auditfilter.c 45.9 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
/* auditfilter.c -- filtering of audit events
 *
 * Copyright 2003-2004 Red Hat, Inc.
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
 * Copyright 2005 IBM Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <linux/kernel.h>
#include <linux/audit.h>
#include <linux/kthread.h>
Amy Griffis's avatar
Amy Griffis committed
25
26
27
#include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/namei.h>
28
#include <linux/netlink.h>
Amy Griffis's avatar
Amy Griffis committed
29
30
#include <linux/sched.h>
#include <linux/inotify.h>
31
#include <linux/security.h>
32
33
#include "audit.h"

Amy Griffis's avatar
Amy Griffis committed
34
35
36
37
38
39
40
/*
 * Locking model:
 *
 * audit_filter_mutex:
 * 		Synchronizes writes and blocking reads of audit's filterlist
 * 		data.  Rcu is used to traverse the filterlist and access
 * 		contents of structs audit_entry, audit_watch and opaque
41
 * 		LSM rules during filtering.  If modified, these structures
Amy Griffis's avatar
Amy Griffis committed
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 * 		must be copied and replace their counterparts in the filterlist.
 * 		An audit_parent struct is not accessed during filtering, so may
 * 		be written directly provided audit_filter_mutex is held.
 */

/*
 * Reference counting:
 *
 * audit_parent: lifetime is from audit_init_parent() to receipt of an IN_IGNORED
 * 	event.  Each audit_watch holds a reference to its associated parent.
 *
 * audit_watch: if added to lists, lifetime is from audit_init_watch() to
 * 	audit_remove_watch().  Additionally, an audit_watch may exist
 * 	temporarily to assist in searching existing filter data.  Each
 * 	audit_krule holds a reference to its associated watch.
 */

struct audit_parent {
	struct list_head	ilist;	/* entry in inotify registration list */
	struct list_head	watches; /* associated watches */
	struct inotify_watch	wdata;	/* inotify watch data */
	unsigned		flags;	/* status flags */
};

/*
 * audit_parent status flags:
 *
 * AUDIT_PARENT_INVALID - set anytime rules/watches are auto-removed due to
 * a filesystem event to ensure we're adding audit watches to a valid parent.
 * Technically not needed for IN_DELETE_SELF or IN_UNMOUNT events, as we cannot
 * receive them while we have nameidata, but must be used for IN_MOVE_SELF which
 * we can receive while holding nameidata.
 */
#define AUDIT_PARENT_INVALID	0x001

/* Audit filter lists, defined in <linux/audit.h> */
78
79
80
81
82
83
84
85
86
87
88
struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
	LIST_HEAD_INIT(audit_filter_list[0]),
	LIST_HEAD_INIT(audit_filter_list[1]),
	LIST_HEAD_INIT(audit_filter_list[2]),
	LIST_HEAD_INIT(audit_filter_list[3]),
	LIST_HEAD_INIT(audit_filter_list[4]),
	LIST_HEAD_INIT(audit_filter_list[5]),
#if AUDIT_NR_FILTERS != 6
#error Fix audit_filter_list initialiser
#endif
};
Al Viro's avatar
Al Viro committed
89
90
91
92
93
94
95
96
static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
	LIST_HEAD_INIT(audit_rules_list[0]),
	LIST_HEAD_INIT(audit_rules_list[1]),
	LIST_HEAD_INIT(audit_rules_list[2]),
	LIST_HEAD_INIT(audit_rules_list[3]),
	LIST_HEAD_INIT(audit_rules_list[4]),
	LIST_HEAD_INIT(audit_rules_list[5]),
};
97

Al Viro's avatar
Al Viro committed
98
DEFINE_MUTEX(audit_filter_mutex);
Amy Griffis's avatar
Amy Griffis committed
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF

void audit_free_parent(struct inotify_watch *i_watch)
{
	struct audit_parent *parent;

	parent = container_of(i_watch, struct audit_parent, wdata);
	WARN_ON(!list_empty(&parent->watches));
	kfree(parent);
}

static inline void audit_get_watch(struct audit_watch *watch)
{
	atomic_inc(&watch->count);
}

static void audit_put_watch(struct audit_watch *watch)
{
	if (atomic_dec_and_test(&watch->count)) {
		WARN_ON(watch->parent);
		WARN_ON(!list_empty(&watch->rules));
		kfree(watch->path);
		kfree(watch);
	}
}

static void audit_remove_watch(struct audit_watch *watch)
{
	list_del(&watch->wlist);
	put_inotify_watch(&watch->parent->wdata);
	watch->parent = NULL;
	audit_put_watch(watch); /* match initial get */
}

135
static inline void audit_free_rule(struct audit_entry *e)
136
{
137
	int i;
138
	struct audit_krule *erule = &e->rule;
Amy Griffis's avatar
Amy Griffis committed
139
	/* some rules don't have associated watches */
140
141
142
143
144
	if (erule->watch)
		audit_put_watch(erule->watch);
	if (erule->fields)
		for (i = 0; i < erule->field_count; i++) {
			struct audit_field *f = &erule->fields[i];
145
146
			kfree(f->lsm_str);
			security_audit_rule_free(f->lsm_rule);
147
		}
148
149
	kfree(erule->fields);
	kfree(erule->filterkey);
150
151
152
	kfree(e);
}

Al Viro's avatar
Al Viro committed
153
void audit_free_rule_rcu(struct rcu_head *head)
154
155
156
157
158
{
	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
	audit_free_rule(e);
}

Amy Griffis's avatar
Amy Griffis committed
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
/* Initialize a parent watch entry. */
static struct audit_parent *audit_init_parent(struct nameidata *ndp)
{
	struct audit_parent *parent;
	s32 wd;

	parent = kzalloc(sizeof(*parent), GFP_KERNEL);
	if (unlikely(!parent))
		return ERR_PTR(-ENOMEM);

	INIT_LIST_HEAD(&parent->watches);
	parent->flags = 0;

	inotify_init_watch(&parent->wdata);
	/* grab a ref so inotify watch hangs around until we take audit_filter_mutex */
	get_inotify_watch(&parent->wdata);
175
176
	wd = inotify_add_watch(audit_ih, &parent->wdata,
			       ndp->path.dentry->d_inode, AUDIT_IN_WATCH);
Amy Griffis's avatar
Amy Griffis committed
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
	if (wd < 0) {
		audit_free_parent(&parent->wdata);
		return ERR_PTR(wd);
	}

	return parent;
}

/* Initialize a watch entry. */
static struct audit_watch *audit_init_watch(char *path)
{
	struct audit_watch *watch;

	watch = kzalloc(sizeof(*watch), GFP_KERNEL);
	if (unlikely(!watch))
		return ERR_PTR(-ENOMEM);

