LXR linux/kernel/auditfilter.c

   1/* auditfilter.c -- filtering of audit events
   2 *
   3 * Copyright 2003-2004 Red Hat, Inc.
   4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   5 * Copyright 2005 IBM Corporation
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 */
  21
  22#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  23
  24#include <linux/kernel.h>
  25#include <linux/audit.h>
  26#include <linux/kthread.h>
  27#include <linux/mutex.h>
  28#include <linux/fs.h>
  29#include <linux/namei.h>
  30#include <linux/netlink.h>
  31#include <linux/sched.h>
  32#include <linux/slab.h>
  33#include <linux/security.h>
  34#include <net/net_namespace.h>
  35#include <net/sock.h>
  36#include "audit.h"
  37
  38/*
  39 * Locking model:
  40 *
  41 * audit_filter_mutex:
  42 *              Synchronizes writes and blocking reads of audit's filterlist
  43 *              data.  Rcu is used to traverse the filterlist and access
  44 *              contents of structs audit_entry, audit_watch and opaque
  45 *              LSM rules during filtering.  If modified, these structures
  46 *              must be copied and replace their counterparts in the filterlist.
  47 *              An audit_parent struct is not accessed during filtering, so may
  48 *              be written directly provided audit_filter_mutex is held.
  49 */
  50
  51/* Audit filter lists, defined in <linux/audit.h> */
  52struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  53        LIST_HEAD_INIT(audit_filter_list[0]),
  54        LIST_HEAD_INIT(audit_filter_list[1]),
  55        LIST_HEAD_INIT(audit_filter_list[2]),
  56        LIST_HEAD_INIT(audit_filter_list[3]),
  57        LIST_HEAD_INIT(audit_filter_list[4]),
  58        LIST_HEAD_INIT(audit_filter_list[5]),
  59#if AUDIT_NR_FILTERS != 6
  60#error Fix audit_filter_list initialiser
  61#endif
  62};
  63static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  64        LIST_HEAD_INIT(audit_rules_list[0]),
  65        LIST_HEAD_INIT(audit_rules_list[1]),
  66        LIST_HEAD_INIT(audit_rules_list[2]),
  67        LIST_HEAD_INIT(audit_rules_list[3]),
  68        LIST_HEAD_INIT(audit_rules_list[4]),
  69        LIST_HEAD_INIT(audit_rules_list[5]),
  70};
  71
  72DEFINE_MUTEX(audit_filter_mutex);
  73
  74static inline void audit_free_rule(struct audit_entry *e)
  75{
  76        int i;
  77        struct audit_krule *erule = &e->rule;
  78
  79        /* some rules don't have associated watches */
  80        if (erule->watch)
  81                audit_put_watch(erule->watch);
  82        if (erule->fields)
  83                for (i = 0; i < erule->field_count; i++) {
  84                        struct audit_field *f = &erule->fields[i];
  85                        kfree(f->lsm_str);
  86                        security_audit_rule_free(f->lsm_rule);
  87                }
  88        kfree(erule->fields);
  89        kfree(erule->filterkey);
  90        kfree(e);
  91}
  92
  93void audit_free_rule_rcu(struct rcu_head *head)
  94{
  95        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
  96        audit_free_rule(e);
  97}
  98
  99/* Initialize an audit filterlist entry. */
 100static inline struct audit_entry *audit_init_entry(u32 field_count)
 101{
 102        struct audit_entry *entry;
 103        struct audit_field *fields;
 104
 105        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 106        if (unlikely(!entry))
 107                return NULL;
 108
 109        fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
 110        if (unlikely(!fields)) {
 111                kfree(entry);
 112                return NULL;
 113        }
 114        entry->rule.fields = fields;
 115
 116        return entry;
 117}
 118
 119/* Unpack a filter field's string representation from user-space
 120 * buffer. */
 121char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 122{
 123        char *str;
 124
 125        if (!*bufp || (len == 0) || (len > *remain))
 126                return ERR_PTR(-EINVAL);
 127
 128        /* Of the currently implemented string fields, PATH_MAX
 129         * defines the longest valid length.
