LXR linux/kernel/auditfilter.c

   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* auditfilter.c -- filtering of audit events
   3 *
   4 * Copyright 2003-2004 Red Hat, Inc.
   5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   6 * Copyright 2005 IBM Corporation
   7 */
   8
   9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  10
  11#include <linux/kernel.h>
  12#include <linux/audit.h>
  13#include <linux/kthread.h>
  14#include <linux/mutex.h>
  15#include <linux/fs.h>
  16#include <linux/namei.h>
  17#include <linux/netlink.h>
  18#include <linux/sched.h>
  19#include <linux/slab.h>
  20#include <linux/security.h>
  21#include <net/net_namespace.h>
  22#include <net/sock.h>
  23#include "audit.h"
  24
  25/*
  26 * Locking model:
  27 *
  28 * audit_filter_mutex:
  29 *              Synchronizes writes and blocking reads of audit's filterlist
  30 *              data.  Rcu is used to traverse the filterlist and access
  31 *              contents of structs audit_entry, audit_watch and opaque
  32 *              LSM rules during filtering.  If modified, these structures
  33 *              must be copied and replace their counterparts in the filterlist.
  34 *              An audit_parent struct is not accessed during filtering, so may
  35 *              be written directly provided audit_filter_mutex is held.
  36 */
  37
  38/* Audit filter lists, defined in <linux/audit.h> */
  39struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  40        LIST_HEAD_INIT(audit_filter_list[0]),
  41        LIST_HEAD_INIT(audit_filter_list[1]),
  42        LIST_HEAD_INIT(audit_filter_list[2]),
  43        LIST_HEAD_INIT(audit_filter_list[3]),
  44        LIST_HEAD_INIT(audit_filter_list[4]),
  45        LIST_HEAD_INIT(audit_filter_list[5]),
  46        LIST_HEAD_INIT(audit_filter_list[6]),
  47#if AUDIT_NR_FILTERS != 7
  48#error Fix audit_filter_list initialiser
  49#endif
  50};
  51static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  52        LIST_HEAD_INIT(audit_rules_list[0]),
  53        LIST_HEAD_INIT(audit_rules_list[1]),
  54        LIST_HEAD_INIT(audit_rules_list[2]),
  55        LIST_HEAD_INIT(audit_rules_list[3]),
  56        LIST_HEAD_INIT(audit_rules_list[4]),
  57        LIST_HEAD_INIT(audit_rules_list[5]),
  58        LIST_HEAD_INIT(audit_rules_list[6]),
  59};
  60
  61DEFINE_MUTEX(audit_filter_mutex);
  62
  63static void audit_free_lsm_field(struct audit_field *f)
  64{
  65        switch (f->type) {
  66        case AUDIT_SUBJ_USER:
  67        case AUDIT_SUBJ_ROLE:
  68        case AUDIT_SUBJ_TYPE:
  69        case AUDIT_SUBJ_SEN:
  70        case AUDIT_SUBJ_CLR:
  71        case AUDIT_OBJ_USER:
  72        case AUDIT_OBJ_ROLE:
  73        case AUDIT_OBJ_TYPE:
  74        case AUDIT_OBJ_LEV_LOW:
  75        case AUDIT_OBJ_LEV_HIGH:
  76                kfree(f->lsm_str);
  77                security_audit_rule_free(f->lsm_rule);
  78        }
  79}
  80
  81static inline void audit_free_rule(struct audit_entry *e)
  82{
  83        int i;
  84        struct audit_krule *erule = &e->rule;
  85
  86        /* some rules don't have associated watches */
  87        if (erule->watch)
  88                audit_put_watch(erule->watch);
  89        if (erule->fields)
  90                for (i = 0; i < erule->field_count; i++)
  91                        audit_free_lsm_field(&erule->fields[i]);
  92        kfree(erule->fields);
  93        kfree(erule->filterkey);
  94        kfree(e);
  95}
  96
  97void audit_free_rule_rcu(struct rcu_head *head)
  98{
  99        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
 100        audit_free_rule(e);
 101}
 102
 103/* Initialize an audit filterlist entry. */
 104static inline struct audit_entry *audit_init_entry(u32 field_count)
 105{
 106        struct audit_entry *entry;
 107        struct audit_field *fields;
 108
 109        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 110        if (unlikely(!entry))
 111                return NULL;
 112
 113        fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
 114        if (unlikely(!fields)) {
 115                kfree(entry);
 116                return NULL;
 117        }
 118        entry->rule.fields = fields;
 119
 120        return entry;
 121}
 122
 123/* Unpack a filter field's string representation from user-space
 124 * buffer. */
 125char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 126{
 127        char *str;
 128
 129        if (!*bufp || (len == 0) || (len > *remain))
 130                return ERR_PTR(-EINVAL);
 131
 132        /* Of the currently implemented string fields, PATH_MAX
 133         * defines the longest valid length.
