LXR linux/kernel/auditfilter.c

   1/* auditfilter.c -- filtering of audit events
   2 *
   3 * Copyright 2003-2004 Red Hat, Inc.
   4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   5 * Copyright 2005 IBM Corporation
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 */
  21
  22#include <linux/kernel.h>
  23#include <linux/audit.h>
  24#include <linux/kthread.h>
  25#include <linux/mutex.h>
  26#include <linux/fs.h>
  27#include <linux/namei.h>
  28#include <linux/netlink.h>
  29#include <linux/sched.h>
  30#include <linux/slab.h>
  31#include <linux/security.h>
  32#include "audit.h"
  33
  34/*
  35 * Locking model:
  36 *
  37 * audit_filter_mutex:
  38 *              Synchronizes writes and blocking reads of audit's filterlist
  39 *              data.  Rcu is used to traverse the filterlist and access
  40 *              contents of structs audit_entry, audit_watch and opaque
  41 *              LSM rules during filtering.  If modified, these structures
  42 *              must be copied and replace their counterparts in the filterlist.
  43 *              An audit_parent struct is not accessed during filtering, so may
  44 *              be written directly provided audit_filter_mutex is held.
  45 */
  46
  47/* Audit filter lists, defined in <linux/audit.h> */
  48struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  49        LIST_HEAD_INIT(audit_filter_list[0]),
  50        LIST_HEAD_INIT(audit_filter_list[1]),
  51        LIST_HEAD_INIT(audit_filter_list[2]),
  52        LIST_HEAD_INIT(audit_filter_list[3]),
  53        LIST_HEAD_INIT(audit_filter_list[4]),
  54        LIST_HEAD_INIT(audit_filter_list[5]),
  55#if AUDIT_NR_FILTERS != 6
  56#error Fix audit_filter_list initialiser
  57#endif
  58};
  59static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  60        LIST_HEAD_INIT(audit_rules_list[0]),
  61        LIST_HEAD_INIT(audit_rules_list[1]),
  62        LIST_HEAD_INIT(audit_rules_list[2]),
  63        LIST_HEAD_INIT(audit_rules_list[3]),
  64        LIST_HEAD_INIT(audit_rules_list[4]),
  65        LIST_HEAD_INIT(audit_rules_list[5]),
  66};
  67
  68DEFINE_MUTEX(audit_filter_mutex);
  69
  70static inline void audit_free_rule(struct audit_entry *e)
  71{
  72        int i;
  73        struct audit_krule *erule = &e->rule;
  74
  75        /* some rules don't have associated watches */
  76        if (erule->watch)
  77                audit_put_watch(erule->watch);
  78        if (erule->fields)
  79                for (i = 0; i < erule->field_count; i++) {
  80                        struct audit_field *f = &erule->fields[i];
  81                        kfree(f->lsm_str);
  82                        security_audit_rule_free(f->lsm_rule);
  83                }
  84        kfree(erule->fields);
  85        kfree(erule->filterkey);
  86        kfree(e);
  87}
  88
  89void audit_free_rule_rcu(struct rcu_head *head)
  90{
  91        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
  92        audit_free_rule(e);
  93}
  94
  95/* Initialize an audit filterlist entry. */
  96static inline struct audit_entry *audit_init_entry(u32 field_count)
  97{
  98        struct audit_entry *entry;
  99        struct audit_field *fields;
 100
 101        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 102        if (unlikely(!entry))
 103                return NULL;
 104
 105        fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
 106        if (unlikely(!fields)) {
 107                kfree(entry);
 108                return NULL;
 109        }
 110        entry->rule.fields = fields;
 111
 112        return entry;
 113}
 114
 115/* Unpack a filter field's string representation from user-space
 116 * buffer. */
 117char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 118{
 119        char *str;
 120
 121        if (!*bufp || (len == 0) || (len > *remain))
 122                return ERR_PTR(-EINVAL);
 123
 124        /* Of the currently implemented string fields, PATH_MAX
 125         * defines the longest valid length.
 126         */
 127        if (len > PATH_MAX)
 128                return ERR_PTR(-ENAMETOOLONG);
 129
 130        str = kmalloc(len + 1, GFP_KERNEL);
 131        if (unlikely(!str))
 132                return ERR_PTR(-ENOMEM);
 133
 134        memcpy(str, *bufp, len);
 135        str[len] = 0;
 136        *bufp += len;
 137        *remain -= len;
 138
 139        return str;
 140}
 141
 142/* Translate an inode field to kernel respresentation. */
 143static inline int audit_to_inode(struct audit_krule *krule,
 144                                 struct audit_field *f)
 145{
 146        if (krule->listnr != AUDIT_FILTER_EXIT ||
 147            krule->watch || krule->inode_f || krule->tree ||
 148            (f->op != Audit_equal && f->op != Audit_not_equal))
 149                return -EINVAL;
 150
 151        krule->inode_f = f;
 152        return 0;
 153}
 154
 155static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 156
 157int __init audit_register_class(int class, unsigned *list)
 158{
 159        __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
 160        if (!p)
 161                return -ENOMEM;
 162        while (*list != ~0U) {
 163                unsigned n = *list++;
 164                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 165                        kfree(p);
 166                        return -EINVAL;
 167                }
 168                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 169        }
 170        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 171                kfree(p);
 172                return -EINVAL;
 173        }
 174        classes[class] = p;
 175        return 0;
 176}
 177
 178int audit_match_class(int class, unsigned syscall)
 179{
 180        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 181                return 0;
 182        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 183                return 0;
 184        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 185}
 186
 187#ifdef CONFIG_AUDITSYSCALL
 188static inline int audit_match_class_bits(int class, u32 *mask)
 189{
 190        int i;
 191
 192        if (classes[class]) {
 193                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 194                        if (mask[i] & classes[class][i])
 195                                return 0;
 196        }
 197        return 1;
 198}
 199
 200static int audit_match_signal(struct audit_entry *entry)
 201{
 202        struct audit_field *arch = entry->rule.arch_f;
 203
 204        if (!arch) {
 205                /* When arch is unspecified, we must check both masks on biarch
 206                 * as syscall number alone is ambiguous. */
 207                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 208                                               entry->rule.mask) &&
 209                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 210                                               entry->rule.mask));
 211        }
 212
 213        switch(audit_classify_arch(arch->val)) {
 214        case 0: /* native */
 215                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 216                                               entry->rule.mask));
 217        case 1: /* 32bit on biarch */
 218                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 219                                               entry->rule.mask));
 220        default:
 221                return 1;
 222        }
 223}
 224#endif
 225
 226/* Common user-space to kernel rule translation. */
 227static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 228{