 130         */
 131        if (len > PATH_MAX)
 132                return ERR_PTR(-ENAMETOOLONG);
 133
 134        str = kmalloc(len + 1, GFP_KERNEL);
 135        if (unlikely(!str))
 136                return ERR_PTR(-ENOMEM);
 137
 138        memcpy(str, *bufp, len);
 139        str[len] = 0;
 140        *bufp += len;
 141        *remain -= len;
 142
 143        return str;
 144}
 145
 146/* Translate an inode field to kernel respresentation. */
 147static inline int audit_to_inode(struct audit_krule *krule,
 148                                 struct audit_field *f)
 149{
 150        if (krule->listnr != AUDIT_FILTER_EXIT ||
 151            krule->watch || krule->inode_f || krule->tree ||
 152            (f->op != Audit_equal && f->op != Audit_not_equal))
 153                return -EINVAL;
 154
 155        krule->inode_f = f;
 156        return 0;
 157}
 158
 159static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 160
 161int __init audit_register_class(int class, unsigned *list)
 162{
 163        __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
 164        if (!p)
 165                return -ENOMEM;
 166        while (*list != ~0U) {
 167                unsigned n = *list++;
 168                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 169                        kfree(p);
 170                        return -EINVAL;
 171                }
 172                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 173        }
 174        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 175                kfree(p);
 176                return -EINVAL;
 177        }
 178        classes[class] = p;
 179        return 0;
 180}
 181
 182int audit_match_class(int class, unsigned syscall)
 183{
 184        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 185                return 0;
 186        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 187                return 0;
 188        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 189}
 190
 191#ifdef CONFIG_AUDITSYSCALL
 192static inline int audit_match_class_bits(int class, u32 *mask)
 193{
 194        int i;
 195
 196        if (classes[class]) {
 197                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 198                        if (mask[i] & classes[class][i])
 199                                return 0;
 200        }
 201        return 1;
 202}
 203
 204static int audit_match_signal(struct audit_entry *entry)
 205{
 206        struct audit_field *arch = entry->rule.arch_f;
 207
 208        if (!arch) {
 209                /* When arch is unspecified, we must check both masks on biarch
 210                 * as syscall number alone is ambiguous. */
 211                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 212                                               entry->rule.mask) &&
 213                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 214                                               entry->rule.mask));
 215        }
 216
 217        switch(audit_classify_arch(arch->val)) {
 218        case 0: /* native */
 219                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 220                                               entry->rule.mask));
 221        case 1: /* 32bit on biarch */
 222                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 223                                               entry->rule.mask));
 224        default:
 225                return 1;
 226        }
 227}
 228#endif
 229
 230/* Common user-space to kernel rule translation. */
 231static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
 232{
 233        unsigned listnr;
 234        struct audit_entry *entry;
 235        int i, err;
 236
 237        err = -EINVAL;
 238        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 239        switch(listnr) {
 240        default:
 241                goto exit_err;
 242#ifdef CONFIG_AUDITSYSCALL
 243        case AUDIT_FILTER_ENTRY:
 244                if (rule->action == AUDIT_ALWAYS)
 245                        goto exit_err;
 246        case AUDIT_FILTER_EXIT:
 247        case AUDIT_FILTER_TASK:
 248#endif
 249        case AUDIT_FILTER_USER:
 250        case AUDIT_FILTER_TYPE:
 251                ;
 252        }
 253        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 254                pr_err("AUDIT_POSSIBLE is deprecated\n");
 255                goto exit_err;
 256        }
 257        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 258                goto exit_err;
 259        if (rule->field_count > AUDIT_MAX_FIELDS)
 260                goto exit_err;
 261
 262        err = -ENOMEM;
 263        entry = audit_init_entry(rule->field_count);
 264        if (!entry)
 265                goto exit_err;
 266
 267        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 268        entry->rule.listnr = listnr;
 269        entry->rule.action = rule->action;
 270        entry->rule.field_count = rule->field_count;
 271
 272        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 273                entry->rule.mask[i] = rule->mask[i];
 274
 275        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 276                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 277                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 278                __u32 *class;
 279
 280                if (!(*p & AUDIT_BIT(bit)))
 281                        continue;
 282                *p &= ~AUDIT_BIT(bit);
 283                class = classes[i];
 284                if (class) {
 285                        int j;
 286                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 287                                entry->rule.mask[j] |= class[j];
 288                }
 289        }
 290
 291        return entry;
 292
 293exit_err:
 294        return ERR_PTR(err);
 295}
 296
 297static u32 audit_ops[] =
 298{
 299        [Audit_equal] = AUDIT_EQUAL,
 300        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 301        [Audit_bitmask] = AUDIT_BIT_MASK,
 302        [Audit_bittest] = AUDIT_BIT_TEST,
 303        [Audit_lt] = AUDIT_LESS_THAN,
 304        [Audit_gt] = AUDIT_GREATER_THAN,
 305        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 306        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 307};
 308
 309static u32 audit_to_op(u32 op)
 310{
 311        u32 n;
 312        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 313                ;
 314        return n;
 315}
 316
 317/* check if an audit field is valid */
 318static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 319{
 320        switch(f->type) {
 321        case AUDIT_MSGTYPE:
 322                if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
 323                    entry->rule.listnr != AUDIT_FILTER_USER)
 324                        return -EINVAL;
 325                break;
 326        };
 327
 328        switch(f->type) {
 329        default:
 330                return -EINVAL;
 331        case AUDIT_UID:
 332        case AUDIT_EUID:
 333        case AUDIT_SUID:
 334        case AUDIT_FSUID:
 335        case AUDIT_LOGINUID:
 336        case AUDIT_OBJ_UID:
 337        case AUDIT_GID:
 338        case AUDIT_EGID:
 339        case AUDIT_SGID:
 340        case AUDIT_FSGID:
 341        case AUDIT_OBJ_GID:
 342        case AUDIT_PID:
 343        case AUDIT_PERS:
 344        case AUDIT_MSGTYPE:
 345        case AUDIT_PPID:
 346        case AUDIT_DEVMAJOR:
 347        case AUDIT_DEVMINOR:
 348        case AUDIT_EXIT:
 349        case AUDIT_SUCCESS:
 350        case AUDIT_INODE:
 351                /* bit ops are only useful on syscall args */
 352                if (f->op == Audit_bitmask || f->op == Audit_bittest)
 353                        return -EINVAL;
 354                break;