 134         */
 135        if (len > PATH_MAX)
 136                return ERR_PTR(-ENAMETOOLONG);
 137
 138        str = kmalloc(len + 1, GFP_KERNEL);
 139        if (unlikely(!str))
 140                return ERR_PTR(-ENOMEM);
 141
 142        memcpy(str, *bufp, len);
 143        str[len] = 0;
 144        *bufp += len;
 145        *remain -= len;
 146
 147        return str;
 148}
 149
 150/* Translate an inode field to kernel representation. */
 151static inline int audit_to_inode(struct audit_krule *krule,
 152                                 struct audit_field *f)
 153{
 154        if (krule->listnr != AUDIT_FILTER_EXIT ||
 155            krule->inode_f || krule->watch || krule->tree ||
 156            (f->op != Audit_equal && f->op != Audit_not_equal))
 157                return -EINVAL;
 158
 159        krule->inode_f = f;
 160        return 0;
 161}
 162
 163static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 164
 165int __init audit_register_class(int class, unsigned *list)
 166{
 167        __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
 168        if (!p)
 169                return -ENOMEM;
 170        while (*list != ~0U) {
 171                unsigned n = *list++;
 172                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 173                        kfree(p);
 174                        return -EINVAL;
 175                }
 176                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 177        }
 178        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 179                kfree(p);
 180                return -EINVAL;
 181        }
 182        classes[class] = p;
 183        return 0;
 184}
 185
 186int audit_match_class(int class, unsigned syscall)
 187{
 188        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 189                return 0;
 190        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 191                return 0;
 192        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 193}
 194
 195#ifdef CONFIG_AUDITSYSCALL
 196static inline int audit_match_class_bits(int class, u32 *mask)
 197{
 198        int i;
 199
 200        if (classes[class]) {
 201                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 202                        if (mask[i] & classes[class][i])
 203                                return 0;
 204        }
 205        return 1;
 206}
 207
 208static int audit_match_signal(struct audit_entry *entry)
 209{
 210        struct audit_field *arch = entry->rule.arch_f;
 211
 212        if (!arch) {
 213                /* When arch is unspecified, we must check both masks on biarch
 214                 * as syscall number alone is ambiguous. */
 215                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 216                                               entry->rule.mask) &&
 217                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 218                                               entry->rule.mask));
 219        }
 220
 221        switch(audit_classify_arch(arch->val)) {
 222        case 0: /* native */
 223                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 224                                               entry->rule.mask));
 225        case 1: /* 32bit on biarch */
 226                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 227                                               entry->rule.mask));
 228        default:
 229                return 1;
 230        }
 231}
 232#endif
 233
 234/* Common user-space to kernel rule translation. */
 235static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
 236{
 237        unsigned listnr;
 238        struct audit_entry *entry;
 239        int i, err;
 240
 241        err = -EINVAL;
 242        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 243        switch(listnr) {
 244        default:
 245                goto exit_err;
 246#ifdef CONFIG_AUDITSYSCALL
 247        case AUDIT_FILTER_ENTRY:
 248                pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
 249                goto exit_err;
 250        case AUDIT_FILTER_EXIT:
 251        case AUDIT_FILTER_TASK:
 252#endif
 253        case AUDIT_FILTER_USER:
 254        case AUDIT_FILTER_EXCLUDE:
 255        case AUDIT_FILTER_FS:
 256                ;
 257        }
 258        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 259                pr_err("AUDIT_POSSIBLE is deprecated\n");
 260                goto exit_err;
 261        }
 262        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 263                goto exit_err;
 264        if (rule->field_count > AUDIT_MAX_FIELDS)
 265                goto exit_err;
 266
 267        err = -ENOMEM;
 268        entry = audit_init_entry(rule->field_count);
 269        if (!entry)
 270                goto exit_err;
 271
 272        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 273        entry->rule.listnr = listnr;
 274        entry->rule.action = rule->action;
 275        entry->rule.field_count = rule->field_count;
 276
 277        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 278                entry->rule.mask[i] = rule->mask[i];
 279
 280        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 281                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 282                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 283                __u32 *class;
 284
 285                if (!(*p & AUDIT_BIT(bit)))
 286                        continue;
 287                *p &= ~AUDIT_BIT(bit);
 288                class = classes[i];
 289                if (class) {
 290                        int j;
 291                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 292                                entry->rule.mask[j] |= class[j];
 293                }
 294        }
 295
 296        return entry;
 297
 298exit_err:
 299        return ERR_PTR(err);
 300}
 301
 302static u32 audit_ops[] =
 303{
 304        [Audit_equal] = AUDIT_EQUAL,
 305        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 306        [Audit_bitmask] = AUDIT_BIT_MASK,
 307        [Audit_bittest] = AUDIT_BIT_TEST,
 308        [Audit_lt] = AUDIT_LESS_THAN,
 309        [Audit_gt] = AUDIT_GREATER_THAN,
 310        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 311        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 312};
 313
 314static u32 audit_to_op(u32 op)
 315{
 316        u32 n;
 317        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 318                ;
 319        return n;
 320}
 321
 322/* check if an audit field is valid */
 323static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 324{
 325        switch (f->type) {
 326        case AUDIT_MSGTYPE:
 327                if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
 328                    entry->rule.listnr != AUDIT_FILTER_USER)
 329                        return -EINVAL;
 330                break;
 331        case AUDIT_FSTYPE:
 332                if (entry->rule.listnr != AUDIT_FILTER_FS)
 333                        return -EINVAL;
 334                break;
 335        }
 336
 337        switch (entry->rule.listnr) {
 338        case AUDIT_FILTER_FS:
 339                switch(f->type) {
 340                case AUDIT_FSTYPE:
 341                case AUDIT_FILTERKEY:
 342                        break;
 343                default:
 344                        return -EINVAL;
 345                }
 346        }
 347
 348        /* Check for valid field type and op */
 349        switch (f->type) {
 350        case AUDIT_ARG0:
 351        case AUDIT_ARG1:
 352        case AUDIT_ARG2:
 353        case AUDIT_ARG3:
 354        case AUDIT_PERS: /* <uapi/linux/personality.h> */
 355        case AUDIT_DEVMINOR:
 356                /* all ops are valid */
 357                break;
 358        case AUDIT_UID:
 359        case AUDIT_EUID:
 360        case AUDIT_SUID:
 361        case AUDIT_FSUID:
 362        case AUDIT_LOGINUID:
 363        case AUDIT_OBJ_UID:
 364        case AUDIT_GID:
 365        case AUDIT_EGID:
 366        case AUDIT_SGID:
 367        case AUDIT_FSGID:
 368        case AUDIT_OBJ_GID:
 369        case AUDIT_PID:
 370        case AUDIT_MSGTYPE:
 371        case AUDIT_PPID:
 372        case AUDIT_DEVMAJOR:
 373        case AUDIT_EXIT:
 374        case AUDIT_SUCCESS:
 375        case AUDIT_INODE:
 376        case AUDIT_SESSIONID:
 377        case AUDIT_SUBJ_SEN:
 378        case AUDIT_SUBJ_CLR:
 379        case AUDIT_OBJ_LEV_LOW:
 380        case AUDIT_OBJ_LEV_HIGH:
 381        case AUDIT_SADDR_FAM:
 382                /* bit ops are only useful on syscall args */
 383                if (f->op == Audit_bitmask || f->op == Audit_bittest)
 384                        return -EINVAL;
 385                break;
 386        case AUDIT_SUBJ_USER:
 387        case AUDIT_SUBJ_ROLE:
 388        case AUDIT_SUBJ_TYPE:
 389        case AUDIT_OBJ_USER:
 390        case AUDIT_OBJ_ROLE:
 391        case AUDIT_OBJ_TYPE:
 392        case AUDIT_WATCH:
 393        case AUDIT_DIR:
 394        case AUDIT_FILTERKEY:
 395        case AUDIT_LOGINUID_SET:
 396        case AUDIT_ARCH:
 397        case AUDIT_FSTYPE:
 398        case AUDIT_PERM:
 399        case AUDIT_FILETYPE:
 400        case AUDIT_FIELD_COMPARE:
 401        case AUDIT_EXE:
 402                /* only equal and not equal valid ops */
 403                if (f->op != Audit_not_equal && f->op != Audit_equal)
 404                        return -EINVAL;
 405                break;
 406        default:
 407                /* field not recognized */
 408                return -EINVAL;
 409        }
 410
 411        /* Check for select valid field values */
 412        switch (f->type) {
 413        case AUDIT_LOGINUID_SET:
 414                if ((f->val != 0) && (f->val != 1))
 415                        return -EINVAL;
 416                break;
 417        case AUDIT_PERM:
 418                if (f->val & ~15)
 419                        return -EINVAL;
 420                break;
 421        case AUDIT_FILETYPE:
 422                if (f->val & ~S_IFMT)
 423                        return -EINVAL;
 424                break;
 425        case AUDIT_FIELD_COMPARE:
 426                if (f->val > AUDIT_MAX_FIELD_COMPARE)
 427                        return -EINVAL;
 428                break;
 429        case AUDIT_SADDR_FAM:
 430                if (f->val >= AF_MAX)
 431                        return -EINVAL;
 432                break;
 433        default:
 434                break;
 435        }
 436
 437        return 0;
 438}
 439
 440/* Translate struct audit_rule_data to kernel's rule representation. */
 441static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 442                                               size_t datasz)
 443{
 444        int err = 0;
 445        struct audit_entry *entry;
 446        void *bufp;
 447        size_t remain = datasz - sizeof(struct audit_rule_data);
 448        int i;
 449        char *str;
 450        struct audit_fsnotify_mark *audit_mark;
 451
 452        entry = audit_to_entry_common(data);
 453        if (IS_ERR(entry))
 454                goto exit_nofree;
 455
 456        bufp = data->buf;
 457        for (i = 0; i < data->field_count; i++) {
 458                struct audit_field *f = &entry->rule.fields[i];
 459
 460                err = -EINVAL;
 461
 462                f->op = audit_to_op(data->fieldflags[i]);
 463                if (f->op == Audit_bad)
 464                        goto exit_free;
 465
 466                f->type = data->fields[i];
 467                f->val = data->values[i];
 468
 469                /* Support legacy tests for a valid loginuid */
 470                if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
 471                        f->type = AUDIT_LOGINUID_SET;
 472                        f->val = 0;
 473                        entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
 474                }
 475
 476                err = audit_field_valid(entry, f);
 477                if (err)
 478                        goto exit_free;
 479
 480                err = -EINVAL;
 481                switch (f->type) {
 482                case AUDIT_LOGINUID:
 483                case AUDIT_UID:
 484                case AUDIT_EUID:
 485                case AUDIT_SUID:
 486                case AUDIT_FSUID:
 487                case AUDIT_OBJ_UID:
 488                        f->uid = make_kuid(current_user_ns(), f->val);
 489                        if (!uid_valid(f->uid))
 490                                goto exit_free;
 491                        break;
 492                case AUDIT_GID:
 493                case AUDIT_EGID:
 494                case AUDIT_SGID:
 495                case AUDIT_FSGID:
 496                case AUDIT_OBJ_GID:
 497                        f->gid = make_kgid(current_user_ns(), f->val);
 498                        if (!gid_valid(f->gid))
 499                                goto exit_free;
 500                        break;
 501                case AUDIT_ARCH:
 502                        entry->rule.arch_f = f;
 503                        break;
 504                case AUDIT_SUBJ_USER:
 505                case AUDIT_SUBJ_ROLE:
 506                case AUDIT_SUBJ_TYPE:
 507                case AUDIT_SUBJ_SEN:
 508                case AUDIT_SUBJ_CLR:
 509                case AUDIT_OBJ_USER:
 510                case AUDIT_OBJ_ROLE:
 511                case AUDIT_OBJ_TYPE:
 512                case AUDIT_OBJ_LEV_LOW:
 513                case AUDIT_OBJ_LEV_HIGH:
 514                        str = audit_unpack_string(&bufp, &remain, f->val);
 515                        if (IS_ERR(str))
 516                                goto exit_free;
 517                        entry->rule.buflen += f->val;
 518
 519                        err = security_audit_rule_init(f->type, f->op, str,
 520                                                       (void **)&f->lsm_rule);
 521                        /* Keep currently invalid fields around in case they
 522                         * become valid after a policy reload. */
 523                        if (err == -EINVAL) {
 524                                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 525                                        str);
 526                                err = 0;
 527                        }
 528                        if (err) {
 529                                kfree(str);
 530                                goto exit_free;
 531                        } else
 532                                f->lsm_str = str;
 533                        break;
 534                case AUDIT_WATCH:
 535                        str = audit_unpack_string(&bufp, &remain, f->val);
 536                        if (IS_ERR(str))
 537                                goto exit_free;
 538                        entry->rule.buflen += f->val;
 539
 540                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 541                        if (err) {
 542                                kfree(str);
 543                                goto exit_free;
 544                        }
 545                        break;
 546                case AUDIT_DIR:
 547                        str = audit_unpack_string(&bufp, &remain, f->val);
 548                        if (IS_ERR(str))
 549                                goto exit_free;
 550                        entry->rule.buflen += f->val;
 551
 552                        err = audit_make_tree(&entry->rule, str, f->op);
 553                        kfree(str);
 554                        if (err)
 555                                goto exit_free;
 556                        break;
 557                case AUDIT_INODE:
 558                        err = audit_to_inode(&entry->rule, f);
 559                        if (err)
 560                                goto exit_free;
 561                        break;
 562                case AUDIT_FILTERKEY:
 563                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 564                                goto exit_free;
 565                        str = audit_unpack_string(&bufp, &remain, f->val);
 566                        if (IS_ERR(str))
 567                                goto exit_free;
 568                        entry->rule.buflen += f->val;
 569                        entry->rule.filterkey = str;
 570                        break;
 571                case AUDIT_EXE:
 572                        if (entry->rule.exe || f->val > PATH_MAX)
 573                                goto exit_free;
 574                        str = audit_unpack_string(&bufp, &remain, f->val);
 575                        if (IS_ERR(str)) {
 576                                err = PTR_ERR(str);
 577                                goto exit_free;
 578                        }
 579                        entry->rule.buflen += f->val;
 580
 581                        audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
 582                        if (IS_ERR(audit_mark)) {
 583                                kfree(str);
 584                                err = PTR_ERR(audit_mark);
 585                                goto exit_free;
 586                        }
 587                        entry->rule.exe = audit_mark;
 588                        break;
 589                }
 590        }
 591
 592        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 593                entry->rule.inode_f = NULL;
 594
 595exit_nofree:
 596        return entry;
 597
 598exit_free:
 599        if (entry->rule.tree)
 600                audit_put_tree(entry->rule.tree); /* that's the temporary one */
 601        if (entry->rule.exe)
 602                audit_remove_mark(entry->rule.exe); /* that's the template one */
 603        audit_free_rule(entry);
 604        return ERR_PTR(err);
 605}
 606
 607/* Pack a filter field's string representation into data block. */
 608static inline size_t audit_pack_string(void **bufp, const char *str)
 609{
 610        size_t len = strlen(str);
 611
 612        memcpy(*bufp, str, len);
 613        *bufp += len;
 614
 615        return len;
 616}
 617
 618/* Translate kernel rule representation to struct audit_rule_data. */
 619static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 620{
 621        struct audit_rule_data *data;
 622        void *bufp;
 623        int i;
 624
 625        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 626        if (unlikely(!data))
 627                return NULL;
 628        memset(data, 0, sizeof(*data));
 629
 630        data->flags = krule->flags | krule->listnr;
 631        data->action = krule->action;
 632        data->field_count = krule->field_count;
 633        bufp = data->buf;
 634        for (i = 0; i < data->field_count; i++) {
 635                struct audit_field *f = &krule->fields[i];
 636
 637                data->fields[i] = f->type;
 638                data->fieldflags[i] = audit_ops[f->op];
 639                switch(f->type) {
 640                case AUDIT_SUBJ_USER:
 641                case AUDIT_SUBJ_ROLE:
 642                case AUDIT_SUBJ_TYPE:
 643                case AUDIT_SUBJ_SEN:
 644                case AUDIT_SUBJ_CLR:
 645                case AUDIT_OBJ_USER:
 646                case AUDIT_OBJ_ROLE:
 647                case AUDIT_OBJ_TYPE:
 648                case AUDIT_OBJ_LEV_LOW:
 649                case AUDIT_OBJ_LEV_HIGH:
 650                        data->buflen += data->values[i] =
 651                                audit_pack_string(&bufp, f->lsm_str);
 652                        break;
 653                case AUDIT_WATCH:
 654                        data->buflen += data->values[i] =
 655                                audit_pack_string(&bufp,
 656                                                  audit_watch_path(krule->watch));
 657                        break;
 658                case AUDIT_DIR:
 659                        data->buflen += data->values[i] =
 660                                audit_pack_string(&bufp,
 661                                                  audit_tree_path(krule->tree));
 662                        break;
 663                case AUDIT_FILTERKEY:
 664                        data->buflen += data->values[i] =
 665                                audit_pack_string(&bufp, krule->filterkey);
 666                        break;
 667                case AUDIT_EXE:
 668                        data->buflen += data->values[i] =
 669                                audit_pack_string(&bufp, audit_mark_path(krule->exe));
 670                        break;
 671                case AUDIT_LOGINUID_SET:
 672                        if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
 673                                data->fields[i] = AUDIT_LOGINUID;
 674                                data->values[i] = AUDIT_UID_UNSET;
 675                                break;
 676                        }
 677                        /* fall through - if set */
 678                default:
 679                        data->values[i] = f->val;
 680                }
 681        }
 682        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 683
 684        return data;
 685}
 686
 687/* Compare two rules in kernel format.  Considered success if rules
 688 * don't match. */
 689static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 690{
 691        int i;
 692
 693        if (a->flags != b->flags ||
 694            a->pflags != b->pflags ||
 695            a->listnr != b->listnr ||
 696            a->action != b->action ||
 697            a->field_count != b->field_count)
 698                return 1;
 699
 700        for (i = 0; i < a->field_count; i++) {
 701                if (a->fields[i].type != b->fields[i].type ||
 702                    a->fields[i].op != b->fields[i].op)
 703                        return 1;
 704
 705                switch(a->fields[i].type) {
 706                case AUDIT_SUBJ_USER:
 707                case AUDIT_SUBJ_ROLE:
 708                case AUDIT_SUBJ_TYPE:
 709                case AUDIT_SUBJ_SEN:
 710                case AUDIT_SUBJ_CLR:
 711                case AUDIT_OBJ_USER:
 712                case AUDIT_OBJ_ROLE:
 713                case AUDIT_OBJ_TYPE:
 714                case AUDIT_OBJ_LEV_LOW:
 715                case AUDIT_OBJ_LEV_HIGH:
 716                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 717                                return 1;
 718                        break;
 719                case AUDIT_WATCH:
 720                        if (strcmp(audit_watch_path(a->watch),
 721                                   audit_watch_path(b->watch)))
 722                                return 1;
 723                        break;
 724                case AUDIT_DIR:
 725                        if (strcmp(audit_tree_path(a->tree),
 726                                   audit_tree_path(b->tree)))
 727                                return 1;
 728                        break;
 729                case AUDIT_FILTERKEY:
 730                        /* both filterkeys exist based on above type compare */
 731                        if (strcmp(a->filterkey, b->filterkey))
 732                                return 1;
 733                        break;
 734                case AUDIT_EXE:
 735                        /* both paths exist based on above type compare */
 736                        if (strcmp(audit_mark_path(a->exe),
 737                                   audit_mark_path(b->exe)))
 738                                return 1;
 739                        break;
 740                case AUDIT_UID:
 741                case AUDIT_EUID:
 742                case AUDIT_SUID:
 743                case AUDIT_FSUID:
 744                case AUDIT_LOGINUID:
 745                case AUDIT_OBJ_UID:
 746                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 747                                return 1;
 748                        break;
 749                case AUDIT_GID:
 750                case AUDIT_EGID:
 751                case AUDIT_SGID:
 752                case AUDIT_FSGID:
 753                case AUDIT_OBJ_GID:
 754                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 755                                return 1;
 756                        break;
 757                default:
 758                        if (a->fields[i].val != b->fields[i].val)
 759                                return 1;
 760                }
 761        }
 762
 763        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 764                if (a->mask[i] != b->mask[i])
 765                        return 1;
 766
 767        return 0;
 768}
 769
 770/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 771 * re-initialized. */
 772static inline int audit_dupe_lsm_field(struct audit_field *df,
 773                                           struct audit_field *sf)
 774{
 775        int ret = 0;
 776        char *lsm_str;
 777
 778        /* our own copy of lsm_str */
 779        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 780        if (unlikely(!lsm_str))
 781                return -ENOMEM;
 782        df->lsm_str = lsm_str;
 783
 784        /* our own (refreshed) copy of lsm_rule */
 785        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 786                                       (void **)&df->lsm_rule);
 787        /* Keep currently invalid fields around in case they
 788         * become valid after a policy reload. */
 789        if (ret == -EINVAL) {
 790                pr_warn("audit rule for LSM \'%s\' is invalid\n",
 791                        df->lsm_str);
 792                ret = 0;
 793        }
 794
 795        return ret;
 796}
 797
 798/* Duplicate an audit rule.  This will be a deep copy with the exception
 799 * of the watch - that pointer is carried over.  The LSM specific fields
 800 * will be updated in the copy.  The point is to be able to replace the old
 801 * rule with the new rule in the filterlist, then free the old rule.
 802 * The rlist element is undefined; list manipulations are handled apart from
 803 * the initial copy. */
 804struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 805{
 806        u32 fcount = old->field_count;
 807        struct audit_entry *entry;
 808        struct audit_krule *new;
 809        char *fk;
 810        int i, err = 0;
 811
 812        entry = audit_init_entry(fcount);
 813        if (unlikely(!entry))
 814                return ERR_PTR(-ENOMEM);
 815
 816        new = &entry->rule;
 817        new->flags = old->flags;
 818        new->pflags = old->pflags;
 819        new->listnr = old->listnr;
 820        new->action = old->action;
 821        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 822                new->mask[i] = old->mask[i];
 823        new->prio = old->prio;
 824        new->buflen = old->buflen;
 825        new->inode_f = old->inode_f;
 826        new->field_count = old->field_count;
 827
 828        /*
 829         * note that we are OK with not refcounting here; audit_match_tree()
 830         * never dereferences tree and we can't get false positives there
 831         * since we'd have to have rule gone from the list *and* removed
 832         * before the chunks found by lookup had been allocated, i.e. before
 833         * the beginning of list scan.
 834         */
 835        new->tree = old->tree;
 836        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 837
 838        /* deep copy this information, updating the lsm_rule fields, because
 839         * the originals will all be freed when the old rule is freed. */
 840        for (i = 0; i < fcount; i++) {
 841                switch (new->fields[i].type) {
 842                case AUDIT_SUBJ_USER:
 843                case AUDIT_SUBJ_ROLE:
 844                case AUDIT_SUBJ_TYPE:
 845                case AUDIT_SUBJ_SEN:
 846                case AUDIT_SUBJ_CLR:
 847                case AUDIT_OBJ_USER:
 848                case AUDIT_OBJ_ROLE:
 849                case AUDIT_OBJ_TYPE:
 850                case AUDIT_OBJ_LEV_LOW:
 851                case AUDIT_OBJ_LEV_HIGH:
 852                        err = audit_dupe_lsm_field(&new->fields[i],
 853                                                       &old->fields[i]);
 854                        break;
 855                case AUDIT_FILTERKEY:
 856                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 857                        if (unlikely(!fk))
 858                                err = -ENOMEM;
 859                        else
 860                                new->filterkey = fk;
 861                        break;
 862                case AUDIT_EXE:
 863                        err = audit_dupe_exe(new, old);
 864                        break;
 865                }
 866                if (err) {
 867                        if (new->exe)
 868                                audit_remove_mark(new->exe);
 869                        audit_free_rule(entry);
 870                        return ERR_PTR(err);
 871                }
 872        }
 873
 874        if (old->watch) {
 875                audit_get_watch(old->watch);
 876                new->watch = old->watch;
 877        }
 878
 879        return entry;
 880}
 881
 882/* Find an existing audit rule.
