LXR linux/kernel/auditfilter.c

   1/* auditfilter.c -- filtering of audit events
   2 *
   3 * Copyright 2003-2004 Red Hat, Inc.
   4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   5 * Copyright 2005 IBM Corporation
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 */
  21
  22#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  23
  24#include <linux/kernel.h>
  25#include <linux/audit.h>
  26#include <linux/kthread.h>
  27#include <linux/mutex.h>
  28#include <linux/fs.h>
  29#include <linux/namei.h>
  30#include <linux/netlink.h>
  31#include <linux/sched.h>
  32#include <linux/slab.h>
  33#include <linux/security.h>
  34#include <net/net_namespace.h>
  35#include <net/sock.h>
  36#include "audit.h"
  37
  38/*
  39 * Locking model:
  40 *
  41 * audit_filter_mutex:
  42 *              Synchronizes writes and blocking reads of audit's filterlist
  43 *              data.  Rcu is used to traverse the filterlist and access
  44 *              contents of structs audit_entry, audit_watch and opaque
  45 *              LSM rules during filtering.  If modified, these structures
  46 *              must be copied and replace their counterparts in the filterlist.
  47 *              An audit_parent struct is not accessed during filtering, so may
  48 *              be written directly provided audit_filter_mutex is held.
  49 */
  50
  51/* Audit filter lists, defined in <linux/audit.h> */
  52struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  53        LIST_HEAD_INIT(audit_filter_list[0]),
  54        LIST_HEAD_INIT(audit_filter_list[1]),
  55        LIST_HEAD_INIT(audit_filter_list[2]),
  56        LIST_HEAD_INIT(audit_filter_list[3]),
  57        LIST_HEAD_INIT(audit_filter_list[4]),
  58        LIST_HEAD_INIT(audit_filter_list[5]),
  59        LIST_HEAD_INIT(audit_filter_list[6]),
  60#if AUDIT_NR_FILTERS != 7
  61#error Fix audit_filter_list initialiser
  62#endif
  63};
  64static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  65        LIST_HEAD_INIT(audit_rules_list[0]),
  66        LIST_HEAD_INIT(audit_rules_list[1]),
  67        LIST_HEAD_INIT(audit_rules_list[2]),
  68        LIST_HEAD_INIT(audit_rules_list[3]),
  69        LIST_HEAD_INIT(audit_rules_list[4]),
  70        LIST_HEAD_INIT(audit_rules_list[5]),
  71        LIST_HEAD_INIT(audit_rules_list[6]),
  72};
  73
  74DEFINE_MUTEX(audit_filter_mutex);
  75
  76static void audit_free_lsm_field(struct audit_field *f)
  77{
  78        switch (f->type) {
  79        case AUDIT_SUBJ_USER:
  80        case AUDIT_SUBJ_ROLE:
  81        case AUDIT_SUBJ_TYPE:
  82        case AUDIT_SUBJ_SEN:
  83        case AUDIT_SUBJ_CLR:
  84        case AUDIT_OBJ_USER:
  85        case AUDIT_OBJ_ROLE:
  86        case AUDIT_OBJ_TYPE:
  87        case AUDIT_OBJ_LEV_LOW:
  88        case AUDIT_OBJ_LEV_HIGH:
  89                kfree(f->lsm_str);
  90                security_audit_rule_free(f->lsm_rule);
  91        }
  92}
  93
  94static inline void audit_free_rule(struct audit_entry *e)
  95{
  96        int i;
  97        struct audit_krule *erule = &e->rule;
  98
  99        /* some rules don't have associated watches */
 100        if (erule->watch)
 101                audit_put_watch(erule->watch);
 102        if (erule->fields)
 103                for (i = 0; i < erule->field_count; i++)
 104                        audit_free_lsm_field(&erule->fields[i]);
 105        kfree(erule->fields);
 106        kfree(erule->filterkey);
 107        kfree(e);
 108}
 109
 110void audit_free_rule_rcu(struct rcu_head *head)
 111{
 112        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
 113        audit_free_rule(e);
 114}
 115
 116/* Initialize an audit filterlist entry. */
 117static inline struct audit_entry *audit_init_entry(u32 field_count)
 118{
 119        struct audit_entry *entry;
 120        struct audit_field *fields;
 121
 122        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 123        if (unlikely(!entry))
 124                return NULL;
 125
 126        fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
 127        if (unlikely(!fields)) {
 128                kfree(entry);
 129                return NULL;
 130        }
 131        entry->rule.fields = fields;
 132
 133        return entry;
 134}
 135
 136/* Unpack a filter field's string representation from user-space
 137 * buffer. */
 138char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 139{
 140        char *str;
 141
 142        if (!*bufp || (len == 0) || (len > *remain))
 143                return ERR_PTR(-EINVAL);
 144
 145        /* Of the currently implemented string fields, PATH_MAX
 146         * defines the longest valid length.