 355        case AUDIT_ARG0:
 356        case AUDIT_ARG1:
 357        case AUDIT_ARG2:
 358        case AUDIT_ARG3:
 359        case AUDIT_SUBJ_USER:
 360        case AUDIT_SUBJ_ROLE:
 361        case AUDIT_SUBJ_TYPE:
 362        case AUDIT_SUBJ_SEN:
 363        case AUDIT_SUBJ_CLR:
 364        case AUDIT_OBJ_USER:
 365        case AUDIT_OBJ_ROLE:
 366        case AUDIT_OBJ_TYPE:
 367        case AUDIT_OBJ_LEV_LOW:
 368        case AUDIT_OBJ_LEV_HIGH:
 369        case AUDIT_WATCH:
 370        case AUDIT_DIR:
 371        case AUDIT_FILTERKEY:
 372                break;
 373        case AUDIT_LOGINUID_SET:
 374                if ((f->val != 0) && (f->val != 1))
 375                        return -EINVAL;
 376        /* FALL THROUGH */
 377        case AUDIT_ARCH:
 378                if (f->op != Audit_not_equal && f->op != Audit_equal)
 379                        return -EINVAL;
 380                break;
 381        case AUDIT_PERM:
 382                if (f->val & ~15)
 383                        return -EINVAL;
 384                break;
 385        case AUDIT_FILETYPE:
 386                if (f->val & ~S_IFMT)
 387                        return -EINVAL;
 388                break;
 389        case AUDIT_FIELD_COMPARE:
 390                if (f->val > AUDIT_MAX_FIELD_COMPARE)
 391                        return -EINVAL;
 392                break;
 393        };
 394        return 0;
 395}
 396
 397/* Translate struct audit_rule_data to kernel's rule respresentation. */
 398static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 399                                               size_t datasz)
 400{
 401        int err = 0;
 402        struct audit_entry *entry;
 403        void *bufp;
 404        size_t remain = datasz - sizeof(struct audit_rule_data);
 405        int i;
 406        char *str;
 407
 408        entry = audit_to_entry_common(data);
 409        if (IS_ERR(entry))
 410                goto exit_nofree;
 411
 412        bufp = data->buf;
 413        entry->rule.vers_ops = 2;
 414        for (i = 0; i < data->field_count; i++) {
 415                struct audit_field *f = &entry->rule.fields[i];
 416
 417                err = -EINVAL;
 418
 419                f->op = audit_to_op(data->fieldflags[i]);
 420                if (f->op == Audit_bad)
 421                        goto exit_free;
 422
 423                f->type = data->fields[i];
 424                f->val = data->values[i];
 425                f->uid = INVALID_UID;
 426                f->gid = INVALID_GID;
 427                f->lsm_str = NULL;
 428                f->lsm_rule = NULL;
 429
 430                /* Support legacy tests for a valid loginuid */
 431                if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
 432                        f->type = AUDIT_LOGINUID_SET;
 433                        f->val = 0;
 434                }
 435
 436                if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
 437                        struct pid *pid;
 438                        rcu_read_lock();
 439                        pid = find_vpid(f->val);
 440                        if (!pid) {
 441                                rcu_read_unlock();
 442                                err = -ESRCH;
 443                                goto exit_free;
 444                        }
 445                        f->val = pid_nr(pid);
 446                        rcu_read_unlock();
 447                }
 448
 449                err = audit_field_valid(entry, f);
 450                if (err)
 451                        goto exit_free;
 452
 453                err = -EINVAL;
 454                switch (f->type) {
 455                case AUDIT_LOGINUID:
 456                case AUDIT_UID:
 457                case AUDIT_EUID:
 458                case AUDIT_SUID:
 459                case AUDIT_FSUID:
 460                case AUDIT_OBJ_UID:
 461                        f->uid = make_kuid(current_user_ns(), f->val);
 462                        if (!uid_valid(f->uid))
 463                                goto exit_free;
 464                        break;
 465                case AUDIT_GID:
 466                case AUDIT_EGID:
 467                case AUDIT_SGID:
 468                case AUDIT_FSGID:
 469                case AUDIT_OBJ_GID:
 470                        f->gid = make_kgid(current_user_ns(), f->val);
 471                        if (!gid_valid(f->gid))
 472                                goto exit_free;
 473                        break;
 474                case AUDIT_ARCH:
 475                        entry->rule.arch_f = f;
 476                        break;
 477                case AUDIT_SUBJ_USER:
 478                case AUDIT_SUBJ_ROLE:
 479                case AUDIT_SUBJ_TYPE:
 480                case AUDIT_SUBJ_SEN:
 481                case AUDIT_SUBJ_CLR:
 482                case AUDIT_OBJ_USER:
 483                case AUDIT_OBJ_ROLE:
 484                case AUDIT_OBJ_TYPE:
 485                case AUDIT_OBJ_LEV_LOW:
 486                case AUDIT_OBJ_LEV_HIGH:
 487                        str = audit_unpack_string(&bufp, &remain, f->val);
 488                        if (IS_ERR(str))
 489                                goto exit_free;
 490                        entry->rule.buflen += f->val;
 491
 492                        err = security_audit_rule_init(f->type, f->op, str,
 493                                                       (void **)&f->lsm_rule);
 494                        /* Keep currently invalid fields around in case they
 495                         * become valid after a policy reload. */
 496                        if (err == -EINVAL) {
 497                                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 498                                        str);
 499                                err = 0;
 500                        }
 501                        if (err) {
 502                                kfree(str);
 503                                goto exit_free;
 504                        } else
 505                                f->lsm_str = str;
 506                        break;
 507                case AUDIT_WATCH:
 508                        str = audit_unpack_string(&bufp, &remain, f->val);
 509                        if (IS_ERR(str))
 510                                goto exit_free;
 511                        entry->rule.buflen += f->val;
 512
 513                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 514                        if (err) {
 515                                kfree(str);
 516                                goto exit_free;
 517                        }
 518                        break;
 519                case AUDIT_DIR:
 520                        str = audit_unpack_string(&bufp, &remain, f->val);
 521                        if (IS_ERR(str))
 522                                goto exit_free;
 523                        entry->rule.buflen += f->val;
 524
 525                        err = audit_make_tree(&entry->rule, str, f->op);
 526                        kfree(str);
 527                        if (err)
 528                                goto exit_free;
 529                        break;
 530                case AUDIT_INODE:
 531                        err = audit_to_inode(&entry->rule, f);
 532                        if (err)
 533                                goto exit_free;
 534                        break;
 535                case AUDIT_FILTERKEY:
 536                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 537                                goto exit_free;
 538                        str = audit_unpack_string(&bufp, &remain, f->val);
 539                        if (IS_ERR(str))
 540                                goto exit_free;
 541                        entry->rule.buflen += f->val;