 229        unsigned listnr;
 230        struct audit_entry *entry;
 231        int i, err;
 232
 233        err = -EINVAL;
 234        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 235        switch(listnr) {
 236        default:
 237                goto exit_err;
 238#ifdef CONFIG_AUDITSYSCALL
 239        case AUDIT_FILTER_ENTRY:
 240                if (rule->action == AUDIT_ALWAYS)
 241                        goto exit_err;
 242        case AUDIT_FILTER_EXIT:
 243        case AUDIT_FILTER_TASK:
 244#endif
 245        case AUDIT_FILTER_USER:
 246        case AUDIT_FILTER_TYPE:
 247                ;
 248        }
 249        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 250                printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
 251                goto exit_err;
 252        }
 253        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 254                goto exit_err;
 255        if (rule->field_count > AUDIT_MAX_FIELDS)
 256                goto exit_err;
 257
 258        err = -ENOMEM;
 259        entry = audit_init_entry(rule->field_count);
 260        if (!entry)
 261                goto exit_err;
 262
 263        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 264        entry->rule.listnr = listnr;
 265        entry->rule.action = rule->action;
 266        entry->rule.field_count = rule->field_count;
 267
 268        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 269                entry->rule.mask[i] = rule->mask[i];
 270
 271        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 272                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 273                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 274                __u32 *class;
 275
 276                if (!(*p & AUDIT_BIT(bit)))
 277                        continue;
 278                *p &= ~AUDIT_BIT(bit);
 279                class = classes[i];
 280                if (class) {
 281                        int j;
 282                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 283                                entry->rule.mask[j] |= class[j];
 284                }
 285        }
 286
 287        return entry;
 288
 289exit_err:
 290        return ERR_PTR(err);
 291}
 292
 293static u32 audit_ops[] =
 294{
 295        [Audit_equal] = AUDIT_EQUAL,
 296        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 297        [Audit_bitmask] = AUDIT_BIT_MASK,
 298        [Audit_bittest] = AUDIT_BIT_TEST,
 299        [Audit_lt] = AUDIT_LESS_THAN,
 300        [Audit_gt] = AUDIT_GREATER_THAN,
 301        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 302        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 303};
 304
 305static u32 audit_to_op(u32 op)
 306{
 307        u32 n;
 308        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 309                ;
 310        return n;
 311}
 312
 313
 314/* Translate struct audit_rule to kernel's rule respresentation.
 315 * Exists for backward compatibility with userspace. */
 316static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
 317{
 318        struct audit_entry *entry;
 319        int err = 0;
 320        int i;
 321
 322        entry = audit_to_entry_common(rule);
 323        if (IS_ERR(entry))
 324                goto exit_nofree;
 325
 326        for (i = 0; i < rule->field_count; i++) {
 327                struct audit_field *f = &entry->rule.fields[i];
 328                u32 n;
 329
 330                n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
 331
 332                /* Support for legacy operators where
 333                 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
 334                if (n & AUDIT_NEGATE)
 335                        f->op = Audit_not_equal;
 336                else if (!n)
 337                        f->op = Audit_equal;
 338                else
 339                        f->op = audit_to_op(n);
 340
 341                entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
 342
 343                f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
 344                f->val = rule->values[i];
 345                f->uid = INVALID_UID;
 346                f->gid = INVALID_GID;
 347
 348                err = -EINVAL;
 349                if (f->op == Audit_bad)
 350                        goto exit_free;
 351
 352                switch(f->type) {
 353                default:
 354                        goto exit_free;
 355                case AUDIT_UID:
 356                case AUDIT_EUID:
 357                case AUDIT_SUID:
 358                case AUDIT_FSUID:
 359                case AUDIT_LOGINUID:
 360                        /* bit ops not implemented for uid comparisons */
 361                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
 362                                goto exit_free;
 363
 364                        f->uid = make_kuid(current_user_ns(), f->val);
 365                        if (!uid_valid(f->uid))
 366                                goto exit_free;
 367                        break;
 368                case AUDIT_GID:
 369                case AUDIT_EGID:
 370                case AUDIT_SGID:
 371                case AUDIT_FSGID:
 372                        /* bit ops not implemented for gid comparisons */
 373                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
 374                                goto exit_free;
 375
 376                        f->gid = make_kgid(current_user_ns(), f->val);
 377                        if (!gid_valid(f->gid))
 378                                goto exit_free;
 379                        break;
 380                case AUDIT_PID:
 381                case AUDIT_PERS:
 382                case AUDIT_MSGTYPE:
 383                case AUDIT_PPID:
 384                case AUDIT_DEVMAJOR:
 385                case AUDIT_DEVMINOR:
 386                case AUDIT_EXIT:
 387                case AUDIT_SUCCESS:
 388                        /* bit ops are only useful on syscall args */
 389                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
 390                                goto exit_free;
 391                        break;
 392                case AUDIT_ARG0:
 393                case AUDIT_ARG1:
 394                case AUDIT_ARG2:
 395                case AUDIT_ARG3:
 396                        break;
 397                /* arch is only allowed to be = or != */
 398                case AUDIT_ARCH:
 399                        if (f->op != Audit_not_equal && f->op != Audit_equal)
 400                                goto exit_free;
 401                        entry->rule.arch_f = f;
 402                        break;
 403                case AUDIT_PERM:
 404                        if (f->val & ~15)
 405                                goto exit_free;
 406                        break;
 407                case AUDIT_FILETYPE:
 408                        if (f->val & ~S_IFMT)
 409                                goto exit_free;
 410                        break;
 411                case AUDIT_INODE:
 412                        err = audit_to_inode(&entry->rule, f);
 413                        if (err)
 414                                goto exit_free;
 415                        break;
 416                }
 417        }
 418
 419        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 420                entry->rule.inode_f = NULL;
 421
 422exit_nofree:
 423        return entry;
 424
 425exit_free:
 426        audit_free_rule(entry);
 427        return ERR_PTR(err);
 428}
 429
 430/* Translate struct audit_rule_data to kernel's rule respresentation. */
