linux/kernel/audit_tree.c
<<
>>
Prefs 
   1#include "audit.h"
   2#include <linux/fsnotify_backend.h>
   3#include <linux/namei.h>
   4#include <linux/mount.h>
   5#include <linux/kthread.h>
   6#include <linux/refcount.h>
   7#include <linux/slab.h>
   8
   9struct audit_tree;
  10struct audit_chunk;
  11
  12struct audit_tree {
  13        refcount_t count;
  14        int goner;
  15        struct audit_chunk *root;
  16        struct list_head chunks;
  17        struct list_head rules;
  18        struct list_head list;
  19        struct list_head same_root;
  20        struct rcu_head head;
  21        char pathname[];
  22};
  23
  24struct audit_chunk {
  25        struct list_head hash;
  26        struct fsnotify_mark mark;
  27        struct list_head trees;         /* with root here */
  28        int dead;
  29        int count;
  30        atomic_long_t refs;
  31        struct rcu_head head;
  32        struct node {
  33                struct list_head list;
  34                struct audit_tree *owner;
  35                unsigned index;         /* index; upper bit indicates 'will prune' */
  36        } owners[];
  37};
  38
  39static LIST_HEAD(tree_list);
  40static LIST_HEAD(prune_list);
  41static struct task_struct *prune_thread;
  42
  43/*
  44 * One struct chunk is attached to each inode of interest.
  45 * We replace struct chunk on tagging/untagging.
  46 * Rules have pointer to struct audit_tree.
  47 * Rules have struct list_head rlist forming a list of rules over
  48 * the same tree.
  49 * References to struct chunk are collected at audit_inode{,_child}()
  50 * time and used in AUDIT_TREE rule matching.
  51 * These references are dropped at the same time we are calling
  52 * audit_free_names(), etc.
  53 *
  54 * Cyclic lists galore:
  55 * tree.chunks anchors chunk.owners[].list                      hash_lock
  56 * tree.rules anchors rule.rlist                                audit_filter_mutex
  57 * chunk.trees anchors tree.same_root                           hash_lock
  58 * chunk.hash is a hash with middle bits of watch.inode as
  59 * a hash function.                                             RCU, hash_lock
  60 *
  61 * tree is refcounted; one reference for "some rules on rules_list refer to
  62 * it", one for each chunk with pointer to it.
  63 *
  64 * chunk is refcounted by embedded fsnotify_mark + .refs (non-zero refcount
  65 * of watch contributes 1 to .refs).
  66 *
  67 * node.index allows to get from node.list to containing chunk.
  68 * MSB of that sucker is stolen to mark taggings that we might have to
  69 * revert - several operations have very unpleasant cleanup logics and
  70 * that makes a difference.  Some.
  71 */
  72
  73static struct fsnotify_group *audit_tree_group;
  74
  75static struct audit_tree *alloc_tree(const char *s)
  76{
  77        struct audit_tree *tree;
  78
  79        tree = kmalloc(sizeof(struct audit_tree) + strlen(s) + 1, GFP_KERNEL);
  80        if (tree) {
  81                refcount_set(&tree->count, 1);
  82                tree->goner = 0;
  83                INIT_LIST_HEAD(&tree->chunks);
  84                INIT_LIST_HEAD(&tree->rules);
  85                INIT_LIST_HEAD(&tree->list);
  86                INIT_LIST_HEAD(&tree->same_root);
  87                tree->root = NULL;
  88                strcpy(tree->pathname, s);
  89        }
  90        return tree;
  91}
  92
  93static inline void get_tree(struct audit_tree *tree)
  94{
  95        refcount_inc(&tree->count);
  96}
  97
  98static inline void put_tree(struct audit_tree *tree)
  99{
 100        if (refcount_dec_and_test(&tree->count))
 101                kfree_rcu(tree, head);
 102}
 103
 104/* to avoid bringing the entire thing in audit.h */
 105const char *audit_tree_path(struct audit_tree *tree)
 106{
 107        return tree->pathname;
 108}
 109
 110static void free_chunk(struct audit_chunk *chunk)
 111{
 112        int i;
 113
 114        for (i = 0; i < chunk->count; i++) {
 115                if (chunk->owners[i].owner)
 116                        put_tree(chunk->owners[i].owner);
 117        }
 118        kfree(chunk);
 119}
 120
 121void audit_put_chunk(struct audit_chunk *chunk)
 122{
 123        if (atomic_long_dec_and_test(&chunk->refs))
 124                free_chunk(chunk);
 125}
 126
 127static void __put_chunk(struct rcu_head *rcu)
 128{