 147         */
 148        if (len > PATH_MAX)
 149                return ERR_PTR(-ENAMETOOLONG);
 150
 151        str = kmalloc(len + 1, GFP_KERNEL);
 152        if (unlikely(!str))
 153                return ERR_PTR(-ENOMEM);
 154
 155        memcpy(str, *bufp, len);
 156        str[len] = 0;
 157        *bufp += len;
 158        *remain -= len;
 159
 160        return str;
 161}
 162
 163/* Translate an inode field to kernel representation. */
 164static inline int audit_to_inode(struct audit_krule *krule,
 165                                 struct audit_field *f)
 166{
 167        if (krule->listnr != AUDIT_FILTER_EXIT ||
 168            krule->inode_f || krule->watch || krule->tree ||
 169            (f->op != Audit_equal && f->op != Audit_not_equal))
 170                return -EINVAL;
 171
 172        krule->inode_f = f;
 173        return 0;
 174}
 175
 176static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 177
 178int __init audit_register_class(int class, unsigned *list)
 179{
 180        __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
 181        if (!p)
 182                return -ENOMEM;
 183        while (*list != ~0U) {
 184                unsigned n = *list++;
 185                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 186                        kfree(p);
 187                        return -EINVAL;
 188                }
 189                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 190        }
 191        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 192                kfree(p);
 193                return -EINVAL;
 194        }
 195        classes[class] = p;
 196        return 0;
 197}
 198
 199int audit_match_class(int class, unsigned syscall)
 200{
 201        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 202                return 0;
 203        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 204                return 0;
 205        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 206}
 207
 208#ifdef CONFIG_AUDITSYSCALL
 209static inline int audit_match_class_bits(int class, u32 *mask)
 210{
 211        int i;
 212
 213        if (classes[class]) {
 214                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 215                        if (mask[i] & classes[class][i])
 216                                return 0;
 217        }
 218        return 1;
 219}
 220
 221static int audit_match_signal(struct audit_entry *entry)
 222{
 223        struct audit_field *arch = entry->rule.arch_f;
 224
 225        if (!arch) {
 226                /* When arch is unspecified, we must check both masks on biarch
 227                 * as syscall number alone is ambiguous. */
 228                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 229                                               entry->rule.mask) &&
 230                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 231                                               entry->rule.mask));
 232        }
 233
 234        switch(audit_classify_arch(arch->val)) {
 235        case 0: /* native */
 236                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 237                                               entry->rule.mask));
 238        case 1: /* 32bit on biarch */
 239                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 240                                               entry->rule.mask));
 241        default:
 242                return 1;
 243        }
 244}
 245#endif
 246
 247/* Common user-space to kernel rule translation. */
 248static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
 249{
 250        unsigned listnr;
 251        struct audit_entry *entry;
 252        int i, err;
 253
 254        err = -EINVAL;
 255        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 256        switch(listnr) {
 257        default:
 258                goto exit_err;
 259#ifdef CONFIG_AUDITSYSCALL
 260        case AUDIT_FILTER_ENTRY:
 261                pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
 262                goto exit_err;
 263        case AUDIT_FILTER_EXIT:
 264        case AUDIT_FILTER_TASK:
 265#endif
 266        case AUDIT_FILTER_USER:
 267        case AUDIT_FILTER_TYPE:
 268        case AUDIT_FILTER_FS:
 269                ;
 270        }
 271        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 272                pr_err("AUDIT_POSSIBLE is deprecated\n");
 273                goto exit_err;
 274        }
 275        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 276                goto exit_err;
 277        if (rule->field_count > AUDIT_MAX_FIELDS)
 278                goto exit_err;
 279
 280        err = -ENOMEM;
 281        entry = audit_init_entry(rule->field_count);
 282        if (!entry)
 283                goto exit_err;
 284
 285        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 286        entry->rule.listnr = listnr;
 287        entry->rule.action = rule->action;
 288        entry->rule.field_count = rule->field_count;
 289
 290        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 291                entry->rule.mask[i] = rule->mask[i];
 292
 293        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 294                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 295                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 296                __u32 *class;
 297
 298                if (!(*p & AUDIT_BIT(bit)))
 299                        continue;
 300                *p &= ~AUDIT_BIT(bit);
 301                class = classes[i];
 302                if (class) {
 303                        int j;
 304                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 305                                entry->rule.mask[j] |= class[j];
 306                }
 307        }
 308
 309        return entry;
 310
 311exit_err:
 312        return ERR_PTR(err);
 313}
 314
 315static u32 audit_ops[] =
 316{
 317        [Audit_equal] = AUDIT_EQUAL,
 318        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 319        [Audit_bitmask] = AUDIT_BIT_MASK,
 320        [Audit_bittest] = AUDIT_BIT_TEST,
 321        [Audit_lt] = AUDIT_LESS_THAN,
 322        [Audit_gt] = AUDIT_GREATER_THAN,
 323        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 324        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 325};
 326
 327static u32 audit_to_op(u32 op)
 328{
 329        u32 n;
 330        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 331                ;
 332        return n;
 333}
 334
 335/* check if an audit field is valid */
 336static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 337{
 338        switch(f->type) {
 339        case AUDIT_MSGTYPE:
 340                if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
 341                    entry->rule.listnr != AUDIT_FILTER_USER)
 342                        return -EINVAL;
 343                break;
 344        case AUDIT_FSTYPE:
 345                if (entry->rule.listnr != AUDIT_FILTER_FS)
 346                        return -EINVAL;
 347                break;
 348        }
 349
 350        switch(entry->rule.listnr) {
 351        case AUDIT_FILTER_FS:
 352                switch(f->type) {
 353                case AUDIT_FSTYPE:
 354                case AUDIT_FILTERKEY:
 355                        break;
 356                default:
 357                        return -EINVAL;
 358                }
 359        }
 360
 361        switch(f->type) {
 362        default:
 363                return -EINVAL;
 364        case AUDIT_UID:
 365        case AUDIT_EUID:
 366        case AUDIT_SUID:
 367        case AUDIT_FSUID:
 368        case AUDIT_LOGINUID:
 369        case AUDIT_OBJ_UID:
 370        case AUDIT_GID:
 371        case AUDIT_EGID:
 372        case AUDIT_SGID:
 373        case AUDIT_FSGID:
 374        case AUDIT_OBJ_GID:
 375        case AUDIT_PID:
 376        case AUDIT_PERS:
 377        case AUDIT_MSGTYPE:
 378        case AUDIT_PPID:
 379        case AUDIT_DEVMAJOR:
 380        case AUDIT_DEVMINOR:
 381        case AUDIT_EXIT:
 382        case AUDIT_SUCCESS:
 383        case AUDIT_INODE:
 384        case AUDIT_SESSIONID:
 385                /* bit ops are only useful on syscall args */
 386                if (f->op == Audit_bitmask || f->op == Audit_bittest)
 387                        return -EINVAL;
 388                break;
 389        case AUDIT_ARG0:
 390        case AUDIT_ARG1:
 391        case AUDIT_ARG2:
 392        case AUDIT_ARG3:
 393        case AUDIT_SUBJ_USER:
 394        case AUDIT_SUBJ_ROLE:
 395        case AUDIT_SUBJ_TYPE:
 396        case AUDIT_SUBJ_SEN:
 397        case AUDIT_SUBJ_CLR:
 398        case AUDIT_OBJ_USER:
 399        case AUDIT_OBJ_ROLE:
 400        case AUDIT_OBJ_TYPE:
 401        case AUDIT_OBJ_LEV_LOW:
 402        case AUDIT_OBJ_LEV_HIGH:
 403        case AUDIT_WATCH:
 404        case AUDIT_DIR:
 405        case AUDIT_FILTERKEY:
 406                break;
 407        case AUDIT_LOGINUID_SET:
 408                if ((f->val != 0) && (f->val != 1))
 409                        return -EINVAL;
 410        /* FALL THROUGH */
 411        case AUDIT_ARCH:
 412        case AUDIT_FSTYPE:
 413                if (f->op != Audit_not_equal && f->op != Audit_equal)
 414                        return -EINVAL;
 415                break;
 416        case AUDIT_PERM:
 417                if (f->val & ~15)
 418                        return -EINVAL;
 419                break;
 420        case AUDIT_FILETYPE:
 421                if (f->val & ~S_IFMT)
 422                        return -EINVAL;
 423                break;
 424        case AUDIT_FIELD_COMPARE:
 425                if (f->val > AUDIT_MAX_FIELD_COMPARE)
 426                        return -EINVAL;
 427                break;
 428        case AUDIT_EXE:
 429                if (f->op != Audit_not_equal && f->op != Audit_equal)
 430                        return -EINVAL;
 431                if (entry->rule.listnr != AUDIT_FILTER_EXIT)
 432                        return -EINVAL;
 433                break;
 434        }
 435        return 0;
 436}
 437
 438/* Translate struct audit_rule_data to kernel's rule representation. */
 439static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 440                                               size_t datasz)
 441{
 442        int err = 0;
 443        struct audit_entry *entry;
 444        void *bufp;
 445        size_t remain = datasz - sizeof(struct audit_rule_data);
 446        int i;
 447        char *str;
 448        struct audit_fsnotify_mark *audit_mark;
 449
 450        entry = audit_to_entry_common(data);
 451        if (IS_ERR(entry))
 452                goto exit_nofree;
 453
 454        bufp = data->buf;
 455        for (i = 0; i < data->field_count; i++) {
 456                struct audit_field *f = &entry->rule.fields[i];
 457
 458                err = -EINVAL;
 459
 460                f->op = audit_to_op(data->fieldflags[i]);
 461                if (f->op == Audit_bad)
 462                        goto exit_free;
 463
 464                f->type = data->fields[i];
 465                f->val = data->values[i];
 466
 467                /* Support legacy tests for a valid loginuid */
 468                if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
 469                        f->type = AUDIT_LOGINUID_SET;
 470                        f->val = 0;
 471                        entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
 472                }
 473
 474                err = audit_field_valid(entry, f);
 475                if (err)
 476                        goto exit_free;
 477
 478                err = -EINVAL;
 479                switch (f->type) {
 480                case AUDIT_LOGINUID:
 481                case AUDIT_UID:
 482                case AUDIT_EUID:
 483                case AUDIT_SUID:
 484                case AUDIT_FSUID:
 485                case AUDIT_OBJ_UID:
 486                        f->uid = make_kuid(current_user_ns(), f->val);
 487                        if (!uid_valid(f->uid))
 488                                goto exit_free;
 489                        break;
 490                case AUDIT_GID:
 491                case AUDIT_EGID:
 492                case AUDIT_SGID:
 493                case AUDIT_FSGID:
 494                case AUDIT_OBJ_GID:
 495                        f->gid = make_kgid(current_user_ns(), f->val);
 496                        if (!gid_valid(f->gid))
 497                                goto exit_free;
 498                        break;
 499                case AUDIT_ARCH:
 500                        entry->rule.arch_f = f;
 501                        break;
 502                case AUDIT_SUBJ_USER:
 503                case AUDIT_SUBJ_ROLE:
 504                case AUDIT_SUBJ_TYPE:
 505                case AUDIT_SUBJ_SEN:
 506                case AUDIT_SUBJ_CLR:
 507                case AUDIT_OBJ_USER:
 508                case AUDIT_OBJ_ROLE:
 509                case AUDIT_OBJ_TYPE:
 510                case AUDIT_OBJ_LEV_LOW:
 511                case AUDIT_OBJ_LEV_HIGH:
 512                        str = audit_unpack_string(&bufp, &remain, f->val);
 513                        if (IS_ERR(str))
 514                                goto exit_free;
 515                        entry->rule.buflen += f->val;
 516
 517                        err = security_audit_rule_init(f->type, f->op, str,
 518                                                       (void **)&f->lsm_rule);
 519                        /* Keep currently invalid fields around in case they
 520                         * become valid after a policy reload. */
 521                        if (err == -EINVAL) {
 522                                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 523                                        str);
 524                                err = 0;
 525                        }
 526                        if (err) {
 527                                kfree(str);
 528                                goto exit_free;
 529                        } else
 530                                f->lsm_str = str;
 531                        break;
 532                case AUDIT_WATCH:
 533                        str = audit_unpack_string(&bufp, &remain, f->val);
 534                        if (IS_ERR(str))
 535                                goto exit_free;
 536                        entry->rule.buflen += f->val;