 542                        entry->rule.filterkey = str;
 543                        break;
 544                }
 545        }
 546
 547        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 548                entry->rule.inode_f = NULL;
 549
 550exit_nofree:
 551        return entry;
 552
 553exit_free:
 554        if (entry->rule.watch)
 555                audit_put_watch(entry->rule.watch); /* matches initial get */
 556        if (entry->rule.tree)
 557                audit_put_tree(entry->rule.tree); /* that's the temporary one */
 558        audit_free_rule(entry);
 559        return ERR_PTR(err);
 560}
 561
 562/* Pack a filter field's string representation into data block. */
 563static inline size_t audit_pack_string(void **bufp, const char *str)
 564{
 565        size_t len = strlen(str);
 566
 567        memcpy(*bufp, str, len);
 568        *bufp += len;
 569
 570        return len;
 571}
 572
 573/* Translate kernel rule respresentation to struct audit_rule_data. */
 574static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 575{
 576        struct audit_rule_data *data;
 577        void *bufp;
 578        int i;
 579
 580        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 581        if (unlikely(!data))
 582                return NULL;
 583        memset(data, 0, sizeof(*data));
 584
 585        data->flags = krule->flags | krule->listnr;
 586        data->action = krule->action;
 587        data->field_count = krule->field_count;
 588        bufp = data->buf;
 589        for (i = 0; i < data->field_count; i++) {
 590                struct audit_field *f = &krule->fields[i];
 591
 592                data->fields[i] = f->type;
 593                data->fieldflags[i] = audit_ops[f->op];
 594                switch(f->type) {
 595                case AUDIT_SUBJ_USER:
 596                case AUDIT_SUBJ_ROLE:
 597                case AUDIT_SUBJ_TYPE:
 598                case AUDIT_SUBJ_SEN:
 599                case AUDIT_SUBJ_CLR:
 600                case AUDIT_OBJ_USER:
 601                case AUDIT_OBJ_ROLE:
 602                case AUDIT_OBJ_TYPE:
 603                case AUDIT_OBJ_LEV_LOW:
 604                case AUDIT_OBJ_LEV_HIGH:
 605                        data->buflen += data->values[i] =
 606                                audit_pack_string(&bufp, f->lsm_str);
 607                        break;
 608                case AUDIT_WATCH:
 609                        data->buflen += data->values[i] =
 610                                audit_pack_string(&bufp,
 611                                                  audit_watch_path(krule->watch));
 612                        break;
 613                case AUDIT_DIR:
 614                        data->buflen += data->values[i] =
 615                                audit_pack_string(&bufp,
 616                                                  audit_tree_path(krule->tree));
 617                        break;
 618                case AUDIT_FILTERKEY:
 619                        data->buflen += data->values[i] =
 620                                audit_pack_string(&bufp, krule->filterkey);
 621                        break;
 622                default:
 623                        data->values[i] = f->val;
 624                }
 625        }
 626        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 627
 628        return data;
 629}
 630
 631/* Compare two rules in kernel format.  Considered success if rules
 632 * don't match. */
 633static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 634{
 635        int i;
 636
 637        if (a->flags != b->flags ||
 638            a->listnr != b->listnr ||
 639            a->action != b->action ||
 640            a->field_count != b->field_count)
 641                return 1;
 642
 643        for (i = 0; i < a->field_count; i++) {
 644                if (a->fields[i].type != b->fields[i].type ||
 645                    a->fields[i].op != b->fields[i].op)
 646                        return 1;
 647
 648                switch(a->fields[i].type) {
 649                case AUDIT_SUBJ_USER:
 650                case AUDIT_SUBJ_ROLE:
 651                case AUDIT_SUBJ_TYPE:
 652                case AUDIT_SUBJ_SEN:
 653                case AUDIT_SUBJ_CLR:
 654                case AUDIT_OBJ_USER:
 655                case AUDIT_OBJ_ROLE:
 656                case AUDIT_OBJ_TYPE:
 657                case AUDIT_OBJ_LEV_LOW:
 658                case AUDIT_OBJ_LEV_HIGH:
 659                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 660                                return 1;
 661                        break;
 662                case AUDIT_WATCH:
 663                        if (strcmp(audit_watch_path(a->watch),
 664                                   audit_watch_path(b->watch)))
 665                                return 1;
 666                        break;
 667                case AUDIT_DIR:
 668                        if (strcmp(audit_tree_path(a->tree),
 669                                   audit_tree_path(b->tree)))
 670                                return 1;
 671                        break;
 672                case AUDIT_FILTERKEY:
 673                        /* both filterkeys exist based on above type compare */
 674                        if (strcmp(a->filterkey, b->filterkey))
 675                                return 1;
 676                        break;
 677                case AUDIT_UID:
 678                case AUDIT_EUID:
 679                case AUDIT_SUID:
 680                case AUDIT_FSUID:
 681                case AUDIT_LOGINUID:
 682                case AUDIT_OBJ_UID:
 683                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 684                                return 1;
 685                        break;
 686                case AUDIT_GID:
 687                case AUDIT_EGID:
 688                case AUDIT_SGID:
 689                case AUDIT_FSGID:
 690                case AUDIT_OBJ_GID:
 691                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 692                                return 1;
 693                        break;
 694                default:
 695                        if (a->fields[i].val != b->fields[i].val)
 696                                return 1;
 697                }
 698        }
 699
 700        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 701                if (a->mask[i] != b->mask[i])
 702                        return 1;
 703
 704        return 0;
 705}
 706
 707/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 708 * re-initialized. */
 709static inline int audit_dupe_lsm_field(struct audit_field *df,
 710                                           struct audit_field *sf)
 711{
 712        int ret = 0;
 713        char *lsm_str;
 714
 715        /* our own copy of lsm_str */
 716        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 717        if (unlikely(!lsm_str))
 718                return -ENOMEM;
 719        df->lsm_str = lsm_str;
 720
 721        /* our own (refreshed) copy of lsm_rule */
 722        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 723                                       (void **)&df->lsm_rule);
 724        /* Keep currently invalid fields around in case they
 725         * become valid after a policy reload. */
 726        if (ret == -EINVAL) {
 727                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 728                        df->lsm_str);
 729                ret = 0;
 730        }
 731
 732        return ret;
 733}
 734
 735/* Duplicate an audit rule.  This will be a deep copy with the exception
 736 * of the watch - that pointer is carried over.  The LSM specific fields
 737 * will be updated in the copy.  The point is to be able to replace the old
 738 * rule with the new rule in the filterlist, then free the old rule.
