LXR linux/kernel/auditfilter.c

   1/* auditfilter.c -- filtering of audit events
   2 *
   3 * Copyright 2003-2004 Red Hat, Inc.
   4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   5 * Copyright 2005 IBM Corporation
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 */
  21
  22#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  23
  24#include <linux/kernel.h>
  25#include <linux/audit.h>
  26#include <linux/kthread.h>
  27#include <linux/mutex.h>
  28#include <linux/fs.h>
  29#include <linux/namei.h>
  30#include <linux/netlink.h>
  31#include <linux/sched.h>
  32#include <linux/slab.h>
  33#include <linux/security.h>
  34#include <net/net_namespace.h>
  35#include <net/sock.h>
  36#include "audit.h"
  37
  38/*
  39 * Locking model:
  40 *
  41 * audit_filter_mutex:
  42 *              Synchronizes writes and blocking reads of audit's filterlist
  43 *              data.  Rcu is used to traverse the filterlist and access
  44 *              contents of structs audit_entry, audit_watch and opaque
  45 *              LSM rules during filtering.  If modified, these structures
  46 *              must be copied and replace their counterparts in the filterlist.
  47 *              An audit_parent struct is not accessed during filtering, so may
  48 *              be written directly provided audit_filter_mutex is held.
  49 */
  50
  51/* Audit filter lists, defined in <linux/audit.h> */
  52struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  53        LIST_HEAD_INIT(audit_filter_list[0]),
  54        LIST_HEAD_INIT(audit_filter_list[1]),
  55        LIST_HEAD_INIT(audit_filter_list[2]),
  56        LIST_HEAD_INIT(audit_filter_list[3]),
  57        LIST_HEAD_INIT(audit_filter_list[4]),
  58        LIST_HEAD_INIT(audit_filter_list[5]),
  59        LIST_HEAD_INIT(audit_filter_list[6]),
  60#if AUDIT_NR_FILTERS != 7
  61#error Fix audit_filter_list initialiser
  62#endif
  63};
  64static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  65        LIST_HEAD_INIT(audit_rules_list[0]),
  66        LIST_HEAD_INIT(audit_rules_list[1]),
  67        LIST_HEAD_INIT(audit_rules_list[2]),
  68        LIST_HEAD_INIT(audit_rules_list[3]),
  69        LIST_HEAD_INIT(audit_rules_list[4]),
  70        LIST_HEAD_INIT(audit_rules_list[5]),
  71        LIST_HEAD_INIT(audit_rules_list[6]),
  72};
  73
  74DEFINE_MUTEX(audit_filter_mutex);
  75
  76static void audit_free_lsm_field(struct audit_field *f)
  77{
  78        switch (f->type) {
  79        case AUDIT_SUBJ_USER:
  80        case AUDIT_SUBJ_ROLE:
  81        case AUDIT_SUBJ_TYPE:
  82        case AUDIT_SUBJ_SEN:
  83        case AUDIT_SUBJ_CLR:
  84        case AUDIT_OBJ_USER:
  85        case AUDIT_OBJ_ROLE:
  86        case AUDIT_OBJ_TYPE:
  87        case AUDIT_OBJ_LEV_LOW:
  88        case AUDIT_OBJ_LEV_HIGH:
  89                kfree(f->lsm_str);
  90                security_audit_rule_free(f->lsm_rule);
  91        }
  92}
  93
  94static inline void audit_free_rule(struct audit_entry *e)
  95{
  96        int i;
  97        struct audit_krule *erule = &e->rule;
  98
  99        /* some rules don't have associated watches */
 100        if (erule->watch)
 101                audit_put_watch(erule->watch);
 102        if (erule->fields)
 103                for (i = 0; i < erule->field_count; i++)
 104                        audit_free_lsm_field(&erule->fields[i]);
 105        kfree(erule->fields);
 106        kfree(erule->filterkey);
 107        kfree(e);
 108}
 109
 110void audit_free_rule_rcu(struct rcu_head *head)
 111{
 112        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
 113        audit_free_rule(e);
 114}
 115
 116/* Initialize an audit filterlist entry. */
 117static inline struct audit_entry *audit_init_entry(u32 field_count)
 118{
 119        struct audit_entry *entry;
 120        struct audit_field *fields;
 121
 122        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 123        if (unlikely(!entry))
 124                return NULL;
 125
 126        fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
 127        if (unlikely(!fields)) {
 128                kfree(entry);
 129                return NULL;
 130        }
 131        entry->rule.fields = fields;
 132
 133        return entry;
 134}
 135
 136/* Unpack a filter field's string representation from user-space
 137 * buffer. */
 138char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 139{
 140        char *str;
 141
 142        if (!*bufp || (len == 0) || (len > *remain))
 143                return ERR_PTR(-EINVAL);
 144
 145        /* Of the currently implemented string fields, PATH_MAX
 146         * defines the longest valid length.
