LXR linux/kernel/auditfilter.c

   1/* auditfilter.c -- filtering of audit events
   2 *
   3 * Copyright 2003-2004 Red Hat, Inc.
   4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   5 * Copyright 2005 IBM Corporation
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 */
  21
  22#include <linux/kernel.h>
  23#include <linux/audit.h>
  24#include <linux/kthread.h>
  25#include <linux/mutex.h>
  26#include <linux/fs.h>
  27#include <linux/namei.h>
  28#include <linux/netlink.h>
  29#include <linux/sched.h>
  30#include <linux/slab.h>
  31#include <linux/security.h>
  32#include "audit.h"
  33
  34/*
  35 * Locking model:
  36 *
  37 * audit_filter_mutex:
  38 *              Synchronizes writes and blocking reads of audit's filterlist
  39 *              data.  Rcu is used to traverse the filterlist and access
  40 *              contents of structs audit_entry, audit_watch and opaque
  41 *              LSM rules during filtering.  If modified, these structures
  42 *              must be copied and replace their counterparts in the filterlist.
  43 *              An audit_parent struct is not accessed during filtering, so may
  44 *              be written directly provided audit_filter_mutex is held.
  45 */
  46
  47/* Audit filter lists, defined in <linux/audit.h> */
  48struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  49        LIST_HEAD_INIT(audit_filter_list[0]),
  50        LIST_HEAD_INIT(audit_filter_list[1]),
  51        LIST_HEAD_INIT(audit_filter_list[2]),
  52        LIST_HEAD_INIT(audit_filter_list[3]),
  53        LIST_HEAD_INIT(audit_filter_list[4]),
  54        LIST_HEAD_INIT(audit_filter_list[5]),
  55#if AUDIT_NR_FILTERS != 6
  56#error Fix audit_filter_list initialiser
  57#endif
  58};
  59static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  60        LIST_HEAD_INIT(audit_rules_list[0]),
  61        LIST_HEAD_INIT(audit_rules_list[1]),
  62        LIST_HEAD_INIT(audit_rules_list[2]),
  63        LIST_HEAD_INIT(audit_rules_list[3]),
  64        LIST_HEAD_INIT(audit_rules_list[4]),
  65        LIST_HEAD_INIT(audit_rules_list[5]),
  66};
  67
  68DEFINE_MUTEX(audit_filter_mutex);
  69
  70static inline void audit_free_rule(struct audit_entry *e)
  71{
  72        int i;
  73        struct audit_krule *erule = &e->rule;
  74
  75        /* some rules don't have associated watches */
  76        if (erule->watch)
  77                audit_put_watch(erule->watch);
  78        if (erule->fields)
  79                for (i = 0; i < erule->field_count; i++) {
  80                        struct audit_field *f = &erule->fields[i];
  81                        kfree(f->lsm_str);
  82                        security_audit_rule_free(f->lsm_rule);
  83                }
  84        kfree(erule->fields);
  85        kfree(erule->filterkey);
  86        kfree(e);
  87}
  88
  89void audit_free_rule_rcu(struct rcu_head *head)
  90{
  91        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
  92        audit_free_rule(e);
  93}
  94
  95/* Initialize an audit filterlist entry. */
  96static inline struct audit_entry *audit_init_entry(u32 field_count)
  97{
  98        struct audit_entry *entry;
  99        struct audit_field *fields;
 100
 101        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 102        if (unlikely(!entry))
 103                return NULL;
 104
 105        fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
 106        if (unlikely(!fields)) {
 107                kfree(entry);
 108                return NULL;
 109        }
 110        entry->rule.fields = fields;
 111
 112        return entry;
 113}
 114
 115/* Unpack a filter field's string representation from user-space
 116 * buffer. */
 117char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 118{
 119        char *str;
 120
 121        if (!*bufp || (len == 0) || (len > *remain))
 122                return ERR_PTR(-EINVAL);
 123
 124        /* Of the currently implemented string fields, PATH_MAX
 125         * defines the longest valid length.