 431static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 432                                               size_t datasz)
 433{
 434        int err = 0;
 435        struct audit_entry *entry;
 436        void *bufp;
 437        size_t remain = datasz - sizeof(struct audit_rule_data);
 438        int i;
 439        char *str;
 440
 441        entry = audit_to_entry_common((struct audit_rule *)data);
 442        if (IS_ERR(entry))
 443                goto exit_nofree;
 444
 445        bufp = data->buf;
 446        entry->rule.vers_ops = 2;
 447        for (i = 0; i < data->field_count; i++) {
 448                struct audit_field *f = &entry->rule.fields[i];
 449
 450                err = -EINVAL;
 451
 452                f->op = audit_to_op(data->fieldflags[i]);
 453                if (f->op == Audit_bad)
 454                        goto exit_free;
 455
 456                f->type = data->fields[i];
 457                f->val = data->values[i];
 458                f->uid = INVALID_UID;
 459                f->gid = INVALID_GID;
 460                f->lsm_str = NULL;
 461                f->lsm_rule = NULL;
 462                switch(f->type) {
 463                case AUDIT_UID:
 464                case AUDIT_EUID:
 465                case AUDIT_SUID:
 466                case AUDIT_FSUID:
 467                case AUDIT_LOGINUID:
 468                case AUDIT_OBJ_UID:
 469                        /* bit ops not implemented for uid comparisons */
 470                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
 471                                goto exit_free;
 472
 473                        f->uid = make_kuid(current_user_ns(), f->val);
 474                        if (!uid_valid(f->uid))
 475                                goto exit_free;
 476                        break;
 477                case AUDIT_GID:
 478                case AUDIT_EGID:
 479                case AUDIT_SGID:
 480                case AUDIT_FSGID:
 481                case AUDIT_OBJ_GID:
 482                        /* bit ops not implemented for gid comparisons */
 483                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
 484                                goto exit_free;
 485
 486                        f->gid = make_kgid(current_user_ns(), f->val);
 487                        if (!gid_valid(f->gid))
 488                                goto exit_free;
 489                        break;
 490                case AUDIT_PID:
 491                case AUDIT_PERS:
 492                case AUDIT_MSGTYPE:
 493                case AUDIT_PPID:
 494                case AUDIT_DEVMAJOR:
 495                case AUDIT_DEVMINOR:
 496                case AUDIT_EXIT:
 497                case AUDIT_SUCCESS:
 498                case AUDIT_ARG0:
 499                case AUDIT_ARG1:
 500                case AUDIT_ARG2:
 501                case AUDIT_ARG3:
 502                        break;
 503                case AUDIT_ARCH:
 504                        entry->rule.arch_f = f;
 505                        break;
 506                case AUDIT_SUBJ_USER:
 507                case AUDIT_SUBJ_ROLE:
 508                case AUDIT_SUBJ_TYPE:
 509                case AUDIT_SUBJ_SEN:
 510                case AUDIT_SUBJ_CLR:
 511                case AUDIT_OBJ_USER:
 512                case AUDIT_OBJ_ROLE:
 513                case AUDIT_OBJ_TYPE:
 514                case AUDIT_OBJ_LEV_LOW:
 515                case AUDIT_OBJ_LEV_HIGH:
 516                        str = audit_unpack_string(&bufp, &remain, f->val);
 517                        if (IS_ERR(str))
 518                                goto exit_free;
 519                        entry->rule.buflen += f->val;
 520
 521                        err = security_audit_rule_init(f->type, f->op, str,
 522                                                       (void **)&f->lsm_rule);
 523                        /* Keep currently invalid fields around in case they
 524                         * become valid after a policy reload. */
 525                        if (err == -EINVAL) {
 526                                printk(KERN_WARNING "audit rule for LSM "
 527                                       "\'%s\' is invalid\n",  str);
 528                                err = 0;
 529                        }
 530                        if (err) {
 531                                kfree(str);
 532                                goto exit_free;
 533                        } else
 534                                f->lsm_str = str;
 535                        break;
 536                case AUDIT_WATCH:
 537                        str = audit_unpack_string(&bufp, &remain, f->val);
 538                        if (IS_ERR(str))
 539                                goto exit_free;
 540                        entry->rule.buflen += f->val;
 541
 542                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 543                        if (err) {
 544                                kfree(str);
 545                                goto exit_free;
 546                        }
 547                        break;
 548                case AUDIT_DIR:
 549                        str = audit_unpack_string(&bufp, &remain, f->val);
 550                        if (IS_ERR(str))
 551                                goto exit_free;
 552                        entry->rule.buflen += f->val;
 553
 554                        err = audit_make_tree(&entry->rule, str, f->op);
 555                        kfree(str);
 556                        if (err)
 557                                goto exit_free;
 558                        break;
 559                case AUDIT_INODE:
 560                        err = audit_to_inode(&entry->rule, f);
 561                        if (err)
 562                                goto exit_free;
 563                        break;
 564                case AUDIT_FILTERKEY:
 565                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 566                                goto exit_free;
 567                        str = audit_unpack_string(&bufp, &remain, f->val);
 568                        if (IS_ERR(str))
 569                                goto exit_free;
 570                        entry->rule.buflen += f->val;
 571                        entry->rule.filterkey = str;
 572                        break;
 573                case AUDIT_PERM:
 574                        if (f->val & ~15)
 575                                goto exit_free;
 576                        break;
 577                case AUDIT_FILETYPE:
 578                        if (f->val & ~S_IFMT)
 579                                goto exit_free;
 580                        break;
 581                case AUDIT_FIELD_COMPARE:
 582                        if (f->val > AUDIT_MAX_FIELD_COMPARE)
 583                                goto exit_free;
 584                        break;
 585                default:
 586                        goto exit_free;
 587                }
 588        }
 589
 590        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 591                entry->rule.inode_f = NULL;
 592
 593exit_nofree:
 594        return entry;
 595
 596exit_free:
 597        audit_free_rule(entry);
 598        return ERR_PTR(err);
 599}
 600
 601/* Pack a filter field's string representation into data block. */
 602static inline size_t audit_pack_string(void **bufp, const char *str)
 603{
 604        size_t len = strlen(str);
 605
 606        memcpy(*bufp, str, len);
 607        *bufp += len;
 608
 609        return len;
 610}
 611
 612/* Translate kernel rule respresentation to struct audit_rule.
