LXR linux/kernel/auditfilter.c

   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* auditfilter.c -- filtering of audit events
   3 *
   4 * Copyright 2003-2004 Red Hat, Inc.
   5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   6 * Copyright 2005 IBM Corporation
   7 */
   8
   9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  10
  11#include <linux/kernel.h>
  12#include <linux/audit.h>
  13#include <linux/kthread.h>
  14#include <linux/mutex.h>
  15#include <linux/fs.h>
  16#include <linux/namei.h>
  17#include <linux/netlink.h>
  18#include <linux/sched.h>
  19#include <linux/slab.h>
  20#include <linux/security.h>
  21#include <net/net_namespace.h>
  22#include <net/sock.h>
  23#include "audit.h"
  24
  25/*
  26 * Locking model:
  27 *
  28 * audit_filter_mutex:
  29 *              Synchronizes writes and blocking reads of audit's filterlist
  30 *              data.  Rcu is used to traverse the filterlist and access
  31 *              contents of structs audit_entry, audit_watch and opaque
  32 *              LSM rules during filtering.  If modified, these structures
  33 *              must be copied and replace their counterparts in the filterlist.
  34 *              An audit_parent struct is not accessed during filtering, so may
  35 *              be written directly provided audit_filter_mutex is held.
  36 */
  37
  38/* Audit filter lists, defined in <linux/audit.h> */
  39struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  40        LIST_HEAD_INIT(audit_filter_list[0]),
  41        LIST_HEAD_INIT(audit_filter_list[1]),
  42        LIST_HEAD_INIT(audit_filter_list[2]),
  43        LIST_HEAD_INIT(audit_filter_list[3]),
  44        LIST_HEAD_INIT(audit_filter_list[4]),
  45        LIST_HEAD_INIT(audit_filter_list[5]),
  46        LIST_HEAD_INIT(audit_filter_list[6]),
  47        LIST_HEAD_INIT(audit_filter_list[7]),
  48#if AUDIT_NR_FILTERS != 8
  49#error Fix audit_filter_list initialiser
  50#endif
  51};
  52static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  53        LIST_HEAD_INIT(audit_rules_list[0]),
  54        LIST_HEAD_INIT(audit_rules_list[1]),
  55        LIST_HEAD_INIT(audit_rules_list[2]),
  56        LIST_HEAD_INIT(audit_rules_list[3]),
  57        LIST_HEAD_INIT(audit_rules_list[4]),
  58        LIST_HEAD_INIT(audit_rules_list[5]),
  59        LIST_HEAD_INIT(audit_rules_list[6]),
  60        LIST_HEAD_INIT(audit_rules_list[7]),
  61};
  62
  63DEFINE_MUTEX(audit_filter_mutex);
  64
  65static void audit_free_lsm_field(struct audit_field *f)
  66{
  67        switch (f->type) {
  68        case AUDIT_SUBJ_USER:
  69        case AUDIT_SUBJ_ROLE:
  70        case AUDIT_SUBJ_TYPE:
  71        case AUDIT_SUBJ_SEN:
  72        case AUDIT_SUBJ_CLR:
  73        case AUDIT_OBJ_USER:
  74        case AUDIT_OBJ_ROLE:
  75        case AUDIT_OBJ_TYPE:
  76        case AUDIT_OBJ_LEV_LOW:
  77        case AUDIT_OBJ_LEV_HIGH:
  78                kfree(f->lsm_str);
  79                security_audit_rule_free(f->lsm_rule);
  80        }
  81}
  82
  83static inline void audit_free_rule(struct audit_entry *e)
  84{
  85        int i;
  86        struct audit_krule *erule = &e->rule;
  87
  88        /* some rules don't have associated watches */
  89        if (erule->watch)
  90                audit_put_watch(erule->watch);
  91        if (erule->fields)
  92                for (i = 0; i < erule->field_count; i++)
  93                        audit_free_lsm_field(&erule->fields[i]);
  94        kfree(erule->fields);
  95        kfree(erule->filterkey);
  96        kfree(e);
  97}
  98
  99void audit_free_rule_rcu(struct rcu_head *head)
 100{
 101        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
 102        audit_free_rule(e);
 103}
 104
 105/* Initialize an audit filterlist entry. */
 106static inline struct audit_entry *audit_init_entry(u32 field_count)
 107{
 108        struct audit_entry *entry;
 109        struct audit_field *fields;
 110
 111        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 112        if (unlikely(!entry))
 113                return NULL;
 114
 115        fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
 116        if (unlikely(!fields)) {
 117                kfree(entry);
 118                return NULL;
 119        }
 120        entry->rule.fields = fields;
 121
 122        return entry;
 123}
 124
 125/* Unpack a filter field's string representation from user-space
 126 * buffer. */
 127char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 128{
 129        char *str;
 130
 131        if (!*bufp || (len == 0) || (len > *remain))
 132                return ERR_PTR(-EINVAL);
 133
 134        /* Of the currently implemented string fields, PATH_MAX
 135         * defines the longest valid length.