 739 * The rlist element is undefined; list manipulations are handled apart from
 740 * the initial copy. */
 741struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 742{
 743        u32 fcount = old->field_count;
 744        struct audit_entry *entry;
 745        struct audit_krule *new;
 746        char *fk;
 747        int i, err = 0;
 748
 749        entry = audit_init_entry(fcount);
 750        if (unlikely(!entry))
 751                return ERR_PTR(-ENOMEM);
 752
 753        new = &entry->rule;
 754        new->vers_ops = old->vers_ops;
 755        new->flags = old->flags;
 756        new->listnr = old->listnr;
 757        new->action = old->action;
 758        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 759                new->mask[i] = old->mask[i];
 760        new->prio = old->prio;
 761        new->buflen = old->buflen;
 762        new->inode_f = old->inode_f;
 763        new->field_count = old->field_count;
 764
 765        /*
 766         * note that we are OK with not refcounting here; audit_match_tree()
 767         * never dereferences tree and we can't get false positives there
 768         * since we'd have to have rule gone from the list *and* removed
 769         * before the chunks found by lookup had been allocated, i.e. before
 770         * the beginning of list scan.
 771         */
 772        new->tree = old->tree;
 773        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 774
 775        /* deep copy this information, updating the lsm_rule fields, because
 776         * the originals will all be freed when the old rule is freed. */
 777        for (i = 0; i < fcount; i++) {
 778                switch (new->fields[i].type) {
 779                case AUDIT_SUBJ_USER:
 780                case AUDIT_SUBJ_ROLE:
 781                case AUDIT_SUBJ_TYPE:
 782                case AUDIT_SUBJ_SEN:
 783                case AUDIT_SUBJ_CLR:
 784                case AUDIT_OBJ_USER:
 785                case AUDIT_OBJ_ROLE:
 786                case AUDIT_OBJ_TYPE:
 787                case AUDIT_OBJ_LEV_LOW:
 788                case AUDIT_OBJ_LEV_HIGH:
 789                        err = audit_dupe_lsm_field(&new->fields[i],
 790                                                       &old->fields[i]);
 791                        break;
 792                case AUDIT_FILTERKEY:
 793                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 794                        if (unlikely(!fk))
 795                                err = -ENOMEM;
 796                        else
 797                                new->filterkey = fk;
 798                }
 799                if (err) {
 800                        audit_free_rule(entry);
 801                        return ERR_PTR(err);
 802                }
 803        }
 804
 805        if (old->watch) {
 806                audit_get_watch(old->watch);
 807                new->watch = old->watch;
 808        }
 809
 810        return entry;
 811}
 812
 813/* Find an existing audit rule.