 883 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 884static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 885                                           struct list_head **p)
 886{
 887        struct audit_entry *e, *found = NULL;
 888        struct list_head *list;
 889        int h;
 890
 891        if (entry->rule.inode_f) {
 892                h = audit_hash_ino(entry->rule.inode_f->val);
 893                *p = list = &audit_inode_hash[h];
 894        } else if (entry->rule.watch) {
 895                /* we don't know the inode number, so must walk entire hash */
 896                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 897                        list = &audit_inode_hash[h];
 898                        list_for_each_entry(e, list, list)
 899                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 900                                        found = e;
 901                                        goto out;
 902                                }
 903                }
 904                goto out;
 905        } else {
 906                *p = list = &audit_filter_list[entry->rule.listnr];
 907        }
 908
 909        list_for_each_entry(e, list, list)
 910                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 911                        found = e;
 912                        goto out;
 913                }
 914
 915out:
 916        return found;
 917}
 918
 919static u64 prio_low = ~0ULL/2;
 920static u64 prio_high = ~0ULL/2 - 1;
 921
 922/* Add rule to given filterlist if not a duplicate. */
 923static inline int audit_add_rule(struct audit_entry *entry)
 924{
 925        struct audit_entry *e;
 926        struct audit_watch *watch = entry->rule.watch;
 927        struct audit_tree *tree = entry->rule.tree;
 928        struct list_head *list;
 929        int err = 0;
 930#ifdef CONFIG_AUDITSYSCALL
 931        int dont_count = 0;
 932
 933        /* If any of these, don't count towards total */
 934        switch(entry->rule.listnr) {
 935        case AUDIT_FILTER_USER:
 936        case AUDIT_FILTER_EXCLUDE:
 937        case AUDIT_FILTER_FS:
 938                dont_count = 1;
 939        }
 940#endif
 941
 942        mutex_lock(&audit_filter_mutex);
 943        e = audit_find_rule(entry, &list);
 944        if (e) {
 945                mutex_unlock(&audit_filter_mutex);
 946                err = -EEXIST;
 947                /* normally audit_add_tree_rule() will free it on failure */
 948                if (tree)
 949                        audit_put_tree(tree);
 950                return err;
 951        }
 952
 953        if (watch) {
 954                /* audit_filter_mutex is dropped and re-taken during this call */
 955                err = audit_add_watch(&entry->rule, &list);
 956                if (err) {
 957                        mutex_unlock(&audit_filter_mutex);
 958                        /*
 959                         * normally audit_add_tree_rule() will free it
 960                         * on failure
 961                         */
 962                        if (tree)
 963                                audit_put_tree(tree);
 964                        return err;
 965                }
 966        }
 967        if (tree) {
 968                err = audit_add_tree_rule(&entry->rule);
 969                if (err) {
 970                        mutex_unlock(&audit_filter_mutex);
 971                        return err;
 972                }
 973        }
 974
 975        entry->rule.prio = ~0ULL;
 976        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 977                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 978                        entry->rule.prio = ++prio_high;
 979                else
 980                        entry->rule.prio = --prio_low;
 981        }
 982
 983        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 984                list_add(&entry->rule.list,
 985                         &audit_rules_list[entry->rule.listnr]);
 986                list_add_rcu(&entry->list, list);
 987                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 988        } else {
 989                list_add_tail(&entry->rule.list,
 990                              &audit_rules_list[entry->rule.listnr]);
 991                list_add_tail_rcu(&entry->list, list);
 992        }
 993#ifdef CONFIG_AUDITSYSCALL
 994        if (!dont_count)
 995                audit_n_rules++;
 996
 997        if (!audit_match_signal(entry))
 998                audit_signals++;
 999#endif
1000        mutex_unlock(&audit_filter_mutex);

1001
1002        return err;
1003}
1004
1005/* Remove an existing rule from filterlist. */
1006int audit_del_rule(struct audit_entry *entry)
1007{
1008        struct audit_entry  *e;
1009        struct audit_tree *tree = entry->rule.tree;
1010        struct list_head *list;
1011        int ret = 0;
1012#ifdef CONFIG_AUDITSYSCALL
1013        int dont_count = 0;
1014
1015        /* If any of these, don't count towards total */
1016        switch(entry->rule.listnr) {
1017        case AUDIT_FILTER_USER:
1018        case AUDIT_FILTER_EXCLUDE:
1019        case AUDIT_FILTER_FS:
1020                dont_count = 1;
1021        }
1022#endif
1023
1024        mutex_lock(&audit_filter_mutex);
1025        e = audit_find_rule(entry, &list);
1026        if (!e) {
1027                ret = -ENOENT;
1028                goto out;
1029        }
1030
1031        if (e->rule.watch)
1032                audit_remove_watch_rule(&e->rule);
1033
1034        if (e->rule.tree)
1035                audit_remove_tree_rule(&e->rule);
1036
1037        if (e->rule.exe)
1038                audit_remove_mark_rule(&e->rule);
1039
1040#ifdef CONFIG_AUDITSYSCALL
1041        if (!dont_count)
1042                audit_n_rules--;
1043
1044        if (!audit_match_signal(entry))
1045                audit_signals--;
1046#endif
1047
1048        list_del_rcu(&e->list);
1049        list_del(&e->rule.list);
1050        call_rcu(&e->rcu, audit_free_rule_rcu);
1051
1052out:
1053        mutex_unlock(&audit_filter_mutex);
1054
1055        if (tree)
1056                audit_put_tree(tree);   /* that's the temporary one */
1057
1058        return ret;
1059}
1060
1061/* List rules using struct audit_rule_data. */
1062static void audit_list_rules(int seq, struct sk_buff_head *q)
1063{
1064        struct sk_buff *skb;
1065        struct audit_krule *r;
1066        int i;
1067
1068        /* This is a blocking read, so use audit_filter_mutex instead of rcu
1069         * iterator to sync with list writers. */
1070        for (i=0; i<AUDIT_NR_FILTERS; i++) {
1071                list_for_each_entry(r, &audit_rules_list[i], list) {
1072                        struct audit_rule_data *data;
1073
1074                        data = audit_krule_to_data(r);
1075                        if (unlikely(!data))
1076                                break;
1077                        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
1078                                               data,