 126         */
 127        if (len > PATH_MAX)
 128                return ERR_PTR(-ENAMETOOLONG);
 129
 130        str = kmalloc(len + 1, GFP_KERNEL);
 131        if (unlikely(!str))
 132                return ERR_PTR(-ENOMEM);
 133
 134        memcpy(str, *bufp, len);
 135        str[len] = 0;
 136        *bufp += len;
 137        *remain -= len;
 138
 139        return str;
 140}
 141
 142/* Translate an inode field to kernel respresentation. */
 143static inline int audit_to_inode(struct audit_krule *krule,
 144                                 struct audit_field *f)
 145{
 146        if (krule->listnr != AUDIT_FILTER_EXIT ||
 147            krule->watch || krule->inode_f || krule->tree ||
 148            (f->op != Audit_equal && f->op != Audit_not_equal))
 149                return -EINVAL;
 150
 151        krule->inode_f = f;
 152        return 0;
 153}
 154
 155static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 156
 157int __init audit_register_class(int class, unsigned *list)
 158{
 159        __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
 160        if (!p)
 161                return -ENOMEM;
 162        while (*list != ~0U) {
 163                unsigned n = *list++;
 164                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 165                        kfree(p);
 166                        return -EINVAL;
 167                }
 168                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 169        }
 170        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 171                kfree(p);
 172                return -EINVAL;
 173        }
 174        classes[class] = p;
 175        return 0;
 176}
 177
 178int audit_match_class(int class, unsigned syscall)
 179{
 180        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 181                return 0;
 182        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 183                return 0;
 184        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 185}
 186
 187#ifdef CONFIG_AUDITSYSCALL
 188static inline int audit_match_class_bits(int class, u32 *mask)
 189{
 190        int i;
 191
 192        if (classes[class]) {
 193                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 194                        if (mask[i] & classes[class][i])
 195                                return 0;
 196        }
 197        return 1;
 198}
 199
 200static int audit_match_signal(struct audit_entry *entry)
 201{
 202        struct audit_field *arch = entry->rule.arch_f;
 203
 204        if (!arch) {
 205                /* When arch is unspecified, we must check both masks on biarch
 206                 * as syscall number alone is ambiguous. */
 207                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 208                                               entry->rule.mask) &&
 209                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 210                                               entry->rule.mask));
 211        }
 212
 213        switch(audit_classify_arch(arch->val)) {
 214        case 0: /* native */
 215                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 216                                               entry->rule.mask));
 217        case 1: /* 32bit on biarch */
 218                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 219                                               entry->rule.mask));
 220        default:
 221                return 1;
 222        }
 223}
 224#endif
 225
 226/* Common user-space to kernel rule translation. */
 227static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 228{
 229        unsigned listnr;
 230        struct audit_entry *entry;
 231        int i, err;
 232
 233        err = -EINVAL;
 234        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 235        switch(listnr) {
 236        default:
 237                goto exit_err;
 238#ifdef CONFIG_AUDITSYSCALL
 239        case AUDIT_FILTER_ENTRY:
 240                if (rule->action == AUDIT_ALWAYS)
 241                        goto exit_err;
 242        case AUDIT_FILTER_EXIT:
 243        case AUDIT_FILTER_TASK:
 244#endif
 245        case AUDIT_FILTER_USER:
 246        case AUDIT_FILTER_TYPE:
 247                ;
 248        }
 249        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 250                printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
 251                goto exit_err;
 252        }
 253        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 254                goto exit_err;
 255        if (rule->field_count > AUDIT_MAX_FIELDS)
 256                goto exit_err;
 257
 258        err = -ENOMEM;
 259        entry = audit_init_entry(rule->field_count);
 260        if (!entry)
 261                goto exit_err;
 262
 263        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 264        entry->rule.listnr = listnr;
 265        entry->rule.action = rule->action;
 266        entry->rule.field_count = rule->field_count;
 267
 268        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 269                entry->rule.mask[i] = rule->mask[i];
 270
 271        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 272                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 273                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 274                __u32 *class;
 275
 276                if (!(*p & AUDIT_BIT(bit)))
 277                        continue;
 278                *p &= ~AUDIT_BIT(bit);
 279                class = classes[i];
 280                if (class) {
 281                        int j;
 282                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 283                                entry->rule.mask[j] |= class[j];
 284                }
 285        }
 286
 287        return entry;
 288
 289exit_err:
 290        return ERR_PTR(err);
 291}
 292
 293static u32 audit_ops[] =
 294{
 295        [Audit_equal] = AUDIT_EQUAL,
 296        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 297        [Audit_bitmask] = AUDIT_BIT_MASK,
 298        [Audit_bittest] = AUDIT_BIT_TEST,
 299        [Audit_lt] = AUDIT_LESS_THAN,
 300        [Audit_gt] = AUDIT_GREATER_THAN,
 301        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 302        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 303};
 304
 305static u32 audit_to_op(u32 op)
 306{
 307        u32 n;
 308        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 309                ;
 310        return n;
 311}
 312
 313
 314/* Translate struct audit_rule to kernel's rule respresentation.
 315 * Exists for backward compatibility with userspace. */
 316static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
 317{
 318        struct audit_entry *entry;
 319        int err = 0;
 320        int i;
 321
 322        entry = audit_to_entry_common(rule);
 323        if (IS_ERR(entry))
 324                goto exit_nofree;
 325
 326        for (i = 0; i < rule->field_count; i++) {
 327                struct audit_field *f = &entry->rule.fields[i];
 328                u32 n;
 329
 330                n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
 331
 332                /* Support for legacy operators where
 333                 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
 334                if (n & AUDIT_NEGATE)
 335                        f->op = Audit_not_equal;
 336                else if (!n)
 337                        f->op = Audit_equal;
 338                else
 339                        f->op = audit_to_op(n);
 340
 341                entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
 342
 343                f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
 344                f->val = rule->values[i];
 345
 346                err = -EINVAL;
 347                if (f->op == Audit_bad)
 348                        goto exit_free;
 349
 350                switch(f->type) {
 351                default:
 352                        goto exit_free;
 353                case AUDIT_PID:
 354                case AUDIT_UID:
 355                case AUDIT_EUID:
 356                case AUDIT_SUID:
 357                case AUDIT_FSUID:
 358                case AUDIT_GID:
 359                case AUDIT_EGID:
 360                case AUDIT_SGID:
 361                case AUDIT_FSGID:
 362                case AUDIT_LOGINUID:
 363                case AUDIT_PERS:
 364                case AUDIT_MSGTYPE:
 365                case AUDIT_PPID:
 366                case AUDIT_DEVMAJOR:
 367                case AUDIT_DEVMINOR:
 368                case AUDIT_EXIT:
 369                case AUDIT_SUCCESS:
 370                        /* bit ops are only useful on syscall args */
 371                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
 372                                goto exit_free;
 373                        break;
 374                case AUDIT_ARG0:
 375                case AUDIT_ARG1:
 376                case AUDIT_ARG2:
 377                case AUDIT_ARG3:
 378                        break;
 379                /* arch is only allowed to be = or != */
 380                case AUDIT_ARCH:
 381                        if (f->op != Audit_not_equal && f->op != Audit_equal)
 382                                goto exit_free;
 383                        entry->rule.arch_f = f;
 384                        break;
 385                case AUDIT_PERM:
 386                        if (f->val & ~15)
 387                                goto exit_free;
 388                        break;
 389                case AUDIT_FILETYPE:
 390                        if (f->val & ~S_IFMT)
 391                                goto exit_free;
 392                        break;
 393                case AUDIT_INODE:
 394                        err = audit_to_inode(&entry->rule, f);
 395                        if (err)
 396                                goto exit_free;
 397                        break;
 398                }
 399        }
 400
 401        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 402                entry->rule.inode_f = NULL;
 403
 404exit_nofree:
 405        return entry;
 406
 407exit_free:
 408        audit_free_rule(entry);
 409        return ERR_PTR(err);
 410}
 411
 412/* Translate struct audit_rule_data to kernel's rule respresentation. */
 413static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 414                                               size_t datasz)
 415{
 416        int err = 0;
 417        struct audit_entry *entry;
 418        void *bufp;
 419        size_t remain = datasz - sizeof(struct audit_rule_data);
 420        int i;
 421        char *str;
 422
 423        entry = audit_to_entry_common((struct audit_rule *)data);
 424        if (IS_ERR(entry))
 425                goto exit_nofree;
 426
 427        bufp = data->buf;
 428        entry->rule.vers_ops = 2;
 429        for (i = 0; i < data->field_count; i++) {
 430                struct audit_field *f = &entry->rule.fields[i];
 431
 432                err = -EINVAL;
 433
 434                f->op = audit_to_op(data->fieldflags[i]);
 435                if (f->op == Audit_bad)
 436                        goto exit_free;
 437
 438                f->type = data->fields[i];
 439                f->val = data->values[i];
 440                f->lsm_str = NULL;
 441                f->lsm_rule = NULL;
 442                switch(f->type) {
 443                case AUDIT_PID:
 444                case AUDIT_UID:
 445                case AUDIT_EUID:
 446                case AUDIT_SUID:
 447                case AUDIT_FSUID:
 448                case AUDIT_GID:
 449                case AUDIT_EGID:
 450                case AUDIT_SGID:
 451                case AUDIT_FSGID:
 452                case AUDIT_LOGINUID:
 453                case AUDIT_PERS:
 454                case AUDIT_MSGTYPE:
 455                case AUDIT_PPID:
 456                case AUDIT_DEVMAJOR:
 457                case AUDIT_DEVMINOR:
 458                case AUDIT_EXIT:
 459                case AUDIT_SUCCESS:
 460                case AUDIT_ARG0:
 461                case AUDIT_ARG1:
 462                case AUDIT_ARG2:
 463                case AUDIT_ARG3:
 464                case AUDIT_OBJ_UID:
 465                case AUDIT_OBJ_GID:
 466                        break;
 467                case AUDIT_ARCH:
 468                        entry->rule.arch_f = f;
 469                        break;
 470                case AUDIT_SUBJ_USER:
 471                case AUDIT_SUBJ_ROLE:
 472                case AUDIT_SUBJ_TYPE:
 473                case AUDIT_SUBJ_SEN:
 474                case AUDIT_SUBJ_CLR:
 475                case AUDIT_OBJ_USER:
 476                case AUDIT_OBJ_ROLE:
 477                case AUDIT_OBJ_TYPE:
 478                case AUDIT_OBJ_LEV_LOW:
 479                case AUDIT_OBJ_LEV_HIGH:
 480                        str = audit_unpack_string(&bufp, &remain, f->val);
 481                        if (IS_ERR(str))
 482                                goto exit_free;
 483                        entry->rule.buflen += f->val;
 484
 485                        err = security_audit_rule_init(f->type, f->op, str,
 486                                                       (void **)&f->lsm_rule);
 487                        /* Keep currently invalid fields around in case they
 488                         * become valid after a policy reload. */
 489                        if (err == -EINVAL) {
 490                                printk(KERN_WARNING "audit rule for LSM "
 491                                       "\'%s\' is invalid\n",  str);
 492                                err = 0;
 493                        }
 494                        if (err) {
 495                                kfree(str);
 496                                goto exit_free;
 497                        } else
 498                                f->lsm_str = str;
 499                        break;
 500                case AUDIT_WATCH:
 501                        str = audit_unpack_string(&bufp, &remain, f->val);
 502                        if (IS_ERR(str))
 503                                goto exit_free;
 504                        entry->rule.buflen += f->val;
 505
 506                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 507                        if (err) {
 508                                kfree(str);
 509                                goto exit_free;
 510                        }
 511                        break;
 512                case AUDIT_DIR:
 513                        str = audit_unpack_string(&bufp, &remain, f->val);
 514                        if (IS_ERR(str))
 515                                goto exit_free;
 516                        entry->rule.buflen += f->val;
 517
 518                        err = audit_make_tree(&entry->rule, str, f->op);
 519                        kfree(str);
 520                        if (err)
 521                                goto exit_free;
 522                        break;
 523                case AUDIT_INODE:
 524                        err = audit_to_inode(&entry->rule, f);
 525                        if (err)
 526                                goto exit_free;
 527                        break;
 528                case AUDIT_FILTERKEY:
 529                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 530                                goto exit_free;
 531                        str = audit_unpack_string(&bufp, &remain, f->val);
 532                        if (IS_ERR(str))
 533                                goto exit_free;
 534                        entry->rule.buflen += f->val;
 535                        entry->rule.filterkey = str;
 536                        break;
 537                case AUDIT_PERM:
 538                        if (f->val & ~15)
 539                                goto exit_free;
 540                        break;
 541                case AUDIT_FILETYPE:
 542                        if (f->val & ~S_IFMT)
 543                                goto exit_free;
 544                        break;
 545                case AUDIT_FIELD_COMPARE:
 546                        if (f->val > AUDIT_MAX_FIELD_COMPARE)
 547                                goto exit_free;
 548                        break;
 549                default:
 550                        goto exit_free;
 551                }
 552        }
 553
 554        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 555                entry->rule.inode_f = NULL;
 556
 557exit_nofree:
 558        return entry;
 559
 560exit_free:
 561        audit_free_rule(entry);
 562        return ERR_PTR(err);
 563}
 564
 565/* Pack a filter field's string representation into data block. */
 566static inline size_t audit_pack_string(void **bufp, const char *str)
 567{
 568        size_t len = strlen(str);
 569
 570        memcpy(*bufp, str, len);
 571        *bufp += len;
 572
 573        return len;
 574}
 575
 576/* Translate kernel rule respresentation to struct audit_rule.