 136         */
 137        if (len > PATH_MAX)
 138                return ERR_PTR(-ENAMETOOLONG);
 139
 140        str = kmalloc(len + 1, GFP_KERNEL);
 141        if (unlikely(!str))
 142                return ERR_PTR(-ENOMEM);
 143
 144        memcpy(str, *bufp, len);
 145        str[len] = 0;
 146        *bufp += len;
 147        *remain -= len;
 148
 149        return str;
 150}
 151
 152/* Translate an inode field to kernel representation. */
 153static inline int audit_to_inode(struct audit_krule *krule,
 154                                 struct audit_field *f)
 155{
 156        if ((krule->listnr != AUDIT_FILTER_EXIT &&
 157             krule->listnr != AUDIT_FILTER_URING_EXIT) ||
 158            krule->inode_f || krule->watch || krule->tree ||
 159            (f->op != Audit_equal && f->op != Audit_not_equal))
 160                return -EINVAL;
 161
 162        krule->inode_f = f;
 163        return 0;
 164}
 165
 166static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 167
 168int __init audit_register_class(int class, unsigned *list)
 169{
 170        __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
 171        if (!p)
 172                return -ENOMEM;
 173        while (*list != ~0U) {
 174                unsigned n = *list++;
 175                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 176                        kfree(p);
 177                        return -EINVAL;
 178                }
 179                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 180        }
 181        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 182                kfree(p);
 183                return -EINVAL;
 184        }
 185        classes[class] = p;
 186        return 0;
 187}
 188
 189int audit_match_class(int class, unsigned syscall)
 190{
 191        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 192                return 0;
 193        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 194                return 0;
 195        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 196}
 197
 198#ifdef CONFIG_AUDITSYSCALL
 199static inline int audit_match_class_bits(int class, u32 *mask)
 200{
 201        int i;
 202
 203        if (classes[class]) {
 204                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 205                        if (mask[i] & classes[class][i])
 206                                return 0;
 207        }
 208        return 1;
 209}
 210
 211static int audit_match_signal(struct audit_entry *entry)
 212{
 213        struct audit_field *arch = entry->rule.arch_f;
 214
 215        if (!arch) {
 216                /* When arch is unspecified, we must check both masks on biarch
 217                 * as syscall number alone is ambiguous. */
 218                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 219                                               entry->rule.mask) &&
 220                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 221                                               entry->rule.mask));
 222        }
 223
 224        switch(audit_classify_arch(arch->val)) {
 225        case 0: /* native */
 226                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 227                                               entry->rule.mask));
 228        case 1: /* 32bit on biarch */
 229                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 230                                               entry->rule.mask));
 231        default:
 232                return 1;
 233        }
 234}
 235#endif
 236
 237/* Common user-space to kernel rule translation. */
 238static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
 239{
 240        unsigned listnr;
 241        struct audit_entry *entry;
 242        int i, err;
 243
 244        err = -EINVAL;
 245        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 246        switch(listnr) {
 247        default:
 248                goto exit_err;
 249#ifdef CONFIG_AUDITSYSCALL
 250        case AUDIT_FILTER_ENTRY:
 251                pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
 252                goto exit_err;
 253        case AUDIT_FILTER_EXIT:
 254        case AUDIT_FILTER_URING_EXIT:
 255        case AUDIT_FILTER_TASK:
 256#endif
 257        case AUDIT_FILTER_USER:
 258        case AUDIT_FILTER_EXCLUDE:
 259        case AUDIT_FILTER_FS:
 260                ;
 261        }
 262        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 263                pr_err("AUDIT_POSSIBLE is deprecated\n");
 264                goto exit_err;
 265        }
 266        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 267                goto exit_err;
 268        if (rule->field_count > AUDIT_MAX_FIELDS)
 269                goto exit_err;
 270
 271        err = -ENOMEM;
 272        entry = audit_init_entry(rule->field_count);
 273        if (!entry)
 274                goto exit_err;
 275
 276        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 277        entry->rule.listnr = listnr;
 278        entry->rule.action = rule->action;
 279        entry->rule.field_count = rule->field_count;
 280
 281        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 282                entry->rule.mask[i] = rule->mask[i];
 283
 284        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 285                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 286                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 287                __u32 *class;
 288
 289                if (!(*p & AUDIT_BIT(bit)))
 290                        continue;
 291                *p &= ~AUDIT_BIT(bit);
 292                class = classes[i];
 293                if (class) {
 294                        int j;
 295                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 296                                entry->rule.mask[j] |= class[j];
 297                }
 298        }
 299
 300        return entry;
 301
 302exit_err:
 303        return ERR_PTR(err);
 304}
 305
 306static u32 audit_ops[] =
 307{
 308        [Audit_equal] = AUDIT_EQUAL,
 309        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 310        [Audit_bitmask] = AUDIT_BIT_MASK,
 311        [Audit_bittest] = AUDIT_BIT_TEST,
 312        [Audit_lt] = AUDIT_LESS_THAN,
 313        [Audit_gt] = AUDIT_GREATER_THAN,
 314        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 315        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 316};
 317
 318static u32 audit_to_op(u32 op)
 319{
 320        u32 n;
 321        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 322                ;
 323        return n;
 324}
 325
 326/* check if an audit field is valid */
 327static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 328{
 329        switch (f->type) {
 330        case AUDIT_MSGTYPE:
 331                if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
 332                    entry->rule.listnr != AUDIT_FILTER_USER)
 333                        return -EINVAL;
 334                break;
 335        case AUDIT_FSTYPE:
 336                if (entry->rule.listnr != AUDIT_FILTER_FS)
 337                        return -EINVAL;
 338                break;
 339        case AUDIT_PERM:
 340                if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT)
 341                        return -EINVAL;
 342                break;
 343        }
 344
 345        switch (entry->rule.listnr) {
 346        case AUDIT_FILTER_FS:
 347                switch(f->type) {