1079                                               sizeof(*data) + data->buflen);
1080                        if (skb)
1081                                skb_queue_tail(q, skb);
1082                        kfree(data);
1083                }
1084        }
1085        skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1086        if (skb)
1087                skb_queue_tail(q, skb);
1088}
1089
1090/* Log rule additions and removals */
1091static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1092{
1093        struct audit_buffer *ab;
1094
1095        if (!audit_enabled)
1096                return;
1097
1098        ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1099        if (!ab)
1100                return;
1101        audit_log_session_info(ab);
1102        audit_log_task_context(ab);
1103        audit_log_format(ab, " op=%s", action);
1104        audit_log_key(ab, rule->filterkey);
1105        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1106        audit_log_end(ab);
1107}
1108
1109/**
1110 * audit_rule_change - apply all rules to the specified message type
1111 * @type: audit message type
1112 * @seq: netlink audit message sequence (serial) number
1113 * @data: payload data
1114 * @datasz: size of payload data
1115 */
1116int audit_rule_change(int type, int seq, void *data, size_t datasz)
1117{
1118        int err = 0;
1119        struct audit_entry *entry;
1120
1121        switch (type) {
1122        case AUDIT_ADD_RULE:
1123                entry = audit_data_to_entry(data, datasz);
1124                if (IS_ERR(entry))
1125                        return PTR_ERR(entry);
1126                err = audit_add_rule(entry);
1127                audit_log_rule_change("add_rule", &entry->rule, !err);
1128                break;
1129        case AUDIT_DEL_RULE:
1130                entry = audit_data_to_entry(data, datasz);
1131                if (IS_ERR(entry))
1132                        return PTR_ERR(entry);
1133                err = audit_del_rule(entry);
1134                audit_log_rule_change("remove_rule", &entry->rule, !err);
1135                break;
1136        default:
1137                WARN_ON(1);
1138                return -EINVAL;
1139        }
1140
1141        if (err || type == AUDIT_DEL_RULE) {
1142                if (entry->rule.exe)
1143                        audit_remove_mark(entry->rule.exe);
1144                audit_free_rule(entry);
1145        }
1146
1147        return err;
1148}
1149
1150/**
1151 * audit_list_rules_send - list the audit rules
1152 * @request_skb: skb of request we are replying to (used to target the reply)
1153 * @seq: netlink audit message sequence (serial) number
1154 */
1155int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1156{
1157        u32 portid = NETLINK_CB(request_skb).portid;
1158        struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1159        struct task_struct *tsk;
1160        struct audit_netlink_list *dest;
1161        int err = 0;
1162
1163        /* We can't just spew out the rules here because we might fill
1164         * the available socket buffer space and deadlock waiting for
1165         * auditctl to read from it... which isn't ever going to
1166         * happen if we're actually running in the context of auditctl
1167         * trying to _send_ the stuff */
1168
1169        dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1170        if (!dest)
1171                return -ENOMEM;
1172        dest->net = get_net(net);
1173        dest->portid = portid;
1174        skb_queue_head_init(&dest->q);
1175
1176        mutex_lock(&audit_filter_mutex);
1177        audit_list_rules(seq, &dest->q);
1178        mutex_unlock(&audit_filter_mutex);
1179
1180        tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1181        if (IS_ERR(tsk)) {
1182                skb_queue_purge(&dest->q);
1183                kfree(dest);
1184                err = PTR_ERR(tsk);
1185        }
1186
1187        return err;
1188}
1189
1190int audit_comparator(u32 left, u32 op, u32 right)
1191{
1192        switch (op) {
1193        case Audit_equal:
1194                return (left == right);
1195        case Audit_not_equal:
1196                return (left != right);
1197        case Audit_lt:
1198                return (left < right);
1199        case Audit_le:
1200                return (left <= right);
1201        case Audit_gt:
1202                return (left > right);
1203        case Audit_ge:
1204                return (left >= right);
1205        case Audit_bitmask:
1206                return (left & right);
1207        case Audit_bittest:
1208                return ((left & right) == right);
1209        default:
1210                return 0;
1211        }
1212}
1213
1214int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1215{
1216        switch (op) {
1217        case Audit_equal:
1218                return uid_eq(left, right);
1219        case Audit_not_equal:
1220                return !uid_eq(left, right);
1221        case Audit_lt:
1222                return uid_lt(left, right);
1223        case Audit_le:
1224                return uid_lte(left, right);
1225        case Audit_gt:
1226                return uid_gt(left, right);
1227        case Audit_ge:
1228                return uid_gte(left, right);
1229        case Audit_bitmask:
1230        case Audit_bittest:
1231        default:
1232                return 0;
1233        }
1234}
1235
1236int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1237{
1238        switch (op) {
1239        case Audit_equal:
1240                return gid_eq(left, right);
1241        case Audit_not_equal:
1242                return !gid_eq(left, right);
1243        case Audit_lt:
1244                return gid_lt(left, right);
1245        case Audit_le:
1246                return gid_lte(left, right);
1247        case Audit_gt:
1248                return gid_gt(left, right);
1249        case Audit_ge:
1250                return gid_gte(left, right);
1251        case Audit_bitmask:
1252        case Audit_bittest:
1253        default:
1254                return 0;
1255        }
1256}
1257
1258/**
1259 * parent_len - find the length of the parent portion of a pathname
1260 * @path: pathname of which to determine length
1261 */
1262int parent_len(const char *path)
1263{
1264        int plen;
1265        const char *p;
1266
1267        plen = strlen(path);
1268
1269        if (plen == 0)
1270                return plen;
1271
1272        /* disregard trailing slashes */
1273        p = path + plen - 1;
1274        while ((*p == '/') && (p > path))
1275                p--;
1276
1277        /* walk backward until we find the next slash or hit beginning */
1278        while ((*p != '/') && (p > path))
1279                p--;
1280
1281        /* did we find a slash? Then increment to include it in path */
1282        if (*p == '/')
1283                p++;
1284
1285        return p - path;
1286}
1287
1288/**
1289 * audit_compare_dname_path - compare given dentry name with last component in
1290 *                            given path. Return of 0 indicates a match.