 577 * Exists for backward compatibility with userspace. */
 578static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
 579{
 580        struct audit_rule *rule;
 581        int i;
 582
 583        rule = kzalloc(sizeof(*rule), GFP_KERNEL);
 584        if (unlikely(!rule))
 585                return NULL;
 586
 587        rule->flags = krule->flags | krule->listnr;
 588        rule->action = krule->action;
 589        rule->field_count = krule->field_count;
 590        for (i = 0; i < rule->field_count; i++) {
 591                rule->values[i] = krule->fields[i].val;
 592                rule->fields[i] = krule->fields[i].type;
 593
 594                if (krule->vers_ops == 1) {
 595                        if (krule->fields[i].op == Audit_not_equal)
 596                                rule->fields[i] |= AUDIT_NEGATE;
 597                } else {
 598                        rule->fields[i] |= audit_ops[krule->fields[i].op];
 599                }
 600        }
 601        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
 602
 603        return rule;
 604}
 605
 606/* Translate kernel rule respresentation to struct audit_rule_data. */
 607static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 608{
 609        struct audit_rule_data *data;
 610        void *bufp;
 611        int i;
 612
 613        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 614        if (unlikely(!data))
 615                return NULL;
 616        memset(data, 0, sizeof(*data));
 617
 618        data->flags = krule->flags | krule->listnr;
 619        data->action = krule->action;
 620        data->field_count = krule->field_count;
 621        bufp = data->buf;
 622        for (i = 0; i < data->field_count; i++) {
 623                struct audit_field *f = &krule->fields[i];
 624
 625                data->fields[i] = f->type;
 626                data->fieldflags[i] = audit_ops[f->op];
 627                switch(f->type) {
 628                case AUDIT_SUBJ_USER:
 629                case AUDIT_SUBJ_ROLE:
 630                case AUDIT_SUBJ_TYPE:
 631                case AUDIT_SUBJ_SEN:
 632                case AUDIT_SUBJ_CLR:
 633                case AUDIT_OBJ_USER:
 634                case AUDIT_OBJ_ROLE:
 635                case AUDIT_OBJ_TYPE:
 636                case AUDIT_OBJ_LEV_LOW:
 637                case AUDIT_OBJ_LEV_HIGH:
 638                        data->buflen += data->values[i] =
 639                                audit_pack_string(&bufp, f->lsm_str);
 640                        break;
 641                case AUDIT_WATCH:
 642                        data->buflen += data->values[i] =
 643                                audit_pack_string(&bufp,
 644                                                  audit_watch_path(krule->watch));
 645                        break;
 646                case AUDIT_DIR:
 647                        data->buflen += data->values[i] =
 648                                audit_pack_string(&bufp,
 649                                                  audit_tree_path(krule->tree));
 650                        break;
 651                case AUDIT_FILTERKEY:
 652                        data->buflen += data->values[i] =
 653                                audit_pack_string(&bufp, krule->filterkey);
 654                        break;
 655                default:
 656                        data->values[i] = f->val;
 657                }
 658        }
 659        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 660
 661        return data;
 662}
 663
 664/* Compare two rules in kernel format.  Considered success if rules
 665 * don't match. */
 666static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 667{
 668        int i;
 669
 670        if (a->flags != b->flags ||
 671            a->listnr != b->listnr ||
 672            a->action != b->action ||
 673            a->field_count != b->field_count)
 674                return 1;
 675
 676        for (i = 0; i < a->field_count; i++) {
 677                if (a->fields[i].type != b->fields[i].type ||
 678                    a->fields[i].op != b->fields[i].op)
 679                        return 1;
 680
 681                switch(a->fields[i].type) {
 682                case AUDIT_SUBJ_USER:
 683                case AUDIT_SUBJ_ROLE:
 684                case AUDIT_SUBJ_TYPE:
 685                case AUDIT_SUBJ_SEN:
 686                case AUDIT_SUBJ_CLR:
 687                case AUDIT_OBJ_USER:
 688                case AUDIT_OBJ_ROLE:
 689                case AUDIT_OBJ_TYPE:
 690                case AUDIT_OBJ_LEV_LOW:
 691                case AUDIT_OBJ_LEV_HIGH:
 692                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 693                                return 1;
 694                        break;
 695                case AUDIT_WATCH:
 696                        if (strcmp(audit_watch_path(a->watch),
 697                                   audit_watch_path(b->watch)))
 698                                return 1;
 699                        break;
 700                case AUDIT_DIR:
 701                        if (strcmp(audit_tree_path(a->tree),