 147         */
 148        if (len > PATH_MAX)
 149                return ERR_PTR(-ENAMETOOLONG);
 150
 151        str = kmalloc(len + 1, GFP_KERNEL);
 152        if (unlikely(!str))
 153                return ERR_PTR(-ENOMEM);
 154
 155        memcpy(str, *bufp, len);
 156        str[len] = 0;
 157        *bufp += len;
 158        *remain -= len;
 159
 160        return str;
 161}
 162
 163/* Translate an inode field to kernel representation. */
 164static inline int audit_to_inode(struct audit_krule *krule,
 165                                 struct audit_field *f)
 166{
 167        if (krule->listnr != AUDIT_FILTER_EXIT ||
 168            krule->inode_f || krule->watch || krule->tree ||
 169            (f->op != Audit_equal && f->op != Audit_not_equal))
 170                return -EINVAL;
 171
 172        krule->inode_f = f;
 173        return 0;
 174}
 175
 176static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 177
 178int __init audit_register_class(int class, unsigned *list)
 179{
 180        __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
 181        if (!p)
 182                return -ENOMEM;
 183        while (*list != ~0U) {
 184                unsigned n = *list++;
 185                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 186                        kfree(p);
 187                        return -EINVAL;
 188                }
 189                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 190        }
 191        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 192                kfree(p);
 193                return -EINVAL;
 194        }
 195        classes[class] = p;
 196        return 0;
 197}
 198
 199int audit_match_class(int class, unsigned syscall)
 200{
 201        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 202                return 0;
 203        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 204                return 0;
 205        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 206}
 207
 208#ifdef CONFIG_AUDITSYSCALL
 209static inline int audit_match_class_bits(int class, u32 *mask)
 210{
 211        int i;
 212
 213        if (classes[class]) {
 214                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 215                        if (mask[i] & classes[class][i])
 216                                return 0;
 217        }
 218        return 1;
 219}
 220
 221static int audit_match_signal(struct audit_entry *entry)
 222{
 223        struct audit_field *arch = entry->rule.arch_f;
 224
 225        if (!arch) {
 226                /* When arch is unspecified, we must check both masks on biarch
 227                 * as syscall number alone is ambiguous. */
 228                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 229                                               entry->rule.mask) &&
 230                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 231                                               entry->rule.mask));
 232        }
 233
 234        switch(audit_classify_arch(arch->val)) {
 235        case 0: /* native */
 236                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 237                                               entry->rule.mask));
 238        case 1: /* 32bit on biarch */
 239                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 240                                               entry->rule.mask));
 241        default:
 242                return 1;
 243        }
 244}
 245#endif
 246
 247/* Common user-space to kernel rule translation. */
 248static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
 249{
 250        unsigned listnr;
 251        struct audit_entry *entry;
 252        int i, err;
 253
 254        err = -EINVAL;
 255        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 256        switch(listnr) {
 257        default:
 258                goto exit_err;
 259#ifdef CONFIG_AUDITSYSCALL
 260        case AUDIT_FILTER_ENTRY:
 261                pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
 262                goto exit_err;
 263        case AUDIT_FILTER_EXIT:
 264        case AUDIT_FILTER_TASK:
 265#endif
 266        case AUDIT_FILTER_USER:
 267        case AUDIT_FILTER_EXCLUDE:
 268        case AUDIT_FILTER_FS:
 269                ;
 270        }
 271        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 272                pr_err("AUDIT_POSSIBLE is deprecated\n");
 273                goto exit_err;
 274        }
 275        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 276                goto exit_err;
 277        if (rule->field_count > AUDIT_MAX_FIELDS)
 278                goto exit_err;
 279
 280        err = -ENOMEM;
 281        entry = audit_init_entry(rule->field_count);
 282        if (!entry)
 283                goto exit_err;
 284
 285        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 286        entry->rule.listnr = listnr;
 287        entry->rule.action = rule->action;
 288        entry->rule.field_count = rule->field_count;
 289
 290        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 291                entry->rule.mask[i] = rule->mask[i];
 292
 293        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 294                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 295                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 296                __u32 *class;
 297
 298                if (!(*p & AUDIT_BIT(bit)))
 299                        continue;
 300                *p &= ~AUDIT_BIT(bit);
 301                class = classes[i];
 302                if (class) {
 303                        int j;
 304                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 305                                entry->rule.mask[j] |= class[j];
 306                }
 307        }
 308
 309        return entry;
 310
 311exit_err:
 312        return ERR_PTR(err);
 313}
 314
 315static u32 audit_ops[] =
 316{
 317        [Audit_equal] = AUDIT_EQUAL,
 318        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 319        [Audit_bitmask] = AUDIT_BIT_MASK,
 320        [Audit_bittest] = AUDIT_BIT_TEST,
 321        [Audit_lt] = AUDIT_LESS_THAN,
 322        [Audit_gt] = AUDIT_GREATER_THAN,
 323        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 324        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 325};
 326
 327static u32 audit_to_op(u32 op)
 328{
 329        u32 n;
 330        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 331                ;
 332        return n;
 333}
 334
 335/* check if an audit field is valid */
 336static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 337{
 338        switch(f->type) {
 339        case AUDIT_MSGTYPE:
 340                if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
 341                    entry->rule.listnr != AUDIT_FILTER_USER)
 342                        return -EINVAL;
 343                break;
 344        case AUDIT_FSTYPE:
 345                if (entry->rule.listnr != AUDIT_FILTER_FS)
 346                        return -EINVAL;
 347                break;
 348        }
 349
 350        switch(entry->rule.listnr) {
 351        case AUDIT_FILTER_FS:
 352                switch(f->type) {
 353                case AUDIT_FSTYPE:
 354                case AUDIT_FILTERKEY:
 355                        break;
 356                default:
 357                        return -EINVAL;
 358                }
 359        }
 360
 361        switch(f->type) {
 362        default:
 363                return -EINVAL;
 364        case AUDIT_UID:
 365        case AUDIT_EUID:
 366        case AUDIT_SUID:
 367        case AUDIT_FSUID:
 368        case AUDIT_LOGINUID:
 369        case AUDIT_OBJ_UID:
 370        case AUDIT_GID:
 371        case AUDIT_EGID:
 372        case AUDIT_SGID:
 373        case AUDIT_FSGID:
 374        case AUDIT_OBJ_GID:
 375        case AUDIT_PID:
 376        case AUDIT_PERS:
 377        case AUDIT_MSGTYPE:
 378        case AUDIT_PPID:
 379        case AUDIT_DEVMAJOR:
 380        case AUDIT_DEVMINOR:
 381        case AUDIT_EXIT:
 382        case AUDIT_SUCCESS:
 383        case AUDIT_INODE:
 384        case AUDIT_SESSIONID:
 385                /* bit ops are only useful on syscall args */
 386                if (f->op == Audit_bitmask || f->op == Audit_bittest)
 387                        return -EINVAL;
 388                break;
 389        case AUDIT_ARG0:
 390        case AUDIT_ARG1:
 391        case AUDIT_ARG2:
 392        case AUDIT_ARG3:
 393        case AUDIT_SUBJ_USER:
 394        case AUDIT_SUBJ_ROLE:
 395        case AUDIT_SUBJ_TYPE:
 396        case AUDIT_SUBJ_SEN:
 397        case AUDIT_SUBJ_CLR:
 398        case AUDIT_OBJ_USER:
 399        case AUDIT_OBJ_ROLE:
 400        case AUDIT_OBJ_TYPE:
 401        case AUDIT_OBJ_LEV_LOW:
 402        case AUDIT_OBJ_LEV_HIGH:
 403        case AUDIT_WATCH:
 404        case AUDIT_DIR:
 405        case AUDIT_FILTERKEY:
 406                break;
 407        case AUDIT_LOGINUID_SET:
 408                if ((f->val != 0) && (f->val != 1))
 409                        return -EINVAL;
 410        /* FALL THROUGH */
 411        case AUDIT_ARCH:
 412        case AUDIT_FSTYPE:
 413                if (f->op != Audit_not_equal && f->op != Audit_equal)
 414                        return -EINVAL;
 415                break;
 416        case AUDIT_PERM:
 417                if (f->val & ~15)
 418                        return -EINVAL;
 419                break;
 420        case AUDIT_FILETYPE:
 421                if (f->val & ~S_IFMT)
 422                        return -EINVAL;
 423                break;
 424        case AUDIT_FIELD_COMPARE:
 425                if (f->val > AUDIT_MAX_FIELD_COMPARE)
 426                        return -EINVAL;
 427                break;
 428        case AUDIT_EXE:
 429                if (f->op != Audit_not_equal && f->op != Audit_equal)
 430                        return -EINVAL;
 431                break;
 432        }
 433        return 0;
 434}
 435
 436/* Translate struct audit_rule_data to kernel's rule representation. */
 437static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 438                                               size_t datasz)
 439{
 440        int err = 0;
 441        struct audit_entry *entry;
 442        void *bufp;
 443        size_t remain = datasz - sizeof(struct audit_rule_data);
 444        int i;
 445        char *str;
 446        struct audit_fsnotify_mark *audit_mark;
 447
 448        entry = audit_to_entry_common(data);
 449        if (IS_ERR(entry))
 450                goto exit_nofree;
 451
 452        bufp = data->buf;
 453        for (i = 0; i < data->field_count; i++) {
 454                struct audit_field *f = &entry->rule.fields[i];
 455
 456                err = -EINVAL;
 457
 458                f->op = audit_to_op(data->fieldflags[i]);
 459                if (f->op == Audit_bad)
 460                        goto exit_free;
 461
 462                f->type = data->fields[i];
 463                f->val = data->values[i];
 464
 465                /* Support legacy tests for a valid loginuid */
 466                if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
 467                        f->type = AUDIT_LOGINUID_SET;
 468                        f->val = 0;
 469                        entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
 470                }
 471
 472                err = audit_field_valid(entry, f);
 473                if (err)
 474                        goto exit_free;
 475
 476                err = -EINVAL;
 477                switch (f->type) {
 478                case AUDIT_LOGINUID:
 479                case AUDIT_UID:
 480                case AUDIT_EUID:
 481                case AUDIT_SUID:
 482                case AUDIT_FSUID:
 483                case AUDIT_OBJ_UID:
 484                        f->uid = make_kuid(current_user_ns(), f->val);
 485                        if (!uid_valid(f->uid))
 486                                goto exit_free;
 487                        break;
 488                case AUDIT_GID:
 489                case AUDIT_EGID:
 490                case AUDIT_SGID:
 491                case AUDIT_FSGID:
 492                case AUDIT_OBJ_GID:
 493                        f->gid = make_kgid(current_user_ns(), f->val);
 494                        if (!gid_valid(f->gid))
 495                                goto exit_free;
 496                        break;
 497                case AUDIT_ARCH:
 498                        entry->rule.arch_f = f;
 499                        break;
 500                case AUDIT_SUBJ_USER:
 501                case AUDIT_SUBJ_ROLE:
 502                case AUDIT_SUBJ_TYPE:
 503                case AUDIT_SUBJ_SEN:
 504                case AUDIT_SUBJ_CLR:
 505                case AUDIT_OBJ_USER:
 506                case AUDIT_OBJ_ROLE:
 507                case AUDIT_OBJ_TYPE:
 508                case AUDIT_OBJ_LEV_LOW:
 509                case AUDIT_OBJ_LEV_HIGH:
 510                        str = audit_unpack_string(&bufp, &remain, f->val);
 511                        if (IS_ERR(str))
 512                                goto exit_free;
 513                        entry->rule.buflen += f->val;
 514
 515                        err = security_audit_rule_init(f->type, f->op, str,
 516                                                       (void **)&f->lsm_rule);
 517                        /* Keep currently invalid fields around in case they
 518                         * become valid after a policy reload. */
 519                        if (err == -EINVAL) {
 520                                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 521                                        str);
 522                                err = 0;
 523                        }
 524                        if (err) {
 525                                kfree(str);
 526                                goto exit_free;
 527                        } else
 528                                f->lsm_str = str;
 529                        break;
 530                case AUDIT_WATCH:
 531                        str = audit_unpack_string(&bufp, &remain, f->val);
 532                        if (IS_ERR(str))
 533                                goto exit_free;
 534                        entry->rule.buflen += f->val;
 535