	INIT_LIST_HEAD(&watch->rules);
	atomic_set(&watch->count, 1);
	watch->path = path;
	watch->dev = (dev_t)-1;
	watch->ino = (unsigned long)-1;

	return watch;
}

203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
/* Initialize an audit filterlist entry. */
static inline struct audit_entry *audit_init_entry(u32 field_count)
{
	struct audit_entry *entry;
	struct audit_field *fields;

	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
	if (unlikely(!entry))
		return NULL;

	fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
	if (unlikely(!fields)) {
		kfree(entry);
		return NULL;
	}
	entry->rule.fields = fields;

	return entry;
}

223
224
/* Unpack a filter field's string representation from user-space
 * buffer. */
Al Viro's avatar
Al Viro committed
225
char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
{
	char *str;

	if (!*bufp || (len == 0) || (len > *remain))
		return ERR_PTR(-EINVAL);

	/* Of the currently implemented string fields, PATH_MAX
	 * defines the longest valid length.
	 */
	if (len > PATH_MAX)
		return ERR_PTR(-ENAMETOOLONG);

	str = kmalloc(len + 1, GFP_KERNEL);
	if (unlikely(!str))
		return ERR_PTR(-ENOMEM);

	memcpy(str, *bufp, len);
	str[len] = 0;
	*bufp += len;
	*remain -= len;

	return str;
}

Amy Griffis's avatar
Amy Griffis committed
250
251
252
253
254
/* Translate an inode field to kernel respresentation. */
static inline int audit_to_inode(struct audit_krule *krule,
				 struct audit_field *f)
{
	if (krule->listnr != AUDIT_FILTER_EXIT ||
255
256
	    krule->watch || krule->inode_f || krule->tree ||
	    (f->op != Audit_equal && f->op != Audit_not_equal))
Amy Griffis's avatar
Amy Griffis committed
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
		return -EINVAL;

	krule->inode_f = f;
	return 0;
}

/* Translate a watch string to kernel respresentation. */
static int audit_to_watch(struct audit_krule *krule, char *path, int len,
			  u32 op)
{
	struct audit_watch *watch;

	if (!audit_ih)
		return -EOPNOTSUPP;

	if (path[0] != '/' || path[len-1] == '/' ||
	    krule->listnr != AUDIT_FILTER_EXIT ||
274
	    op != Audit_equal ||
Al Viro's avatar
Al Viro committed
275
	    krule->inode_f || krule->watch || krule->tree)
Amy Griffis's avatar
Amy Griffis committed
276
277
278
		return -EINVAL;

	watch = audit_init_watch(path);
279
	if (IS_ERR(watch))
Amy Griffis's avatar
Amy Griffis committed
280
281
282
283
284
285
286
287
		return PTR_ERR(watch);

	audit_get_watch(watch);
	krule->watch = watch;

	return 0;
}

Al Viro's avatar
Al Viro committed
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
static __u32 *classes[AUDIT_SYSCALL_CLASSES];

int __init audit_register_class(int class, unsigned *list)
{
	__u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
	if (!p)
		return -ENOMEM;
	while (*list != ~0U) {
		unsigned n = *list++;
		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
			kfree(p);
			return -EINVAL;
		}
		p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
	}
	if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
		kfree(p);
		return -EINVAL;
	}
	classes[class] = p;
	return 0;
}

Al Viro's avatar
Al Viro committed
311
312
int audit_match_class(int class, unsigned syscall)
{
313
	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
Al Viro's avatar
Al Viro committed
314
315
316
317
318
319
		return 0;
	if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
		return 0;
	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
}

320
#ifdef CONFIG_AUDITSYSCALL
Amy Griffis's avatar
Amy Griffis committed
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
static inline int audit_match_class_bits(int class, u32 *mask)
{
	int i;

	if (classes[class]) {
		for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
			if (mask[i] & classes[class][i])
				return 0;
	}
	return 1;
}

static int audit_match_signal(struct audit_entry *entry)
{
	struct audit_field *arch = entry->rule.arch_f;

	if (!arch) {
		/* When arch is unspecified, we must check both masks on biarch
		 * as syscall number alone is ambiguous. */
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
					       entry->rule.mask) &&
			audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
					       entry->rule.mask));
	}

	switch(audit_classify_arch(arch->val)) {
	case 0: /* native */
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
					       entry->rule.mask));
	case 1: /* 32bit on biarch */
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
					       entry->rule.mask));
	default:
		return 1;
	}
}
357
#endif
Amy Griffis's avatar
Amy Griffis committed
358

359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
/* Common user-space to kernel rule translation. */
static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
{
	unsigned listnr;
	struct audit_entry *entry;
	int i, err;

	err = -EINVAL;
	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
	switch(listnr) {
	default:
		goto exit_err;
	case AUDIT_FILTER_USER:
	case AUDIT_FILTER_TYPE:
#ifdef CONFIG_AUDITSYSCALL
	case AUDIT_FILTER_ENTRY:
	case AUDIT_FILTER_EXIT:
	case AUDIT_FILTER_TASK:
#endif
		;
	}
Al Viro's avatar
Al Viro committed
380
381
382
383
384
	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
		printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
		goto exit_err;
	}
	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
385
386
387
388
389
		goto exit_err;
	if (rule->field_count > AUDIT_MAX_FIELDS)
		goto exit_err;

	err = -ENOMEM;
390
391
	entry = audit_init_entry(rule->field_count);
	if (!entry)
392
393
394
395
396
397
398
399
400
401
		goto exit_err;

	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
	entry->rule.listnr = listnr;
	entry->rule.action = rule->action;
	entry->rule.field_count = rule->field_count;

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		entry->rule.mask[i] = rule->mask[i];

Al Viro's avatar
Al Viro committed
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
		int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
		__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
		__u32 *class;

		if (!(*p & AUDIT_BIT(bit)))
			continue;
		*p &= ~AUDIT_BIT(bit);
		class = classes[i];
		if (class) {
			int j;
			for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
				entry->rule.mask[j] |= class[j];
		}
	}