1291 * @dname:      dentry name that we're comparing
1292 * @path:       full pathname that we're comparing
1293 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1294 *              here indicates that we must compute this value.
1295 */
1296int audit_compare_dname_path(const struct qstr *dname, const char *path, int parentlen)
1297{
1298        int dlen, pathlen;
1299        const char *p;
1300
1301        dlen = dname->len;
1302        pathlen = strlen(path);
1303        if (pathlen < dlen)
1304                return 1;
1305
1306        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1307        if (pathlen - parentlen != dlen)
1308                return 1;
1309
1310        p = path + parentlen;
1311
1312        return strncmp(p, dname->name, dlen);
1313}
1314
1315int audit_filter(int msgtype, unsigned int listtype)
1316{
1317        struct audit_entry *e;
1318        int ret = 1; /* Audit by default */
1319
1320        rcu_read_lock();
1321        list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1322                int i, result = 0;
1323
1324                for (i = 0; i < e->rule.field_count; i++) {
1325                        struct audit_field *f = &e->rule.fields[i];
1326                        pid_t pid;
1327                        u32 sid;
1328
1329                        switch (f->type) {
1330                        case AUDIT_PID:
1331                                pid = task_pid_nr(current);
1332                                result = audit_comparator(pid, f->op, f->val);
1333                                break;
1334                        case AUDIT_UID:
1335                                result = audit_uid_comparator(current_uid(), f->op, f->uid);
1336                                break;
1337                        case AUDIT_GID:
1338                                result = audit_gid_comparator(current_gid(), f->op, f->gid);
1339                                break;
1340                        case AUDIT_LOGINUID:
1341                                result = audit_uid_comparator(audit_get_loginuid(current),
1342                                                              f->op, f->uid);
1343                                break;
1344                        case AUDIT_LOGINUID_SET:
1345                                result = audit_comparator(audit_loginuid_set(current),
1346                                                          f->op, f->val);
1347                                break;
1348                        case AUDIT_MSGTYPE:
1349                                result = audit_comparator(msgtype, f->op, f->val);
1350                                break;
1351                        case AUDIT_SUBJ_USER:
1352                        case AUDIT_SUBJ_ROLE:
1353                        case AUDIT_SUBJ_TYPE:
1354                        case AUDIT_SUBJ_SEN:
1355                        case AUDIT_SUBJ_CLR:
1356                                if (f->lsm_rule) {
1357                                        security_task_getsecid(current, &sid);
1358                                        result = security_audit_rule_match(sid,
1359                                                   f->type, f->op, f->lsm_rule);
1360                                }
1361                                break;
1362                        case AUDIT_EXE:
1363                                result = audit_exe_compare(current, e->rule.exe);
1364                                if (f->op == Audit_not_equal)
1365                                        result = !result;
1366                                break;
1367                        default:
1368                                goto unlock_and_return;
1369                        }
1370                        if (result < 0) /* error */
1371                                goto unlock_and_return;
1372                        if (!result)
1373                                break;
1374                }
1375                if (result > 0) {
1376                        if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE)
1377                                ret = 0;
1378                        break;
1379                }
1380        }
1381unlock_and_return:
1382        rcu_read_unlock();
1383        return ret;
1384}
1385
1386static int update_lsm_rule(struct audit_krule *r)
1387{
1388        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1389        struct audit_entry *nentry;
1390        int err = 0;
1391
1392        if (!security_audit_rule_known(r))
1393                return 0;
1394
1395        nentry = audit_dupe_rule(r);
1396        if (entry->rule.exe)
1397                audit_remove_mark(entry->rule.exe);
1398        if (IS_ERR(nentry)) {
1399                /* save the first error encountered for the
1400                 * return value */
1401                err = PTR_ERR(nentry);
1402                audit_panic("error updating LSM filters");
1403                if (r->watch)
1404                        list_del(&r->rlist);
1405                list_del_rcu(&entry->list);
1406                list_del(&r->list);
1407        } else {
1408                if (r->watch || r->tree)
1409                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1410                list_replace_rcu(&entry->list, &nentry->list);
1411                list_replace(&r->list, &nentry->rule.list);
1412        }
1413        call_rcu(&entry->rcu, audit_free_rule_rcu);
1414
1415        return err;
1416}
1417
1418/* This function will re-initialize the lsm_rule field of all applicable rules.
1419 * It will traverse the filter lists serarching for rules that contain LSM
1420 * specific filter fields.  When such a rule is found, it is copied, the
1421 * LSM field is re-initialized, and the old rule is replaced with the
1422 * updated rule. */
1423int audit_update_lsm_rules(void)
1424{
1425        struct audit_krule *r, *n;
1426        int i, err = 0;
1427
1428        /* audit_filter_mutex synchronizes the writers */
1429        mutex_lock(&audit_filter_mutex);
1430
1431        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1432                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1433                        int res = update_lsm_rule(r);
1434                        if (!err)
1435                                err = res;
1436                }
1437        }
1438        mutex_unlock(&audit_filter_mutex);
1439
1440        return err;
1441}
1442