 537
 538                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 539                        if (err) {
 540                                kfree(str);
 541                                goto exit_free;
 542                        }
 543                        break;
 544                case AUDIT_DIR:
 545                        str = audit_unpack_string(&bufp, &remain, f->val);
 546                        if (IS_ERR(str))
 547                                goto exit_free;
 548                        entry->rule.buflen += f->val;
 549
 550                        err = audit_make_tree(&entry->rule, str, f->op);
 551                        kfree(str);
 552                        if (err)
 553                                goto exit_free;
 554                        break;
 555                case AUDIT_INODE:
 556                        err = audit_to_inode(&entry->rule, f);
 557                        if (err)
 558                                goto exit_free;
 559                        break;
 560                case AUDIT_FILTERKEY:
 561                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 562                                goto exit_free;
 563                        str = audit_unpack_string(&bufp, &remain, f->val);
 564                        if (IS_ERR(str))
 565                                goto exit_free;
 566                        entry->rule.buflen += f->val;
 567                        entry->rule.filterkey = str;
 568                        break;
 569                case AUDIT_EXE:
 570                        if (entry->rule.exe || f->val > PATH_MAX)
 571                                goto exit_free;
 572                        str = audit_unpack_string(&bufp, &remain, f->val);
 573                        if (IS_ERR(str)) {
 574                                err = PTR_ERR(str);
 575                                goto exit_free;
 576                        }
 577                        entry->rule.buflen += f->val;
 578
 579                        audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
 580                        if (IS_ERR(audit_mark)) {
 581                                kfree(str);
 582                                err = PTR_ERR(audit_mark);
 583                                goto exit_free;
 584                        }
 585                        entry->rule.exe = audit_mark;
 586                        break;
 587                }
 588        }
 589
 590        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 591                entry->rule.inode_f = NULL;
 592
 593exit_nofree:
 594        return entry;
 595
 596exit_free:
 597        if (entry->rule.tree)
 598                audit_put_tree(entry->rule.tree); /* that's the temporary one */
 599        if (entry->rule.exe)
 600                audit_remove_mark(entry->rule.exe); /* that's the template one */
 601        audit_free_rule(entry);
 602        return ERR_PTR(err);
 603}
 604
 605/* Pack a filter field's string representation into data block. */
 606static inline size_t audit_pack_string(void **bufp, const char *str)
 607{
 608        size_t len = strlen(str);
 609
 610        memcpy(*bufp, str, len);
 611        *bufp += len;
 612
 613        return len;
 614}
 615
 616/* Translate kernel rule representation to struct audit_rule_data. */
 617static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 618{
 619        struct audit_rule_data *data;
 620        void *bufp;
 621        int i;
 622
 623        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 624        if (unlikely(!data))
 625                return NULL;
 626        memset(data, 0, sizeof(*data));
 627
 628        data->flags = krule->flags | krule->listnr;
 629        data->action = krule->action;
 630        data->field_count = krule->field_count;
 631        bufp = data->buf;
 632        for (i = 0; i < data->field_count; i++) {
 633                struct audit_field *f = &krule->fields[i];
 634
 635                data->fields[i] = f->type;
 636                data->fieldflags[i] = audit_ops[f->op];
 637                switch(f->type) {
 638                case AUDIT_SUBJ_USER:
 639                case AUDIT_SUBJ_ROLE:
 640                case AUDIT_SUBJ_TYPE:
 641                case AUDIT_SUBJ_SEN:
 642                case AUDIT_SUBJ_CLR:
 643                case AUDIT_OBJ_USER:
 644                case AUDIT_OBJ_ROLE:
 645                case AUDIT_OBJ_TYPE:
 646                case AUDIT_OBJ_LEV_LOW:
 647                case AUDIT_OBJ_LEV_HIGH:
 648                        data->buflen += data->values[i] =
 649                                audit_pack_string(&bufp, f->lsm_str);
 650                        break;
 651                case AUDIT_WATCH:
 652                        data->buflen += data->values[i] =
 653                                audit_pack_string(&bufp,
 654                                                  audit_watch_path(krule->watch));
 655                        break;
 656                case AUDIT_DIR:
 657                        data->buflen += data->values[i] =
 658                                audit_pack_string(&bufp,
 659                                                  audit_tree_path(krule->tree));
 660                        break;
 661                case AUDIT_FILTERKEY:
 662                        data->buflen += data->values[i] =
 663                                audit_pack_string(&bufp, krule->filterkey);
 664                        break;
 665                case AUDIT_EXE:
 666                        data->buflen += data->values[i] =
 667                                audit_pack_string(&bufp, audit_mark_path(krule->exe));
 668                        break;
 669                case AUDIT_LOGINUID_SET:
 670                        if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
 671                                data->fields[i] = AUDIT_LOGINUID;
 672                                data->values[i] = AUDIT_UID_UNSET;
 673                                break;
 674                        }
 675                        /* fallthrough if set */
 676                default:
 677                        data->values[i] = f->val;
 678                }
 679        }
 680        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 681
 682        return data;
 683}
 684
 685/* Compare two rules in kernel format.  Considered success if rules
 686 * don't match. */
 687static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 688{
 689        int i;
 690
 691        if (a->flags != b->flags ||
 692            a->pflags != b->pflags ||
 693            a->listnr != b->listnr ||
 694            a->action != b->action ||
 695            a->field_count != b->field_count)
 696                return 1;
 697
 698        for (i = 0; i < a->field_count; i++) {
 699                if (a->fields[i].type != b->fields[i].type ||
 700                    a->fields[i].op != b->fields[i].op)
 701                        return 1;
 702
 703                switch(a->fields[i].type) {
 704                case AUDIT_SUBJ_USER:
 705                case AUDIT_SUBJ_ROLE:
 706                case AUDIT_SUBJ_TYPE:
 707                case AUDIT_SUBJ_SEN:
 708                case AUDIT_SUBJ_CLR:
 709                case AUDIT_OBJ_USER:
 710                case AUDIT_OBJ_ROLE:
 711                case AUDIT_OBJ_TYPE:
 712                case AUDIT_OBJ_LEV_LOW:
 713                case AUDIT_OBJ_LEV_HIGH:
 714                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 715                                return 1;
 716                        break;
 717                case AUDIT_WATCH:
 718                        if (strcmp(audit_watch_path(a->watch),
 719                                   audit_watch_path(b->watch)))
 720                                return 1;
 721                        break;
 722                case AUDIT_DIR:
 723                        if (strcmp(audit_tree_path(a->tree),
 724                                   audit_tree_path(b->tree)))
 725                                return 1;
 726                        break;
 727                case AUDIT_FILTERKEY:
 728                        /* both filterkeys exist based on above type compare */
 729                        if (strcmp(a->filterkey, b->filterkey))
 730                                return 1;
 731                        break;
 732                case AUDIT_EXE:
 733                        /* both paths exist based on above type compare */
 734                        if (strcmp(audit_mark_path(a->exe),
 735                                   audit_mark_path(b->exe)))
 736                                return 1;
 737                        break;
 738                case AUDIT_UID:
 739                case AUDIT_EUID:
 740                case AUDIT_SUID:
 741                case AUDIT_FSUID:
 742                case AUDIT_LOGINUID:
 743                case AUDIT_OBJ_UID:
 744                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 745                                return 1;
 746                        break;
 747                case AUDIT_GID:
 748                case AUDIT_EGID:
 749                case AUDIT_SGID:
 750                case AUDIT_FSGID:
 751                case AUDIT_OBJ_GID:
 752                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 753                                return 1;
 754                        break;
 755                default:
 756                        if (a->fields[i].val != b->fields[i].val)
 757                                return 1;
 758                }
 759        }
 760
 761        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 762                if (a->mask[i] != b->mask[i])
 763                        return 1;
 764
 765        return 0;
 766}
 767
 768/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 769 * re-initialized. */
 770static inline int audit_dupe_lsm_field(struct audit_field *df,
 771                                           struct audit_field *sf)
 772{
 773        int ret = 0;
 774        char *lsm_str;
 775
 776        /* our own copy of lsm_str */
 777        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 778        if (unlikely(!lsm_str))
 779                return -ENOMEM;
 780        df->lsm_str = lsm_str;
 781
 782        /* our own (refreshed) copy of lsm_rule */
 783        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 784                                       (void **)&df->lsm_rule);
 785        /* Keep currently invalid fields around in case they
 786         * become valid after a policy reload. */
 787        if (ret == -EINVAL) {
 788                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 789                        df->lsm_str);
 790                ret = 0;
 791        }
 792
 793        return ret;
 794}
 795
 796/* Duplicate an audit rule.  This will be a deep copy with the exception
 797 * of the watch - that pointer is carried over.  The LSM specific fields
 798 * will be updated in the copy.  The point is to be able to replace the old
 799 * rule with the new rule in the filterlist, then free the old rule.
 800 * The rlist element is undefined; list manipulations are handled apart from
 801 * the initial copy. */
 802struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 803{
 804        u32 fcount = old->field_count;
 805        struct audit_entry *entry;
 806        struct audit_krule *new;
 807        char *fk;
 808        int i, err = 0;
 809
 810        entry = audit_init_entry(fcount);
 811        if (unlikely(!entry))
 812                return ERR_PTR(-ENOMEM);
 813
 814        new = &entry->rule;
 815        new->flags = old->flags;
 816        new->pflags = old->pflags;
 817        new->listnr = old->listnr;
 818        new->action = old->action;
 819        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 820                new->mask[i] = old->mask[i];
 821        new->prio = old->prio;
 822        new->buflen = old->buflen;
 823        new->inode_f = old->inode_f;
 824        new->field_count = old->field_count;
 825
 826        /*
 827         * note that we are OK with not refcounting here; audit_match_tree()
 828         * never dereferences tree and we can't get false positives there
 829         * since we'd have to have rule gone from the list *and* removed
 830         * before the chunks found by lookup had been allocated, i.e. before
 831         * the beginning of list scan.
 832         */
 833        new->tree = old->tree;
 834        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 835
 836        /* deep copy this information, updating the lsm_rule fields, because
 837         * the originals will all be freed when the old rule is freed. */
 838        for (i = 0; i < fcount; i++) {
 839                switch (new->fields[i].type) {
 840                case AUDIT_SUBJ_USER:
 841                case AUDIT_SUBJ_ROLE:
 842                case AUDIT_SUBJ_TYPE:
 843                case AUDIT_SUBJ_SEN:
 844                case AUDIT_SUBJ_CLR:
 845                case AUDIT_OBJ_USER:
 846                case AUDIT_OBJ_ROLE:
 847                case AUDIT_OBJ_TYPE:
 848                case AUDIT_OBJ_LEV_LOW:
 849                case AUDIT_OBJ_LEV_HIGH:
 850                        err = audit_dupe_lsm_field(&new->fields[i],
 851                                                       &old->fields[i]);
 852                        break;
 853                case AUDIT_FILTERKEY:
 854                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 855                        if (unlikely(!fk))
 856                                err = -ENOMEM;
 857                        else
 858                                new->filterkey = fk;
 859                        break;
 860                case AUDIT_EXE:
 861                        err = audit_dupe_exe(new, old);
 862                        break;
 863                }
 864                if (err) {
 865                        if (new->exe)
 866                                audit_remove_mark(new->exe);
 867                        audit_free_rule(entry);
 868                        return ERR_PTR(err);
 869                }
 870        }
 871
 872        if (old->watch) {
 873                audit_get_watch(old->watch);
 874                new->watch = old->watch;
 875        }
 876
 877        return entry;
 878}
 879
 880/* Find an existing audit rule.