 814 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 815static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 816                                           struct list_head **p)
 817{
 818        struct audit_entry *e, *found = NULL;
 819        struct list_head *list;
 820        int h;
 821
 822        if (entry->rule.inode_f) {
 823                h = audit_hash_ino(entry->rule.inode_f->val);
 824                *p = list = &audit_inode_hash[h];
 825        } else if (entry->rule.watch) {
 826                /* we don't know the inode number, so must walk entire hash */
 827                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 828                        list = &audit_inode_hash[h];
 829                        list_for_each_entry(e, list, list)
 830                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 831                                        found = e;
 832                                        goto out;
 833                                }
 834                }
 835                goto out;
 836        } else {
 837                *p = list = &audit_filter_list[entry->rule.listnr];
 838        }
 839
 840        list_for_each_entry(e, list, list)
 841                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 842                        found = e;
 843                        goto out;
 844                }
 845
 846out:
 847        return found;
 848}
 849
 850static u64 prio_low = ~0ULL/2;
 851static u64 prio_high = ~0ULL/2 - 1;
 852
 853/* Add rule to given filterlist if not a duplicate. */
 854static inline int audit_add_rule(struct audit_entry *entry)
 855{
 856        struct audit_entry *e;
 857        struct audit_watch *watch = entry->rule.watch;
 858        struct audit_tree *tree = entry->rule.tree;
 859        struct list_head *list;
 860        int err;
 861#ifdef CONFIG_AUDITSYSCALL
 862        int dont_count = 0;
 863
 864        /* If either of these, don't count towards total */
 865        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 866                entry->rule.listnr == AUDIT_FILTER_TYPE)
 867                dont_count = 1;
 868#endif
 869
 870        mutex_lock(&audit_filter_mutex);
 871        e = audit_find_rule(entry, &list);
 872        if (e) {
 873                mutex_unlock(&audit_filter_mutex);
 874                err = -EEXIST;
 875                /* normally audit_add_tree_rule() will free it on failure */
 876                if (tree)
 877                        audit_put_tree(tree);
 878                goto error;
 879        }
 880
 881        if (watch) {
 882                /* audit_filter_mutex is dropped and re-taken during this call */
 883                err = audit_add_watch(&entry->rule, &list);
 884                if (err) {
 885                        mutex_unlock(&audit_filter_mutex);
 886                        /*
 887                         * normally audit_add_tree_rule() will free it
 888                         * on failure
 889                         */
 890                        if (tree)
 891                                audit_put_tree(tree);
 892                        goto error;
 893                }
 894        }
 895        if (tree) {
 896                err = audit_add_tree_rule(&entry->rule);
 897                if (err) {
 898                        mutex_unlock(&audit_filter_mutex);
 899                        goto error;
 900                }
 901        }
 902
 903        entry->rule.prio = ~0ULL;
 904        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 905                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 906                        entry->rule.prio = ++prio_high;
 907                else
 908                        entry->rule.prio = --prio_low;
 909        }
 910
 911        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 912                list_add(&entry->rule.list,
 913                         &audit_rules_list[entry->rule.listnr]);
 914                list_add_rcu(&entry->list, list);
 915                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 916        } else {
 917                list_add_tail(&entry->rule.list,
 918                              &audit_rules_list[entry->rule.listnr]);
 919                list_add_tail_rcu(&entry->list, list);
 920        }
 921#ifdef CONFIG_AUDITSYSCALL
 922        if (!dont_count)
 923                audit_n_rules++;
 924
 925        if (!audit_match_signal(entry))
 926                audit_signals++;
 927#endif
 928        mutex_unlock(&audit_filter_mutex);
 929
 930        return 0;
 931
 932error:
 933        if (watch)
 934                audit_put_watch(watch); /* tmp watch, matches initial get */
 935        return err;
 936}
 937
 938/* Remove an existing rule from filterlist. */
 939static inline int audit_del_rule(struct audit_entry *entry)
 940{
 941        struct audit_entry  *e;
 942        struct audit_watch *watch = entry->rule.watch;
 943        struct audit_tree *tree = entry->rule.tree;
 944        struct list_head *list;
 945        int ret = 0;
 946#ifdef CONFIG_AUDITSYSCALL
 947        int dont_count = 0;
 948
 949        /* If either of these, don't count towards total */
 950        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 951                entry->rule.listnr == AUDIT_FILTER_TYPE)
 952                dont_count = 1;
 953#endif
 954
 955        mutex_lock(&audit_filter_mutex);
 956        e = audit_find_rule(entry, &list);
 957        if (!e) {
 958                mutex_unlock(&audit_filter_mutex);
 959                ret = -ENOENT;
 960                goto out;
 961        }
 962
 963        if (e->rule.watch)
 964                audit_remove_watch_rule(&e->rule);
 965
 966        if (e->rule.tree)
 967                audit_remove_tree_rule(&e->rule);
 968
 969        list_del_rcu(&e->list);
 970        list_del(&e->rule.list);
 971        call_rcu(&e->rcu, audit_free_rule_rcu);
 972
 973#ifdef CONFIG_AUDITSYSCALL
 974        if (!dont_count)
 975                audit_n_rules--;
 976
 977        if (!audit_match_signal(entry))
 978                audit_signals--;
 979#endif
 980        mutex_unlock(&audit_filter_mutex);
 981
 982out:
 983        if (watch)
 984                audit_put_watch(watch); /* match initial get */
 985        if (tree)
 986                audit_put_tree(tree);   /* that's the temporary one */
 987
 988        return ret;
 989}
 990
 991/* List rules using struct audit_rule_data. */
 992static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
 993{
 994        struct sk_buff *skb;
 995        struct audit_krule *r;
 996        int i;
 997
 998        /* This is a blocking read, so use audit_filter_mutex instead of rcu
 999         * iterator to sync with list writers. */
1000        for (i=0; i<AUDIT_NR_FILTERS; i++) {

1001                list_for_each_entry(r, &audit_rules_list[i], list) {
1002                        struct audit_rule_data *data;
1003
1004                        data = audit_krule_to_data(r);
1005                        if (unlikely(!data))
1006                                break;
1007                        skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
1008                                               0, 1, data,
1009                                               sizeof(*data) + data->buflen);
1010                        if (skb)
1011                                skb_queue_tail(q, skb);