 348                case AUDIT_FSTYPE:
 349                case AUDIT_FILTERKEY:
 350                        break;
 351                default:
 352                        return -EINVAL;
 353                }
 354        }
 355
 356        /* Check for valid field type and op */
 357        switch (f->type) {
 358        case AUDIT_ARG0:
 359        case AUDIT_ARG1:
 360        case AUDIT_ARG2:
 361        case AUDIT_ARG3:
 362        case AUDIT_PERS: /* <uapi/linux/personality.h> */
 363        case AUDIT_DEVMINOR:
 364                /* all ops are valid */
 365                break;
 366        case AUDIT_UID:
 367        case AUDIT_EUID:
 368        case AUDIT_SUID:
 369        case AUDIT_FSUID:
 370        case AUDIT_LOGINUID:
 371        case AUDIT_OBJ_UID:
 372        case AUDIT_GID:
 373        case AUDIT_EGID:
 374        case AUDIT_SGID:
 375        case AUDIT_FSGID:
 376        case AUDIT_OBJ_GID:
 377        case AUDIT_PID:
 378        case AUDIT_MSGTYPE:
 379        case AUDIT_PPID:
 380        case AUDIT_DEVMAJOR:
 381        case AUDIT_EXIT:
 382        case AUDIT_SUCCESS:
 383        case AUDIT_INODE:
 384        case AUDIT_SESSIONID:
 385        case AUDIT_SUBJ_SEN:
 386        case AUDIT_SUBJ_CLR:
 387        case AUDIT_OBJ_LEV_LOW:
 388        case AUDIT_OBJ_LEV_HIGH:
 389        case AUDIT_SADDR_FAM:
 390                /* bit ops are only useful on syscall args */
 391                if (f->op == Audit_bitmask || f->op == Audit_bittest)
 392                        return -EINVAL;
 393                break;
 394        case AUDIT_SUBJ_USER:
 395        case AUDIT_SUBJ_ROLE:
 396        case AUDIT_SUBJ_TYPE:
 397        case AUDIT_OBJ_USER:
 398        case AUDIT_OBJ_ROLE:
 399        case AUDIT_OBJ_TYPE:
 400        case AUDIT_WATCH:
 401        case AUDIT_DIR:
 402        case AUDIT_FILTERKEY:
 403        case AUDIT_LOGINUID_SET:
 404        case AUDIT_ARCH:
 405        case AUDIT_FSTYPE:
 406        case AUDIT_PERM:
 407        case AUDIT_FILETYPE:
 408        case AUDIT_FIELD_COMPARE:
 409        case AUDIT_EXE:
 410                /* only equal and not equal valid ops */
 411                if (f->op != Audit_not_equal && f->op != Audit_equal)
 412                        return -EINVAL;
 413                break;
 414        default:
 415                /* field not recognized */
 416                return -EINVAL;
 417        }
 418
 419        /* Check for select valid field values */
 420        switch (f->type) {
 421        case AUDIT_LOGINUID_SET:
 422                if ((f->val != 0) && (f->val != 1))
 423                        return -EINVAL;
 424                break;
 425        case AUDIT_PERM:
 426                if (f->val & ~15)
 427                        return -EINVAL;
 428                break;
 429        case AUDIT_FILETYPE:
 430                if (f->val & ~S_IFMT)
 431                        return -EINVAL;
 432                break;
 433        case AUDIT_FIELD_COMPARE:
 434                if (f->val > AUDIT_MAX_FIELD_COMPARE)
 435                        return -EINVAL;
 436                break;
 437        case AUDIT_SADDR_FAM:
 438                if (f->val >= AF_MAX)
 439                        return -EINVAL;
 440                break;
 441        default:
 442                break;
 443        }
 444
 445        return 0;
 446}
 447
 448/* Translate struct audit_rule_data to kernel's rule representation. */
 449static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 450                                               size_t datasz)
 451{
 452        int err = 0;
 453        struct audit_entry *entry;
 454        void *bufp;
 455        size_t remain = datasz - sizeof(struct audit_rule_data);
 456        int i;
 457        char *str;
 458        struct audit_fsnotify_mark *audit_mark;
 459
 460        entry = audit_to_entry_common(data);
 461        if (IS_ERR(entry))
 462                goto exit_nofree;
 463
 464        bufp = data->buf;
 465        for (i = 0; i < data->field_count; i++) {
 466                struct audit_field *f = &entry->rule.fields[i];
 467                u32 f_val;
 468
 469                err = -EINVAL;
 470
 471                f->op = audit_to_op(data->fieldflags[i]);
 472                if (f->op == Audit_bad)
 473                        goto exit_free;
 474
 475                f->type = data->fields[i];
 476                f_val = data->values[i];
 477
 478                /* Support legacy tests for a valid loginuid */
 479                if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) {
 480                        f->type = AUDIT_LOGINUID_SET;
 481                        f_val = 0;
 482                        entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
 483                }
 484
 485                err = audit_field_valid(entry, f);
 486                if (err)
 487                        goto exit_free;
 488
 489                err = -EINVAL;
 490                switch (f->type) {
 491                case AUDIT_LOGINUID:
 492                case AUDIT_UID:
 493                case AUDIT_EUID:
 494                case AUDIT_SUID:
 495                case AUDIT_FSUID:
 496                case AUDIT_OBJ_UID:
 497                        f->uid = make_kuid(current_user_ns(), f_val);
 498                        if (!uid_valid(f->uid))
 499                                goto exit_free;
 500                        break;
 501                case AUDIT_GID:
 502                case AUDIT_EGID:
 503                case AUDIT_SGID:
 504                case AUDIT_FSGID:
 505                case AUDIT_OBJ_GID:
 506                        f->gid = make_kgid(current_user_ns(), f_val);
 507                        if (!gid_valid(f->gid))
 508                                goto exit_free;
 509                        break;
 510                case AUDIT_ARCH:
 511                        f->val = f_val;
 512                        entry->rule.arch_f = f;
 513                        break;
 514                case AUDIT_SUBJ_USER:
 515                case AUDIT_SUBJ_ROLE:
 516                case AUDIT_SUBJ_TYPE:
 517                case AUDIT_SUBJ_SEN:
 518                case AUDIT_SUBJ_CLR:
 519                case AUDIT_OBJ_USER:
 520                case AUDIT_OBJ_ROLE:
 521                case AUDIT_OBJ_TYPE:
 522                case AUDIT_OBJ_LEV_LOW:
 523                case AUDIT_OBJ_LEV_HIGH:
 524                        str = audit_unpack_string(&bufp, &remain, f_val);
 525                        if (IS_ERR(str)) {
 526                                err = PTR_ERR(str);
 527                                goto exit_free;
 528                        }
 529                        entry->rule.buflen += f_val;
 530                        f->lsm_str = str;
 531                        err = security_audit_rule_init(f->type, f->op, str,
 532                                                       (void **)&f->lsm_rule);
 533                        /* Keep currently invalid fields around in case they
 534                         * become valid after a policy reload. */
 535                        if (err == -EINVAL) {
 536                                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 537                                        str);
 538                                err = 0;
 539                        } else if (err)
 540                                goto exit_free;
 541                        break;
 542                case AUDIT_WATCH:
 543                        str = audit_unpack_string(&bufp, &remain, f_val);