 881 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 882static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 883                                           struct list_head **p)
 884{
 885        struct audit_entry *e, *found = NULL;
 886        struct list_head *list;
 887        int h;
 888
 889        if (entry->rule.inode_f) {
 890                h = audit_hash_ino(entry->rule.inode_f->val);
 891                *p = list = &audit_inode_hash[h];
 892        } else if (entry->rule.watch) {
 893                /* we don't know the inode number, so must walk entire hash */
 894                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 895                        list = &audit_inode_hash[h];
 896                        list_for_each_entry(e, list, list)
 897                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 898                                        found = e;
 899                                        goto out;
 900                                }
 901                }
 902                goto out;
 903        } else {
 904                *p = list = &audit_filter_list[entry->rule.listnr];
 905        }
 906
 907        list_for_each_entry(e, list, list)
 908                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 909                        found = e;
 910                        goto out;
 911                }
 912
 913out:
 914        return found;
 915}
 916
 917static u64 prio_low = ~0ULL/2;
 918static u64 prio_high = ~0ULL/2 - 1;
 919
 920/* Add rule to given filterlist if not a duplicate. */
 921static inline int audit_add_rule(struct audit_entry *entry)
 922{
 923        struct audit_entry *e;
 924        struct audit_watch *watch = entry->rule.watch;
 925        struct audit_tree *tree = entry->rule.tree;
 926        struct list_head *list;
 927        int err = 0;
 928#ifdef CONFIG_AUDITSYSCALL
 929        int dont_count = 0;
 930
 931        /* If any of these, don't count towards total */
 932        switch(entry->rule.listnr) {
 933        case AUDIT_FILTER_USER:
 934        case AUDIT_FILTER_TYPE:
 935        case AUDIT_FILTER_FS:
 936                dont_count = 1;
 937        }
 938#endif
 939
 940        mutex_lock(&audit_filter_mutex);
 941        e = audit_find_rule(entry, &list);
 942        if (e) {
 943                mutex_unlock(&audit_filter_mutex);
 944                err = -EEXIST;
 945                /* normally audit_add_tree_rule() will free it on failure */
 946                if (tree)
 947                        audit_put_tree(tree);
 948                return err;
 949        }
 950
 951        if (watch) {
 952                /* audit_filter_mutex is dropped and re-taken during this call */
 953                err = audit_add_watch(&entry->rule, &list);
 954                if (err) {
 955                        mutex_unlock(&audit_filter_mutex);
 956                        /*
 957                         * normally audit_add_tree_rule() will free it
 958                         * on failure
 959                         */
 960                        if (tree)
 961                                audit_put_tree(tree);
 962                        return err;
 963                }
 964        }
 965        if (tree) {
 966                err = audit_add_tree_rule(&entry->rule);
 967                if (err) {
 968                        mutex_unlock(&audit_filter_mutex);
 969                        return err;
 970                }
 971        }
 972
 973        entry->rule.prio = ~0ULL;
 974        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 975                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 976                        entry->rule.prio = ++prio_high;
 977                else
 978                        entry->rule.prio = --prio_low;
 979        }
 980
 981        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 982                list_add(&entry->rule.list,
 983                         &audit_rules_list[entry->rule.listnr]);
 984                list_add_rcu(&entry->list, list);
 985                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 986        } else {
 987                list_add_tail(&entry->rule.list,
 988                              &audit_rules_list[entry->rule.listnr]);
 989                list_add_tail_rcu(&entry->list, list);
 990        }
 991#ifdef CONFIG_AUDITSYSCALL
 992        if (!dont_count)
 993                audit_n_rules++;
 994
 995        if (!audit_match_signal(entry))
 996                audit_signals++;
 997#endif
 998        mutex_unlock(&audit_filter_mutex);
 999
1000        return err;

1001}
1002
1003/* Remove an existing rule from filterlist. */
1004int audit_del_rule(struct audit_entry *entry)
1005{
1006        struct audit_entry  *e;
1007        struct audit_tree *tree = entry->rule.tree;
1008        struct list_head *list;
1009        int ret = 0;
1010#ifdef CONFIG_AUDITSYSCALL
1011        int dont_count = 0;
1012
1013        /* If any of these, don't count towards total */
1014        switch(entry->rule.listnr) {
1015        case AUDIT_FILTER_USER:
1016        case AUDIT_FILTER_TYPE:
1017        case AUDIT_FILTER_FS:
1018                dont_count = 1;
1019        }
1020#endif
1021
1022        mutex_lock(&audit_filter_mutex);
1023        e = audit_find_rule(entry, &list);
1024        if (!e) {
1025                ret = -ENOENT;
1026                goto out;
1027        }
1028
1029        if (e->rule.watch)
1030                audit_remove_watch_rule(&e->rule);
1031
1032        if (e->rule.tree)
1033                audit_remove_tree_rule(&e->rule);
1034
1035        if (e->rule.exe)
1036                audit_remove_mark_rule(&e->rule);
1037
1038#ifdef CONFIG_AUDITSYSCALL
1039        if (!dont_count)
1040                audit_n_rules--;
1041
1042        if (!audit_match_signal(entry))
1043                audit_signals--;
1044#endif
1045
1046        list_del_rcu(&e->list);
1047        list_del(&e->rule.list);
1048        call_rcu(&e->rcu, audit_free_rule_rcu);
1049
1050out:
1051        mutex_unlock(&audit_filter_mutex);
1052
1053        if (tree)
1054                audit_put_tree(tree);   /* that's the temporary one */
1055
1056        return ret;
1057}
1058
1059/* List rules using struct audit_rule_data. */
1060static void audit_list_rules(int seq, struct sk_buff_head *q)
1061{
1062        struct sk_buff *skb;
1063        struct audit_krule *r;
1064        int i;
1065
1066        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1067         * iterator to sync with list writers. */
1068        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1069                list_for_each_entry(r, &audit_rules_list[i], list) {
1070                        struct audit_rule_data *data;
1071
1072                        data = audit_krule_to_data(r);
1073                        if (unlikely(!data))
1074                                break;
1075                        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
1076                                               data,