 129        struct audit_chunk *chunk = container_of(rcu, struct audit_chunk, head);
 130        audit_put_chunk(chunk);
 131}
 132
 133static void audit_tree_destroy_watch(struct fsnotify_mark *entry)
 134{
 135        struct audit_chunk *chunk = container_of(entry, struct audit_chunk, mark);
 136        call_rcu(&chunk->head, __put_chunk);
 137}
 138
 139static struct audit_chunk *alloc_chunk(int count)
 140{
 141        struct audit_chunk *chunk;
 142        size_t size;
 143        int i;
 144
 145        size = offsetof(struct audit_chunk, owners) + count * sizeof(struct node);
 146        chunk = kzalloc(size, GFP_KERNEL);
 147        if (!chunk)
 148                return NULL;
 149
 150        INIT_LIST_HEAD(&chunk->hash);
 151        INIT_LIST_HEAD(&chunk->trees);
 152        chunk->count = count;
 153        atomic_long_set(&chunk->refs, 1);
 154        for (i = 0; i < count; i++) {
 155                INIT_LIST_HEAD(&chunk->owners[i].list);
 156                chunk->owners[i].index = i;
 157        }
 158        fsnotify_init_mark(&chunk->mark, audit_tree_group);
 159        chunk->mark.mask = FS_IN_IGNORED;
 160        return chunk;
 161}
 162
 163enum {HASH_SIZE = 128};
 164static struct list_head chunk_hash_heads[HASH_SIZE];
 165static __cacheline_aligned_in_smp DEFINE_SPINLOCK(hash_lock);
 166
 167/* Function to return search key in our hash from inode. */
 168static unsigned long inode_to_key(const struct inode *inode)
 169{
 170        return (unsigned long)inode;
 171}
 172
 173/*
 174 * Function to return search key in our hash from chunk. Key 0 is special and
 175 * should never be present in the hash.
 176 */
 177static unsigned long chunk_to_key(struct audit_chunk *chunk)
 178{
 179        /*
 180         * We have a reference to the mark so it should be attached to a
 181         * connector.
 182         */
 183        if (WARN_ON_ONCE(!chunk->mark.connector))
 184                return 0;
 185        return (unsigned long)chunk->mark.connector->inode;
 186}
 187
 188static inline struct list_head *chunk_hash(unsigned long key)
 189{
 190        unsigned long n = key / L1_CACHE_BYTES;
 191        return chunk_hash_heads + n % HASH_SIZE;
 192}
 193
 194/* hash_lock & entry->lock is held by caller */
 195static void insert_hash(struct audit_chunk *chunk)
 196{
 197        unsigned long key = chunk_to_key(chunk);
 198        struct list_head *list;
 199
 200        if (!(chunk->mark.flags & FSNOTIFY_MARK_FLAG_ATTACHED))
 201                return;
 202        list = chunk_hash(key);
 203        list_add_rcu(&chunk->hash, list);
 204}
 205
 206/* called under rcu_read_lock */
 207struct audit_chunk *audit_tree_lookup(const struct inode *inode)
 208{
 209        unsigned long key = inode_to_key(inode);
 210        struct list_head *list = chunk_hash(key);
 211        struct audit_chunk *p;
 212
 213        list_for_each_entry_rcu(p, list, hash) {
 214                if (chunk_to_key(p) == key) {
 215                        atomic_long_inc(&p->refs);
 216                        return p;
 217                }
 218        }
 219        return NULL;
 220}
 221
 222bool audit_tree_match(struct audit_chunk *chunk, struct audit_tree *tree)
 223{
 224        int n;
 225        for (n = 0; n < chunk->count; n++)
 226                if (chunk->owners[n].owner == tree)
 227                        return true;
 228        return false;
 229}
 230
 231/* tagging and untagging inodes with trees */
 232
 233static struct audit_chunk *find_chunk(struct node *p)
 234{
 235        int index = p->index & ~(1U<<31);
 236        p -= index;
 237        return container_of(p, struct audit_chunk, owners[0]);
 238}
 239
 240static void untag_chunk(struct node *p)
 241{
 242        struct audit_chunk *chunk = find_chunk(p);
 243        struct fsnotify_mark *entry = &chunk->mark;
 244        struct audit_chunk *new = NULL;
 245        struct audit_tree *owner;
 246        int size = chunk->count - 1;
 247        int i, j;
 248
 249        fsnotify_get_mark(entry);
 250
 251        spin_unlock(&hash_lock);
 252
 253        if (size)
 254                new = alloc_chunk(size);
 255
 256        mutex_lock(&entry->group->mark_mutex);
 257        spin_lock(&entry->lock);
 258        /*
 259         * mark_mutex protects mark from getting detached and thus also from
 260         * mark->connector->inode getting NULL.