418
419
420
421
422
423
	return entry;

exit_err:
	return ERR_PTR(err);
}

424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
static u32 audit_ops[] =
{
	[Audit_equal] = AUDIT_EQUAL,
	[Audit_not_equal] = AUDIT_NOT_EQUAL,
	[Audit_bitmask] = AUDIT_BIT_MASK,
	[Audit_bittest] = AUDIT_BIT_TEST,
	[Audit_lt] = AUDIT_LESS_THAN,
	[Audit_gt] = AUDIT_GREATER_THAN,
	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
};

static u32 audit_to_op(u32 op)
{
	u32 n;
	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
		;
	return n;
}


445
446
447
448
449
450
/* Translate struct audit_rule to kernel's rule respresentation.
 * Exists for backward compatibility with userspace. */
static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
{
	struct audit_entry *entry;
	int err = 0;
451
452
	int i;

453
454
455
456
457
458
	entry = audit_to_entry_common(rule);
	if (IS_ERR(entry))
		goto exit_nofree;

	for (i = 0; i < rule->field_count; i++) {
		struct audit_field *f = &entry->rule.fields[i];
459
460
461
462
463
464
465
466
467
468
469
470
471
472
		u32 n;

		n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);

		/* Support for legacy operators where
		 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
		if (n & AUDIT_NEGATE)
			f->op = Audit_not_equal;
		else if (!n)
			f->op = Audit_equal;
		else
			f->op = audit_to_op(n);

		entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
473
474
475
476

		f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
		f->val = rule->values[i];

Amy Griffis's avatar
Amy Griffis committed
477
		err = -EINVAL;
478
479
480
		if (f->op == Audit_bad)
			goto exit_free;

Amy Griffis's avatar
Amy Griffis committed
481
		switch(f->type) {
Al Viro's avatar
Al Viro committed
482
		default:
483
			goto exit_free;
Al Viro's avatar
Al Viro committed
484
485
486
487
488
489
490
491
492
493
494
495
		case AUDIT_PID:
		case AUDIT_UID:
		case AUDIT_EUID:
		case AUDIT_SUID:
		case AUDIT_FSUID:
		case AUDIT_GID:
		case AUDIT_EGID:
		case AUDIT_SGID:
		case AUDIT_FSGID:
		case AUDIT_LOGINUID:
		case AUDIT_PERS:
		case AUDIT_MSGTYPE:
496
		case AUDIT_PPID:
Al Viro's avatar
Al Viro committed
497
498
499
500
		case AUDIT_DEVMAJOR:
		case AUDIT_DEVMINOR:
		case AUDIT_EXIT:
		case AUDIT_SUCCESS:
501
			/* bit ops are only useful on syscall args */
502
			if (f->op == Audit_bitmask || f->op == Audit_bittest)
503
504
				goto exit_free;
			break;
Al Viro's avatar
Al Viro committed
505
506
507
508
509
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			break;
510
511
		/* arch is only allowed to be = or != */
		case AUDIT_ARCH:
512
			if (f->op != Audit_not_equal && f->op != Audit_equal)
513
				goto exit_free;
Amy Griffis's avatar
Amy Griffis committed
514
			entry->rule.arch_f = f;
515
			break;
Al Viro's avatar
Al Viro committed
516
517
518
519
		case AUDIT_PERM:
			if (f->val & ~15)
				goto exit_free;
			break;
520
521
522
523
		case AUDIT_FILETYPE:
			if ((f->val & ~S_IFMT) > S_IFMT)
				goto exit_free;
			break;
Amy Griffis's avatar
Amy Griffis committed
524
525
526
527
528
		case AUDIT_INODE:
			err = audit_to_inode(&entry->rule, f);
			if (err)
				goto exit_free;
			break;
529
		}
530
	}
531

532
533
	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
		entry->rule.inode_f = NULL;
Amy Griffis's avatar
Amy Griffis committed
534

535
536
537
538
539
540
exit_nofree:
	return entry;

exit_free:
	audit_free_rule(entry);
	return ERR_PTR(err);
541
542
}

543
544
545
/* Translate struct audit_rule_data to kernel's rule respresentation. */
static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
					       size_t datasz)
546
{
547
548
549
	int err = 0;
	struct audit_entry *entry;
	void *bufp;
550
	size_t remain = datasz - sizeof(struct audit_rule_data);
551
	int i;
552
	char *str;
553

554
555
556
	entry = audit_to_entry_common((struct audit_rule *)data);
	if (IS_ERR(entry))
		goto exit_nofree;
557

558
559
560
561
562
563
	bufp = data->buf;
	entry->rule.vers_ops = 2;
	for (i = 0; i < data->field_count; i++) {
		struct audit_field *f = &entry->rule.fields[i];

		err = -EINVAL;
564
565
566

		f->op = audit_to_op(data->fieldflags[i]);
		if (f->op == Audit_bad)
567
568
569
			goto exit_free;

		f->type = data->fields[i];
570
		f->val = data->values[i];
571
572
		f->lsm_str = NULL;
		f->lsm_rule = NULL;
573
		switch(f->type) {
Al Viro's avatar
Al Viro committed
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
		case AUDIT_PID:
		case AUDIT_UID:
		case AUDIT_EUID:
		case AUDIT_SUID:
		case AUDIT_FSUID:
		case AUDIT_GID:
		case AUDIT_EGID:
		case AUDIT_SGID:
		case AUDIT_FSGID:
		case AUDIT_LOGINUID:
		case AUDIT_PERS:
		case AUDIT_MSGTYPE:
		case AUDIT_PPID:
		case AUDIT_DEVMAJOR:
		case AUDIT_DEVMINOR:
		case AUDIT_EXIT:
		case AUDIT_SUCCESS:
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			break;
Amy Griffis's avatar
Amy Griffis committed
596
597
598
		case AUDIT_ARCH:
			entry->rule.arch_f = f;
			break;
599
600
601
602
603
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
604
605
606
607
608
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
609
610
611
612
613
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str))
				goto exit_free;
			entry->rule.buflen += f->val;