 702                                   audit_tree_path(b->tree)))
 703                                return 1;
 704                        break;
 705                case AUDIT_FILTERKEY:
 706                        /* both filterkeys exist based on above type compare */
 707                        if (strcmp(a->filterkey, b->filterkey))
 708                                return 1;
 709                        break;
 710                default:
 711                        if (a->fields[i].val != b->fields[i].val)
 712                                return 1;
 713                }
 714        }
 715
 716        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 717                if (a->mask[i] != b->mask[i])
 718                        return 1;
 719
 720        return 0;
 721}
 722
 723/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 724 * re-initialized. */
 725static inline int audit_dupe_lsm_field(struct audit_field *df,
 726                                           struct audit_field *sf)
 727{
 728        int ret = 0;
 729        char *lsm_str;
 730
 731        /* our own copy of lsm_str */
 732        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 733        if (unlikely(!lsm_str))
 734                return -ENOMEM;
 735        df->lsm_str = lsm_str;
 736
 737        /* our own (refreshed) copy of lsm_rule */
 738        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 739                                       (void **)&df->lsm_rule);
 740        /* Keep currently invalid fields around in case they
 741         * become valid after a policy reload. */
 742        if (ret == -EINVAL) {
 743                printk(KERN_WARNING "audit rule for LSM \'%s\' is "
 744                       "invalid\n", df->lsm_str);
 745                ret = 0;
 746        }
 747
 748        return ret;
 749}
 750
 751/* Duplicate an audit rule.  This will be a deep copy with the exception
 752 * of the watch - that pointer is carried over.  The LSM specific fields
 753 * will be updated in the copy.  The point is to be able to replace the old
 754 * rule with the new rule in the filterlist, then free the old rule.
 755 * The rlist element is undefined; list manipulations are handled apart from
 756 * the initial copy. */
 757struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 758{
 759        u32 fcount = old->field_count;
 760        struct audit_entry *entry;
 761        struct audit_krule *new;
 762        char *fk;
 763        int i, err = 0;
 764
 765        entry = audit_init_entry(fcount);
 766        if (unlikely(!entry))
 767                return ERR_PTR(-ENOMEM);
 768
 769        new = &entry->rule;
 770        new->vers_ops = old->vers_ops;
 771        new->flags = old->flags;
 772        new->listnr = old->listnr;
 773        new->action = old->action;
 774        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 775                new->mask[i] = old->mask[i];
 776        new->prio = old->prio;
 777        new->buflen = old->buflen;
 778        new->inode_f = old->inode_f;
 779        new->field_count = old->field_count;
 780
 781        /*
 782         * note that we are OK with not refcounting here; audit_match_tree()
 783         * never dereferences tree and we can't get false positives there
 784         * since we'd have to have rule gone from the list *and* removed
 785         * before the chunks found by lookup had been allocated, i.e. before
 786         * the beginning of list scan.
 787         */
 788        new->tree = old->tree;
 789        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 790
 791        /* deep copy this information, updating the lsm_rule fields, because
 792         * the originals will all be freed when the old rule is freed. */
 793        for (i = 0; i < fcount; i++) {
 794                switch (new->fields[i].type) {
 795                case AUDIT_SUBJ_USER:
 796                case AUDIT_SUBJ_ROLE:
 797                case AUDIT_SUBJ_TYPE:
 798                case AUDIT_SUBJ_SEN:
 799                case AUDIT_SUBJ_CLR:
 800                case AUDIT_OBJ_USER:
 801                case AUDIT_OBJ_ROLE:
 802                case AUDIT_OBJ_TYPE:
 803                case AUDIT_OBJ_LEV_LOW:
 804                case AUDIT_OBJ_LEV_HIGH:
 805                        err = audit_dupe_lsm_field(&new->fields[i],
 806                                                       &old->fields[i]);
 807                        break;
 808                case AUDIT_FILTERKEY:
 809                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 810                        if (unlikely(!fk))
 811                                err = -ENOMEM;
 812                        else
 813                                new->filterkey = fk;
 814                }
 815                if (err) {
 816                        audit_free_rule(entry);
 817                        return ERR_PTR(err);
 818                }
 819        }
 820
 821        if (old->watch) {
 822                audit_get_watch(old->watch);
 823                new->watch = old->watch;
 824        }
 825
 826        return entry;
 827}
 828
 829/* Find an existing audit rule.