 613 * Exists for backward compatibility with userspace. */
 614static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
 615{
 616        struct audit_rule *rule;
 617        int i;
 618
 619        rule = kzalloc(sizeof(*rule), GFP_KERNEL);
 620        if (unlikely(!rule))
 621                return NULL;
 622
 623        rule->flags = krule->flags | krule->listnr;
 624        rule->action = krule->action;
 625        rule->field_count = krule->field_count;
 626        for (i = 0; i < rule->field_count; i++) {
 627                rule->values[i] = krule->fields[i].val;
 628                rule->fields[i] = krule->fields[i].type;
 629
 630                if (krule->vers_ops == 1) {
 631                        if (krule->fields[i].op == Audit_not_equal)
 632                                rule->fields[i] |= AUDIT_NEGATE;
 633                } else {
 634                        rule->fields[i] |= audit_ops[krule->fields[i].op];
 635                }
 636        }
 637        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
 638
 639        return rule;
 640}
 641
 642/* Translate kernel rule respresentation to struct audit_rule_data. */
 643static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 644{
 645        struct audit_rule_data *data;
 646        void *bufp;
 647        int i;
 648
 649        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 650        if (unlikely(!data))
 651                return NULL;
 652        memset(data, 0, sizeof(*data));
 653
 654        data->flags = krule->flags | krule->listnr;
 655        data->action = krule->action;
 656        data->field_count = krule->field_count;
 657        bufp = data->buf;
 658        for (i = 0; i < data->field_count; i++) {
 659                struct audit_field *f = &krule->fields[i];
 660
 661                data->fields[i] = f->type;
 662                data->fieldflags[i] = audit_ops[f->op];
 663                switch(f->type) {
 664                case AUDIT_SUBJ_USER:
 665                case AUDIT_SUBJ_ROLE:
 666                case AUDIT_SUBJ_TYPE:
 667                case AUDIT_SUBJ_SEN:
 668                case AUDIT_SUBJ_CLR:
 669                case AUDIT_OBJ_USER:
 670                case AUDIT_OBJ_ROLE:
 671                case AUDIT_OBJ_TYPE:
 672                case AUDIT_OBJ_LEV_LOW:
 673                case AUDIT_OBJ_LEV_HIGH:
 674                        data->buflen += data->values[i] =
 675                                audit_pack_string(&bufp, f->lsm_str);
 676                        break;
 677                case AUDIT_WATCH:
 678                        data->buflen += data->values[i] =
 679                                audit_pack_string(&bufp,
 680                                                  audit_watch_path(krule->watch));
 681                        break;
 682                case AUDIT_DIR:
 683                        data->buflen += data->values[i] =
 684                                audit_pack_string(&bufp,
 685                                                  audit_tree_path(krule->tree));
 686                        break;
 687                case AUDIT_FILTERKEY:
 688                        data->buflen += data->values[i] =
 689                                audit_pack_string(&bufp, krule->filterkey);
 690                        break;
 691                default:
 692                        data->values[i] = f->val;
 693                }
 694        }
 695        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 696
 697        return data;
 698}
 699
 700/* Compare two rules in kernel format.  Considered success if rules
 701 * don't match. */
 702static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 703{
 704        int i;
 705
 706        if (a->flags != b->flags ||
 707            a->listnr != b->listnr ||
 708            a->action != b->action ||
 709            a->field_count != b->field_count)
 710                return 1;
 711
 712        for (i = 0; i < a->field_count; i++) {
 713                if (a->fields[i].type != b->fields[i].type ||
 714                    a->fields[i].op != b->fields[i].op)
 715                        return 1;
 716
 717                switch(a->fields[i].type) {
 718                case AUDIT_SUBJ_USER:
 719                case AUDIT_SUBJ_ROLE:
 720                case AUDIT_SUBJ_TYPE:
 721                case AUDIT_SUBJ_SEN:
 722                case AUDIT_SUBJ_CLR:
 723                case AUDIT_OBJ_USER:
 724                case AUDIT_OBJ_ROLE:
 725                case AUDIT_OBJ_TYPE:
 726                case AUDIT_OBJ_LEV_LOW:
 727                case AUDIT_OBJ_LEV_HIGH:
 728                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 729                                return 1;
 730                        break;
 731                case AUDIT_WATCH:
 732                        if (strcmp(audit_watch_path(a->watch),
 733                                   audit_watch_path(b->watch)))
 734                                return 1;
 735                        break;
 736                case AUDIT_DIR:
 737                        if (strcmp(audit_tree_path(a->tree),
 738                                   audit_tree_path(b->tree)))
 739                                return 1;
 740                        break;
 741                case AUDIT_FILTERKEY:
 742                        /* both filterkeys exist based on above type compare */
 743                        if (strcmp(a->filterkey, b->filterkey))
 744                                return 1;