1012                        kfree(data);
1013                }
1014        }
1015        skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1016        if (skb)
1017                skb_queue_tail(q, skb);
1018}
1019
1020/* Log rule additions and removals */
1021static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1022{
1023        struct audit_buffer *ab;
1024        uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
1025        unsigned int sessionid = audit_get_sessionid(current);
1026
1027        if (!audit_enabled)
1028                return;
1029
1030        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1031        if (!ab)
1032                return;
1033        audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
1034        audit_log_task_context(ab);
1035        audit_log_format(ab, " op=");
1036        audit_log_string(ab, action);
1037        audit_log_key(ab, rule->filterkey);
1038        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1039        audit_log_end(ab);
1040}
1041
1042/**
1043 * audit_rule_change - apply all rules to the specified message type
1044 * @type: audit message type
1045 * @portid: target port id for netlink audit messages
1046 * @seq: netlink audit message sequence (serial) number
1047 * @data: payload data
1048 * @datasz: size of payload data
1049 */
1050int audit_rule_change(int type, __u32 portid, int seq, void *data,
1051                        size_t datasz)
1052{
1053        int err = 0;
1054        struct audit_entry *entry;
1055
1056        switch (type) {
1057        case AUDIT_ADD_RULE:
1058                entry = audit_data_to_entry(data, datasz);
1059                if (IS_ERR(entry))
1060                        return PTR_ERR(entry);
1061
1062                err = audit_add_rule(entry);
1063                audit_log_rule_change("add rule", &entry->rule, !err);
1064                if (err)
1065                        audit_free_rule(entry);
1066                break;
1067        case AUDIT_DEL_RULE:
1068                entry = audit_data_to_entry(data, datasz);
1069                if (IS_ERR(entry))
1070                        return PTR_ERR(entry);
1071
1072                err = audit_del_rule(entry);
1073                audit_log_rule_change("remove rule", &entry->rule, !err);
1074                audit_free_rule(entry);
1075                break;
1076        default:
1077                return -EINVAL;
1078        }
1079
1080        return err;
1081}
1082
1083/**
1084 * audit_list_rules_send - list the audit rules
1085 * @request_skb: skb of request we are replying to (used to target the reply)
1086 * @seq: netlink audit message sequence (serial) number
1087 */
1088int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1089{
1090        u32 portid = NETLINK_CB(request_skb).portid;
1091        struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1092        struct task_struct *tsk;
1093        struct audit_netlink_list *dest;
1094        int err = 0;
1095
1096        /* We can't just spew out the rules here because we might fill
1097         * the available socket buffer space and deadlock waiting for
1098         * auditctl to read from it... which isn't ever going to
1099         * happen if we're actually running in the context of auditctl
1100         * trying to _send_ the stuff */
1101
1102        dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1103        if (!dest)
1104                return -ENOMEM;
1105        dest->net = get_net(net);
1106        dest->portid = portid;
1107        skb_queue_head_init(&dest->q);
1108
1109        mutex_lock(&audit_filter_mutex);
1110        audit_list_rules(portid, seq, &dest->q);
1111        mutex_unlock(&audit_filter_mutex);
1112
1113        tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1114        if (IS_ERR(tsk)) {
1115                skb_queue_purge(&dest->q);
1116                kfree(dest);
1117                err = PTR_ERR(tsk);
1118        }
1119
1120        return err;
1121}
1122
1123int audit_comparator(u32 left, u32 op, u32 right)
1124{
1125        switch (op) {
1126        case Audit_equal:
1127                return (left == right);
1128        case Audit_not_equal:
1129                return (left != right);
1130        case Audit_lt:
1131                return (left < right);
1132        case Audit_le:
1133                return (left <= right);
1134        case Audit_gt:
1135                return (left > right);
1136        case Audit_ge:
1137                return (left >= right);
1138        case Audit_bitmask:
1139                return (left & right);
1140        case Audit_bittest:
1141                return ((left & right) == right);
1142        default:
1143                BUG();
1144                return 0;
1145        }
1146}
1147
1148int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1149{
1150        switch (op) {
1151        case Audit_equal:
1152                return uid_eq(left, right);
1153        case Audit_not_equal:
1154                return !uid_eq(left, right);
1155        case Audit_lt:
1156                return uid_lt(left, right);
1157        case Audit_le:
1158                return uid_lte(left, right);
1159        case Audit_gt:
1160                return uid_gt(left, right);
1161        case Audit_ge:
1162                return uid_gte(left, right);
1163        case Audit_bitmask:
1164        case Audit_bittest:
1165        default:
1166                BUG();
1167                return 0;
1168        }
1169}
1170
1171int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1172{
1173        switch (op) {
1174        case Audit_equal:
1175                return gid_eq(left, right);
1176        case Audit_not_equal:
1177                return !gid_eq(left, right);
1178        case Audit_lt:
1179                return gid_lt(left, right);
1180        case Audit_le:
1181                return gid_lte(left, right);
1182        case Audit_gt:
1183                return gid_gt(left, right);
1184        case Audit_ge:
1185                return gid_gte(left, right);
1186        case Audit_bitmask:
1187        case Audit_bittest:
1188        default:
1189                BUG();
1190                return 0;
1191        }
1192}
1193
1194/**
1195 * parent_len - find the length of the parent portion of a pathname
1196 * @path: pathname of which to determine length
1197 */
1198int parent_len(const char *path)
1199{
1200        int plen;
1201        const char *p;
1202
1203        plen = strlen(path);
1204
1205        if (plen == 0)
1206                return plen;
1207
1208        /* disregard trailing slashes */
1209        p = path + plen - 1;
1210        while ((*p == '/') && (p > path))
1211                p--;
1212
1213        /* walk backward until we find the next slash or hit beginning */
1214        while ((*p != '/') && (p > path))
1215                p--;
1216
1217        /* did we find a slash? Then increment to include it in path */
1218        if (*p == '/')
1219                p++;
1220
1221        return p - path;
1222}
1223
1224/**
1225 * audit_compare_dname_path - compare given dentry name with last component in
1226 *                            given path. Return of 0 indicates a match.
1227 * @dname:      dentry name that we're comparing
1228 * @path:       full pathname that we're comparing
1229 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1230 *              here indicates that we must compute this value.