 830 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 831static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 832                                           struct list_head **p)
 833{
 834        struct audit_entry *e, *found = NULL;
 835        struct list_head *list;
 836        int h;
 837
 838        if (entry->rule.inode_f) {
 839                h = audit_hash_ino(entry->rule.inode_f->val);
 840                *p = list = &audit_inode_hash[h];
 841        } else if (entry->rule.watch) {
 842                /* we don't know the inode number, so must walk entire hash */
 843                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 844                        list = &audit_inode_hash[h];
 845                        list_for_each_entry(e, list, list)
 846                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 847                                        found = e;
 848                                        goto out;
 849                                }
 850                }
 851                goto out;
 852        } else {
 853                *p = list = &audit_filter_list[entry->rule.listnr];
 854        }
 855
 856        list_for_each_entry(e, list, list)
 857                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 858                        found = e;
 859                        goto out;
 860                }
 861
 862out:
 863        return found;
 864}
 865
 866static u64 prio_low = ~0ULL/2;
 867static u64 prio_high = ~0ULL/2 - 1;
 868
 869/* Add rule to given filterlist if not a duplicate. */
 870static inline int audit_add_rule(struct audit_entry *entry)
 871{
 872        struct audit_entry *e;
 873        struct audit_watch *watch = entry->rule.watch;
 874        struct audit_tree *tree = entry->rule.tree;
 875        struct list_head *list;
 876        int err;
 877#ifdef CONFIG_AUDITSYSCALL
 878        int dont_count = 0;
 879
 880        /* If either of these, don't count towards total */
 881        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 882                entry->rule.listnr == AUDIT_FILTER_TYPE)
 883                dont_count = 1;
 884#endif
 885
 886        mutex_lock(&audit_filter_mutex);
 887        e = audit_find_rule(entry, &list);
 888        if (e) {
 889                mutex_unlock(&audit_filter_mutex);
 890                err = -EEXIST;
 891                /* normally audit_add_tree_rule() will free it on failure */
 892                if (tree)
 893                        audit_put_tree(tree);
 894                goto error;
 895        }
 896
 897        if (watch) {
 898                /* audit_filter_mutex is dropped and re-taken during this call */
 899                err = audit_add_watch(&entry->rule, &list);
 900                if (err) {
 901                        mutex_unlock(&audit_filter_mutex);
 902                        goto error;
 903                }
 904        }
 905        if (tree) {
 906                err = audit_add_tree_rule(&entry->rule);
 907                if (err) {
 908                        mutex_unlock(&audit_filter_mutex);
 909                        goto error;
 910                }
 911        }
 912
 913        entry->rule.prio = ~0ULL;
 914        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 915                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 916                        entry->rule.prio = ++prio_high;
 917                else
 918                        entry->rule.prio = --prio_low;
 919        }
 920
 921        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 922                list_add(&entry->rule.list,
 923                         &audit_rules_list[entry->rule.listnr]);
 924                list_add_rcu(&entry->list, list);
 925                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 926        } else {
 927                list_add_tail(&entry->rule.list,
 928                              &audit_rules_list[entry->rule.listnr]);
 929                list_add_tail_rcu(&entry->list, list);
 930        }
 931#ifdef CONFIG_AUDITSYSCALL
 932        if (!dont_count)
 933                audit_n_rules++;
 934
 935        if (!audit_match_signal(entry))
 936                audit_signals++;
 937#endif
 938        mutex_unlock(&audit_filter_mutex);
 939
 940        return 0;
 941
 942error:
 943        if (watch)
 944                audit_put_watch(watch); /* tmp watch, matches initial get */
 945        return err;
 946}
 947
 948/* Remove an existing rule from filterlist. */
 949static inline int audit_del_rule(struct audit_entry *entry)
 950{
 951        struct audit_entry  *e;
 952        struct audit_watch *watch = entry->rule.watch;
 953        struct audit_tree *tree = entry->rule.tree;
 954        struct list_head *list;
 955        int ret = 0;
 956#ifdef CONFIG_AUDITSYSCALL
 957        int dont_count = 0;
 958
 959        /* If either of these, don't count towards total */
 960        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 961                entry->rule.listnr == AUDIT_FILTER_TYPE)
 962                dont_count = 1;
 963#endif
 964
 965        mutex_lock(&audit_filter_mutex);
 966        e = audit_find_rule(entry, &list);
 967        if (!e) {
 968                mutex_unlock(&audit_filter_mutex);
 969                ret = -ENOENT;
 970                goto out;
 971        }
 972
 973        if (e->rule.watch)
 974                audit_remove_watch_rule(&e->rule);
 975
 976        if (e->rule.tree)
 977                audit_remove_tree_rule(&e->rule);
 978
 979        list_del_rcu(&e->list);
 980        list_del(&e->rule.list);
 981        call_rcu(&e->rcu, audit_free_rule_rcu);
 982
 983#ifdef CONFIG_AUDITSYSCALL
 984        if (!dont_count)
 985                audit_n_rules--;
 986
 987        if (!audit_match_signal(entry))
 988                audit_signals--;
 989#endif
 990        mutex_unlock(&audit_filter_mutex);
 991
 992out:
 993        if (watch)
 994                audit_put_watch(watch); /* match initial get */
 995        if (tree)
 996                audit_put_tree(tree);   /* that's the temporary one */
 997
 998        return ret;
 999}
1000

1001/* List rules using struct audit_rule.  Exists for backward
1002 * compatibility with userspace. */
1003static void audit_list(int pid, int seq, struct sk_buff_head *q)
1004{
1005        struct sk_buff *skb;
1006        struct audit_krule *r;
1007        int i;
1008
1009        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1010         * iterator to sync with list writers. */
1011        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1012                list_for_each_entry(r, &audit_rules_list[i], list) {
1013                        struct audit_rule *rule;
1014
1015                        rule = audit_krule_to_rule(r);
1016                        if (unlikely(!rule))
1017                                break;
1018                        skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1019                                         rule, sizeof(*rule));