1077                                               sizeof(*data) + data->buflen);
1078                        if (skb)
1079                                skb_queue_tail(q, skb);
1080                        kfree(data);
1081                }
1082        }
1083        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1084        if (skb)
1085                skb_queue_tail(q, skb);
1086}
1087
1088/* Log rule additions and removals */
1089static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1090{
1091        struct audit_buffer *ab;
1092
1093        if (!audit_enabled)
1094                return;
1095
1096        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1097        if (!ab)
1098                return;
1099        audit_log_session_info(ab);
1100        audit_log_task_context(ab);
1101        audit_log_format(ab, " op=%s", action);
1102        audit_log_key(ab, rule->filterkey);
1103        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1104        audit_log_end(ab);
1105}
1106
1107/**
1108 * audit_rule_change - apply all rules to the specified message type
1109 * @type: audit message type
1110 * @seq: netlink audit message sequence (serial) number
1111 * @data: payload data
1112 * @datasz: size of payload data
1113 */
1114int audit_rule_change(int type, int seq, void *data, size_t datasz)
1115{
1116        int err = 0;
1117        struct audit_entry *entry;
1118
1119        entry = audit_data_to_entry(data, datasz);
1120        if (IS_ERR(entry))
1121                return PTR_ERR(entry);
1122
1123        switch (type) {
1124        case AUDIT_ADD_RULE:
1125                err = audit_add_rule(entry);
1126                audit_log_rule_change("add_rule", &entry->rule, !err);
1127                break;
1128        case AUDIT_DEL_RULE:
1129                err = audit_del_rule(entry);
1130                audit_log_rule_change("remove_rule", &entry->rule, !err);
1131                break;
1132        default:
1133                err = -EINVAL;
1134                WARN_ON(1);
1135        }
1136
1137        if (err || type == AUDIT_DEL_RULE) {
1138                if (entry->rule.exe)
1139                        audit_remove_mark(entry->rule.exe);
1140                audit_free_rule(entry);
1141        }
1142
1143        return err;
1144}
1145
1146/**
1147 * audit_list_rules_send - list the audit rules
1148 * @request_skb: skb of request we are replying to (used to target the reply)
1149 * @seq: netlink audit message sequence (serial) number
1150 */
1151int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1152{
1153        u32 portid = NETLINK_CB(request_skb).portid;
1154        struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1155        struct task_struct *tsk;
1156        struct audit_netlink_list *dest;
1157        int err = 0;
1158
1159        /* We can't just spew out the rules here because we might fill
1160         * the available socket buffer space and deadlock waiting for
1161         * auditctl to read from it... which isn't ever going to
1162         * happen if we're actually running in the context of auditctl
1163         * trying to _send_ the stuff */
1164
1165        dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1166        if (!dest)
1167                return -ENOMEM;
1168        dest->net = get_net(net);
1169        dest->portid = portid;
1170        skb_queue_head_init(&dest->q);
1171
1172        mutex_lock(&audit_filter_mutex);
1173        audit_list_rules(seq, &dest->q);
1174        mutex_unlock(&audit_filter_mutex);
1175
1176        tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1177        if (IS_ERR(tsk)) {
1178                skb_queue_purge(&dest->q);
1179                kfree(dest);
1180                err = PTR_ERR(tsk);
1181        }
1182
1183        return err;
1184}
1185
1186int audit_comparator(u32 left, u32 op, u32 right)
1187{
1188        switch (op) {
1189        case Audit_equal:
1190                return (left == right);
1191        case Audit_not_equal:
1192                return (left != right);
1193        case Audit_lt:
1194                return (left < right);
1195        case Audit_le:
1196                return (left <= right);
1197        case Audit_gt:
1198                return (left > right);
1199        case Audit_ge:
1200                return (left >= right);
1201        case Audit_bitmask:
1202                return (left & right);
1203        case Audit_bittest:
1204                return ((left & right) == right);
1205        default:
1206                BUG();
1207                return 0;
1208        }
1209}
1210
1211int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1212{
1213        switch (op) {
1214        case Audit_equal:
1215                return uid_eq(left, right);
1216        case Audit_not_equal:
1217                return !uid_eq(left, right);
1218        case Audit_lt:
1219                return uid_lt(left, right);
1220        case Audit_le:
1221                return uid_lte(left, right);
1222        case Audit_gt:
1223                return uid_gt(left, right);
1224        case Audit_ge:
1225                return uid_gte(left, right);
1226        case Audit_bitmask:
1227        case Audit_bittest:
1228        default:
1229                BUG();
1230                return 0;
1231        }
1232}
1233
1234int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1235{
1236        switch (op) {
1237        case Audit_equal:
1238                return gid_eq(left, right);
1239        case Audit_not_equal:
1240                return !gid_eq(left, right);
1241        case Audit_lt:
1242                return gid_lt(left, right);
1243        case Audit_le:
1244                return gid_lte(left, right);
1245        case Audit_gt:
1246                return gid_gt(left, right);
1247        case Audit_ge:
1248                return gid_gte(left, right);
1249        case Audit_bitmask:
1250        case Audit_bittest:
1251        default:
1252                BUG();
1253                return 0;
1254        }
1255}
1256
1257/**
1258 * parent_len - find the length of the parent portion of a pathname
1259 * @path: pathname of which to determine length
1260 */
1261int parent_len(const char *path)
1262{
1263        int plen;
1264        const char *p;
1265
1266        plen = strlen(path);
1267
1268        if (plen == 0)
1269                return plen;
1270
1271        /* disregard trailing slashes */
1272        p = path + plen - 1;
1273        while ((*p == '/') && (p > path))
1274                p--;
1275
1276        /* walk backward until we find the next slash or hit beginning */
1277        while ((*p != '/') && (p > path))
1278                p--;
1279
1280        /* did we find a slash? Then increment to include it in path */
1281        if (*p == '/')
1282                p++;
1283
1284        return p - path;
1285}
1286
1287/**
1288 * audit_compare_dname_path - compare given dentry name with last component in
1289 *                            given path. Return of 0 indicates a match.