 544                        if (IS_ERR(str)) {
 545                                err = PTR_ERR(str);
 546                                goto exit_free;
 547                        }
 548                        err = audit_to_watch(&entry->rule, str, f_val, f->op);
 549                        if (err) {
 550                                kfree(str);
 551                                goto exit_free;
 552                        }
 553                        entry->rule.buflen += f_val;
 554                        break;
 555                case AUDIT_DIR:
 556                        str = audit_unpack_string(&bufp, &remain, f_val);
 557                        if (IS_ERR(str)) {
 558                                err = PTR_ERR(str);
 559                                goto exit_free;
 560                        }
 561                        err = audit_make_tree(&entry->rule, str, f->op);
 562                        kfree(str);
 563                        if (err)
 564                                goto exit_free;
 565                        entry->rule.buflen += f_val;
 566                        break;
 567                case AUDIT_INODE:
 568                        f->val = f_val;
 569                        err = audit_to_inode(&entry->rule, f);
 570                        if (err)
 571                                goto exit_free;
 572                        break;
 573                case AUDIT_FILTERKEY:
 574                        if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN)
 575                                goto exit_free;
 576                        str = audit_unpack_string(&bufp, &remain, f_val);
 577                        if (IS_ERR(str)) {
 578                                err = PTR_ERR(str);
 579                                goto exit_free;
 580                        }
 581                        entry->rule.buflen += f_val;
 582                        entry->rule.filterkey = str;
 583                        break;
 584                case AUDIT_EXE:
 585                        if (entry->rule.exe || f_val > PATH_MAX)
 586                                goto exit_free;
 587                        str = audit_unpack_string(&bufp, &remain, f_val);
 588                        if (IS_ERR(str)) {
 589                                err = PTR_ERR(str);
 590                                goto exit_free;
 591                        }
 592                        audit_mark = audit_alloc_mark(&entry->rule, str, f_val);
 593                        if (IS_ERR(audit_mark)) {
 594                                kfree(str);
 595                                err = PTR_ERR(audit_mark);
 596                                goto exit_free;
 597                        }
 598                        entry->rule.buflen += f_val;
 599                        entry->rule.exe = audit_mark;
 600                        break;
 601                default:
 602                        f->val = f_val;
 603                        break;
 604                }
 605        }
 606
 607        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 608                entry->rule.inode_f = NULL;
 609
 610exit_nofree:
 611        return entry;
 612
 613exit_free:
 614        if (entry->rule.tree)
 615                audit_put_tree(entry->rule.tree); /* that's the temporary one */
 616        if (entry->rule.exe)
 617                audit_remove_mark(entry->rule.exe); /* that's the template one */
 618        audit_free_rule(entry);
 619        return ERR_PTR(err);
 620}
 621
 622/* Pack a filter field's string representation into data block. */
 623static inline size_t audit_pack_string(void **bufp, const char *str)
 624{
 625        size_t len = strlen(str);
 626
 627        memcpy(*bufp, str, len);
 628        *bufp += len;
 629
 630        return len;
 631}
 632
 633/* Translate kernel rule representation to struct audit_rule_data. */
 634static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 635{
 636        struct audit_rule_data *data;
 637        void *bufp;
 638        int i;
 639
 640        data = kmalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL);
 641        if (unlikely(!data))
 642                return NULL;
 643        memset(data, 0, sizeof(*data));
 644
 645        data->flags = krule->flags | krule->listnr;
 646        data->action = krule->action;
 647        data->field_count = krule->field_count;
 648        bufp = data->buf;
 649        for (i = 0; i < data->field_count; i++) {
 650                struct audit_field *f = &krule->fields[i];
 651
 652                data->fields[i] = f->type;
 653                data->fieldflags[i] = audit_ops[f->op];
 654                switch(f->type) {
 655                case AUDIT_SUBJ_USER:
 656                case AUDIT_SUBJ_ROLE:
 657                case AUDIT_SUBJ_TYPE:
 658                case AUDIT_SUBJ_SEN:
 659                case AUDIT_SUBJ_CLR:
 660                case AUDIT_OBJ_USER:
 661                case AUDIT_OBJ_ROLE:
 662                case AUDIT_OBJ_TYPE:
 663                case AUDIT_OBJ_LEV_LOW:
 664                case AUDIT_OBJ_LEV_HIGH:
 665                        data->buflen += data->values[i] =
 666                                audit_pack_string(&bufp, f->lsm_str);
 667                        break;
 668                case AUDIT_WATCH:
 669                        data->buflen += data->values[i] =
 670                                audit_pack_string(&bufp,
 671                                                  audit_watch_path(krule->watch));
 672                        break;
 673                case AUDIT_DIR:
 674                        data->buflen += data->values[i] =
 675                                audit_pack_string(&bufp,
 676                                                  audit_tree_path(krule->tree));
 677                        break;
 678                case AUDIT_FILTERKEY:
 679                        data->buflen += data->values[i] =
 680                                audit_pack_string(&bufp, krule->filterkey);
 681                        break;
 682                case AUDIT_EXE:
 683                        data->buflen += data->values[i] =
 684                                audit_pack_string(&bufp, audit_mark_path(krule->exe));
 685                        break;
 686                case AUDIT_LOGINUID_SET:
 687                        if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
 688                                data->fields[i] = AUDIT_LOGINUID;
 689                                data->values[i] = AUDIT_UID_UNSET;
 690                                break;
 691                        }
 692                        fallthrough;    /* if set */
 693                default:
 694                        data->values[i] = f->val;
 695                }
 696        }
 697        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 698
 699        return data;
 700}
 701
 702/* Compare two rules in kernel format.  Considered success if rules
 703 * don't match. */
 704static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 705{
 706        int i;
 707
 708        if (a->flags != b->flags ||
 709            a->pflags != b->pflags ||
 710            a->listnr != b->listnr ||
 711            a->action != b->action ||
 712            a->field_count != b->field_count)
 713                return 1;
 714
 715        for (i = 0; i < a->field_count; i++) {
 716                if (a->fields[i].type != b->fields[i].type ||