614
			err = security_audit_rule_init(f->type, f->op, str,
615
						       (void **)&f->lsm_rule);
616
617
618
			/* Keep currently invalid fields around in case they
			 * become valid after a policy reload. */
			if (err == -EINVAL) {
619
				printk(KERN_WARNING "audit rule for LSM "
620
621
622
623
624
625
626
				       "\'%s\' is invalid\n",  str);
				err = 0;
			}
			if (err) {
				kfree(str);
				goto exit_free;
			} else
627
				f->lsm_str = str;
628
			break;
Amy Griffis's avatar
Amy Griffis committed
629
630
631
632
633
634
635
636
637
638
639
640
		case AUDIT_WATCH:
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str))
				goto exit_free;
			entry->rule.buflen += f->val;

			err = audit_to_watch(&entry->rule, str, f->val, f->op);
			if (err) {
				kfree(str);
				goto exit_free;
			}
			break;
Al Viro's avatar
Al Viro committed
641
642
643
644
645
646
647
648
649
650
651
		case AUDIT_DIR:
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str))
				goto exit_free;
			entry->rule.buflen += f->val;

			err = audit_make_tree(&entry->rule, str, f->op);
			kfree(str);
			if (err)
				goto exit_free;
			break;
Amy Griffis's avatar
Amy Griffis committed
652
653
654
655
656
		case AUDIT_INODE:
			err = audit_to_inode(&entry->rule, f);
			if (err)
				goto exit_free;
			break;
Amy Griffis's avatar
Amy Griffis committed
657
658
659
660
661
662
663
664
665
666
		case AUDIT_FILTERKEY:
			err = -EINVAL;
			if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
				goto exit_free;
			str = audit_unpack_string(&bufp, &remain, f->val);
			if (IS_ERR(str))
				goto exit_free;
			entry->rule.buflen += f->val;
			entry->rule.filterkey = str;
			break;
Al Viro's avatar
Al Viro committed
667
668
669
670
		case AUDIT_PERM:
			if (f->val & ~15)
				goto exit_free;
			break;
671
672
673
674
		case AUDIT_FILETYPE:
			if ((f->val & ~S_IFMT) > S_IFMT)
				goto exit_free;
			break;
Al Viro's avatar
Al Viro committed
675
676
		default:
			goto exit_free;
Amy Griffis's avatar
Amy Griffis committed
677
678
679
		}
	}

680
681
	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
		entry->rule.inode_f = NULL;
682
683
684
685
686
687
688
689
690
691

exit_nofree:
	return entry;

exit_free:
	audit_free_rule(entry);
	return ERR_PTR(err);
}

/* Pack a filter field's string representation into data block. */
Al Viro's avatar
Al Viro committed
692
static inline size_t audit_pack_string(void **bufp, const char *str)
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
{
	size_t len = strlen(str);

	memcpy(*bufp, str, len);
	*bufp += len;

	return len;
}

/* Translate kernel rule respresentation to struct audit_rule.
 * Exists for backward compatibility with userspace. */
static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
{
	struct audit_rule *rule;
	int i;

709
	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
710
	if (unlikely(!rule))
711
		return NULL;
712
713
714
715
716
717
718
719
720

	rule->flags = krule->flags | krule->listnr;
	rule->action = krule->action;
	rule->field_count = krule->field_count;
	for (i = 0; i < rule->field_count; i++) {
		rule->values[i] = krule->fields[i].val;
		rule->fields[i] = krule->fields[i].type;

		if (krule->vers_ops == 1) {
721
			if (krule->fields[i].op == Audit_not_equal)
722
723
				rule->fields[i] |= AUDIT_NEGATE;
		} else {
724
			rule->fields[i] |= audit_ops[krule->fields[i].op];
725
726
727
728
729
730
		}
	}
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];

	return rule;
}
731

732
733
734
735
736
737
738
739
740
/* Translate kernel rule respresentation to struct audit_rule_data. */
static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
{
	struct audit_rule_data *data;
	void *bufp;
	int i;

	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
	if (unlikely(!data))
741
		return NULL;
742
743
744
745
746
747
748
749
750
751
	memset(data, 0, sizeof(*data));

	data->flags = krule->flags | krule->listnr;
	data->action = krule->action;
	data->field_count = krule->field_count;
	bufp = data->buf;
	for (i = 0; i < data->field_count; i++) {
		struct audit_field *f = &krule->fields[i];

		data->fields[i] = f->type;
752
		data->fieldflags[i] = audit_ops[f->op];
753
		switch(f->type) {
754
755
756
757
758
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
759
760
761
762
763
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
764
			data->buflen += data->values[i] =
765
				audit_pack_string(&bufp, f->lsm_str);
766
			break;
Amy Griffis's avatar
Amy Griffis committed
767
768
769
770
		case AUDIT_WATCH:
			data->buflen += data->values[i] =
				audit_pack_string(&bufp, krule->watch->path);
			break;
Al Viro's avatar
Al Viro committed
771
772
773
774
775
		case AUDIT_DIR:
			data->buflen += data->values[i] =
				audit_pack_string(&bufp,
						  audit_tree_path(krule->tree));
			break;
Amy Griffis's avatar
Amy Griffis committed
776
777
778
779
		case AUDIT_FILTERKEY:
			data->buflen += data->values[i] =
				audit_pack_string(&bufp, krule->filterkey);
			break;
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
		default:
			data->values[i] = f->val;
		}
	}
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];

	return data;
}

/* Compare two rules in kernel format.  Considered success if rules
 * don't match. */
static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
{
	int i;

	if (a->flags != b->flags ||
	    a->listnr != b->listnr ||
	    a->action != b->action ||
	    a->field_count != b->field_count)
799
800
801
		return 1;

	for (i = 0; i < a->field_count; i++) {
802
803
		if (a->fields[i].type != b->fields[i].type ||
		    a->fields[i].op != b->fields[i].op)
804
			return 1;
805
806

		switch(a->fields[i].type) {
807
808
809
810
811
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
812
813
814
815
816
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
817
			if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
818
819
				return 1;
			break;
Amy Griffis's avatar
Amy Griffis committed
820
821
822
823
		case AUDIT_WATCH:
			if (strcmp(a->watch->path, b->watch->path))
				return 1;
			break;
Al Viro's avatar
Al Viro committed
824
825
826
827
828
		case AUDIT_DIR:
			if (strcmp(audit_tree_path(a->tree),
				   audit_tree_path(b->tree)))
				return 1;
			break;
Amy Griffis's avatar
Amy Griffis committed
829
830
831
832
833
		case AUDIT_FILTERKEY:
			/* both filterkeys exist based on above type compare */
			if (strcmp(a->filterkey, b->filterkey))
				return 1;
			break;
834
835
836
837
		default:
			if (a->fields[i].val != b->fields[i].val)
				return 1;
		}
838
839
840
841
842
843
844
845
846
	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		if (a->mask[i] != b->mask[i])
			return 1;

	return 0;
}

Amy Griffis's avatar
Amy Griffis committed
847
848
849
850
851
852
853
854
855
856
857
858
/* Duplicate the given audit watch.  The new watch's rules list is initialized
 * to an empty list and wlist is undefined. */
static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
{
	char *path;
	struct audit_watch *new;

	path = kstrdup(old->path, GFP_KERNEL);
	if (unlikely(!path))
		return ERR_PTR(-ENOMEM);

	new = audit_init_watch(path);
859
	if (IS_ERR(new)) {
Amy Griffis's avatar
Amy Griffis committed
860
861
862
863
864
865
866
867
868
869
870
871
872
		kfree(path);
		goto out;
	}

	new->dev = old->dev;
	new->ino = old->ino;
	get_inotify_watch(&old->parent->wdata);
	new->parent = old->parent;

out:
	return new;
}

873
/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
874
 * re-initialized. */
875
static inline int audit_dupe_lsm_field(struct audit_field *df,
876
877
878
					   struct audit_field *sf)
{
	int ret = 0;
879
	char *lsm_str;
880