 536                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 537                        if (err) {
 538                                kfree(str);
 539                                goto exit_free;
 540                        }
 541                        break;
 542                case AUDIT_DIR:
 543                        str = audit_unpack_string(&bufp, &remain, f->val);
 544                        if (IS_ERR(str))
 545                                goto exit_free;
 546                        entry->rule.buflen += f->val;
 547
 548                        err = audit_make_tree(&entry->rule, str, f->op);
 549                        kfree(str);
 550                        if (err)
 551                                goto exit_free;
 552                        break;
 553                case AUDIT_INODE:
 554                        err = audit_to_inode(&entry->rule, f);
 555                        if (err)
 556                                goto exit_free;
 557                        break;
 558                case AUDIT_FILTERKEY:
 559                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 560                                goto exit_free;
 561                        str = audit_unpack_string(&bufp, &remain, f->val);
 562                        if (IS_ERR(str))
 563                                goto exit_free;
 564                        entry->rule.buflen += f->val;
 565                        entry->rule.filterkey = str;
 566                        break;
 567                case AUDIT_EXE:
 568                        if (entry->rule.exe || f->val > PATH_MAX)
 569                                goto exit_free;
 570                        str = audit_unpack_string(&bufp, &remain, f->val);
 571                        if (IS_ERR(str)) {
 572                                err = PTR_ERR(str);
 573                                goto exit_free;
 574                        }
 575                        entry->rule.buflen += f->val;
 576
 577                        audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
 578                        if (IS_ERR(audit_mark)) {
 579                                kfree(str);
 580                                err = PTR_ERR(audit_mark);
 581                                goto exit_free;
 582                        }
 583                        entry->rule.exe = audit_mark;
 584                        break;
 585                }
 586        }
 587
 588        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 589                entry->rule.inode_f = NULL;
 590
 591exit_nofree:
 592        return entry;
 593
 594exit_free:
 595        if (entry->rule.tree)
 596                audit_put_tree(entry->rule.tree); /* that's the temporary one */
 597        if (entry->rule.exe)
 598                audit_remove_mark(entry->rule.exe); /* that's the template one */
 599        audit_free_rule(entry);
 600        return ERR_PTR(err);
 601}
 602
 603/* Pack a filter field's string representation into data block. */
 604static inline size_t audit_pack_string(void **bufp, const char *str)
 605{
 606        size_t len = strlen(str);
 607
 608        memcpy(*bufp, str, len);
 609        *bufp += len;
 610
 611        return len;
 612}
 613
 614/* Translate kernel rule representation to struct audit_rule_data. */
 615static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 616{
 617        struct audit_rule_data *data;
 618        void *bufp;
 619        int i;
 620
 621        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 622        if (unlikely(!data))
 623                return NULL;
 624        memset(data, 0, sizeof(*data));
 625
 626        data->flags = krule->flags | krule->listnr;
 627        data->action = krule->action;
 628        data->field_count = krule->field_count;
 629        bufp = data->buf;
 630        for (i = 0; i < data->field_count; i++) {
 631                struct audit_field *f = &krule->fields[i];
 632
 633                data->fields[i] = f->type;
 634                data->fieldflags[i] = audit_ops[f->op];
 635                switch(f->type) {
 636                case AUDIT_SUBJ_USER:
 637                case AUDIT_SUBJ_ROLE:
 638                case AUDIT_SUBJ_TYPE:
 639                case AUDIT_SUBJ_SEN:
 640                case AUDIT_SUBJ_CLR:
 641                case AUDIT_OBJ_USER:
 642                case AUDIT_OBJ_ROLE:
 643                case AUDIT_OBJ_TYPE:
 644                case AUDIT_OBJ_LEV_LOW:
 645                case AUDIT_OBJ_LEV_HIGH:
 646                        data->buflen += data->values[i] =
 647                                audit_pack_string(&bufp, f->lsm_str);
 648                        break;
 649                case AUDIT_WATCH:
 650                        data->buflen += data->values[i] =
 651                                audit_pack_string(&bufp,
 652                                                  audit_watch_path(krule->watch));
 653                        break;
 654                case AUDIT_DIR:
 655                        data->buflen += data->values[i] =
 656                                audit_pack_string(&bufp,
 657                                                  audit_tree_path(krule->tree));
 658                        break;
 659                case AUDIT_FILTERKEY:
 660                        data->buflen += data->values[i] =
 661                                audit_pack_string(&bufp, krule->filterkey);
 662                        break;
 663                case AUDIT_EXE:
 664                        data->buflen += data->values[i] =
 665                                audit_pack_string(&bufp, audit_mark_path(krule->exe));
 666                        break;
 667                case AUDIT_LOGINUID_SET:
 668                        if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
 669                                data->fields[i] = AUDIT_LOGINUID;
 670                                data->values[i] = AUDIT_UID_UNSET;
 671                                break;
 672                        }
 673                        /* fallthrough if set */
 674                default:
 675                        data->values[i] = f->val;
 676                }
 677        }
 678        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 679
 680        return data;
 681}
 682
 683/* Compare two rules in kernel format.  Considered success if rules
 684 * don't match. */
 685static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 686{
 687        int i;
 688
 689        if (a->flags != b->flags ||
 690            a->pflags != b->pflags ||
 691            a->listnr != b->listnr ||
 692            a->action != b->action ||
 693            a->field_count != b->field_count)
 694                return 1;
 695
 696        for (i = 0; i < a->field_count; i++) {
 697                if (a->fields[i].type != b->fields[i].type ||
 698                    a->fields[i].op != b->fields[i].op)
 699                        return 1;
 700
 701                switch(a->fields[i].type) {
 702                case AUDIT_SUBJ_USER:
 703                case AUDIT_SUBJ_ROLE:
 704                case AUDIT_SUBJ_TYPE:
 705                case AUDIT_SUBJ_SEN:
 706                case AUDIT_SUBJ_CLR:
 707                case AUDIT_OBJ_USER:
 708                case AUDIT_OBJ_ROLE:
 709                case AUDIT_OBJ_TYPE:
 710                case AUDIT_OBJ_LEV_LOW:
 711                case AUDIT_OBJ_LEV_HIGH:
 712                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 713                                return 1;
 714                        break;
 715                case AUDIT_WATCH:
 716                        if (strcmp(audit_watch_path(a->watch),
 717                                   audit_watch_path(b->watch)))
 718                                return 1;
 719                        break;
 720                case AUDIT_DIR:
 721                        if (strcmp(audit_tree_path(a->tree),
 722                                   audit_tree_path(b->tree)))
 723                                return 1;
 724                        break;
 725                case AUDIT_FILTERKEY:
 726                        /* both filterkeys exist based on above type compare */
 727                        if (strcmp(a->filterkey, b->filterkey))
 728                                return 1;
 729                        break;
 730                case AUDIT_EXE:
 731                        /* both paths exist based on above type compare */
 732                        if (strcmp(audit_mark_path(a->exe),
 733                                   audit_mark_path(b->exe)))
 734                                return 1;
 735                        break;
 736                case AUDIT_UID:
 737                case AUDIT_EUID:
 738                case AUDIT_SUID:
 739                case AUDIT_FSUID:
 740                case AUDIT_LOGINUID:
 741                case AUDIT_OBJ_UID:
 742                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 743                                return 1;
 744                        break;
 745                case AUDIT_GID:
 746                case AUDIT_EGID:
 747                case AUDIT_SGID:
 748                case AUDIT_FSGID:
 749                case AUDIT_OBJ_GID:
 750                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 751                                return 1;
 752                        break;
 753                default:
 754                        if (a->fields[i].val != b->fields[i].val)
 755                                return 1;
 756                }
 757        }
 758
 759        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 760                if (a->mask[i] != b->mask[i])
 761                        return 1;
 762
 763        return 0;
 764}
 765
 766/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 767 * re-initialized. */
 768static inline int audit_dupe_lsm_field(struct audit_field *df,
 769                                           struct audit_field *sf)
 770{
 771        int ret = 0;
 772        char *lsm_str;
 773
 774        /* our own copy of lsm_str */
 775        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 776        if (unlikely(!lsm_str))
 777                return -ENOMEM;
 778        df->lsm_str = lsm_str;
 779
 780        /* our own (refreshed) copy of lsm_rule */
 781        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 782                                       (void **)&df->lsm_rule);
 783        /* Keep currently invalid fields around in case they
 784         * become valid after a policy reload. */
 785        if (ret == -EINVAL) {
 786                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 787                        df->lsm_str);
 788                ret = 0;
 789        }
 790
 791        return ret;
 792}
 793
 794/* Duplicate an audit rule.  This will be a deep copy with the exception
 795 * of the watch - that pointer is carried over.  The LSM specific fields
 796 * will be updated in the copy.  The point is to be able to replace the old
 797 * rule with the new rule in the filterlist, then free the old rule.
 798 * The rlist element is undefined; list manipulations are handled apart from
 799 * the initial copy. */
 800struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 801{
 802        u32 fcount = old->field_count;
 803        struct audit_entry *entry;
 804        struct audit_krule *new;
 805        char *fk;
 806        int i, err = 0;
 807
 808        entry = audit_init_entry(fcount);
 809        if (unlikely(!entry))
 810                return ERR_PTR(-ENOMEM);
 811
 812        new = &entry->rule;
 813        new->flags = old->flags;
 814        new->pflags = old->pflags;
 815        new->listnr = old->listnr;
 816        new->action = old->action;
 817        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 818                new->mask[i] = old->mask[i];
 819        new->prio = old->prio;
 820        new->buflen = old->buflen;
 821        new->inode_f = old->inode_f;
 822        new->field_count = old->field_count;
 823
 824        /*
 825         * note that we are OK with not refcounting here; audit_match_tree()
 826         * never dereferences tree and we can't get false positives there
 827         * since we'd have to have rule gone from the list *and* removed
 828         * before the chunks found by lookup had been allocated, i.e. before
 829         * the beginning of list scan.
 830         */
 831        new->tree = old->tree;
 832        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 833
 834        /* deep copy this information, updating the lsm_rule fields, because
 835         * the originals will all be freed when the old rule is freed. */
 836        for (i = 0; i < fcount; i++) {
 837                switch (new->fields[i].type) {
 838                case AUDIT_SUBJ_USER:
 839                case AUDIT_SUBJ_ROLE:
 840                case AUDIT_SUBJ_TYPE:
 841                case AUDIT_SUBJ_SEN:
 842                case AUDIT_SUBJ_CLR:
 843                case AUDIT_OBJ_USER:
 844                case AUDIT_OBJ_ROLE:
 845                case AUDIT_OBJ_TYPE:
 846                case AUDIT_OBJ_LEV_LOW:
 847                case AUDIT_OBJ_LEV_HIGH:
 848                        err = audit_dupe_lsm_field(&new->fields[i],
 849                                                       &old->fields[i]);
 850                        break;
 851                case AUDIT_FILTERKEY:
 852                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 853                        if (unlikely(!fk))
 854                                err = -ENOMEM;
 855                        else
 856                                new->filterkey = fk;
 857                        break;
 858                case AUDIT_EXE:
 859                        err = audit_dupe_exe(new, old);
 860                        break;
 861                }
 862                if (err) {
 863                        if (new->exe)
 864                                audit_remove_mark(new->exe);
 865                        audit_free_rule(entry);
 866                        return ERR_PTR(err);
 867                }
 868        }
 869
 870        if (old->watch) {
 871                audit_get_watch(old->watch);
 872                new->watch = old->watch;
 873        }
 874
 875        return entry;
 876}
 877
 878/* Find an existing audit rule.