 717                    a->fields[i].op != b->fields[i].op)
 718                        return 1;
 719
 720                switch(a->fields[i].type) {
 721                case AUDIT_SUBJ_USER:
 722                case AUDIT_SUBJ_ROLE:
 723                case AUDIT_SUBJ_TYPE:
 724                case AUDIT_SUBJ_SEN:
 725                case AUDIT_SUBJ_CLR:
 726                case AUDIT_OBJ_USER:
 727                case AUDIT_OBJ_ROLE:
 728                case AUDIT_OBJ_TYPE:
 729                case AUDIT_OBJ_LEV_LOW:
 730                case AUDIT_OBJ_LEV_HIGH:
 731                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 732                                return 1;
 733                        break;
 734                case AUDIT_WATCH:
 735                        if (strcmp(audit_watch_path(a->watch),
 736                                   audit_watch_path(b->watch)))
 737                                return 1;
 738                        break;
 739                case AUDIT_DIR:
 740                        if (strcmp(audit_tree_path(a->tree),
 741                                   audit_tree_path(b->tree)))
 742                                return 1;
 743                        break;
 744                case AUDIT_FILTERKEY:
 745                        /* both filterkeys exist based on above type compare */
 746                        if (strcmp(a->filterkey, b->filterkey))
 747                                return 1;
 748                        break;
 749                case AUDIT_EXE:
 750                        /* both paths exist based on above type compare */
 751                        if (strcmp(audit_mark_path(a->exe),
 752                                   audit_mark_path(b->exe)))
 753                                return 1;
 754                        break;
 755                case AUDIT_UID:
 756                case AUDIT_EUID:
 757                case AUDIT_SUID:
 758                case AUDIT_FSUID:
 759                case AUDIT_LOGINUID:
 760                case AUDIT_OBJ_UID:
 761                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 762                                return 1;
 763                        break;
 764                case AUDIT_GID:
 765                case AUDIT_EGID:
 766                case AUDIT_SGID:
 767                case AUDIT_FSGID:
 768                case AUDIT_OBJ_GID:
 769                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 770                                return 1;
 771                        break;
 772                default:
 773                        if (a->fields[i].val != b->fields[i].val)
 774                                return 1;
 775                }
 776        }
 777
 778        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 779                if (a->mask[i] != b->mask[i])
 780                        return 1;
 781
 782        return 0;
 783}
 784
 785/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 786 * re-initialized. */
 787static inline int audit_dupe_lsm_field(struct audit_field *df,
 788                                           struct audit_field *sf)
 789{
 790        int ret = 0;
 791        char *lsm_str;
 792
 793        /* our own copy of lsm_str */
 794        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 795        if (unlikely(!lsm_str))
 796                return -ENOMEM;
 797        df->lsm_str = lsm_str;
 798
 799        /* our own (refreshed) copy of lsm_rule */
 800        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 801                                       (void **)&df->lsm_rule);
 802        /* Keep currently invalid fields around in case they
 803         * become valid after a policy reload. */
 804        if (ret == -EINVAL) {
 805                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 806                        df->lsm_str);
 807                ret = 0;
 808        }
 809
 810        return ret;
 811}
 812
 813/* Duplicate an audit rule.  This will be a deep copy with the exception
 814 * of the watch - that pointer is carried over.  The LSM specific fields
 815 * will be updated in the copy.  The point is to be able to replace the old
 816 * rule with the new rule in the filterlist, then free the old rule.
 817 * The rlist element is undefined; list manipulations are handled apart from
 818 * the initial copy. */
 819struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 820{
 821        u32 fcount = old->field_count;
 822        struct audit_entry *entry;
 823        struct audit_krule *new;
 824        char *fk;
 825        int i, err = 0;
 826
 827        entry = audit_init_entry(fcount);
 828        if (unlikely(!entry))
 829                return ERR_PTR(-ENOMEM);
 830
 831        new = &entry->rule;
 832        new->flags = old->flags;
 833        new->pflags = old->pflags;
 834        new->listnr = old->listnr;
 835        new->action = old->action;
 836        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 837                new->mask[i] = old->mask[i];
 838        new->prio = old->prio;
 839        new->buflen = old->buflen;
 840        new->inode_f = old->inode_f;
 841        new->field_count = old->field_count;
 842
 843        /*
 844         * note that we are OK with not refcounting here; audit_match_tree()
 845         * never dereferences tree and we can't get false positives there
 846         * since we'd have to have rule gone from the list *and* removed
 847         * before the chunks found by lookup had been allocated, i.e. before
 848         * the beginning of list scan.
 849         */
 850        new->tree = old->tree;
 851        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 852
 853        /* deep copy this information, updating the lsm_rule fields, because
 854         * the originals will all be freed when the old rule is freed. */
 855        for (i = 0; i < fcount; i++) {
 856                switch (new->fields[i].type) {
 857                case AUDIT_SUBJ_USER:
 858                case AUDIT_SUBJ_ROLE:
 859                case AUDIT_SUBJ_TYPE:
 860                case AUDIT_SUBJ_SEN:
 861                case AUDIT_SUBJ_CLR:
 862                case AUDIT_OBJ_USER:
 863                case AUDIT_OBJ_ROLE:
 864                case AUDIT_OBJ_TYPE:
 865                case AUDIT_OBJ_LEV_LOW:
 866                case AUDIT_OBJ_LEV_HIGH:
 867                        err = audit_dupe_lsm_field(&new->fields[i],
 868                                                       &old->fields[i]);
 869                        break;
 870                case AUDIT_FILTERKEY:
 871                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 872                        if (unlikely(!fk))
 873                                err = -ENOMEM;
 874                        else
 875                                new->filterkey = fk;
 876                        break;
 877                case AUDIT_EXE:
 878                        err = audit_dupe_exe(new, old);
 879                        break;
 880                }
 881                if (err) {
 882                        if (new->exe)
 883                                audit_remove_mark(new->exe);
 884                        audit_free_rule(entry);
 885                        return ERR_PTR(err);
 886                }
 887        }
 888
 889        if (old->watch) {
 890                audit_get_watch(old->watch);
 891                new->watch = old->watch;
 892        }
 893
 894        return entry;
 895}
 896
 897/* Find an existing audit rule.