881
882
883
	/* our own copy of lsm_str */
	lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
	if (unlikely(!lsm_str))
884
		return -ENOMEM;
885
	df->lsm_str = lsm_str;
886

887
888
889
	/* our own (refreshed) copy of lsm_rule */
	ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
				       (void **)&df->lsm_rule);
890
891
892
	/* Keep currently invalid fields around in case they
	 * become valid after a policy reload. */
	if (ret == -EINVAL) {
893
		printk(KERN_WARNING "audit rule for LSM \'%s\' is "
894
		       "invalid\n", df->lsm_str);
895
896
897
898
899
900
901
		ret = 0;
	}

	return ret;
}

/* Duplicate an audit rule.  This will be a deep copy with the exception
902
 * of the watch - that pointer is carried over.  The LSM specific fields
903
 * will be updated in the copy.  The point is to be able to replace the old
Amy Griffis's avatar
Amy Griffis committed
904
905
906
907
908
 * rule with the new rule in the filterlist, then free the old rule.
 * The rlist element is undefined; list manipulations are handled apart from
 * the initial copy. */
static struct audit_entry *audit_dupe_rule(struct audit_krule *old,
					   struct audit_watch *watch)
909
910
911
912
{
	u32 fcount = old->field_count;
	struct audit_entry *entry;
	struct audit_krule *new;
Amy Griffis's avatar
Amy Griffis committed
913
	char *fk;
914
915
916
917
918
919
920
921
922
923
924
925
926
	int i, err = 0;

	entry = audit_init_entry(fcount);
	if (unlikely(!entry))
		return ERR_PTR(-ENOMEM);

	new = &entry->rule;
	new->vers_ops = old->vers_ops;
	new->flags = old->flags;
	new->listnr = old->listnr;
	new->action = old->action;
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		new->mask[i] = old->mask[i];
927
	new->prio = old->prio;
928
	new->buflen = old->buflen;
Amy Griffis's avatar
Amy Griffis committed
929
930
	new->inode_f = old->inode_f;
	new->watch = NULL;
931
	new->field_count = old->field_count;
Al Viro's avatar
Al Viro committed
932
933
934
935
936
937
938
939
	/*
	 * note that we are OK with not refcounting here; audit_match_tree()
	 * never dereferences tree and we can't get false positives there
	 * since we'd have to have rule gone from the list *and* removed
	 * before the chunks found by lookup had been allocated, i.e. before
	 * the beginning of list scan.
	 */
	new->tree = old->tree;
940
941
	memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);

942
	/* deep copy this information, updating the lsm_rule fields, because
943
944
945
	 * the originals will all be freed when the old rule is freed. */
	for (i = 0; i < fcount; i++) {
		switch (new->fields[i].type) {
946
947
948
949
950
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
951
952
953
954
955
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
956
			err = audit_dupe_lsm_field(&new->fields[i],
957
						       &old->fields[i]);
Amy Griffis's avatar
Amy Griffis committed
958
959
960
961
962
963
964
			break;
		case AUDIT_FILTERKEY:
			fk = kstrdup(old->filterkey, GFP_KERNEL);
			if (unlikely(!fk))
				err = -ENOMEM;
			else
				new->filterkey = fk;
965
966
967
968
969
970
971
		}
		if (err) {
			audit_free_rule(entry);
			return ERR_PTR(err);
		}
	}

Amy Griffis's avatar
Amy Griffis committed
972
973
974
975
976
	if (watch) {
		audit_get_watch(watch);
		new->watch = watch;
	}

977
978
979
	return entry;
}

Amy Griffis's avatar
Amy Griffis committed
980
981
982
983
984
985
986
987
988
989
990
/* Update inode info in audit rules based on filesystem event. */
static void audit_update_watch(struct audit_parent *parent,
			       const char *dname, dev_t dev,
			       unsigned long ino, unsigned invalidating)
{
	struct audit_watch *owatch, *nwatch, *nextw;
	struct audit_krule *r, *nextr;
	struct audit_entry *oentry, *nentry;

	mutex_lock(&audit_filter_mutex);
	list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
991
		if (audit_compare_dname_path(dname, owatch->path, NULL))
Amy Griffis's avatar
Amy Griffis committed
992
993
994
995
			continue;

		/* If the update involves invalidating rules, do the inode-based
		 * filtering now, so we don't omit records. */
996
997
		if (invalidating && current->audit_context)
			audit_filter_inodes(current, current->audit_context);
Amy Griffis's avatar
Amy Griffis committed
998
999

		nwatch = audit_dupe_watch(owatch);
1000
		if (IS_ERR(nwatch)) {
Amy Griffis's avatar
Amy Griffis committed
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
			mutex_unlock(&audit_filter_mutex);
			audit_panic("error updating watch, skipping");
			return;
		}
		nwatch->dev = dev;
		nwatch->ino = ino;

		list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) {

			oentry = container_of(r, struct audit_entry, rule);
			list_del(&oentry->rule.rlist);
			list_del_rcu(&oentry->list);

			nentry = audit_dupe_rule(&oentry->rule, nwatch);
Al Viro's avatar
Al Viro committed
1015
1016
			if (IS_ERR(nentry)) {
				list_del(&oentry->rule.list);
Amy Griffis's avatar
Amy Griffis committed
1017
				audit_panic("error updating watch, removing");
Al Viro's avatar
Al Viro committed
1018
			} else {
Amy Griffis's avatar
Amy Griffis committed
1019
1020
1021
				int h = audit_hash_ino((u32)ino);
				list_add(&nentry->rule.rlist, &nwatch->rules);
				list_add_rcu(&nentry->list, &audit_inode_hash[h]);
Al Viro's avatar
Al Viro committed
1022
1023
				list_replace(&oentry->rule.list,
					     &nentry->rule.list);
Amy Griffis's avatar
Amy Griffis committed
1024
1025
1026
1027
1028
			}