 261         */
 262        if (chunk->dead || !(entry->flags & FSNOTIFY_MARK_FLAG_ATTACHED)) {
 263                spin_unlock(&entry->lock);
 264                mutex_unlock(&entry->group->mark_mutex);
 265                if (new)
 266                        fsnotify_put_mark(&new->mark);
 267                goto out;
 268        }
 269
 270        owner = p->owner;
 271
 272        if (!size) {
 273                chunk->dead = 1;
 274                spin_lock(&hash_lock);
 275                list_del_init(&chunk->trees);
 276                if (owner->root == chunk)
 277                        owner->root = NULL;
 278                list_del_init(&p->list);
 279                list_del_rcu(&chunk->hash);
 280                spin_unlock(&hash_lock);
 281                spin_unlock(&entry->lock);
 282                mutex_unlock(&entry->group->mark_mutex);
 283                fsnotify_destroy_mark(entry, audit_tree_group);
 284                goto out;
 285        }
 286
 287        if (!new)
 288                goto Fallback;
 289
 290        if (fsnotify_add_mark_locked(&new->mark, entry->connector->inode,
 291                                     NULL, 1)) {
 292                fsnotify_put_mark(&new->mark);
 293                goto Fallback;
 294        }
 295
 296        chunk->dead = 1;
 297        spin_lock(&hash_lock);
 298        list_replace_init(&chunk->trees, &new->trees);
 299        if (owner->root == chunk) {
 300                list_del_init(&owner->same_root);
 301                owner->root = NULL;
 302        }
 303
 304        for (i = j = 0; j <= size; i++, j++) {
 305                struct audit_tree *s;
 306                if (&chunk->owners[j] == p) {
 307                        list_del_init(&p->list);
 308                        i--;
 309                        continue;
 310                }
 311                s = chunk->owners[j].owner;
 312                new->owners[i].owner = s;
 313                new->owners[i].index = chunk->owners[j].index - j + i;
 314                if (!s) /* result of earlier fallback */
 315                        continue;
 316                get_tree(s);
 317                list_replace_init(&chunk->owners[j].list, &new->owners[i].list);
 318        }
 319
 320        list_replace_rcu(&chunk->hash, &new->hash);
 321        list_for_each_entry(owner, &new->trees, same_root)
 322                owner->root = new;
 323        spin_unlock(&hash_lock);
 324        spin_unlock(&entry->lock);
 325        mutex_unlock(&entry->group->mark_mutex);
 326        fsnotify_destroy_mark(entry, audit_tree_group);
 327        fsnotify_put_mark(&new->mark);  /* drop initial reference */
 328        goto out;
 329
 330Fallback:
 331        // do the best we can
 332        spin_lock(&hash_lock);
 333        if (owner->root == chunk) {
 334                list_del_init(&owner->same_root);
 335                owner->root = NULL;
 336        }
 337        list_del_init(&p->list);
 338        p->owner = NULL;
 339        put_tree(owner);
 340        spin_unlock(&hash_lock);
 341        spin_unlock(&entry->lock);
 342        mutex_unlock(&entry->group->mark_mutex);
 343out:
 344        fsnotify_put_mark(entry);
 345        spin_lock(&hash_lock);
 346}
 347
 348static int create_chunk(struct inode *inode, struct audit_tree *tree)
 349{
 350        struct fsnotify_mark *entry;
 351        struct audit_chunk *chunk = alloc_chunk(1);
 352        if (!chunk)
 353                return -ENOMEM;
 354
 355        entry = &chunk->mark;
 356        if (fsnotify_add_mark(entry, inode, NULL, 0)) {
 357                fsnotify_put_mark(entry);
 358                return -ENOSPC;
 359        }
 360
 361        spin_lock(&entry->lock);
 362        spin_lock(&hash_lock);
 363        if (tree->goner) {
 364                spin_unlock(&hash_lock);
 365                chunk->dead = 1;
 366                spin_unlock(&entry->lock);
 367                fsnotify_destroy_mark(entry, audit_tree_group);
 368                fsnotify_put_mark(entry);
 369                return 0;
 370        }
 371        chunk->owners[0].index = (1U << 31);
 372        chunk->owners[0].owner = tree;
 373        get_tree(tree);
 374        list_add(&chunk->owners[0].list, &tree->chunks);
 375        if (!tree->root) {
 376                tree->root = chunk;
 377                list_add(&tree->same_root, &chunk->trees);
 378        }
 379        insert_hash(chunk);
 380        spin_unlock(&hash_lock);
 381        spin_unlock(&entry->lock);
 382        fsnotify_put_mark(entry);       /* drop initial reference */
 383        return 0;
 384}
 385
 386/* the first tagged inode becomes root of tree */
 387static int tag_chunk(struct inode *inode, struct audit_tree *tree)
 388{
 389        struct fsnotify_mark *old_entry, *chunk_entry;