 879 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 880static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 881                                           struct list_head **p)
 882{
 883        struct audit_entry *e, *found = NULL;
 884        struct list_head *list;
 885        int h;
 886
 887        if (entry->rule.inode_f) {
 888                h = audit_hash_ino(entry->rule.inode_f->val);
 889                *p = list = &audit_inode_hash[h];
 890        } else if (entry->rule.watch) {
 891                /* we don't know the inode number, so must walk entire hash */
 892                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 893                        list = &audit_inode_hash[h];
 894                        list_for_each_entry(e, list, list)
 895                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 896                                        found = e;
 897                                        goto out;
 898                                }
 899                }
 900                goto out;
 901        } else {
 902                *p = list = &audit_filter_list[entry->rule.listnr];
 903        }
 904
 905        list_for_each_entry(e, list, list)
 906                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 907                        found = e;
 908                        goto out;
 909                }
 910
 911out:
 912        return found;
 913}
 914
 915static u64 prio_low = ~0ULL/2;
 916static u64 prio_high = ~0ULL/2 - 1;
 917
 918/* Add rule to given filterlist if not a duplicate. */
 919static inline int audit_add_rule(struct audit_entry *entry)
 920{
 921        struct audit_entry *e;
 922        struct audit_watch *watch = entry->rule.watch;
 923        struct audit_tree *tree = entry->rule.tree;
 924        struct list_head *list;
 925        int err = 0;
 926#ifdef CONFIG_AUDITSYSCALL
 927        int dont_count = 0;
 928
 929        /* If any of these, don't count towards total */
 930        switch(entry->rule.listnr) {
 931        case AUDIT_FILTER_USER:
 932        case AUDIT_FILTER_EXCLUDE:
 933        case AUDIT_FILTER_FS:
 934                dont_count = 1;
 935        }
 936#endif
 937
 938        mutex_lock(&audit_filter_mutex);
 939        e = audit_find_rule(entry, &list);
 940        if (e) {
 941                mutex_unlock(&audit_filter_mutex);
 942                err = -EEXIST;
 943                /* normally audit_add_tree_rule() will free it on failure */
 944                if (tree)
 945                        audit_put_tree(tree);
 946                return err;
 947        }
 948
 949        if (watch) {
 950                /* audit_filter_mutex is dropped and re-taken during this call */
 951                err = audit_add_watch(&entry->rule, &list);
 952                if (err) {
 953                        mutex_unlock(&audit_filter_mutex);
 954                        /*
 955                         * normally audit_add_tree_rule() will free it
 956                         * on failure
 957                         */
 958                        if (tree)
 959                                audit_put_tree(tree);
 960                        return err;
 961                }
 962        }
 963        if (tree) {
 964                err = audit_add_tree_rule(&entry->rule);
 965                if (err) {
 966                        mutex_unlock(&audit_filter_mutex);
 967                        return err;
 968                }
 969        }
 970
 971        entry->rule.prio = ~0ULL;
 972        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 973                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 974                        entry->rule.prio = ++prio_high;
 975                else
 976                        entry->rule.prio = --prio_low;
 977        }
 978
 979        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 980                list_add(&entry->rule.list,
 981                         &audit_rules_list[entry->rule.listnr]);
 982                list_add_rcu(&entry->list, list);
 983                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 984        } else {
 985                list_add_tail(&entry->rule.list,
 986                              &audit_rules_list[entry->rule.listnr]);
 987                list_add_tail_rcu(&entry->list, list);
 988        }
 989#ifdef CONFIG_AUDITSYSCALL
 990        if (!dont_count)
 991                audit_n_rules++;
 992
 993        if (!audit_match_signal(entry))
 994                audit_signals++;
 995#endif
 996        mutex_unlock(&audit_filter_mutex);
 997
 998        return err;
 999}
1000

1001/* Remove an existing rule from filterlist. */
1002int audit_del_rule(struct audit_entry *entry)
1003{
1004        struct audit_entry  *e;
1005        struct audit_tree *tree = entry->rule.tree;
1006        struct list_head *list;
1007        int ret = 0;
1008#ifdef CONFIG_AUDITSYSCALL
1009        int dont_count = 0;
1010
1011        /* If any of these, don't count towards total */
1012        switch(entry->rule.listnr) {
1013        case AUDIT_FILTER_USER:
1014        case AUDIT_FILTER_EXCLUDE:
1015        case AUDIT_FILTER_FS:
1016                dont_count = 1;
1017        }
1018#endif
1019
1020        mutex_lock(&audit_filter_mutex);
1021        e = audit_find_rule(entry, &list);
1022        if (!e) {
1023                ret = -ENOENT;
1024                goto out;
1025        }
1026
1027        if (e->rule.watch)
1028                audit_remove_watch_rule(&e->rule);
1029
1030        if (e->rule.tree)
1031                audit_remove_tree_rule(&e->rule);
1032
1033        if (e->rule.exe)
1034                audit_remove_mark_rule(&e->rule);
1035
1036#ifdef CONFIG_AUDITSYSCALL
1037        if (!dont_count)
1038                audit_n_rules--;
1039
1040        if (!audit_match_signal(entry))
1041                audit_signals--;
1042#endif
1043
1044        list_del_rcu(&e->list);
1045        list_del(&e->rule.list);
1046        call_rcu(&e->rcu, audit_free_rule_rcu);
1047
1048out:
1049        mutex_unlock(&audit_filter_mutex);
1050
1051        if (tree)
1052                audit_put_tree(tree);   /* that's the temporary one */
1053
1054        return ret;
1055}
1056
1057/* List rules using struct audit_rule_data. */
1058static void audit_list_rules(int seq, struct sk_buff_head *q)
1059{
1060        struct sk_buff *skb;
1061        struct audit_krule *r;
1062        int i;
1063
1064        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1065         * iterator to sync with list writers. */
1066        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1067                list_for_each_entry(r, &audit_rules_list[i], list) {
1068                        struct audit_rule_data *data;
1069
1070                        data = audit_krule_to_data(r);
1071                        if (unlikely(!data))
1072                                break;
1073                        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
1074                                               data,