 898 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 899static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 900                                           struct list_head **p)
 901{
 902        struct audit_entry *e, *found = NULL;
 903        struct list_head *list;
 904        int h;
 905
 906        if (entry->rule.inode_f) {
 907                h = audit_hash_ino(entry->rule.inode_f->val);
 908                *p = list = &audit_inode_hash[h];
 909        } else if (entry->rule.watch) {
 910                /* we don't know the inode number, so must walk entire hash */
 911                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 912                        list = &audit_inode_hash[h];
 913                        list_for_each_entry(e, list, list)
 914                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 915                                        found = e;
 916                                        goto out;
 917                                }
 918                }
 919                goto out;
 920        } else {
 921                *p = list = &audit_filter_list[entry->rule.listnr];
 922        }
 923
 924        list_for_each_entry(e, list, list)
 925                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 926                        found = e;
 927                        goto out;
 928                }
 929
 930out:
 931        return found;
 932}
 933
 934static u64 prio_low = ~0ULL/2;
 935static u64 prio_high = ~0ULL/2 - 1;
 936
 937/* Add rule to given filterlist if not a duplicate. */
 938static inline int audit_add_rule(struct audit_entry *entry)
 939{
 940        struct audit_entry *e;
 941        struct audit_watch *watch = entry->rule.watch;
 942        struct audit_tree *tree = entry->rule.tree;
 943        struct list_head *list;
 944        int err = 0;
 945#ifdef CONFIG_AUDITSYSCALL
 946        int dont_count = 0;
 947
 948        /* If any of these, don't count towards total */
 949        switch(entry->rule.listnr) {
 950        case AUDIT_FILTER_USER:
 951        case AUDIT_FILTER_EXCLUDE:
 952        case AUDIT_FILTER_FS:
 953                dont_count = 1;
 954        }
 955#endif
 956
 957        mutex_lock(&audit_filter_mutex);
 958        e = audit_find_rule(entry, &list);
 959        if (e) {
 960                mutex_unlock(&audit_filter_mutex);
 961                err = -EEXIST;
 962                /* normally audit_add_tree_rule() will free it on failure */
 963                if (tree)
 964                        audit_put_tree(tree);
 965                return err;
 966        }
 967
 968        if (watch) {
 969                /* audit_filter_mutex is dropped and re-taken during this call */
 970                err = audit_add_watch(&entry->rule, &list);
 971                if (err) {
 972                        mutex_unlock(&audit_filter_mutex);
 973                        /*
 974                         * normally audit_add_tree_rule() will free it
 975                         * on failure
 976                         */
 977                        if (tree)
 978                                audit_put_tree(tree);
 979                        return err;
 980                }
 981        }
 982        if (tree) {
 983                err = audit_add_tree_rule(&entry->rule);
 984                if (err) {
 985                        mutex_unlock(&audit_filter_mutex);
 986                        return err;
 987                }
 988        }
 989
 990        entry->rule.prio = ~0ULL;
 991        if (entry->rule.listnr == AUDIT_FILTER_EXIT ||
 992            entry->rule.listnr == AUDIT_FILTER_URING_EXIT) {
 993                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 994                        entry->rule.prio = ++prio_high;
 995                else
 996                        entry->rule.prio = --prio_low;
 997        }
 998
 999        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
1000                list_add(&entry->rule.list,

1001                         &audit_rules_list[entry->rule.listnr]);
1002                list_add_rcu(&entry->list, list);
1003                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
1004        } else {
1005                list_add_tail(&entry->rule.list,
1006                              &audit_rules_list[entry->rule.listnr]);
1007                list_add_tail_rcu(&entry->list, list);
1008        }
1009#ifdef CONFIG_AUDITSYSCALL
1010        if (!dont_count)
1011                audit_n_rules++;
1012
1013        if (!audit_match_signal(entry))
1014                audit_signals++;
1015#endif
1016        mutex_unlock(&audit_filter_mutex);
1017
1018        return err;
1019}
1020
1021/* Remove an existing rule from filterlist. */
1022int audit_del_rule(struct audit_entry *entry)
1023{
1024        struct audit_entry  *e;
1025        struct audit_tree *tree = entry->rule.tree;
1026        struct list_head *list;
1027        int ret = 0;
1028#ifdef CONFIG_AUDITSYSCALL
1029        int dont_count = 0;
1030
1031        /* If any of these, don't count towards total */
1032        switch(entry->rule.listnr) {
1033        case AUDIT_FILTER_USER:
1034        case AUDIT_FILTER_EXCLUDE:
1035        case AUDIT_FILTER_FS:
1036                dont_count = 1;
1037        }
1038#endif
1039
1040        mutex_lock(&audit_filter_mutex);
1041        e = audit_find_rule(entry, &list);
1042        if (!e) {
1043                ret = -ENOENT;
1044                goto out;
1045        }
1046
1047        if (e->rule.watch)
1048                audit_remove_watch_rule(&e->rule);
1049
1050        if (e->rule.tree)
1051                audit_remove_tree_rule(&e->rule);
1052
1053        if (e->rule.exe)
1054                audit_remove_mark_rule(&e->rule);
1055
1056#ifdef CONFIG_AUDITSYSCALL
1057        if (!dont_count)
1058                audit_n_rules--;
1059
1060        if (!audit_match_signal(entry))
1061                audit_signals--;
1062#endif
1063
1064        list_del_rcu(&e->list);
1065        list_del(&e->rule.list);
1066        call_rcu(&e->rcu, audit_free_rule_rcu);
1067
1068out:
1069        mutex_unlock(&audit_filter_mutex);
1070
1071        if (tree)
1072                audit_put_tree(tree);   /* that's the temporary one */
1073
1074        return ret;
1075}
1076
1077/* List rules using struct audit_rule_data. */
1078static void audit_list_rules(int seq, struct sk_buff_head *q)
1079{
1080        struct sk_buff *skb;
1081        struct audit_krule *r;
1082        int i;
1083
1084        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1085         * iterator to sync with list writers. */
1086        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1087                list_for_each_entry(r, &audit_rules_list[i], list) {
1088                        struct audit_rule_data *data;
1089
1090                        data = audit_krule_to_data(r);
1091                        if (unlikely(!data))
1092                                break;
1093                        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