 390        struct audit_tree *owner;
 391        struct audit_chunk *chunk, *old;
 392        struct node *p;
 393        int n;
 394
 395        old_entry = fsnotify_find_mark(&inode->i_fsnotify_marks,
 396                                       audit_tree_group);
 397        if (!old_entry)
 398                return create_chunk(inode, tree);
 399
 400        old = container_of(old_entry, struct audit_chunk, mark);
 401
 402        /* are we already there? */
 403        spin_lock(&hash_lock);
 404        for (n = 0; n < old->count; n++) {
 405                if (old->owners[n].owner == tree) {
 406                        spin_unlock(&hash_lock);
 407                        fsnotify_put_mark(old_entry);
 408                        return 0;
 409                }
 410        }
 411        spin_unlock(&hash_lock);
 412
 413        chunk = alloc_chunk(old->count + 1);
 414        if (!chunk) {
 415                fsnotify_put_mark(old_entry);
 416                return -ENOMEM;
 417        }
 418
 419        chunk_entry = &chunk->mark;
 420
 421        mutex_lock(&old_entry->group->mark_mutex);
 422        spin_lock(&old_entry->lock);
 423        /*
 424         * mark_mutex protects mark from getting detached and thus also from
 425         * mark->connector->inode getting NULL.
 426         */
 427        if (!(old_entry->flags & FSNOTIFY_MARK_FLAG_ATTACHED)) {
 428                /* old_entry is being shot, lets just lie */
 429                spin_unlock(&old_entry->lock);
 430                mutex_unlock(&old_entry->group->mark_mutex);
 431                fsnotify_put_mark(old_entry);
 432                fsnotify_put_mark(&chunk->mark);
 433                return -ENOENT;
 434        }
 435
 436        if (fsnotify_add_mark_locked(chunk_entry,
 437                             old_entry->connector->inode, NULL, 1)) {
 438                spin_unlock(&old_entry->lock);
 439                mutex_unlock(&old_entry->group->mark_mutex);
 440                fsnotify_put_mark(chunk_entry);
 441                fsnotify_put_mark(old_entry);
 442                return -ENOSPC;
 443        }
 444
 445        /* even though we hold old_entry->lock, this is safe since chunk_entry->lock could NEVER have been grabbed before */
 446        spin_lock(&chunk_entry->lock);
 447        spin_lock(&hash_lock);
 448
 449        /* we now hold old_entry->lock, chunk_entry->lock, and hash_lock */
 450        if (tree->goner) {
 451                spin_unlock(&hash_lock);
 452                chunk->dead = 1;
 453                spin_unlock(&chunk_entry->lock);
 454                spin_unlock(&old_entry->lock);
 455                mutex_unlock(&old_entry->group->mark_mutex);
 456
 457                fsnotify_destroy_mark(chunk_entry, audit_tree_group);
 458
 459                fsnotify_put_mark(chunk_entry);
 460                fsnotify_put_mark(old_entry);
 461                return 0;
 462        }
 463        list_replace_init(&old->trees, &chunk->trees);
 464        for (n = 0, p = chunk->owners; n < old->count; n++, p++) {
 465                struct audit_tree *s = old->owners[n].owner;
 466                p->owner = s;
 467                p->index = old->owners[n].index;
 468                if (!s) /* result of fallback in untag */
 469                        continue;
 470                get_tree(s);
 471                list_replace_init(&old->owners[n].list, &p->list);
 472        }
 473        p->index = (chunk->count - 1) | (1U<<31);
 474        p->owner = tree;
 475        get_tree(tree);
 476        list_add(&p->list, &tree->chunks);
 477        list_replace_rcu(&old->hash, &chunk->hash);
 478        list_for_each_entry(owner, &chunk->trees, same_root)
 479                owner->root = chunk;
 480        old->dead = 1;
 481        if (!tree->root) {
 482                tree->root = chunk;
 483                list_add(&tree->same_root, &chunk->trees);
 484        }
 485        spin_unlock(&hash_lock);
 486        spin_unlock(&chunk_entry->lock);
 487        spin_unlock(&old_entry->lock);
 488        mutex_unlock(&old_entry->group->mark_mutex);
 489        fsnotify_destroy_mark(old_entry, audit_tree_group);
 490        fsnotify_put_mark(chunk_entry); /* drop initial reference */
 491        fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */
 492        return 0;
 493}
 494
 495static void audit_tree_log_remove_rule(struct audit_krule *rule)
 496{
 497        struct audit_buffer *ab;
 498
 499        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 500        if (unlikely(!ab))
 501                return;
 502        audit_log_format(ab, "op=remove_rule");
 503        audit_log_format(ab, " dir=");
 504        audit_log_untrustedstring(ab, rule->tree->pathname);