1020                        if (skb)
1021                                skb_queue_tail(q, skb);
1022                        kfree(rule);
1023                }
1024        }
1025        skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1026        if (skb)
1027                skb_queue_tail(q, skb);
1028}
1029
1030/* List rules using struct audit_rule_data. */
1031static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1032{
1033        struct sk_buff *skb;
1034        struct audit_krule *r;
1035        int i;
1036
1037        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1038         * iterator to sync with list writers. */
1039        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1040                list_for_each_entry(r, &audit_rules_list[i], list) {
1041                        struct audit_rule_data *data;
1042
1043                        data = audit_krule_to_data(r);
1044                        if (unlikely(!data))
1045                                break;
1046                        skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1047                                         data, sizeof(*data) + data->buflen);
1048                        if (skb)
1049                                skb_queue_tail(q, skb);
1050                        kfree(data);
1051                }
1052        }
1053        skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1054        if (skb)
1055                skb_queue_tail(q, skb);
1056}
1057
1058/* Log rule additions and removals */
1059static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1060                                  char *action, struct audit_krule *rule,
1061                                  int res)
1062{
1063        struct audit_buffer *ab;
1064
1065        if (!audit_enabled)
1066                return;
1067
1068        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1069        if (!ab)
1070                return;
1071        audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1072        if (sid) {
1073                char *ctx = NULL;
1074                u32 len;
1075                if (security_secid_to_secctx(sid, &ctx, &len))
1076                        audit_log_format(ab, " ssid=%u", sid);
1077                else {
1078                        audit_log_format(ab, " subj=%s", ctx);
1079                        security_release_secctx(ctx, len);
1080                }
1081        }
1082        audit_log_format(ab, " op=");
1083        audit_log_string(ab, action);
1084        audit_log_key(ab, rule->filterkey);
1085        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1086        audit_log_end(ab);
1087}
1088
1089/**
1090 * audit_receive_filter - apply all rules to the specified message type
1091 * @type: audit message type
1092 * @pid: target pid for netlink audit messages
1093 * @uid: target uid for netlink audit messages
1094 * @seq: netlink audit message sequence (serial) number
1095 * @data: payload data
1096 * @datasz: size of payload data
1097 * @loginuid: loginuid of sender
1098 * @sessionid: sessionid for netlink audit message
1099 * @sid: SE Linux Security ID of sender
1100 */
1101int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1102                         size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1103{
1104        struct task_struct *tsk;
1105        struct audit_netlink_list *dest;
1106        int err = 0;
1107        struct audit_entry *entry;
1108
1109        switch (type) {
1110        case AUDIT_LIST:
1111        case AUDIT_LIST_RULES:
1112                /* We can't just spew out the rules here because we might fill
1113                 * the available socket buffer space and deadlock waiting for
1114                 * auditctl to read from it... which isn't ever going to
1115                 * happen if we're actually running in the context of auditctl
1116                 * trying to _send_ the stuff */
1117
1118                dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1119                if (!dest)
1120                        return -ENOMEM;
1121                dest->pid = pid;
1122                skb_queue_head_init(&dest->q);
1123
1124                mutex_lock(&audit_filter_mutex);
1125                if (type == AUDIT_LIST)
1126                        audit_list(pid, seq, &dest->q);
1127                else
1128                        audit_list_rules(pid, seq, &dest->q);
1129                mutex_unlock(&audit_filter_mutex);
1130
1131                tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1132                if (IS_ERR(tsk)) {
1133                        skb_queue_purge(&dest->q);
1134                        kfree(dest);
1135                        err = PTR_ERR(tsk);
1136                }
1137                break;
1138        case AUDIT_ADD:
1139        case AUDIT_ADD_RULE:
1140                if (type == AUDIT_ADD)
1141                        entry = audit_rule_to_entry(data);
1142                else
1143                        entry = audit_data_to_entry(data, datasz);
1144                if (IS_ERR(entry))
1145                        return PTR_ERR(entry);
1146
1147                err = audit_add_rule(entry);
1148                audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1149                                      &entry->rule, !err);
1150
1151                if (err)
1152                        audit_free_rule(entry);
1153                break;
1154        case AUDIT_DEL:
1155        case AUDIT_DEL_RULE:
1156                if (type == AUDIT_DEL)
1157                        entry = audit_rule_to_entry(data);
1158                else
1159                        entry = audit_data_to_entry(data, datasz);
1160                if (IS_ERR(entry))
1161                        return PTR_ERR(entry);
1162
1163                err = audit_del_rule(entry);
1164                audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1165                                      &entry->rule, !err);
1166
1167                audit_free_rule(entry);
1168                break;
1169        default:
1170                return -EINVAL;
1171        }
1172
1173        return err;
1174}
1175
1176int audit_comparator(u32 left, u32 op, u32 right)
1177{
1178        switch (op) {
1179        case Audit_equal:
1180                return (left == right);
1181        case Audit_not_equal:
1182                return (left != right);
1183        case Audit_lt:
1184                return (left < right);
1185        case Audit_le:
1186                return (left <= right);
1187        case Audit_gt:
1188                return (left > right);
1189        case Audit_ge:
1190                return (left >= right);
1191        case Audit_bitmask:
1192                return (left & right);
1193        case Audit_bittest:
1194                return ((left & right) == right);
1195        default:
1196                BUG();
1197                return 0;
1198        }
1199}
1200
1201/* Compare given dentry name with last component in given path,