1094                                               data,
1095                                               struct_size(data, buf, data->buflen));
1096                        if (skb)
1097                                skb_queue_tail(q, skb);
1098                        kfree(data);
1099                }
1100        }
1101        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1102        if (skb)
1103                skb_queue_tail(q, skb);
1104}
1105
1106/* Log rule additions and removals */
1107static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1108{
1109        struct audit_buffer *ab;
1110
1111        if (!audit_enabled)
1112                return;
1113
1114        ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1115        if (!ab)
1116                return;
1117        audit_log_session_info(ab);
1118        audit_log_task_context(ab);
1119        audit_log_format(ab, " op=%s", action);
1120        audit_log_key(ab, rule->filterkey);
1121        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1122        audit_log_end(ab);
1123}
1124
1125/**
1126 * audit_rule_change - apply all rules to the specified message type
1127 * @type: audit message type
1128 * @seq: netlink audit message sequence (serial) number
1129 * @data: payload data
1130 * @datasz: size of payload data
1131 */
1132int audit_rule_change(int type, int seq, void *data, size_t datasz)
1133{
1134        int err = 0;
1135        struct audit_entry *entry;
1136
1137        switch (type) {
1138        case AUDIT_ADD_RULE:
1139                entry = audit_data_to_entry(data, datasz);
1140                if (IS_ERR(entry))
1141                        return PTR_ERR(entry);
1142                err = audit_add_rule(entry);
1143                audit_log_rule_change("add_rule", &entry->rule, !err);
1144                break;
1145        case AUDIT_DEL_RULE:
1146                entry = audit_data_to_entry(data, datasz);
1147                if (IS_ERR(entry))
1148                        return PTR_ERR(entry);
1149                err = audit_del_rule(entry);
1150                audit_log_rule_change("remove_rule", &entry->rule, !err);
1151                break;
1152        default:
1153                WARN_ON(1);
1154                return -EINVAL;
1155        }
1156
1157        if (err || type == AUDIT_DEL_RULE) {
1158                if (entry->rule.exe)
1159                        audit_remove_mark(entry->rule.exe);
1160                audit_free_rule(entry);
1161        }
1162
1163        return err;
1164}
1165
1166/**
1167 * audit_list_rules_send - list the audit rules
1168 * @request_skb: skb of request we are replying to (used to target the reply)
1169 * @seq: netlink audit message sequence (serial) number
1170 */
1171int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1172{
1173        struct task_struct *tsk;
1174        struct audit_netlink_list *dest;
1175
1176        /* We can't just spew out the rules here because we might fill
1177         * the available socket buffer space and deadlock waiting for
1178         * auditctl to read from it... which isn't ever going to
1179         * happen if we're actually running in the context of auditctl
1180         * trying to _send_ the stuff */
1181
1182        dest = kmalloc(sizeof(*dest), GFP_KERNEL);
1183        if (!dest)
1184                return -ENOMEM;
1185        dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
1186        dest->portid = NETLINK_CB(request_skb).portid;
1187        skb_queue_head_init(&dest->q);
1188
1189        mutex_lock(&audit_filter_mutex);
1190        audit_list_rules(seq, &dest->q);
1191        mutex_unlock(&audit_filter_mutex);
1192
1193        tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
1194        if (IS_ERR(tsk)) {
1195                skb_queue_purge(&dest->q);
1196                put_net(dest->net);
1197                kfree(dest);
1198                return PTR_ERR(tsk);
1199        }
1200
1201        return 0;
1202}
1203
1204int audit_comparator(u32 left, u32 op, u32 right)
1205{
1206        switch (op) {
1207        case Audit_equal:
1208                return (left == right);
1209        case Audit_not_equal:
1210                return (left != right);
1211        case Audit_lt:
1212                return (left < right);
1213        case Audit_le:
1214                return (left <= right);
1215        case Audit_gt:
1216                return (left > right);
1217        case Audit_ge:
1218                return (left >= right);
1219        case Audit_bitmask:
1220                return (left & right);
1221        case Audit_bittest:
1222                return ((left & right) == right);
1223        default:
1224                return 0;
1225        }
1226}
1227
1228int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1229{
1230        switch (op) {
1231        case Audit_equal:
1232                return uid_eq(left, right);
1233        case Audit_not_equal:
1234                return !uid_eq(left, right);
1235        case Audit_lt:
1236                return uid_lt(left, right);
1237        case Audit_le:
1238                return uid_lte(left, right);
1239        case Audit_gt:
1240                return uid_gt(left, right);
1241        case Audit_ge:
1242                return uid_gte(left, right);
1243        case Audit_bitmask:
1244        case Audit_bittest:
1245        default:
1246                return 0;
1247        }
1248}
1249
1250int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1251{
1252        switch (op) {
1253        case Audit_equal:
1254                return gid_eq(left, right);
1255        case Audit_not_equal:
1256                return !gid_eq(left, right);
1257        case Audit_lt:
1258                return gid_lt(left, right);
1259        case Audit_le:
1260                return gid_lte(left, right);
1261        case Audit_gt:
1262                return gid_gt(left, right);
1263        case Audit_ge:
1264                return gid_gte(left, right);
1265        case Audit_bitmask:
1266        case Audit_bittest:
1267        default:
1268                return 0;
1269        }
1270}
1271
1272/**
1273 * parent_len - find the length of the parent portion of a pathname
1274 * @path: pathname of which to determine length
1275 */
1276int parent_len(const char *path)
1277{
1278        int plen;
1279        const char *p;
1280
1281        plen = strlen(path);
1282
1283        if (plen == 0)
1284                return plen;
1285
1286        /* disregard trailing slashes */
1287        p = path + plen - 1;
1288        while ((*p == '/') && (p > path))
1289                p--;
1290
1291        /* walk backward until we find the next slash or hit beginning */
1292        while ((*p != '/') && (p > path))
1293                p--;
1294
1295        /* did we find a slash? Then increment to include it in path */
1296        if (*p == '/')
1297                p++;
1298
1299        return p - path;
1300}
1301
1302/**
1303 * audit_compare_dname_path - compare given dentry name with last component in
1304 *                            given path. Return of 0 indicates a match.