 505        audit_log_key(ab, rule->filterkey);
 506        audit_log_format(ab, " list=%d res=1", rule->listnr);
 507        audit_log_end(ab);
 508}
 509
 510static void kill_rules(struct audit_tree *tree)
 511{
 512        struct audit_krule *rule, *next;
 513        struct audit_entry *entry;
 514
 515        list_for_each_entry_safe(rule, next, &tree->rules, rlist) {
 516                entry = container_of(rule, struct audit_entry, rule);
 517
 518                list_del_init(&rule->rlist);
 519                if (rule->tree) {
 520                        /* not a half-baked one */
 521                        audit_tree_log_remove_rule(rule);
 522                        if (entry->rule.exe)
 523                                audit_remove_mark(entry->rule.exe);
 524                        rule->tree = NULL;
 525                        list_del_rcu(&entry->list);
 526                        list_del(&entry->rule.list);
 527                        call_rcu(&entry->rcu, audit_free_rule_rcu);
 528                }
 529        }
 530}
 531
 532/*
 533 * finish killing struct audit_tree
 534 */
 535static void prune_one(struct audit_tree *victim)
 536{
 537        spin_lock(&hash_lock);
 538        while (!list_empty(&victim->chunks)) {
 539                struct node *p;
 540
 541                p = list_entry(victim->chunks.next, struct node, list);
 542
 543                untag_chunk(p);
 544        }
 545        spin_unlock(&hash_lock);
 546        put_tree(victim);
 547}
 548
 549/* trim the uncommitted chunks from tree */
 550
 551static void trim_marked(struct audit_tree *tree)
 552{
 553        struct list_head *p, *q;
 554        spin_lock(&hash_lock);
 555        if (tree->goner) {
 556                spin_unlock(&hash_lock);
 557                return;
 558        }
 559        /* reorder */
 560        for (p = tree->chunks.next; p != &tree->chunks; p = q) {
 561                struct node *node = list_entry(p, struct node, list);
 562                q = p->next;
 563                if (node->index & (1U<<31)) {
 564                        list_del_init(p);
 565                        list_add(p, &tree->chunks);
 566                }
 567        }
 568
 569        while (!list_empty(&tree->chunks)) {
 570                struct node *node;
 571
 572                node = list_entry(tree->chunks.next, struct node, list);
 573
 574                /* have we run out of marked? */
 575                if (!(node->index & (1U<<31)))
 576                        break;
 577
 578                untag_chunk(node);
 579        }
 580        if (!tree->root && !tree->goner) {
 581                tree->goner = 1;
 582                spin_unlock(&hash_lock);
 583                mutex_lock(&audit_filter_mutex);
 584                kill_rules(tree);
 585                list_del_init(&tree->list);
 586                mutex_unlock(&audit_filter_mutex);
 587                prune_one(tree);
 588        } else {
 589                spin_unlock(&hash_lock);
 590        }
 591}
 592
 593static void audit_schedule_prune(void);
 594
 595/* called with audit_filter_mutex */
 596int audit_remove_tree_rule(struct audit_krule *rule)
 597{
 598        struct audit_tree *tree;
 599        tree = rule->tree;
 600        if (tree) {
 601                spin_lock(&hash_lock);
 602                list_del_init(&rule->rlist);
 603                if (list_empty(&tree->rules) && !tree->goner) {
 604                        tree->root = NULL;
 605                        list_del_init(&tree->same_root);
 606                        tree->goner = 1;
 607                        list_move(&tree->list, &prune_list);
 608                        rule->tree = NULL;
 609                        spin_unlock(&hash_lock);
 610                        audit_schedule_prune();
 611                        return 1;
 612                }
 613                rule->tree = NULL;
 614                spin_unlock(&hash_lock);
 615                return 1;
 616        }
 617        return 0;
 618}
 619
 620static int compare_root(struct vfsmount *mnt, void *arg)
 621{
 622        return inode_to_key(d_backing_inode(mnt->mnt_root)) ==
 623               (unsigned long)arg;
 624}
 625
 626void audit_trim_trees(void)
 627{
 628        struct list_head cursor;
 629
 630        mutex_lock(&audit_filter_mutex);
 631        list_add(&cursor, &tree_list);
 632        while (cursor.next != &tree_list) {
 633                struct audit_tree *tree;
 634                struct path path;
 635                struct vfsmount *root_mnt;
 636                struct node *node;
 637                int err;
 638
 639                tree = container_of(cursor.next, struct audit_tree, list);
 640                get_tree(tree);
 641                list_del(&cursor);
 642                list_add(&cursor, &tree->list);