1075                                               sizeof(*data) + data->buflen);
1076                        if (skb)
1077                                skb_queue_tail(q, skb);
1078                        kfree(data);
1079                }
1080        }
1081        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1082        if (skb)
1083                skb_queue_tail(q, skb);
1084}
1085
1086/* Log rule additions and removals */
1087static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1088{
1089        struct audit_buffer *ab;
1090
1091        if (!audit_enabled)
1092                return;
1093
1094        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1095        if (!ab)
1096                return;
1097        audit_log_session_info(ab);
1098        audit_log_task_context(ab);
1099        audit_log_format(ab, " op=%s", action);
1100        audit_log_key(ab, rule->filterkey);
1101        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1102        audit_log_end(ab);
1103}
1104
1105/**
1106 * audit_rule_change - apply all rules to the specified message type
1107 * @type: audit message type
1108 * @seq: netlink audit message sequence (serial) number
1109 * @data: payload data
1110 * @datasz: size of payload data
1111 */
1112int audit_rule_change(int type, int seq, void *data, size_t datasz)
1113{
1114        int err = 0;
1115        struct audit_entry *entry;
1116
1117        entry = audit_data_to_entry(data, datasz);
1118        if (IS_ERR(entry))
1119                return PTR_ERR(entry);
1120
1121        switch (type) {
1122        case AUDIT_ADD_RULE:
1123                err = audit_add_rule(entry);
1124                audit_log_rule_change("add_rule", &entry->rule, !err);
1125                break;
1126        case AUDIT_DEL_RULE:
1127                err = audit_del_rule(entry);
1128                audit_log_rule_change("remove_rule", &entry->rule, !err);
1129                break;
1130        default:
1131                err = -EINVAL;
1132                WARN_ON(1);
1133        }
1134
1135        if (err || type == AUDIT_DEL_RULE) {
1136                if (entry->rule.exe)
1137                        audit_remove_mark(entry->rule.exe);
1138                audit_free_rule(entry);
1139        }
1140
1141        return err;
1142}
1143
1144/**
1145 * audit_list_rules_send - list the audit rules
1146 * @request_skb: skb of request we are replying to (used to target the reply)
1147 * @seq: netlink audit message sequence (serial) number
1148 */
1149int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1150{
1151        u32 portid = NETLINK_CB(request_skb).portid;
1152        struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1153        struct task_struct *tsk;
1154        struct audit_netlink_list *dest;
1155        int err = 0;
1156
1157        /* We can't just spew out the rules here because we might fill
1158         * the available socket buffer space and deadlock waiting for
1159         * auditctl to read from it... which isn't ever going to
1160         * happen if we're actually running in the context of auditctl
1161         * trying to _send_ the stuff */
1162
1163        dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1164        if (!dest)
1165                return -ENOMEM;
1166        dest->net = get_net(net);
1167        dest->portid = portid;
1168        skb_queue_head_init(&dest->q);
1169
1170        mutex_lock(&audit_filter_mutex);
1171        audit_list_rules(seq, &dest->q);
1172        mutex_unlock(&audit_filter_mutex);
1173
1174        tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1175        if (IS_ERR(tsk)) {
1176                skb_queue_purge(&dest->q);
1177                kfree(dest);
1178                err = PTR_ERR(tsk);
1179        }
1180
1181        return err;
1182}
1183
1184int audit_comparator(u32 left, u32 op, u32 right)
1185{
1186        switch (op) {
1187        case Audit_equal:
1188                return (left == right);
1189        case Audit_not_equal:
1190                return (left != right);
1191        case Audit_lt:
1192                return (left < right);
1193        case Audit_le:
1194                return (left <= right);
1195        case Audit_gt:
1196                return (left > right);
1197        case Audit_ge:
1198                return (left >= right);
1199        case Audit_bitmask:
1200                return (left & right);
1201        case Audit_bittest:
1202                return ((left & right) == right);
1203        default:
1204                BUG();
1205                return 0;
1206        }
1207}
1208
1209int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1210{
1211        switch (op) {
1212        case Audit_equal:
1213                return uid_eq(left, right);
1214        case Audit_not_equal:
1215                return !uid_eq(left, right);
1216        case Audit_lt:
1217                return uid_lt(left, right);
1218        case Audit_le:
1219                return uid_lte(left, right);
1220        case Audit_gt:
1221                return uid_gt(left, right);
1222        case Audit_ge:
1223                return uid_gte(left, right);
1224        case Audit_bitmask:
1225        case Audit_bittest:
1226        default:
1227                BUG();
1228                return 0;
1229        }
1230}
1231
1232int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1233{
1234        switch (op) {
1235        case Audit_equal:
1236                return gid_eq(left, right);
1237        case Audit_not_equal:
1238                return !gid_eq(left, right);
1239        case Audit_lt:
1240                return gid_lt(left, right);
1241        case Audit_le:
1242                return gid_lte(left, right);
1243        case Audit_gt:
1244                return gid_gt(left, right);
1245        case Audit_ge:
1246                return gid_gte(left, right);
1247        case Audit_bitmask:
1248        case Audit_bittest:
1249        default:
1250                BUG();
1251                return 0;
1252        }
1253}
1254
1255/**
1256 * parent_len - find the length of the parent portion of a pathname
1257 * @path: pathname of which to determine length
1258 */
1259int parent_len(const char *path)
1260{
1261        int plen;
1262        const char *p;
1263
1264        plen = strlen(path);
1265
1266        if (plen == 0)
1267                return plen;
1268
1269        /* disregard trailing slashes */
1270        p = path + plen - 1;
1271        while ((*p == '/') && (p > path))
1272                p--;
1273
1274        /* walk backward until we find the next slash or hit beginning */
1275        while ((*p != '/') && (p > path))
1276                p--;
1277
1278        /* did we find a slash? Then increment to include it in path */
1279        if (*p == '/')
1280                p++;
1281
1282        return p - path;
1283}
1284
1285/**
1286 * audit_compare_dname_path - compare given dentry name with last component in
1287 *                            given path. Return of 0 indicates a match.