			call_rcu(&oentry->rcu, audit_free_rule_rcu);
		}

1029
1030
		if (audit_enabled) {
			struct audit_buffer *ab;
1031
			ab = audit_log_start(NULL, GFP_NOFS,
1032
				AUDIT_CONFIG_CHANGE);
1033
1034
1035
			audit_log_format(ab, "auid=%u ses=%u",
				audit_get_loginuid(current),
				audit_get_sessionid(current));
1036
			audit_log_format(ab,
1037
				" op=updated rules specifying path=");
1038
1039
1040
1041
1042
1043
			audit_log_untrustedstring(ab, owatch->path);
			audit_log_format(ab, " with dev=%u ino=%lu\n",
				 dev, ino);
			audit_log_format(ab, " list=%d res=1", r->listnr);
			audit_log_end(ab);
		}
Amy Griffis's avatar
Amy Griffis committed
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
		audit_remove_watch(owatch);
		goto add_watch_to_parent; /* event applies to a single watch */
	}
	mutex_unlock(&audit_filter_mutex);
	return;

add_watch_to_parent:
	list_add(&nwatch->wlist, &parent->watches);
	mutex_unlock(&audit_filter_mutex);
	return;
}

/* Remove all watches & rules associated with a parent that is going away. */
static void audit_remove_parent_watches(struct audit_parent *parent)
{
	struct audit_watch *w, *nextw;
	struct audit_krule *r, *nextr;
	struct audit_entry *e;

	mutex_lock(&audit_filter_mutex);
	parent->flags |= AUDIT_PARENT_INVALID;
	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
			e = container_of(r, struct audit_entry, rule);
1068
1069
			if (audit_enabled) {
				struct audit_buffer *ab;
1070
				ab = audit_log_start(NULL, GFP_NOFS,
1071
					AUDIT_CONFIG_CHANGE);
1072
1073
1074
1075
				audit_log_format(ab, "auid=%u ses=%u",
					audit_get_loginuid(current),
					audit_get_sessionid(current));
				audit_log_format(ab, " op=remove rule path=");
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
				audit_log_untrustedstring(ab, w->path);
				if (r->filterkey) {
					audit_log_format(ab, " key=");
					audit_log_untrustedstring(ab,
							r->filterkey);
				} else
					audit_log_format(ab, " key=(null)");
				audit_log_format(ab, " list=%d res=1",
					r->listnr);
				audit_log_end(ab);
			}
Amy Griffis's avatar
Amy Griffis committed
1087
			list_del(&r->rlist);
Al Viro's avatar
Al Viro committed
1088
			list_del(&r->list);
Amy Griffis's avatar
Amy Griffis committed
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
			list_del_rcu(&e->list);
			call_rcu(&e->rcu, audit_free_rule_rcu);
		}
		audit_remove_watch(w);
	}
	mutex_unlock(&audit_filter_mutex);
}

/* Unregister inotify watches for parents on in_list.
 * Generates an IN_IGNORED event. */
static void audit_inotify_unregister(struct list_head *in_list)
{
	struct audit_parent *p, *n;

	list_for_each_entry_safe(p, n, in_list, ilist) {
		list_del(&p->ilist);
		inotify_rm_watch(audit_ih, &p->wdata);
1106
1107
		/* the unpin matching the pin in audit_do_del_rule() */
		unpin_inotify_watch(&p->wdata);
Amy Griffis's avatar
Amy Griffis committed
1108
1109
1110
1111
1112
1113
	}
}

/* Find an existing audit rule.
 * Caller must hold audit_filter_mutex to prevent stale rule data. */
static struct audit_entry *audit_find_rule(struct audit_entry *entry,
Al Viro's avatar
Al Viro committed
1114
					   struct list_head **p)
Amy Griffis's avatar
Amy Griffis committed
1115
1116
{
	struct audit_entry *e, *found = NULL;
Al Viro's avatar
Al Viro committed
1117
	struct list_head *list;
Amy Griffis's avatar
Amy Griffis committed
1118
1119
	int h;

Al Viro's avatar
Al Viro committed
1120
1121
1122
1123
	if (entry->rule.inode_f) {
		h = audit_hash_ino(entry->rule.inode_f->val);
		*p = list = &audit_inode_hash[h];
	} else if (entry->rule.watch) {
Amy Griffis's avatar
Amy Griffis committed
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
		/* we don't know the inode number, so must walk entire hash */
		for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
			list = &audit_inode_hash[h];
			list_for_each_entry(e, list, list)
				if (!audit_compare_rule(&entry->rule, &e->rule)) {
					found = e;
					goto out;
				}
		}
		goto out;
Al Viro's avatar
Al Viro committed
1134
1135
	} else {
		*p = list = &audit_filter_list[entry->rule.listnr];
Amy Griffis's avatar
Amy Griffis committed
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
	}

	list_for_each_entry(e, list, list)
		if (!audit_compare_rule(&entry->rule, &e->rule)) {
			found = e;
			goto out;
		}

out:
	return found;
}

/* Get path information necessary for adding watches. */
static int audit_get_nd(char *path, struct nameidata **ndp,
			struct nameidata **ndw)
{
	struct nameidata *ndparent, *ndwatch;
	int err;

	ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL);
	if (unlikely(!ndparent))
		return -ENOMEM;

	ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL);
	if (unlikely(!ndwatch)) {
		kfree(ndparent);
		return -ENOMEM;
	}

	err = path_lookup(path, LOOKUP_PARENT, ndparent);
	if (err) {
		kfree(ndparent);
		kfree(ndwatch);
		return err;
	}

	err = path_lookup(path, 0, ndwatch);
	if (err) {
		kfree(ndwatch);
		ndwatch = NULL;
	}

	*ndp = ndparent;
	*ndw = ndwatch;

	return 0;
}

/* Release resources used for watch path information. */
static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw)
{
	if (ndp) {
Jan Blunck's avatar
Jan Blunck committed
1188
		path_put(&ndp->path);
Amy Griffis's avatar
Amy Griffis committed
1189
1190
1191
		kfree(ndp);
	}
	if (ndw) {
Jan Blunck's avatar
Jan Blunck committed
1192
		path_put(&ndw->path);
Amy Griffis's avatar
Amy Griffis committed
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
		kfree(ndw);
	}
}