1231 */
1232int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1233{
1234        int dlen, pathlen;
1235        const char *p;
1236
1237        dlen = strlen(dname);
1238        pathlen = strlen(path);
1239        if (pathlen < dlen)
1240                return 1;
1241
1242        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1243        if (pathlen - parentlen != dlen)
1244                return 1;
1245
1246        p = path + parentlen;
1247
1248        return strncmp(p, dname, dlen);
1249}
1250
1251static int audit_filter_user_rules(struct audit_krule *rule, int type,
1252                                   enum audit_state *state)
1253{
1254        int i;
1255
1256        for (i = 0; i < rule->field_count; i++) {
1257                struct audit_field *f = &rule->fields[i];
1258                pid_t pid;
1259                int result = 0;
1260                u32 sid;
1261
1262                switch (f->type) {
1263                case AUDIT_PID:
1264                        pid = task_pid_nr(current);
1265                        result = audit_comparator(pid, f->op, f->val);
1266                        break;
1267                case AUDIT_UID:
1268                        result = audit_uid_comparator(current_uid(), f->op, f->uid);
1269                        break;
1270                case AUDIT_GID:
1271                        result = audit_gid_comparator(current_gid(), f->op, f->gid);
1272                        break;
1273                case AUDIT_LOGINUID:
1274                        result = audit_uid_comparator(audit_get_loginuid(current),
1275                                                  f->op, f->uid);
1276                        break;
1277                case AUDIT_LOGINUID_SET:
1278                        result = audit_comparator(audit_loginuid_set(current),
1279                                                  f->op, f->val);
1280                        break;
1281                case AUDIT_MSGTYPE:
1282                        result = audit_comparator(type, f->op, f->val);
1283                        break;
1284                case AUDIT_SUBJ_USER:
1285                case AUDIT_SUBJ_ROLE:
1286                case AUDIT_SUBJ_TYPE:
1287                case AUDIT_SUBJ_SEN:
1288                case AUDIT_SUBJ_CLR:
1289                        if (f->lsm_rule) {
1290                                security_task_getsecid(current, &sid);
1291                                result = security_audit_rule_match(sid,
1292                                                                   f->type,
1293                                                                   f->op,
1294                                                                   f->lsm_rule,
1295                                                                   NULL);
1296                        }
1297                        break;
1298                }
1299
1300                if (!result)
1301                        return 0;
1302        }
1303        switch (rule->action) {
1304        case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
1305        case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
1306        }
1307        return 1;
1308}
1309
1310int audit_filter_user(int type)
1311{
1312        enum audit_state state = AUDIT_DISABLED;
1313        struct audit_entry *e;
1314        int rc, ret;
1315
1316        ret = 1; /* Audit by default */
1317
1318        rcu_read_lock();
1319        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1320                rc = audit_filter_user_rules(&e->rule, type, &state);
1321                if (rc) {
1322                        if (rc > 0 && state == AUDIT_DISABLED)
1323                                ret = 0;
1324                        break;
1325                }
1326        }
1327        rcu_read_unlock();
1328
1329        return ret;
1330}
1331
1332int audit_filter_type(int type)
1333{
1334        struct audit_entry *e;
1335        int result = 0;
1336
1337        rcu_read_lock();
1338        if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1339                goto unlock_and_return;
1340
1341        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1342                                list) {
1343                int i;
1344                for (i = 0; i < e->rule.field_count; i++) {
1345                        struct audit_field *f = &e->rule.fields[i];
1346                        if (f->type == AUDIT_MSGTYPE) {
1347                                result = audit_comparator(type, f->op, f->val);
1348                                if (!result)
1349                                        break;
1350                        }
1351                }
1352                if (result)
1353                        goto unlock_and_return;
1354        }
1355unlock_and_return:
1356        rcu_read_unlock();
1357        return result;
1358}
1359
1360static int update_lsm_rule(struct audit_krule *r)
1361{
1362        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1363        struct audit_entry *nentry;
1364        int err = 0;
1365
1366        if (!security_audit_rule_known(r))
1367                return 0;
1368
1369        nentry = audit_dupe_rule(r);
1370        if (IS_ERR(nentry)) {
1371                /* save the first error encountered for the
1372                 * return value */
1373                err = PTR_ERR(nentry);
1374                audit_panic("error updating LSM filters");
1375                if (r->watch)
1376                        list_del(&r->rlist);
1377                list_del_rcu(&entry->list);
1378                list_del(&r->list);
1379        } else {
1380                if (r->watch || r->tree)
1381                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1382                list_replace_rcu(&entry->list, &nentry->list);
1383                list_replace(&r->list, &nentry->rule.list);
1384        }
1385        call_rcu(&entry->rcu, audit_free_rule_rcu);
1386
1387        return err;
1388}
1389
1390/* This function will re-initialize the lsm_rule field of all applicable rules.
1391 * It will traverse the filter lists serarching for rules that contain LSM
1392 * specific filter fields.  When such a rule is found, it is copied, the
1393 * LSM field is re-initialized, and the old rule is replaced with the
1394 * updated rule. */
1395int audit_update_lsm_rules(void)
1396{
1397        struct audit_krule *r, *n;
1398        int i, err = 0;
1399
1400        /* audit_filter_mutex synchronizes the writers */
1401        mutex_lock(&audit_filter_mutex);
1402
1403        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1404                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1405                        int res = update_lsm_rule(r);
1406                        if (!err)
1407                                err = res;
1408                }
1409        }
1410        mutex_unlock(&audit_filter_mutex);
1411
1412        return err;
1413}
1414