 643                mutex_unlock(&audit_filter_mutex);
 644
 645                err = kern_path(tree->pathname, 0, &path);
 646                if (err)
 647                        goto skip_it;
 648
 649                root_mnt = collect_mounts(&path);
 650                path_put(&path);
 651                if (IS_ERR(root_mnt))
 652                        goto skip_it;
 653
 654                spin_lock(&hash_lock);
 655                list_for_each_entry(node, &tree->chunks, list) {
 656                        struct audit_chunk *chunk = find_chunk(node);
 657                        /* this could be NULL if the watch is dying else where... */
 658                        node->index |= 1U<<31;
 659                        if (iterate_mounts(compare_root,
 660                                           (void *)chunk_to_key(chunk),
 661                                           root_mnt))
 662                                node->index &= ~(1U<<31);
 663                }
 664                spin_unlock(&hash_lock);
 665                trim_marked(tree);
 666                drop_collected_mounts(root_mnt);
 667skip_it:
 668                put_tree(tree);
 669                mutex_lock(&audit_filter_mutex);
 670        }
 671        list_del(&cursor);
 672        mutex_unlock(&audit_filter_mutex);
 673}
 674
 675int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op)
 676{
 677
 678        if (pathname[0] != '/' ||
 679            rule->listnr != AUDIT_FILTER_EXIT ||
 680            op != Audit_equal ||
 681            rule->inode_f || rule->watch || rule->tree)
 682                return -EINVAL;
 683        rule->tree = alloc_tree(pathname);
 684        if (!rule->tree)
 685                return -ENOMEM;
 686        return 0;
 687}
 688
 689void audit_put_tree(struct audit_tree *tree)
 690{
 691        put_tree(tree);
 692}
 693
 694static int tag_mount(struct vfsmount *mnt, void *arg)
 695{
 696        return tag_chunk(d_backing_inode(mnt->mnt_root), arg);
 697}
 698
 699/*
 700 * That gets run when evict_chunk() ends up needing to kill audit_tree.
 701 * Runs from a separate thread.
 702 */
 703static int prune_tree_thread(void *unused)
 704{
 705        for (;;) {
 706                if (list_empty(&prune_list)) {
 707                        set_current_state(TASK_INTERRUPTIBLE);
 708                        schedule();
 709                }
 710
 711                mutex_lock(&audit_cmd_mutex);
 712                mutex_lock(&audit_filter_mutex);
 713
 714                while (!list_empty(&prune_list)) {
 715                        struct audit_tree *victim;
 716
 717                        victim = list_entry(prune_list.next,
 718                                        struct audit_tree, list);
 719                        list_del_init(&victim->list);
 720
 721                        mutex_unlock(&audit_filter_mutex);
 722
 723                        prune_one(victim);
 724
 725                        mutex_lock(&audit_filter_mutex);
 726                }
 727
 728                mutex_unlock(&audit_filter_mutex);
 729                mutex_unlock(&audit_cmd_mutex);
 730        }
 731        return 0;
 732}
 733
 734static int audit_launch_prune(void)
 735{
 736        if (prune_thread)
 737                return 0;
 738        prune_thread = kthread_run(prune_tree_thread, NULL,
 739                                "audit_prune_tree");
 740        if (IS_ERR(prune_thread)) {
 741                pr_err("cannot start thread audit_prune_tree");
 742                prune_thread = NULL;
 743                return -ENOMEM;
 744        }
 745        return 0;
 746}
 747
 748/* called with audit_filter_mutex */
 749int audit_add_tree_rule(struct audit_krule *rule)
 750{
 751        struct audit_tree *seed = rule->tree, *tree;
 752        struct path path;
 753        struct vfsmount *mnt;
 754        int err;
 755
 756        rule->tree = NULL;
 757        list_for_each_entry(tree, &tree_list, list) {
 758                if (!strcmp(seed->pathname, tree->pathname)) {
 759                        put_tree(seed);
 760                        rule->tree = tree;
 761                        list_add(&rule->rlist, &tree->rules);
 762                        return 0;
 763                }
 764        }
 765        tree = seed;
 766        list_add(&tree->list, &tree_list);
 767        list_add(&rule->rlist, &tree->rules);
 768        /* do not set rule->tree yet */
 769        mutex_unlock(&audit_filter_mutex);
 770
 771        if (unlikely(!prune_thread)) {
 772                err = audit_launch_prune();
 773                if (err)
 774                        goto Err;
 775        }
 776
 777        err = kern_path(tree->pathname, 0, &path);
 778        if (err)
 779                goto Err;