1290 * @dname:      dentry name that we're comparing
1291 * @path:       full pathname that we're comparing
1292 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1293 *              here indicates that we must compute this value.
1294 */
1295int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1296{
1297        int dlen, pathlen;
1298        const char *p;
1299
1300        dlen = strlen(dname);
1301        pathlen = strlen(path);
1302        if (pathlen < dlen)
1303                return 1;
1304
1305        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1306        if (pathlen - parentlen != dlen)
1307                return 1;
1308
1309        p = path + parentlen;
1310
1311        return strncmp(p, dname, dlen);
1312}
1313
1314int audit_filter(int msgtype, unsigned int listtype)
1315{
1316        struct audit_entry *e;
1317        int ret = 1; /* Audit by default */
1318
1319        rcu_read_lock();
1320        if (list_empty(&audit_filter_list[listtype]))
1321                goto unlock_and_return;
1322        list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1323                int i, result = 0;
1324
1325                for (i = 0; i < e->rule.field_count; i++) {
1326                        struct audit_field *f = &e->rule.fields[i];
1327                        pid_t pid;
1328                        u32 sid;
1329
1330                        switch (f->type) {
1331                        case AUDIT_PID:
1332                                pid = task_pid_nr(current);
1333                                result = audit_comparator(pid, f->op, f->val);
1334                                break;
1335                        case AUDIT_UID:
1336                                result = audit_uid_comparator(current_uid(), f->op, f->uid);
1337                                break;
1338                        case AUDIT_GID:
1339                                result = audit_gid_comparator(current_gid(), f->op, f->gid);
1340                                break;
1341                        case AUDIT_LOGINUID:
1342                                result = audit_uid_comparator(audit_get_loginuid(current),
1343                                                              f->op, f->uid);
1344                                break;
1345                        case AUDIT_LOGINUID_SET:
1346                                result = audit_comparator(audit_loginuid_set(current),
1347                                                          f->op, f->val);
1348                                break;
1349                        case AUDIT_MSGTYPE:
1350                                result = audit_comparator(msgtype, f->op, f->val);
1351                                break;
1352                        case AUDIT_SUBJ_USER:
1353                        case AUDIT_SUBJ_ROLE:
1354                        case AUDIT_SUBJ_TYPE:
1355                        case AUDIT_SUBJ_SEN:
1356                        case AUDIT_SUBJ_CLR:
1357                                if (f->lsm_rule) {
1358                                        security_task_getsecid(current, &sid);
1359                                        result = security_audit_rule_match(sid,
1360                                                        f->type, f->op, f->lsm_rule, NULL);
1361                                }
1362                                break;
1363                        default:
1364                                goto unlock_and_return;
1365                        }
1366                        if (result < 0) /* error */
1367                                goto unlock_and_return;
1368                        if (!result)
1369                                break;
1370                }
1371                if (result > 0) {
1372                        if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
1373                                ret = 0;
1374                        break;
1375                }
1376        }
1377unlock_and_return:
1378        rcu_read_unlock();
1379        return ret;
1380}
1381
1382static int update_lsm_rule(struct audit_krule *r)
1383{
1384        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1385        struct audit_entry *nentry;
1386        int err = 0;
1387
1388        if (!security_audit_rule_known(r))
1389                return 0;
1390
1391        nentry = audit_dupe_rule(r);
1392        if (entry->rule.exe)
1393                audit_remove_mark(entry->rule.exe);
1394        if (IS_ERR(nentry)) {
1395                /* save the first error encountered for the
1396                 * return value */
1397                err = PTR_ERR(nentry);
1398                audit_panic("error updating LSM filters");
1399                if (r->watch)
1400                        list_del(&r->rlist);
1401                list_del_rcu(&entry->list);
1402                list_del(&r->list);
1403        } else {
1404                if (r->watch || r->tree)
1405                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1406                list_replace_rcu(&entry->list, &nentry->list);
1407                list_replace(&r->list, &nentry->rule.list);
1408        }
1409        call_rcu(&entry->rcu, audit_free_rule_rcu);
1410
1411        return err;
1412}
1413
1414/* This function will re-initialize the lsm_rule field of all applicable rules.
1415 * It will traverse the filter lists serarching for rules that contain LSM
1416 * specific filter fields.  When such a rule is found, it is copied, the
1417 * LSM field is re-initialized, and the old rule is replaced with the
1418 * updated rule. */
1419int audit_update_lsm_rules(void)
1420{
1421        struct audit_krule *r, *n;
1422        int i, err = 0;
1423
1424        /* audit_filter_mutex synchronizes the writers */
1425        mutex_lock(&audit_filter_mutex);
1426
1427        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1428                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1429                        int res = update_lsm_rule(r);
1430                        if (!err)
1431                                err = res;
1432                }
1433        }
1434        mutex_unlock(&audit_filter_mutex);
1435
1436        return err;
1437}
1438