1202 * return of 0 indicates a match. */
1203int audit_compare_dname_path(const char *dname, const char *path,
1204                             int *dirlen)
1205{
1206        int dlen, plen;
1207        const char *p;
1208
1209        if (!dname || !path)
1210                return 1;
1211
1212        dlen = strlen(dname);
1213        plen = strlen(path);
1214        if (plen < dlen)
1215                return 1;
1216
1217        /* disregard trailing slashes */
1218        p = path + plen - 1;
1219        while ((*p == '/') && (p > path))
1220                p--;
1221
1222        /* find last path component */
1223        p = p - dlen + 1;
1224        if (p < path)
1225                return 1;
1226        else if (p > path) {
1227                if (*--p != '/')
1228                        return 1;
1229                else
1230                        p++;
1231        }
1232
1233        /* return length of path's directory component */
1234        if (dirlen)
1235                *dirlen = p - path;
1236        return strncmp(p, dname, dlen);
1237}
1238
1239static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1240                                   struct audit_krule *rule,
1241                                   enum audit_state *state)
1242{
1243        int i;
1244
1245        for (i = 0; i < rule->field_count; i++) {
1246                struct audit_field *f = &rule->fields[i];
1247                int result = 0;
1248                u32 sid;
1249
1250                switch (f->type) {
1251                case AUDIT_PID:
1252                        result = audit_comparator(cb->creds.pid, f->op, f->val);
1253                        break;
1254                case AUDIT_UID:
1255                        result = audit_comparator(cb->creds.uid, f->op, f->val);
1256                        break;
1257                case AUDIT_GID:
1258                        result = audit_comparator(cb->creds.gid, f->op, f->val);
1259                        break;
1260                case AUDIT_LOGINUID:
1261                        result = audit_comparator(audit_get_loginuid(current),
1262                                                  f->op, f->val);
1263                        break;
1264                case AUDIT_SUBJ_USER:
1265                case AUDIT_SUBJ_ROLE:
1266                case AUDIT_SUBJ_TYPE:
1267                case AUDIT_SUBJ_SEN:
1268                case AUDIT_SUBJ_CLR:
1269                        if (f->lsm_rule) {
1270                                security_task_getsecid(current, &sid);
1271                                result = security_audit_rule_match(sid,
1272                                                                   f->type,
1273                                                                   f->op,
1274                                                                   f->lsm_rule,
1275                                                                   NULL);
1276                        }
1277                        break;
1278                }
1279
1280                if (!result)
1281                        return 0;
1282        }
1283        switch (rule->action) {
1284        case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
1285        case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
1286        }
1287        return 1;
1288}
1289
1290int audit_filter_user(struct netlink_skb_parms *cb)
1291{
1292        enum audit_state state = AUDIT_DISABLED;
1293        struct audit_entry *e;
1294        int ret = 1;
1295
1296        rcu_read_lock();
1297        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1298                if (audit_filter_user_rules(cb, &e->rule, &state)) {
1299                        if (state == AUDIT_DISABLED)
1300                                ret = 0;
1301                        break;
1302                }
1303        }
1304        rcu_read_unlock();
1305
1306        return ret; /* Audit by default */
1307}
1308
1309int audit_filter_type(int type)
1310{
1311        struct audit_entry *e;
1312        int result = 0;
1313
1314        rcu_read_lock();
1315        if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1316                goto unlock_and_return;
1317
1318        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1319                                list) {
1320                int i;
1321                for (i = 0; i < e->rule.field_count; i++) {
1322                        struct audit_field *f = &e->rule.fields[i];
1323                        if (f->type == AUDIT_MSGTYPE) {
1324                                result = audit_comparator(type, f->op, f->val);
1325                                if (!result)
1326                                        break;
1327                        }
1328                }
1329                if (result)
1330                        goto unlock_and_return;
1331        }
1332unlock_and_return:
1333        rcu_read_unlock();
1334        return result;
1335}
1336
1337static int update_lsm_rule(struct audit_krule *r)
1338{
1339        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1340        struct audit_entry *nentry;
1341        int err = 0;
1342
1343        if (!security_audit_rule_known(r))
1344                return 0;
1345
1346        nentry = audit_dupe_rule(r);
1347        if (IS_ERR(nentry)) {
1348                /* save the first error encountered for the
1349                 * return value */
1350                err = PTR_ERR(nentry);
1351                audit_panic("error updating LSM filters");
1352                if (r->watch)
1353                        list_del(&r->rlist);
1354                list_del_rcu(&entry->list);
1355                list_del(&r->list);
1356        } else {
1357                if (r->watch || r->tree)
1358                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1359                list_replace_rcu(&entry->list, &nentry->list);
1360                list_replace(&r->list, &nentry->rule.list);
1361        }
1362        call_rcu(&entry->rcu, audit_free_rule_rcu);
1363
1364        return err;
1365}
1366
1367/* This function will re-initialize the lsm_rule field of all applicable rules.
1368 * It will traverse the filter lists serarching for rules that contain LSM
1369 * specific filter fields.  When such a rule is found, it is copied, the
1370 * LSM field is re-initialized, and the old rule is replaced with the
1371 * updated rule. */
1372int audit_update_lsm_rules(void)
1373{
1374        struct audit_krule *r, *n;
1375        int i, err = 0;
1376
1377        /* audit_filter_mutex synchronizes the writers */
1378        mutex_lock(&audit_filter_mutex);
1379
1380        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1381                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1382                        int res = update_lsm_rule(r);
1383                        if (!err)
1384                                err = res;
1385                }
1386        }
1387        mutex_unlock(&audit_filter_mutex);
1388
1389        return err;
1390}
1391