1288 * @dname:      dentry name that we're comparing
1289 * @path:       full pathname that we're comparing
1290 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1291 *              here indicates that we must compute this value.
1292 */
1293int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1294{
1295        int dlen, pathlen;
1296        const char *p;
1297
1298        dlen = strlen(dname);
1299        pathlen = strlen(path);
1300        if (pathlen < dlen)
1301                return 1;
1302
1303        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1304        if (pathlen - parentlen != dlen)
1305                return 1;
1306
1307        p = path + parentlen;
1308
1309        return strncmp(p, dname, dlen);
1310}
1311
1312int audit_filter(int msgtype, unsigned int listtype)
1313{
1314        struct audit_entry *e;
1315        int ret = 1; /* Audit by default */
1316
1317        rcu_read_lock();
1318        if (list_empty(&audit_filter_list[listtype]))
1319                goto unlock_and_return;
1320        list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1321                int i, result = 0;
1322
1323                for (i = 0; i < e->rule.field_count; i++) {
1324                        struct audit_field *f = &e->rule.fields[i];
1325                        pid_t pid;
1326                        u32 sid;
1327
1328                        switch (f->type) {
1329                        case AUDIT_PID:
1330                                pid = task_pid_nr(current);
1331                                result = audit_comparator(pid, f->op, f->val);
1332                                break;
1333                        case AUDIT_UID:
1334                                result = audit_uid_comparator(current_uid(), f->op, f->uid);
1335                                break;
1336                        case AUDIT_GID:
1337                                result = audit_gid_comparator(current_gid(), f->op, f->gid);
1338                                break;
1339                        case AUDIT_LOGINUID:
1340                                result = audit_uid_comparator(audit_get_loginuid(current),
1341                                                              f->op, f->uid);
1342                                break;
1343                        case AUDIT_LOGINUID_SET:
1344                                result = audit_comparator(audit_loginuid_set(current),
1345                                                          f->op, f->val);
1346                                break;
1347                        case AUDIT_MSGTYPE:
1348                                result = audit_comparator(msgtype, f->op, f->val);
1349                                break;
1350                        case AUDIT_SUBJ_USER:
1351                        case AUDIT_SUBJ_ROLE:
1352                        case AUDIT_SUBJ_TYPE:
1353                        case AUDIT_SUBJ_SEN:
1354                        case AUDIT_SUBJ_CLR:
1355                                if (f->lsm_rule) {
1356                                        security_task_getsecid(current, &sid);
1357                                        result = security_audit_rule_match(sid,
1358                                                        f->type, f->op, f->lsm_rule, NULL);
1359                                }
1360                                break;
1361                        case AUDIT_EXE:
1362                                result = audit_exe_compare(current, e->rule.exe);
1363                                if (f->op == Audit_not_equal)
1364                                        result = !result;
1365                                break;
1366                        default:
1367                                goto unlock_and_return;
1368                        }
1369                        if (result < 0) /* error */
1370                                goto unlock_and_return;
1371                        if (!result)
1372                                break;
1373                }
1374                if (result > 0) {
1375                        if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE)
1376                                ret = 0;
1377                        break;
1378                }
1379        }
1380unlock_and_return:
1381        rcu_read_unlock();
1382        return ret;
1383}
1384
1385static int update_lsm_rule(struct audit_krule *r)
1386{
1387        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1388        struct audit_entry *nentry;
1389        int err = 0;
1390
1391        if (!security_audit_rule_known(r))
1392                return 0;
1393
1394        nentry = audit_dupe_rule(r);
1395        if (entry->rule.exe)
1396                audit_remove_mark(entry->rule.exe);
1397        if (IS_ERR(nentry)) {
1398                /* save the first error encountered for the
1399                 * return value */
1400                err = PTR_ERR(nentry);
1401                audit_panic("error updating LSM filters");
1402                if (r->watch)
1403                        list_del(&r->rlist);
1404                list_del_rcu(&entry->list);
1405                list_del(&r->list);
1406        } else {
1407                if (r->watch || r->tree)
1408                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1409                list_replace_rcu(&entry->list, &nentry->list);
1410                list_replace(&r->list, &nentry->rule.list);
1411        }
1412        call_rcu(&entry->rcu, audit_free_rule_rcu);
1413
1414        return err;
1415}
1416
1417/* This function will re-initialize the lsm_rule field of all applicable rules.
1418 * It will traverse the filter lists serarching for rules that contain LSM
1419 * specific filter fields.  When such a rule is found, it is copied, the
1420 * LSM field is re-initialized, and the old rule is replaced with the
1421 * updated rule. */
1422int audit_update_lsm_rules(void)
1423{
1424        struct audit_krule *r, *n;
1425        int i, err = 0;
1426
1427        /* audit_filter_mutex synchronizes the writers */
1428        mutex_lock(&audit_filter_mutex);
1429
1430        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1431                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1432                        int res = update_lsm_rule(r);
1433                        if (!err)
1434                                err = res;
1435                }
1436        }
1437        mutex_unlock(&audit_filter_mutex);
1438
1439        return err;
1440}
1441