1305 * @dname:      dentry name that we're comparing
1306 * @path:       full pathname that we're comparing
1307 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1308 *              here indicates that we must compute this value.
1309 */
1310int audit_compare_dname_path(const struct qstr *dname, const char *path, int parentlen)
1311{
1312        int dlen, pathlen;
1313        const char *p;
1314
1315        dlen = dname->len;
1316        pathlen = strlen(path);
1317        if (pathlen < dlen)
1318                return 1;
1319
1320        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1321        if (pathlen - parentlen != dlen)
1322                return 1;
1323
1324        p = path + parentlen;
1325
1326        return strncmp(p, dname->name, dlen);
1327}
1328
1329int audit_filter(int msgtype, unsigned int listtype)
1330{
1331        struct audit_entry *e;
1332        int ret = 1; /* Audit by default */
1333
1334        rcu_read_lock();
1335        list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1336                int i, result = 0;
1337
1338                for (i = 0; i < e->rule.field_count; i++) {
1339                        struct audit_field *f = &e->rule.fields[i];
1340                        pid_t pid;
1341                        u32 sid;
1342
1343                        switch (f->type) {
1344                        case AUDIT_PID:
1345                                pid = task_pid_nr(current);
1346                                result = audit_comparator(pid, f->op, f->val);
1347                                break;
1348                        case AUDIT_UID:
1349                                result = audit_uid_comparator(current_uid(), f->op, f->uid);
1350                                break;
1351                        case AUDIT_GID:
1352                                result = audit_gid_comparator(current_gid(), f->op, f->gid);
1353                                break;
1354                        case AUDIT_LOGINUID:
1355                                result = audit_uid_comparator(audit_get_loginuid(current),
1356                                                              f->op, f->uid);
1357                                break;
1358                        case AUDIT_LOGINUID_SET:
1359                                result = audit_comparator(audit_loginuid_set(current),
1360                                                          f->op, f->val);
1361                                break;
1362                        case AUDIT_MSGTYPE:
1363                                result = audit_comparator(msgtype, f->op, f->val);
1364                                break;
1365                        case AUDIT_SUBJ_USER:
1366                        case AUDIT_SUBJ_ROLE:
1367                        case AUDIT_SUBJ_TYPE:
1368                        case AUDIT_SUBJ_SEN:
1369                        case AUDIT_SUBJ_CLR:
1370                                if (f->lsm_rule) {
1371                                        security_current_getsecid_subj(&sid);
1372                                        result = security_audit_rule_match(sid,
1373                                                   f->type, f->op, f->lsm_rule);
1374                                }
1375                                break;
1376                        case AUDIT_EXE:
1377                                result = audit_exe_compare(current, e->rule.exe);
1378                                if (f->op == Audit_not_equal)
1379                                        result = !result;
1380                                break;
1381                        default:
1382                                goto unlock_and_return;
1383                        }
1384                        if (result < 0) /* error */
1385                                goto unlock_and_return;
1386                        if (!result)
1387                                break;
1388                }
1389                if (result > 0) {
1390                        if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE)
1391                                ret = 0;
1392                        break;
1393                }
1394        }
1395unlock_and_return:
1396        rcu_read_unlock();
1397        return ret;
1398}
1399
1400static int update_lsm_rule(struct audit_krule *r)
1401{
1402        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1403        struct audit_entry *nentry;
1404        int err = 0;
1405
1406        if (!security_audit_rule_known(r))
1407                return 0;
1408
1409        nentry = audit_dupe_rule(r);
1410        if (entry->rule.exe)
1411                audit_remove_mark(entry->rule.exe);
1412        if (IS_ERR(nentry)) {
1413                /* save the first error encountered for the
1414                 * return value */
1415                err = PTR_ERR(nentry);
1416                audit_panic("error updating LSM filters");
1417                if (r->watch)
1418                        list_del(&r->rlist);
1419                list_del_rcu(&entry->list);
1420                list_del(&r->list);
1421        } else {
1422                if (r->watch || r->tree)
1423                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1424                list_replace_rcu(&entry->list, &nentry->list);
1425                list_replace(&r->list, &nentry->rule.list);
1426        }
1427        call_rcu(&entry->rcu, audit_free_rule_rcu);
1428
1429        return err;
1430}
1431
1432/* This function will re-initialize the lsm_rule field of all applicable rules.
1433 * It will traverse the filter lists serarching for rules that contain LSM
1434 * specific filter fields.  When such a rule is found, it is copied, the
1435 * LSM field is re-initialized, and the old rule is replaced with the
1436 * updated rule. */
1437int audit_update_lsm_rules(void)
1438{
1439        struct audit_krule *r, *n;
1440        int i, err = 0;
1441
1442        /* audit_filter_mutex synchronizes the writers */
1443        mutex_lock(&audit_filter_mutex);
1444
1445        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1446                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1447                        int res = update_lsm_rule(r);
1448                        if (!err)
1449                                err = res;
1450                }
1451        }
1452        mutex_unlock(&audit_filter_mutex);
1453
1454        return err;
1455}
1456