 745                        break;
 746                case AUDIT_UID:
 747                case AUDIT_EUID:
 748                case AUDIT_SUID:
 749                case AUDIT_FSUID:
 750                case AUDIT_LOGINUID:
 751                case AUDIT_OBJ_UID:
 752                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 753                                return 1;
 754                        break;
 755                case AUDIT_GID:
 756                case AUDIT_EGID:
 757                case AUDIT_SGID:
 758                case AUDIT_FSGID:
 759                case AUDIT_OBJ_GID:
 760                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 761                                return 1;
 762                        break;
 763                default:
 764                        if (a->fields[i].val != b->fields[i].val)
 765                                return 1;
 766                }
 767        }
 768
 769        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 770                if (a->mask[i] != b->mask[i])
 771                        return 1;
 772
 773        return 0;
 774}
 775
 776/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 777 * re-initialized. */
 778static inline int audit_dupe_lsm_field(struct audit_field *df,
 779                                           struct audit_field *sf)
 780{
 781        int ret = 0;
 782        char *lsm_str;
 783
 784        /* our own copy of lsm_str */
 785        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 786        if (unlikely(!lsm_str))
 787                return -ENOMEM;
 788        df->lsm_str = lsm_str;
 789
 790        /* our own (refreshed) copy of lsm_rule */
 791        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 792                                       (void **)&df->lsm_rule);
 793        /* Keep currently invalid fields around in case they
 794         * become valid after a policy reload. */
 795        if (ret == -EINVAL) {
 796                printk(KERN_WARNING "audit rule for LSM \'%s\' is "
 797                       "invalid\n", df->lsm_str);
 798                ret = 0;
 799        }
 800
 801        return ret;
 802}
 803
 804/* Duplicate an audit rule.  This will be a deep copy with the exception
 805 * of the watch - that pointer is carried over.  The LSM specific fields
 806 * will be updated in the copy.  The point is to be able to replace the old
 807 * rule with the new rule in the filterlist, then free the old rule.
 808 * The rlist element is undefined; list manipulations are handled apart from
 809 * the initial copy. */
 810struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 811{
 812        u32 fcount = old->field_count;
 813        struct audit_entry *entry;
 814        struct audit_krule *new;
 815        char *fk;
 816        int i, err = 0;
 817
 818        entry = audit_init_entry(fcount);
 819        if (unlikely(!entry))
 820                return ERR_PTR(-ENOMEM);
 821
 822        new = &entry->rule;
 823        new->vers_ops = old->vers_ops;
 824        new->flags = old->flags;
 825        new->listnr = old->listnr;
 826        new->action = old->action;
 827        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 828                new->mask[i] = old->mask[i];
 829        new->prio = old->prio;
 830        new->buflen = old->buflen;
 831        new->inode_f = old->inode_f;
 832        new->field_count = old->field_count;
 833
 834        /*
 835         * note that we are OK with not refcounting here; audit_match_tree()
 836         * never dereferences tree and we can't get false positives there
 837         * since we'd have to have rule gone from the list *and* removed
 838         * before the chunks found by lookup had been allocated, i.e. before
 839         * the beginning of list scan.
 840         */
 841        new->tree = old->tree;
 842        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 843
 844        /* deep copy this information, updating the lsm_rule fields, because
 845         * the originals will all be freed when the old rule is freed. */
 846        for (i = 0; i < fcount; i++) {
 847                switch (new->fields[i].type) {
 848                case AUDIT_SUBJ_USER:
 849                case AUDIT_SUBJ_ROLE:
 850                case AUDIT_SUBJ_TYPE:
 851                case AUDIT_SUBJ_SEN:
 852                case AUDIT_SUBJ_CLR:
 853                case AUDIT_OBJ_USER:
 854                case AUDIT_OBJ_ROLE:
 855                case AUDIT_OBJ_TYPE:
 856                case AUDIT_OBJ_LEV_LOW:
 857                case AUDIT_OBJ_LEV_HIGH:
 858                        err = audit_dupe_lsm_field(&new->fields[i],
 859                                                       &old->fields[i]);
 860                        break;
 861                case AUDIT_FILTERKEY:
 862                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 863                        if (unlikely(!fk))
 864                                err = -ENOMEM;
 865                        else
 866                                new->filterkey = fk;
 867                }
 868                if (err) {
 869                        audit_free_rule(entry);
 870                        return ERR_PTR(err);
 871                }
 872        }
 873
 874        if (old->watch) {
 875                audit_get_watch(old->watch);
 876                new->watch = old->watch;
 877        }
 878
 879        return entry;
 880}
 881
 882/* Find an existing audit rule.