/* Associate the given rule with an existing parent inotify_watch.
 * Caller must hold audit_filter_mutex. */
static void audit_add_to_parent(struct audit_krule *krule,
				struct audit_parent *parent)
{
	struct audit_watch *w, *watch = krule->watch;
	int watch_found = 0;

	list_for_each_entry(w, &parent->watches, wlist) {
		if (strcmp(watch->path, w->path))
			continue;

		watch_found = 1;

		/* put krule's and initial refs to temporary watch */
		audit_put_watch(watch);
		audit_put_watch(watch);

		audit_get_watch(w);
		krule->watch = watch = w;
		break;
	}

	if (!watch_found) {
		get_inotify_watch(&parent->wdata);
		watch->parent = parent;

		list_add(&watch->wlist, &parent->watches);
	}
	list_add(&krule->rlist, &watch->rules);
}

/* Find a matching watch entry, or add this one.
 * Caller must hold audit_filter_mutex. */
static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp,
			   struct nameidata *ndw)
{
	struct audit_watch *watch = krule->watch;
	struct inotify_watch *i_watch;
	struct audit_parent *parent;
	int ret = 0;

	/* update watch filter fields */
	if (ndw) {
1241
1242
		watch->dev = ndw->path.dentry->d_inode->i_sb->s_dev;
		watch->ino = ndw->path.dentry->d_inode->i_ino;
Amy Griffis's avatar
Amy Griffis committed
1243
1244
1245
1246
1247
1248
1249
1250
1251
	}

	/* The audit_filter_mutex must not be held during inotify calls because
	 * we hold it during inotify event callback processing.  If an existing
	 * inotify watch is found, inotify_find_watch() grabs a reference before
	 * returning.
	 */
	mutex_unlock(&audit_filter_mutex);

1252
1253
	if (inotify_find_watch(audit_ih, ndp->path.dentry->d_inode,
			       &i_watch) < 0) {
Amy Griffis's avatar
Amy Griffis committed
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
		parent = audit_init_parent(ndp);
		if (IS_ERR(parent)) {
			/* caller expects mutex locked */
			mutex_lock(&audit_filter_mutex);
			return PTR_ERR(parent);
		}
	} else
		parent = container_of(i_watch, struct audit_parent, wdata);

	mutex_lock(&audit_filter_mutex);

	/* parent was moved before we took audit_filter_mutex */
	if (parent->flags & AUDIT_PARENT_INVALID)
		ret = -ENOENT;
	else
		audit_add_to_parent(krule, parent);

	/* match get in audit_init_parent or inotify_find_watch */
	put_inotify_watch(&parent->wdata);
	return ret;
}

1276
1277
1278
static u64 prio_low = ~0ULL/2;
static u64 prio_high = ~0ULL/2 - 1;

Amy Griffis's avatar
Amy Griffis committed
1279
/* Add rule to given filterlist if not a duplicate. */
Al Viro's avatar
Al Viro committed
1280
static inline int audit_add_rule(struct audit_entry *entry)
1281
{
1282
	struct audit_entry *e;
Amy Griffis's avatar
Amy Griffis committed
1283
	struct audit_watch *watch = entry->rule.watch;
Al Viro's avatar
Al Viro committed
1284
	struct audit_tree *tree = entry->rule.tree;
1285
	struct nameidata *ndp = NULL, *ndw = NULL;
Al Viro's avatar
Al Viro committed
1286
	struct list_head *list;
1287
	int h, err;
1288
1289
1290
1291
1292
1293
1294
1295
#ifdef CONFIG_AUDITSYSCALL
	int dont_count = 0;

	/* If either of these, don't count towards total */
	if (entry->rule.listnr == AUDIT_FILTER_USER ||
		entry->rule.listnr == AUDIT_FILTER_TYPE)
		dont_count = 1;
#endif
Amy Griffis's avatar
Amy Griffis committed
1296
1297

	mutex_lock(&audit_filter_mutex);
Al Viro's avatar
Al Viro committed
1298
	e = audit_find_rule(entry, &list);
Amy Griffis's avatar
Amy Griffis committed
1299
1300
1301
	mutex_unlock(&audit_filter_mutex);
	if (e) {
		err = -EEXIST;
Al Viro's avatar
Al Viro committed
1302
1303
1304
		/* normally audit_add_tree_rule() will free it on failure */
		if (tree)
			audit_put_tree(tree);
Amy Griffis's avatar
Amy Griffis committed
1305
1306
		goto error;
	}
1307

Amy Griffis's avatar
Amy Griffis committed
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
	/* Avoid calling path_lookup under audit_filter_mutex. */
	if (watch) {
		err = audit_get_nd(watch->path, &ndp, &ndw);
		if (err)
			goto error;
	}

	mutex_lock(&audit_filter_mutex);
	if (watch) {
		/* audit_filter_mutex is dropped and re-taken during this call */
		err = audit_add_watch(&entry->rule, ndp, ndw);
		if (err) {
			mutex_unlock(&audit_filter_mutex);
			goto error;
		}
1323
1324
		/* entry->rule.watch may have changed during audit_add_watch() */
		watch = entry->rule.watch;
Amy Griffis's avatar
Amy Griffis committed
1325
1326
		h = audit_hash_ino((u32)watch->ino);
		list = &audit_inode_hash[h];
1327
	}
Al Viro's avatar
Al Viro committed
1328
1329
1330
1331
1332
1333
1334
	if (tree) {
		err = audit_add_tree_rule(&entry->rule);
		if (err) {
			mutex_unlock(&audit_filter_mutex);
			goto error;
		}
	}
1335

1336
1337
1338
1339
1340
1341
1342
1343
	entry->rule.prio = ~0ULL;
	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
		if (entry->rule.flags & AUDIT_FILTER_PREPEND)
			entry->rule.prio = ++prio_high;
		else
			entry->rule.prio = --prio_low;
	}

1344
	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
Al Viro's avatar
Al Viro committed
1345
1346
		list_add(&entry->rule.list,
			 &audit_rules_list[entry->rule.listnr]);
1347
		list_add_rcu(&entry->list, list);
1348
		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
1349
	} else {
Al Viro's avatar
Al Viro committed
1350
1351
		list_add_tail(&entry->rule.list,
			      &audit_rules_list[entry->rule.listnr]);
1352
1353
		list_add_tail_rcu(&entry->list, list);
	}
1354
1355
1356
#ifdef CONFIG_AUDITSYSCALL
	if (!dont_count)
		audit_n_rules++;
Amy Griffis's avatar
Amy Griffis committed
1357
1358
1359

	if (!audit_match_signal(entry))
		audit_signals++;
1360
#endif
Amy Griffis's avatar
Amy Griffis committed
1361
	mutex_unlock(&audit_filter_mutex);
1362