 780        mnt = collect_mounts(&path);
 781        path_put(&path);
 782        if (IS_ERR(mnt)) {
 783                err = PTR_ERR(mnt);
 784                goto Err;
 785        }
 786
 787        get_tree(tree);
 788        err = iterate_mounts(tag_mount, tree, mnt);
 789        drop_collected_mounts(mnt);
 790
 791        if (!err) {
 792                struct node *node;
 793                spin_lock(&hash_lock);
 794                list_for_each_entry(node, &tree->chunks, list)
 795                        node->index &= ~(1U<<31);
 796                spin_unlock(&hash_lock);
 797        } else {
 798                trim_marked(tree);
 799                goto Err;
 800        }
 801
 802        mutex_lock(&audit_filter_mutex);
 803        if (list_empty(&rule->rlist)) {
 804                put_tree(tree);
 805                return -ENOENT;
 806        }
 807        rule->tree = tree;
 808        put_tree(tree);
 809
 810        return 0;
 811Err:
 812        mutex_lock(&audit_filter_mutex);
 813        list_del_init(&tree->list);
 814        list_del_init(&tree->rules);
 815        put_tree(tree);
 816        return err;
 817}
 818
 819int audit_tag_tree(char *old, char *new)
 820{
 821        struct list_head cursor, barrier;
 822        int failed = 0;
 823        struct path path1, path2;
 824        struct vfsmount *tagged;
 825        int err;
 826
 827        err = kern_path(new, 0, &path2);
 828        if (err)
 829                return err;
 830        tagged = collect_mounts(&path2);
 831        path_put(&path2);
 832        if (IS_ERR(tagged))
 833                return PTR_ERR(tagged);
 834
 835        err = kern_path(old, 0, &path1);
 836        if (err) {
 837                drop_collected_mounts(tagged);
 838                return err;
 839        }
 840
 841        mutex_lock(&audit_filter_mutex);
 842        list_add(&barrier, &tree_list);
 843        list_add(&cursor, &barrier);
 844
 845        while (cursor.next != &tree_list) {
 846                struct audit_tree *tree;
 847                int good_one = 0;
 848
 849                tree = container_of(cursor.next, struct audit_tree, list);
 850                get_tree(tree);
 851                list_del(&cursor);
 852                list_add(&cursor, &tree->list);
 853                mutex_unlock(&audit_filter_mutex);
 854
 855                err = kern_path(tree->pathname, 0, &path2);
 856                if (!err) {
 857                        good_one = path_is_under(&path1, &path2);
 858                        path_put(&path2);
 859                }
 860
 861                if (!good_one) {
 862                        put_tree(tree);
 863                        mutex_lock(&audit_filter_mutex);
 864                        continue;
 865                }
 866
 867                failed = iterate_mounts(tag_mount, tree, tagged);
 868                if (failed) {
 869                        put_tree(tree);
 870                        mutex_lock(&audit_filter_mutex);
 871                        break;
 872                }
 873
 874                mutex_lock(&audit_filter_mutex);
 875                spin_lock(&hash_lock);
 876                if (!tree->goner) {
 877                        list_del(&tree->list);
 878                        list_add(&tree->list, &tree_list);
 879                }
 880                spin_unlock(&hash_lock);
 881                put_tree(tree);
 882        }
 883
 884        while (barrier.prev != &tree_list) {
 885                struct audit_tree *tree;
 886
 887                tree = container_of(barrier.prev, struct audit_tree, list);
 888                get_tree(tree);
 889                list_del(&tree->list);
 890                list_add(&tree->list, &barrier);
 891                mutex_unlock(&audit_filter_mutex);
 892
 893                if (!failed) {
 894                        struct node *node;
 895                        spin_lock(&hash_lock);
 896                        list_for_each_entry(node, &tree->chunks, list)
 897                                node->index &= ~(1U<<31);
 898                        spin_unlock(&hash_lock);
 899                } else {
 900                        trim_marked(tree);
 901                }
 902
 903                put_tree(tree);
 904                mutex_lock(&audit_filter_mutex);
 905        }
 906        list_del(&barrier);
 907        list_del(&cursor);
 908        mutex_unlock(&audit_filter_mutex);
 909        path_put(&path1);
 910        drop_collected_mounts(tagged);
 911        return failed;
 912}
 913
 914
 915static void audit_schedule_prune(void)
 916{
 917        wake_up_process(prune_thread);
 918}
 919
 920/*
 921 * ... and that one is done if evict_chunk() decides to delay until the end
 922 * of syscall.  Runs synchronously.