 883 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 884static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 885                                           struct list_head **p)
 886{
 887        struct audit_entry *e, *found = NULL;
 888        struct list_head *list;
 889        int h;
 890
 891        if (entry->rule.inode_f) {
 892                h = audit_hash_ino(entry->rule.inode_f->val);
 893                *p = list = &audit_inode_hash[h];
 894        } else if (entry->rule.watch) {
 895                /* we don't know the inode number, so must walk entire hash */
 896                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 897                        list = &audit_inode_hash[h];
 898                        list_for_each_entry(e, list, list)
 899                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 900                                        found = e;
 901                                        goto out;
 902                                }
 903                }
 904                goto out;
 905        } else {
 906                *p = list = &audit_filter_list[entry->rule.listnr];
 907        }
 908
 909        list_for_each_entry(e, list, list)
 910                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 911                        found = e;
 912                        goto out;
 913                }
 914
 915out:
 916        return found;
 917}
 918
 919static u64 prio_low = ~0ULL/2;
 920static u64 prio_high = ~0ULL/2 - 1;
 921
 922/* Add rule to given filterlist if not a duplicate. */
 923static inline int audit_add_rule(struct audit_entry *entry)
 924{
 925        struct audit_entry *e;
 926        struct audit_watch *watch = entry->rule.watch;
 927        struct audit_tree *tree = entry->rule.tree;
 928        struct list_head *list;
 929        int err;
 930#ifdef CONFIG_AUDITSYSCALL
 931        int dont_count = 0;
 932
 933        /* If either of these, don't count towards total */
 934        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 935                entry->rule.listnr == AUDIT_FILTER_TYPE)
 936                dont_count = 1;
 937#endif
 938
 939        mutex_lock(&audit_filter_mutex);
 940        e = audit_find_rule(entry, &list);
 941        if (e) {
 942                mutex_unlock(&audit_filter_mutex);
 943                err = -EEXIST;
 944                /* normally audit_add_tree_rule() will free it on failure */
 945                if (tree)
 946                        audit_put_tree(tree);
 947                goto error;
 948        }
 949
 950        if (watch) {
 951                /* audit_filter_mutex is dropped and re-taken during this call */
 952                err = audit_add_watch(&entry->rule, &list);
 953                if (err) {
 954                        mutex_unlock(&audit_filter_mutex);
 955                        goto error;
 956                }
 957        }
 958        if (tree) {
 959                err = audit_add_tree_rule(&entry->rule);
 960                if (err) {
 961                        mutex_unlock(&audit_filter_mutex);
 962                        goto error;
 963                }
 964        }
 965
 966        entry->rule.prio = ~0ULL;
 967        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 968                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 969                        entry->rule.prio = ++prio_high;
 970                else
 971                        entry->rule.prio = --prio_low;
 972        }
 973
 974        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 975                list_add(&entry->rule.list,
 976                         &audit_rules_list[entry->rule.listnr]);
 977                list_add_rcu(&entry->list, list);
 978                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 979        } else {
 980                list_add_tail(&entry->rule.list,
 981                              &audit_rules_list[entry->rule.listnr]);
 982                list_add_tail_rcu(&entry->list, list);
 983        }
 984#ifdef CONFIG_AUDITSYSCALL
 985        if (!dont_count)
 986                audit_n_rules++;
 987
 988        if (!audit_match_signal(entry))
 989                audit_signals++;
 990#endif
 991        mutex_unlock(&audit_filter_mutex);
 992
 993        return 0;
 994
 995error:
 996        if (watch)
 997                audit_put_watch(watch); /* tmp watch, matches initial get */
 998        return err;
 999}
1000

1001/* Remove an existing rule from filterlist. */
1002static inline int audit_del_rule(struct audit_entry *entry)
1003{
1004        struct audit_entry  *e;
1005        struct audit_watch *watch = entry->rule.watch;
1006        struct audit_tree *tree = entry->rule.tree;
1007        struct list_head *list;
1008        int ret = 0;
1009#ifdef CONFIG_AUDITSYSCALL
1010        int dont_count = 0;
1011
1012        /* If either of these, don't count towards total */
1013        if (entry->rule.listnr == AUDIT_FILTER_USER ||
1014                entry->rule.listnr == AUDIT_FILTER_TYPE)
1015                dont_count = 1;
1016#endif
1017
1018        mutex_lock(&audit_filter_mutex);
1019        e = audit_find_rule(entry, &list);
1020        if (!e) {
1021                mutex_unlock(&audit_filter_mutex);
1022                ret = -ENOENT;
1023                goto out;
1024        }
1025
1026        if (e->rule.watch)
1027                audit_remove_watch_rule(&e->rule);
1028
1029        if (e->rule.tree)
1030                audit_remove_tree_rule(&e->rule);
1031
1032        list_del_rcu(&e->list);
1033        list_del(&e->rule.list);
1034        call_rcu(&e->rcu, audit_free_rule_rcu);
1035
1036#ifdef CONFIG_AUDITSYSCALL
1037        if (!dont_count)
1038                audit_n_rules--;
1039
1040        if (!audit_match_signal(entry))
1041                audit_signals--;
1042#endif
1043        mutex_unlock(&audit_filter_mutex);
1044
1045out:
1046        if (watch)
1047                audit_put_watch(watch); /* match initial get */
1048        if (tree)
1049                audit_put_tree(tree);   /* that's the temporary one */
1050
1051        return ret;
1052}
1053
1054/* List rules using struct audit_rule.  Exists for backward
1055 * compatibility with userspace. */
1056static void audit_list(int pid, int seq, struct sk_buff_head *q)
1057{
1058        struct sk_buff *skb;
1059        struct audit_krule *r;
1060        int i;
1061
1062        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1063         * iterator to sync with list writers. */
1064        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1065                list_for_each_entry(r, &audit_rules_list[i], list) {
1066                        struct audit_rule *rule;
1067
1068                        rule = audit_krule_to_rule(r);
1069                        if (unlikely(!rule))
1070                                break;
1071                        skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1072                                         rule, sizeof(*rule));
1073                        if (skb)
1074                                skb_queue_tail(q, skb);
1075                        kfree(rule);
1076                }
1077        }
1078        skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1079        if (skb)
1080                skb_queue_tail(q, skb);
1081}
1082
1083/* List rules using struct audit_rule_data. */
1084static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1085{
1086        struct sk_buff *skb;
1087        struct audit_krule *r;
1088        int i;
1089
1090        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1091         * iterator to sync with list writers. */
1092        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1093                list_for_each_entry(r, &audit_rules_list[i], list) {
1094                        struct audit_rule_data *data;
1095
1096                        data = audit_krule_to_data(r);
1097                        if (unlikely(!data))
1098                                break;
1099                        skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1100                                         data, sizeof(*data) + data->buflen);
