flags ||
	    a->pflags != b->pflags ||
	    a->listnr != b->listnr ||
	    a->action != b->action ||
	    a->field_count != b->field_count)
		return 1;

	for (i = 0; i < a->field_count; i++) {
		/* type and op must agree before any per-type compare below is
		 * meaningful */
		if (a->fields[i].type != b->fields[i].type ||
		    a->fields[i].op != b->fields[i].op)
			return 1;

		switch(a->fields[i].type) {
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
				return 1;
			break;
		case AUDIT_WATCH:
			if (strcmp(audit_watch_path(a->watch),
				   audit_watch_path(b->watch)))
				return 1;
			break;
		case AUDIT_DIR:
			if (strcmp(audit_tree_path(a->tree),
				   audit_tree_path(b->tree)))
				return 1;
			break;
		case AUDIT_FILTERKEY:
			/* both filterkeys exist based on above type compare */
			if (strcmp(a->filterkey, b->filterkey))
				return 1;
			break;
		case AUDIT_UID:
		case AUDIT_EUID:
		case AUDIT_SUID:
		case AUDIT_FSUID:
		case AUDIT_LOGINUID:
		case AUDIT_OBJ_UID:
			/* compare the mapped kernel ids, not the raw values */
			if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
				return 1;
			break;
		case AUDIT_GID:
		case AUDIT_EGID:
		case AUDIT_SGID:
		case AUDIT_FSGID:
		case AUDIT_OBJ_GID:
			if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
				return 1;
			break;
		default:
			if (a->fields[i].val != b->fields[i].val)
				return 1;
		}
	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		if (a->mask[i] != b->mask[i])
			return 1;

	return 0;
}

/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 * re-initialized from the string rather than copied.
 *
 * @df: destination field (type and op already copied from @sf)
 * @sf: source field whose lsm_str is duplicated
 *
 * Returns 0 on success and also when the LSM currently rejects the rule
 * with -EINVAL (logged and swallowed so the field survives a policy
 * reload), -ENOMEM if the string cannot be duplicated - @df is then left
 * untouched - or any other error from the LSM.
 */
static inline int audit_dupe_lsm_field(struct audit_field *df,
					   struct audit_field *sf)
{
	char *copy;
	int err;

	/* our own copy of lsm_str */
	copy = kstrdup(sf->lsm_str, GFP_KERNEL);
	if (unlikely(!copy))
		return -ENOMEM;
	df->lsm_str = copy;

	/* our own (refreshed) copy of lsm_rule */
	err = security_audit_rule_init(df->type, df->op, df->lsm_str,
				       (void **)&df->lsm_rule);
	if (err != -EINVAL)
		return err;

	/* Keep currently invalid fields around in case they
	 * become valid after a policy reload. */
	pr_warn("audit rule for LSM \'%s\' is invalid\n", df->lsm_str);
	return 0;
}

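/* Duplicate an audit rule.  This will be a deep copy with the exception
 * of the watch - that pointer is carried over.  The LSM specific fields
 * will be updated in the copy.  The point is to be able to replace the old
 * rule with the new rule in the filterlist, then free the old rule.
 * The rlist element is undefined; list manipulations are handled apart from
 * the initial copy.
 *
 * Returns the new entry, ERR_PTR(-ENOMEM) or the LSM's error.  On failure
 * the partially built copy is released with audit_free_rule(); the
 * per-field LSM pointers are detached from @old beforehand, so that
 * release only touches memory this copy allocated and @old stays intact.
 */
struct audit_entry *audit_dupe_rule(struct audit_krule *old)
{
	u32 fcount = old->field_count;
	struct audit_entry *entry;
	struct audit_krule *new;
	char *fk;
	int i, err = 0;

	entry = audit_init_entry(fcount);
	if (unlikely(!entry))
		return ERR_PTR(-ENOMEM);

	new = &entry->rule;
	new->flags = old->flags;
	new->pflags = old->pflags;
	new->listnr = old->listnr;
	new->action = old->action;
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		new->mask[i] = old->mask[i];
	new->prio = old->prio;
	new->buflen = old->buflen;
	/* NOTE(review): this still points into @old's field array rather than
	 * new->fields; presumably harmless because watch/tree rules cannot
	 * carry an inode field (audit_to_inode()) - confirm for new callers. */
	new->inode_f = old->inode_f;
	new->field_count = old->field_count;

	/*
	 * note that we are OK with not refcounting here; audit_match_tree()
	 * never dereferences tree and we can't get false positives there
	 * since we'd have to have rule gone from the list *and* removed
	 * before the chunks found by lookup had been allocated, i.e. before
	 * the beginning of list scan.
	 */
	new->tree = old->tree;
	memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);

	/* The bulk copy above aliases @old's lsm_str/lsm_rule pointers.  If a
	 * duplication below fails part-way, audit_free_rule() walks every
	 * field, so any still-aliased pointer would free @old's memory from
	 * under it.  Detach them first; audit_dupe_lsm_field() then fills in
	 * allocations that belong to this copy. */
	for (i = 0; i < fcount; i++) {
		switch (new->fields[i].type) {
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			new->fields[i].lsm_str = NULL;
			new->fields[i].lsm_rule = NULL;
			break;
		}
	}

	/* deep copy this information, updating the lsm_rule fields, because
	 * the originals will all be freed when the old rule is freed. */
	for (i = 0; i < fcount; i++) {
		switch (new->fields[i].type) {
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			err = audit_dupe_lsm_field(&new->fields[i],
						       &old->fields[i]);
			break;
		case AUDIT_FILTERKEY:
			/* the key is a separate allocation owned per rule */
			fk = kstrdup(old->filterkey, GFP_KERNEL);
			if (unlikely(!fk))
				err = -ENOMEM;
			else
				new->filterkey = fk;
		}
		if (err) {
			audit_free_rule(entry);
			return ERR_PTR(err);
		}
	}

	/* the watch is shared rather than copied: take our own reference */
	if (old->watch) {
		audit_get_watch(old->watch);
		new->watch = old->watch;
	}

	return entry;
}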

/* Return the first entry on @list whose rule equals @krule, or NULL. */
static struct audit_entry *audit_list_find_match(struct list_head *list,
						 struct audit_krule *krule)
{
	struct audit_entry *e;

	list_for_each_entry(e, list, list) {
		if (!audit_compare_rule(krule, &e->rule))
			return e;
	}
	return NULL;
}

/* Find an existing audit rule.
 * Caller must hold audit_filter_mutex to prevent stale rule data.
 *
 * On return *p names the list the rule belongs on: the inode hash bucket
 * for an inode rule, the per-list filterlist otherwise.  For a watch rule
 * the bucket is unknown, the whole hash is scanned and *p is left
 * untouched. */
static struct audit_entry *audit_find_rule(struct audit_entry *entry,
					   struct list_head **p)
{
	struct audit_krule *krule = &entry->rule;
	struct audit_entry *found;
	int h;

	if (krule->inode_f) {
		h = audit_hash_ino(krule->inode_f->val);
		*p = &audit_inode_hash[h];
		return audit_list_find_match(*p, krule);
	}

	if (krule->watch) {
		/* we don't know the inode number, so must walk entire hash */
		for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
			found = audit_list_find_match(&audit_inode_hash[h], krule);
			if (found)
				return found;
		}
		return NULL;
	}

	*p = &audit_filter_list[krule->listnr];
	return audit_list_find_match(*p, krule);
}

/* Priority counters for exit-list rules, written under audit_filter_mutex
 * in audit_add_rule(): prepended rules count up from the middle of the
 * range, appended rules count down, so a rule's prio encodes its position
 * relative to every other exit rule. */
static u64 prio_low = ~0ULL/2;
static u64 prio_high = ~0ULL/2 - 1;

/* Add rule to given filterlist if not a duplicate.
 *
 * @entry is a fully translated entry; on success it is linked into both
 * audit_filter_list (RCU) and audit_rules_list and ownership passes to the
 * lists.  Returns 0, -EEXIST for a duplicate, or the error from
 * attaching the watch or tree.  On every failure path the temporary tree
 * reference is dropped here (or by audit_add_tree_rule() itself); the
 * caller frees @entry. */
static inline int audit_add_rule(struct audit_entry *entry)
{
	struct audit_entry *e;
	struct audit_watch *watch = entry->rule.watch;
	struct audit_tree *tree = entry->rule.tree;
	/* filled in by audit_find_rule() for inode/plain rules and by
	 * audit_add_watch() for watch rules */
	struct list_head *list;
	int err = 0;
#ifdef CONFIG_AUDITSYSCALL
	int dont_count = 0;

	/* If either of these, don't count towards total */
	if (entry->rule.listnr == AUDIT_FILTER_USER ||
		entry->rule.listnr == AUDIT_FILTER_TYPE)
		dont_count = 1;
#endif

	mutex_lock(&audit_filter_mutex);
	e = audit_find_rule(entry, &list);
	if (e) {
		mutex_unlock(&audit_filter_mutex);
		err = -EEXIST;
		/* normally audit_add_tree_rule() will free it on failure */
		if (tree)
			audit_put_tree(tree);
		return err;
	}

	if (watch) {
		/* audit_filter_mutex is dropped and re-taken during this call */
		err = audit_add_watch(&entry->rule, &list);
		if (err) {
			mutex_unlock(&audit_filter_mutex);
			/*
			 * normally audit_add_tree_rule() will free it
			 * on failure
			 */
			if (tree)
				audit_put_tree(tree);
			return err;
		}
	}
	if (tree) {
		err = audit_add_tree_rule(&entry->rule);
		if (err) {
			mutex_unlock(&audit_filter_mutex);
			return err;
		}
	}

	/* only exit rules are ordered by priority; prepended rules take the
	 * next value above the middle, appended ones the next value below */
	entry->rule.prio = ~0ULL;
	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
		if (entry->rule.flags & AUDIT_FILTER_PREPEND)
			entry->rule.prio = ++prio_high;
		else
			entry->rule.prio = --prio_low;
	}

	/* the PREPEND flag is consumed once the placement is done so it does
	 * not show up when the rule is listed or compared */
	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
		list_add(&entry->rule.list,
			 &audit_rules_list[entry->rule.listnr]);
		list_add_rcu(&entry->list, list);
		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
	} else {
		list_add_tail(&entry->rule.list,
			      &audit_rules_list[entry->rule.listnr]);
		list_add_tail_rcu(&entry->list, list);
	}
#ifdef CONFIG_AUDITSYSCALL
	/* global counters consulted by the syscall fast path */
	if (!dont_count)
		audit_n_rules++;

	if (!audit_match_signal(entry))
		audit_signals++;
#endif
	mutex_unlock(&audit_filter_mutex);

	return err;
}

/* Remove an existing rule from filterlist.
 *
 * @entry is only a template: the list member that audit_compare_rule()
 * matches is what gets unlinked and freed (after an RCU grace period, so
 * concurrent filtering never sees freed memory); the caller frees @entry
 * itself.  Returns 0 or -ENOENT.  The temporary tree attached to @entry
 * is dropped after the mutex is released, whether or not a match was
 * found. */
static inline int audit_del_rule(struct audit_entry *entry)
{
	struct audit_entry  *e;
	struct audit_tree *tree = entry->rule.tree;
	/* only needed to satisfy audit_find_rule(); not used afterwards */
	struct list_head *list;
	int ret = 0;
#ifdef CONFIG_AUDITSYSCALL
	int dont_count = 0;

	/* If either of these, don't count towards total */
	if (entry->rule.listnr == AUDIT_FILTER_USER ||
		entry->rule.listnr == AUDIT_FILTER_TYPE)
		dont_count = 1;
#endif

	mutex_lock(&audit_filter_mutex);
	e = audit_find_rule(entry, &list);
	if (!e) {
		ret = -ENOENT;
		goto out;
	}

	/* detach the matched rule's own watch/tree before unlinking it */
	if (e->rule.watch)
		audit_remove_watch_rule(&e->rule);

	if (e->rule.tree)
		audit_remove_tree_rule(&e->rule);

#ifdef CONFIG_AUDITSYSCALL
	if (!dont_count)
		audit_n_rules--;

	if (!audit_match_signal(entry))
		audit_signals--;
#endif

	list_del_rcu(&e->list);
	list_del(&e->rule.list);
	call_rcu(&e->rcu, audit_free_rule_rcu);

out:
	mutex_unlock(&audit_filter_mutex);

	if (tree)
		audit_put_tree(tree);	/* that's the temporary one */

	return ret;
}

/* List rules using struct audit_rule_data.
 *
 * Queues one AUDIT_LIST_RULES reply per rule on @q, followed by an empty
 * terminating message.  Caller must hold audit_filter_mutex (see
 * audit_list_rules_send()).  An allocation failure only ends the walk of
 * the current list - the remaining lists and the terminator are still
 * produced - so the listing is then silently incomplete. */
static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
{
	struct sk_buff *skb;
	struct audit_krule *r;
	int i;

	/* This is a blocking read, so use audit_filter_mutex instead of rcu
	 * iterator to sync with list writers. */
	for (i=0; i<AUDIT_NR_FILTERS; i++) {
		list_for_each_entry(r, &audit_rules_list[i], list) {
			struct audit_rule_data *data;

			data = audit_krule_to_data(r);
			/* breaks out of this list only; no error is reported */
			if (unlikely(!data))
				break;
			/* the payload is the header plus the packed strings */
			skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
					       0, 1, data,
					       sizeof(*data) + data->buflen);
			if (skb)
				skb_queue_tail(q, skb);
			kfree(data);
		}
	}
	/* done=1: tells the receiver the listing is complete */
	skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
	if (skb)
		skb_queue_tail(q, skb);
}

/* Log rule additions and removals
 *
 * Emits an AUDIT_CONFIG_CHANGE record attributing the change to the
 * requesting task (login uid, session id and LSM context) together with
 * the operation, the rule's key, its list number and whether it
 * succeeded.  Does nothing when auditing is disabled or no buffer can be
 * obtained. */
static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
{
	struct audit_buffer *ab;
	/* captured from the current task before the enabled check */
	uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
	unsigned int sessionid = audit_get_sessionid(current);

	if (!audit_enabled)
		return;

	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
	if (!ab)
		return;
	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
	audit_log_task_context(ab);
	audit_log_format(ab, " op=");
	audit_log_string(ab, action);
	/* the key is untrusted user text; audit_log_key() handles escaping */
	audit_log_key(ab, rule->filterkey);
	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
	audit_log_end(ab);
}

/**
 * audit_rule_change - add or remove a filter rule on behalf of user-space
 * @type: audit message type (AUDIT_ADD_RULE or AUDIT_DEL_RULE)
 * @portid: target port id for netlink audit messages
 * @seq: netlink audit message sequence (serial) number
 * @data: payload data, a struct audit_rule_data
 * @datasz: size of payload data
 *
 * The payload is translated and validated by audit_data_to_entry() before
 * anything is changed.  Every attempt, successful or not, is logged as an
 * AUDIT_CONFIG_CHANGE record.  The translated entry is freed here on any
 * error and after a deletion (the matching list member, not this entry,
 * is what gets unlinked); on a successful addition ownership passes to
 * the filterlist.  Returns 0 or a negative errno.
 */
int audit_rule_change(int type, __u32 portid, int seq, void *data,
			size_t datasz)
{
	struct audit_entry *entry = audit_data_to_entry(data, datasz);
	int err;

	if (IS_ERR(entry))
		return PTR_ERR(entry);

	if (type == AUDIT_ADD_RULE) {
		err = audit_add_rule(entry);
		audit_log_rule_change("add_rule", &entry->rule, !err);
	} else if (type == AUDIT_DEL_RULE) {
		err = audit_del_rule(entry);
		audit_log_rule_change("remove_rule", &entry->rule, !err);
	} else {
		err = -EINVAL;
		WARN_ON(1);
	}

	if (err || type == AUDIT_DEL_RULE)
		audit_free_rule(entry);

	return err;
}

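/**
 * audit_list_rules_send - list the audit rules
 * @request_skb: skb of request we are replying to (used to target the reply)
 * @seq: netlink audit message sequence (serial) number
 *
 * Snapshots the rule lists into a queue of reply skbs under
 * audit_filter_mutex and hands the queue to a kernel thread for delivery.
 * On success the thread owns @dest (presumably freeing it and dropping the
 * net reference when done - not visible here).  If the thread cannot be
 * started everything acquired here, including the net reference, is
 * released before the error is returned.
 */
int audit_list_rules_send(struct sk_buff *request_skb, int seq)
{
	u32 portid = NETLINK_CB(request_skb).portid;
	struct net *net = sock_net(NETLINK_CB(request_skb).sk);
	struct task_struct *tsk;
	struct audit_netlink_list *dest;
	int err = 0;

	/* We can't just spew out the rules here because we might fill
	 * the available socket buffer space and deadlock waiting for
	 * auditctl to read from it... which isn't ever going to
	 * happen if we're actually running in the context of auditctl
	 * trying to _send_ the stuff */

	dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
	if (!dest)
		return -ENOMEM;
	dest->net = get_net(net);
	dest->portid = portid;
	skb_queue_head_init(&dest->q);

	mutex_lock(&audit_filter_mutex);
	audit_list_rules(portid, seq, &dest->q);
	mutex_unlock(&audit_filter_mutex);

	tsk = kthread_run(audit_send_list, dest, "audit_send_list");
	if (IS_ERR(tsk)) {
		skb_queue_purge(&dest->q);
		/* balance the get_net() above; without this the namespace
		 * could never be released after a failed listing */
		put_net(dest->net);
		kfree(dest);
		err = PTR_ERR(tsk);
	}

	return err;
}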

/*
 * audit_comparator - compare two 32-bit values under an audit operator
 * @left:  value taken from the event or task being filtered
 * @op:    one of the Audit_* operators
 * @right: value taken from the rule
 *
 * Returns non-zero when @left @op @right holds, 0 otherwise.  For
 * Audit_bitmask the raw result of the AND is returned, so callers must
 * only test it for zero / non-zero.
 */
int audit_comparator(u32 left, u32 op, u32 right)
{
	int matched;

	switch (op) {
	case Audit_equal:	matched = (left == right);		break;
	case Audit_not_equal:	matched = (left != right);		break;
	case Audit_lt:		matched = (left < right);		break;
	case Audit_le:		matched = (left <= right);		break;
	case Audit_gt:		matched = (left > right);		break;
	case Audit_ge:		matched = (left >= right);		break;
	case Audit_bitmask:	matched = (left & right);		break;
	case Audit_bittest:	matched = ((left & right) == right);	break;
	default:
		/* an operator not in the enum is treated as a kernel bug
		 * here; presumably bad operators are rejected when the
		 * rule is parsed, so this should be unreachable */
		BUG();
		matched = 0;
	}

	return matched;
}

/*
 * audit_uid_comparator - compare two kernel uids under an audit operator
 * @left:  uid taken from the task being filtered
 * @op:    one of the Audit_* ordering/equality operators
 * @right: uid taken from the rule
 *
 * Returns non-zero when the relation holds, 0 otherwise.  Only the
 * ordering and equality operators are meaningful for a kuid_t.
 */
int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
{
	int matched;

	switch (op) {
	case Audit_equal:	matched = uid_eq(left, right);	break;
	case Audit_not_equal:	matched = !uid_eq(left, right);	break;
	case Audit_lt:		matched = uid_lt(left, right);	break;
	case Audit_le:		matched = uid_lte(left, right);	break;
	case Audit_gt:		matched = uid_gt(left, right);	break;
	case Audit_ge:		matched = uid_gte(left, right);	break;
	default:
		/* Audit_bitmask and Audit_bittest have no meaning for a
		 * kuid_t and land here together with any unknown op;
		 * presumably rule parsing rejects them before this point */
		BUG();
		matched = 0;
	}

	return matched;
}

/*
 * audit_gid_comparator - compare two kernel gids under an audit operator
 * @left:  gid taken from the task being filtered
 * @op:    one of the Audit_* ordering/equality operators
 * @right: gid taken from the rule
 *
 * Returns non-zero when the relation holds, 0 otherwise.  Only the
 * ordering and equality operators are meaningful for a kgid_t.
 */
int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
{
	int matched;

	switch (op) {
	case Audit_equal:	matched = gid_eq(left, right);	break;
	case Audit_not_equal:	matched = !gid_eq(left, right);	break;
	case Audit_lt:		matched = gid_lt(left, right);	break;
	case Audit_le:		matched = gid_lte(left, right);	break;
	case Audit_gt:		matched = gid_gt(left, right);	break;
	case Audit_ge:		matched = gid_gte(left, right);	break;
	default:
		/* Audit_bitmask and Audit_bittest have no meaning for a
		 * kgid_t and land here together with any unknown op;
		 * presumably rule parsing rejects them before this point */
		BUG();
		matched = 0;
	}

	return matched;
}

/**
 * parent_len - find the length of the parent portion of a pathname
 * @path: pathname of which to determine length
 *
 * Returns the number of leading bytes of @path that make up everything
 * up to and including the separator before the final component.  Any
 * run of trailing slashes is ignored, so "/a/b/" and "/a/b" both give 3.
 * A path with no slash before its final component (e.g. "ab") gives 0,
 * and an empty path gives 0.
 */
int parent_len(const char *path)
{
	int end = strlen(path);

	if (end == 0)
		return 0;

	/* index of the last byte that is not part of a trailing slash run */
	end--;
	while (end > 0 && path[end] == '/')
		end--;

	/* back up over the final component to the slash that precedes it */
	while (end > 0 && path[end] != '/')
		end--;

	/* the loop stops either on a slash (include it) or at index 0 */
	return path[end] == '/' ? end + 1 : end;
}

/**
 * audit_compare_dname_path - compare given dentry name with last component in
 * 			      given path. Return of 0 indicates a match.
 * @dname:	dentry name that we're comparing
 * @path:	full pathname that we're comparing
 * @parentlen:	length of the parent if known. Passing in AUDIT_NAME_FULL
 * 		here indicates that we must compute this value.
 *
 * Returns 0 when the final component of @path is exactly @dname, and a
 * non-zero value otherwise (1 for a length mismatch, else the strncmp()
 * result).
 */
int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
{
	int dlen = strlen(dname);
	int pathlen = strlen(path);

	/* a path shorter than the name cannot end in it */
	if (pathlen < dlen)
		return 1;

	if (parentlen == AUDIT_NAME_FULL)
		parentlen = parent_len(path);

	/* the final component must be exactly as long as the dentry name */
	if (pathlen - parentlen != dlen)
		return 1;

	return strncmp(path + parentlen, dname, dlen);
}

/*
 * audit_filter_user_rules - test one rule against the current task
 * @rule:  the rule to evaluate
 * @type:  audit message type being filtered
 * @state: updated with the rule's verdict when every field matches
 *
 * Every field of @rule is compared against the current task (or @type for
 * AUDIT_MSGTYPE).  The first field that fails ends the evaluation with a
 * return of 0 and @state untouched; a field type not handled below also
 * counts as a non-match.  When all fields match, @state is set according to
 * the rule's action (AUDIT_NEVER / AUDIT_ALWAYS) and 1 is returned.  A rule
 * with no fields therefore matches unconditionally.
 */
static int audit_filter_user_rules(struct audit_krule *rule, int type,
				   enum audit_state *state)
{
	struct audit_field *f;
	int i;

	for (i = 0; i < rule->field_count; i++) {
		int matched = 0;
		u32 sid;

		f = &rule->fields[i];
		switch (f->type) {
		case AUDIT_PID:
			matched = audit_comparator(task_pid_nr(current),
						   f->op, f->val);
			break;
		case AUDIT_UID:
			matched = audit_uid_comparator(current_uid(),
						       f->op, f->uid);
			break;
		case AUDIT_GID:
			matched = audit_gid_comparator(current_gid(),
						       f->op, f->gid);
			break;
		case AUDIT_LOGINUID:
			matched = audit_uid_comparator(audit_get_loginuid(current),
						       f->op, f->uid);
			break;
		case AUDIT_LOGINUID_SET:
			matched = audit_comparator(audit_loginuid_set(current),
						   f->op, f->val);
			break;
		case AUDIT_MSGTYPE:
			matched = audit_comparator(type, f->op, f->val);
			break;
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
			/* a subject field with no compiled LSM rule never
			 * matches */
			if (!f->lsm_rule)
				break;
			security_task_getsecid(current, &sid);
			matched = security_audit_rule_match(sid, f->type,
							    f->op,
							    f->lsm_rule,
							    NULL);
			break;
		}

		if (!matched)
			return 0;
	}

	if (rule->action == AUDIT_NEVER)
		*state = AUDIT_DISABLED;
	else if (rule->action == AUDIT_ALWAYS)
		*state = AUDIT_RECORD_CONTEXT;

	return 1;
}