 923 */
 924void audit_kill_trees(struct list_head *list)
 925{
 926        mutex_lock(&audit_cmd_mutex);
 927        mutex_lock(&audit_filter_mutex);
 928
 929        while (!list_empty(list)) {
 930                struct audit_tree *victim;
 931
 932                victim = list_entry(list->next, struct audit_tree, list);
 933                kill_rules(victim);
 934                list_del_init(&victim->list);
 935
 936                mutex_unlock(&audit_filter_mutex);
 937
 938                prune_one(victim);
 939
 940                mutex_lock(&audit_filter_mutex);
 941        }
 942
 943        mutex_unlock(&audit_filter_mutex);
 944        mutex_unlock(&audit_cmd_mutex);
 945}
 946
 947/*
 948 *  Here comes the stuff asynchronous to auditctl operations
 949 */
 950
 951static void evict_chunk(struct audit_chunk *chunk)
 952{
 953        struct audit_tree *owner;
 954        struct list_head *postponed = audit_killed_trees();
 955        int need_prune = 0;
 956        int n;
 957
 958        if (chunk->dead)
 959                return;
 960
 961        chunk->dead = 1;
 962        mutex_lock(&audit_filter_mutex);
 963        spin_lock(&hash_lock);
 964        while (!list_empty(&chunk->trees)) {
 965                owner = list_entry(chunk->trees.next,
 966                                   struct audit_tree, same_root);
 967                owner->goner = 1;
 968                owner->root = NULL;
 969                list_del_init(&owner->same_root);
 970                spin_unlock(&hash_lock);
 971                if (!postponed) {
 972                        kill_rules(owner);
 973                        list_move(&owner->list, &prune_list);
 974                        need_prune = 1;
 975                } else {
 976                        list_move(&owner->list, postponed);
 977                }
 978                spin_lock(&hash_lock);
 979        }
 980        list_del_rcu(&chunk->hash);
 981        for (n = 0; n < chunk->count; n++)
 982                list_del_init(&chunk->owners[n].list);
 983        spin_unlock(&hash_lock);
 984        mutex_unlock(&audit_filter_mutex);
 985        if (need_prune)
 986                audit_schedule_prune();
 987}
 988
 989static int audit_tree_handle_event(struct fsnotify_group *group,
 990                                   struct inode *to_tell,
 991                                   struct fsnotify_mark *inode_mark,
 992                                   struct fsnotify_mark *vfsmount_mark,
 993                                   u32 mask, const void *data, int data_type,
 994                                   const unsigned char *file_name, u32 cookie,
 995                                   struct fsnotify_iter_info *iter_info)
 996{
 997        return 0;
 998}
 999
1000static void audit_tree_freeing_mark(struct fsnotify_mark *entry, struct fsnotify_group *group)

1001{
1002        struct audit_chunk *chunk = container_of(entry, struct audit_chunk, mark);
1003
1004        evict_chunk(chunk);
1005
1006        /*
1007         * We are guaranteed to have at least one reference to the mark from
1008         * either the inode or the caller of fsnotify_destroy_mark().
1009         */
1010        BUG_ON(atomic_read(&entry->refcnt) < 1);
1011}
1012
1013static const struct fsnotify_ops audit_tree_ops = {
1014        .handle_event = audit_tree_handle_event,
1015        .freeing_mark = audit_tree_freeing_mark,
1016        .free_mark = audit_tree_destroy_watch,
1017};
1018
1019static int __init audit_tree_init(void)
1020{
1021        int i;
1022
1023        audit_tree_group = fsnotify_alloc_group(&audit_tree_ops);
1024        if (IS_ERR(audit_tree_group))
1025                audit_panic("cannot initialize fsnotify group for rectree watches");
1026
1027        for (i = 0; i < HASH_SIZE; i++)
1028                INIT_LIST_HEAD(&chunk_hash_heads[i]);
1029
1030        return 0;
1031}
1032__initcall(audit_tree_init);
1033
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.