1101                        if (skb)
1102                                skb_queue_tail(q, skb);
1103                        kfree(data);
1104                }
1105        }
1106        skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1107        if (skb)
1108                skb_queue_tail(q, skb);
1109}
1110
1111/* Log rule additions and removals */
1112static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
1113                                  char *action, struct audit_krule *rule,
1114                                  int res)
1115{
1116        struct audit_buffer *ab;
1117
1118        if (!audit_enabled)
1119                return;
1120
1121        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1122        if (!ab)
1123                return;
1124        audit_log_format(ab, "auid=%u ses=%u",
1125                         from_kuid(&init_user_ns, loginuid), sessionid);
1126        if (sid) {
1127                char *ctx = NULL;
1128                u32 len;
1129                if (security_secid_to_secctx(sid, &ctx, &len))
1130                        audit_log_format(ab, " ssid=%u", sid);
1131                else {
1132                        audit_log_format(ab, " subj=%s", ctx);
1133                        security_release_secctx(ctx, len);
1134                }
1135        }
1136        audit_log_format(ab, " op=");
1137        audit_log_string(ab, action);
1138        audit_log_key(ab, rule->filterkey);
1139        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1140        audit_log_end(ab);
1141}
1142
1143/**
1144 * audit_receive_filter - apply all rules to the specified message type
1145 * @type: audit message type
1146 * @pid: target pid for netlink audit messages
1147 * @seq: netlink audit message sequence (serial) number
1148 * @data: payload data
1149 * @datasz: size of payload data
1150 * @loginuid: loginuid of sender
1151 * @sessionid: sessionid for netlink audit message
1152 * @sid: SE Linux Security ID of sender
1153 */
1154int audit_receive_filter(int type, int pid, int seq, void *data,
1155                         size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
1156{
1157        struct task_struct *tsk;
1158        struct audit_netlink_list *dest;
1159        int err = 0;
1160        struct audit_entry *entry;
1161
1162        switch (type) {
1163        case AUDIT_LIST:
1164        case AUDIT_LIST_RULES:
1165                /* We can't just spew out the rules here because we might fill
1166                 * the available socket buffer space and deadlock waiting for
1167                 * auditctl to read from it... which isn't ever going to
1168                 * happen if we're actually running in the context of auditctl
1169                 * trying to _send_ the stuff */
1170
1171                dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1172                if (!dest)
1173                        return -ENOMEM;
1174                dest->pid = pid;
1175                skb_queue_head_init(&dest->q);
1176
1177                mutex_lock(&audit_filter_mutex);
1178                if (type == AUDIT_LIST)
1179                        audit_list(pid, seq, &dest->q);
1180                else
1181                        audit_list_rules(pid, seq, &dest->q);
1182                mutex_unlock(&audit_filter_mutex);
1183
1184                tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1185                if (IS_ERR(tsk)) {
1186                        skb_queue_purge(&dest->q);
1187                        kfree(dest);
1188                        err = PTR_ERR(tsk);
1189                }
1190                break;
1191        case AUDIT_ADD:
1192        case AUDIT_ADD_RULE:
1193                if (type == AUDIT_ADD)
1194                        entry = audit_rule_to_entry(data);
1195                else
1196                        entry = audit_data_to_entry(data, datasz);
1197                if (IS_ERR(entry))
1198                        return PTR_ERR(entry);
1199
1200                err = audit_add_rule(entry);
1201                audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1202                                      &entry->rule, !err);
1203
1204                if (err)
1205                        audit_free_rule(entry);
1206                break;
1207        case AUDIT_DEL:
1208        case AUDIT_DEL_RULE:
1209                if (type == AUDIT_DEL)
1210                        entry = audit_rule_to_entry(data);
1211                else
1212                        entry = audit_data_to_entry(data, datasz);
1213                if (IS_ERR(entry))
1214                        return PTR_ERR(entry);
1215
1216                err = audit_del_rule(entry);
1217                audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1218                                      &entry->rule, !err);
1219
1220                audit_free_rule(entry);
1221                break;
1222        default:
1223                return -EINVAL;
1224        }
1225
1226        return err;
1227}
1228
1229int audit_comparator(u32 left, u32 op, u32 right)
1230{
1231        switch (op) {
1232        case Audit_equal:
1233                return (left == right);
1234        case Audit_not_equal:
1235                return (left != right);
1236        case Audit_lt:
1237                return (left < right);
1238        case Audit_le:
1239                return (left <= right);
1240        case Audit_gt:
1241                return (left > right);
1242        case Audit_ge:
1243                return (left >= right);
1244        case Audit_bitmask:
1245                return (left & right);
1246        case Audit_bittest:
1247                return ((left & right) == right);
1248        default:
1249                BUG();
1250                return 0;
1251        }
1252}
1253
1254int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1255{
1256        switch (op) {
1257        case Audit_equal:
1258                return uid_eq(left, right);
1259        case Audit_not_equal:
1260                return !uid_eq(left, right);
1261        case Audit_lt:
1262                return uid_lt(left, right);
1263        case Audit_le:
1264                return uid_lte(left, right);
1265        case Audit_gt:
1266                return uid_gt(left, right);
1267        case Audit_ge:
1268                return uid_gte(left, right);
1269        case Audit_bitmask:
1270        case Audit_bittest:
1271        default:
1272                BUG();
1273                return 0;
1274        }
1275}
1276
1277int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1278{
1279        switch (op) {
1280        case Audit_equal:
1281                return gid_eq(left, right);
1282        case Audit_not_equal:
1283                return !gid_eq(left, right);
1284        case Audit_lt:
1285                return gid_lt(left, right);
1286        case Audit_le:
1287                return gid_lte(left, right);
1288        case Audit_gt:
1289                return gid_gt(left, right);
1290        case Audit_ge:
1291                return gid_gte(left, right);
1292        case Audit_bitmask:
1293        case Audit_bittest:
1294        default:
1295                BUG();
1296                return 0;
1297        }
1298}
1299
1300/**
1301 * parent_len - find the length of the parent portion of a pathname
1302 * @path: pathname of which to determine length
1303 */
1304int parent_len(const char *path)
1305{
1306        int plen;
1307        const char *p;
1308
1309        plen = strlen(path);
1310
1311        if (plen == 0)
1312                return plen;
1313
1314        /* disregard trailing slashes */
1315        p = path + plen - 1;
1316        while ((*p == '/') && (p > path))
1317                p--;
1318
1319        /* walk backward until we find the next slash or hit beginning */
1320        while ((*p != '/') && (p > path))
1321                p--;
1322
1323        /* did we find a slash? Then increment to include it in path */
1324        if (*p == '/')
1325                p++;
1326
1327        return p - path;
1328}
1329
1330/**
1331 * audit_compare_dname_path - compare given dentry name with last component in
1332 *                            given path. Return of 0 indicates a match.