1363
	audit_put_nd(ndp, ndw);		/* NULL args OK */
Amy Griffis's avatar
Amy Griffis committed
1364
1365
1366
 	return 0;

error:
1367
	audit_put_nd(ndp, ndw);		/* NULL args OK */
Amy Griffis's avatar
Amy Griffis committed
1368
1369
1370
	if (watch)
		audit_put_watch(watch); /* tmp watch, matches initial get */
	return err;
1371
1372
}

Amy Griffis's avatar
Amy Griffis committed
1373
/* Remove an existing rule from filterlist. */
Al Viro's avatar
Al Viro committed
1374
static inline int audit_del_rule(struct audit_entry *entry)
1375
1376
{
	struct audit_entry  *e;
Amy Griffis's avatar
Amy Griffis committed
1377
	struct audit_watch *watch, *tmp_watch = entry->rule.watch;
Al Viro's avatar
Al Viro committed
1378
	struct audit_tree *tree = entry->rule.tree;
Al Viro's avatar
Al Viro committed
1379
	struct list_head *list;
Amy Griffis's avatar
Amy Griffis committed
1380
	LIST_HEAD(inotify_list);
Al Viro's avatar
Al Viro committed
1381
	int ret = 0;
1382
1383
1384
1385
1386
1387
1388
1389
#ifdef CONFIG_AUDITSYSCALL
	int dont_count = 0;

	/* If either of these, don't count towards total */
	if (entry->rule.listnr == AUDIT_FILTER_USER ||
		entry->rule.listnr == AUDIT_FILTER_TYPE)
		dont_count = 1;
#endif
Amy Griffis's avatar
Amy Griffis committed
1390
1391

	mutex_lock(&audit_filter_mutex);
Al Viro's avatar
Al Viro committed
1392
	e = audit_find_rule(entry, &list);
Amy Griffis's avatar
Amy Griffis committed
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
	if (!e) {
		mutex_unlock(&audit_filter_mutex);
		ret = -ENOENT;
		goto out;
	}

	watch = e->rule.watch;
	if (watch) {
		struct audit_parent *parent = watch->parent;

		list_del(&e->rule.rlist);

		if (list_empty(&watch->rules)) {
			audit_remove_watch(watch);

			if (list_empty(&parent->watches)) {
				/* Put parent on the inotify un-registration
				 * list.  Grab a reference before releasing
				 * audit_filter_mutex, to be released in
1412
1413
1414
1415
1416
1417
1418
				 * audit_inotify_unregister().
				 * If filesystem is going away, just leave
				 * the sucker alone, eviction will take
				 * care of it.
				 */
				if (pin_inotify_watch(&parent->wdata))
					list_add(&parent->ilist, &inotify_list);
Amy Griffis's avatar
Amy Griffis committed
1419
			}
1420
1421
		}
	}
Amy Griffis's avatar
Amy Griffis committed
1422

Al Viro's avatar
Al Viro committed
1423
1424
1425
	if (e->rule.tree)
		audit_remove_tree_rule(&e->rule);

Amy Griffis's avatar
Amy Griffis committed
1426
	list_del_rcu(&e->list);
Al Viro's avatar
Al Viro committed
1427
	list_del(&e->rule.list);
Amy Griffis's avatar
Amy Griffis committed
1428
1429
	call_rcu(&e->rcu, audit_free_rule_rcu);

1430
1431
1432
#ifdef CONFIG_AUDITSYSCALL
	if (!dont_count)
		audit_n_rules--;
Amy Griffis's avatar
Amy Griffis committed
1433
1434
1435

	if (!audit_match_signal(entry))
		audit_signals--;
1436
#endif
Amy Griffis's avatar
Amy Griffis committed
1437
1438
1439
1440
1441
1442
1443
1444
	mutex_unlock(&audit_filter_mutex);

	if (!list_empty(&inotify_list))
		audit_inotify_unregister(&inotify_list);

out:
	if (tmp_watch)
		audit_put_watch(tmp_watch); /* match initial get */
Al Viro's avatar
Al Viro committed
1445
1446
	if (tree)
		audit_put_tree(tree);	/* that's the temporary one */
Amy Griffis's avatar
Amy Griffis committed
1447
1448

	return ret;
1449
1450
}

1451
1452
/* List rules using struct audit_rule.  Exists for backward
 * compatibility with userspace. */
1453
static void audit_list(int pid, int seq, struct sk_buff_head *q)
1454
{
1455
	struct sk_buff *skb;
Al Viro's avatar
Al Viro committed
1456
	struct audit_krule *r;
1457
1458
	int i;

Amy Griffis's avatar
Amy Griffis committed
1459
1460
	/* This is a blocking read, so use audit_filter_mutex instead of rcu
	 * iterator to sync with list writers. */
1461
	for (i=0; i<AUDIT_NR_FILTERS; i++) {
Al Viro's avatar
Al Viro committed
1462
		list_for_each_entry(r, &audit_rules_list[i], list) {
Amy Griffis's avatar
Amy Griffis committed
1463
1464
			struct audit_rule *rule;

Al Viro's avatar
Al Viro committed
1465
			rule = audit_krule_to_rule(r);
Amy Griffis's avatar
Amy Griffis committed
1466
1467
1468
1469
1470
1471
1472
1473
1474
			if (unlikely(!rule))
				break;
			skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
					 rule, sizeof(*rule));
			if (skb)
				skb_queue_tail(q, skb);
			kfree(rule);
		}
	}
1475
1476
1477
	skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
	if (skb)
		skb_queue_tail(q, skb);
1478
1479
}

1480
/* List rules using struct audit_rule_data. */
1481
static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1482
{
1483
	struct sk_buff *skb;
Al Viro's avatar
Al Viro committed
1484
	struct audit_krule *r;
1485
1486
	int i;

Amy Griffis's avatar
Amy Griffis committed
1487
1488
	/* This is a blocking read, so use audit_filter_mutex instead of rcu
	 * iterator to sync with list writers. */
1489
	for (i=0; i<AUDIT_NR_FILTERS; i++) {