1333 * @dname:      dentry name that we're comparing
1334 * @path:       full pathname that we're comparing
1335 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1336 *              here indicates that we must compute this value.
1337 */
1338int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1339{
1340        int dlen, pathlen;
1341        const char *p;
1342
1343        dlen = strlen(dname);
1344        pathlen = strlen(path);
1345        if (pathlen < dlen)
1346                return 1;
1347
1348        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1349        if (pathlen - parentlen != dlen)
1350                return 1;
1351
1352        p = path + parentlen;
1353
1354        return strncmp(p, dname, dlen);
1355}
1356
1357static int audit_filter_user_rules(struct audit_krule *rule,
1358                                   enum audit_state *state)
1359{
1360        int i;
1361
1362        for (i = 0; i < rule->field_count; i++) {
1363                struct audit_field *f = &rule->fields[i];
1364                int result = 0;
1365                u32 sid;
1366
1367                switch (f->type) {
1368                case AUDIT_PID:
1369                        result = audit_comparator(task_pid_vnr(current), f->op, f->val);
1370                        break;
1371                case AUDIT_UID:
1372                        result = audit_uid_comparator(current_uid(), f->op, f->uid);
1373                        break;
1374                case AUDIT_GID:
1375                        result = audit_gid_comparator(current_gid(), f->op, f->gid);
1376                        break;
1377                case AUDIT_LOGINUID:
1378                        result = audit_uid_comparator(audit_get_loginuid(current),
1379                                                  f->op, f->uid);
1380                        break;
1381                case AUDIT_SUBJ_USER:
1382                case AUDIT_SUBJ_ROLE:
1383                case AUDIT_SUBJ_TYPE:
1384                case AUDIT_SUBJ_SEN:
1385                case AUDIT_SUBJ_CLR:
1386                        if (f->lsm_rule) {
1387                                security_task_getsecid(current, &sid);
1388                                result = security_audit_rule_match(sid,
1389                                                                   f->type,
1390                                                                   f->op,
1391                                                                   f->lsm_rule,
1392                                                                   NULL);
1393                        }
1394                        break;
1395                }
1396
1397                if (!result)
1398                        return 0;
1399        }
1400        switch (rule->action) {
1401        case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
1402        case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
1403        }
1404        return 1;
1405}
1406
1407int audit_filter_user(void)
1408{
1409        enum audit_state state = AUDIT_DISABLED;
1410        struct audit_entry *e;
1411        int ret = 1;
1412
1413        rcu_read_lock();
1414        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1415                if (audit_filter_user_rules(&e->rule, &state)) {
1416                        if (state == AUDIT_DISABLED)
1417                                ret = 0;
1418                        break;
1419                }
1420        }
1421        rcu_read_unlock();
1422
1423        return ret; /* Audit by default */
1424}
1425
1426int audit_filter_type(int type)
1427{
1428        struct audit_entry *e;
1429        int result = 0;
1430
1431        rcu_read_lock();
1432        if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1433                goto unlock_and_return;
1434
1435        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1436                                list) {
1437                int i;
1438                for (i = 0; i < e->rule.field_count; i++) {
1439                        struct audit_field *f = &e->rule.fields[i];
1440                        if (f->type == AUDIT_MSGTYPE) {
1441                                result = audit_comparator(type, f->op, f->val);
1442                                if (!result)
1443                                        break;
1444                        }
1445                }
1446                if (result)
1447                        goto unlock_and_return;
1448        }
1449unlock_and_return:
1450        rcu_read_unlock();
1451        return result;
1452}
1453
1454static int update_lsm_rule(struct audit_krule *r)
1455{
1456        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1457        struct audit_entry *nentry;
1458        int err = 0;
1459
1460        if (!security_audit_rule_known(r))
1461                return 0;
1462
1463        nentry = audit_dupe_rule(r);
1464        if (IS_ERR(nentry)) {
1465                /* save the first error encountered for the
1466                 * return value */
1467                err = PTR_ERR(nentry);
1468                audit_panic("error updating LSM filters");
1469                if (r->watch)
1470                        list_del(&r->rlist);
1471                list_del_rcu(&entry->list);
1472                list_del(&r->list);
1473        } else {
1474                if (r->watch || r->tree)
1475                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1476                list_replace_rcu(&entry->list, &nentry->list);
1477                list_replace(&r->list, &nentry->rule.list);
1478        }
1479        call_rcu(&entry->rcu, audit_free_rule_rcu);
1480
1481        return err;
1482}
1483
1484/* This function will re-initialize the lsm_rule field of all applicable rules.
1485 * It will traverse the filter lists serarching for rules that contain LSM
1486 * specific filter fields.  When such a rule is found, it is copied, the
1487 * LSM field is re-initialized, and the old rule is replaced with the
1488 * updated rule. */
1489int audit_update_lsm_rules(void)
1490{
1491        struct audit_krule *r, *n;
1492        int i, err = 0;
1493
1494        /* audit_filter_mutex synchronizes the writers */
1495        mutex_lock(&audit_filter_mutex);
1496
1497        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1498                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1499                        int res = update_lsm_rule(r);
1500                        if (!err)
1501                                err = res;
1502                }
1503        }
1504        mutex_unlock(&audit_filter_mutex);
1505
1506        return err;
1507}
1508