Version:  2.0.40 2.2.26 2.4.37 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10

Linux/kernel/auditfilter.c

  1 /* auditfilter.c -- filtering of audit events
  2  *
  3  * Copyright 2003-2004 Red Hat, Inc.
  4  * Copyright 2005 Hewlett-Packard Development Company, L.P.
  5  * Copyright 2005 IBM Corporation
  6  *
  7  * This program is free software; you can redistribute it and/or modify
  8  * it under the terms of the GNU General Public License as published by
  9  * the Free Software Foundation; either version 2 of the License, or
 10  * (at your option) any later version.
 11  *
 12  * This program is distributed in the hope that it will be useful,
 13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 15  * GNU General Public License for more details.
 16  *
 17  * You should have received a copy of the GNU General Public License
 18  * along with this program; if not, write to the Free Software
 19  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 20  */
 21 
 22 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 23 
 24 #include <linux/kernel.h>
 25 #include <linux/audit.h>
 26 #include <linux/kthread.h>
 27 #include <linux/mutex.h>
 28 #include <linux/fs.h>
 29 #include <linux/namei.h>
 30 #include <linux/netlink.h>
 31 #include <linux/sched.h>
 32 #include <linux/slab.h>
 33 #include <linux/security.h>
 34 #include <net/net_namespace.h>
 35 #include <net/sock.h>
 36 #include "audit.h"
 37 
 38 /*
 39  * Locking model:
 40  *
 41  * audit_filter_mutex:
 42  *              Synchronizes writes and blocking reads of audit's filterlist
 43  *              data.  Rcu is used to traverse the filterlist and access
 44  *              contents of structs audit_entry, audit_watch and opaque
 45  *              LSM rules during filtering.  If modified, these structures
 46  *              must be copied and replace their counterparts in the filterlist.
 47  *              An audit_parent struct is not accessed during filtering, so may
 48  *              be written directly provided audit_filter_mutex is held.
 49  */
 50 
 51 /* Audit filter lists, defined in <linux/audit.h> */
 52 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
 53         LIST_HEAD_INIT(audit_filter_list[0]),
 54         LIST_HEAD_INIT(audit_filter_list[1]),
 55         LIST_HEAD_INIT(audit_filter_list[2]),
 56         LIST_HEAD_INIT(audit_filter_list[3]),
 57         LIST_HEAD_INIT(audit_filter_list[4]),
 58         LIST_HEAD_INIT(audit_filter_list[5]),
 59 #if AUDIT_NR_FILTERS != 6
 60 #error Fix audit_filter_list initialiser
 61 #endif
 62 };
 63 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
 64         LIST_HEAD_INIT(audit_rules_list[0]),
 65         LIST_HEAD_INIT(audit_rules_list[1]),
 66         LIST_HEAD_INIT(audit_rules_list[2]),
 67         LIST_HEAD_INIT(audit_rules_list[3]),
 68         LIST_HEAD_INIT(audit_rules_list[4]),
 69         LIST_HEAD_INIT(audit_rules_list[5]),
 70 };
 71 
 72 DEFINE_MUTEX(audit_filter_mutex);
 73 
 74 static void audit_free_lsm_field(struct audit_field *f)
 75 {
 76         switch (f->type) {
 77         case AUDIT_SUBJ_USER:
 78         case AUDIT_SUBJ_ROLE:
 79         case AUDIT_SUBJ_TYPE:
 80         case AUDIT_SUBJ_SEN:
 81         case AUDIT_SUBJ_CLR:
 82         case AUDIT_OBJ_USER:
 83         case AUDIT_OBJ_ROLE:
 84         case AUDIT_OBJ_TYPE:
 85         case AUDIT_OBJ_LEV_LOW:
 86         case AUDIT_OBJ_LEV_HIGH:
 87                 kfree(f->lsm_str);
 88                 security_audit_rule_free(f->lsm_rule);
 89         }
 90 }
 91 
 92 static inline void audit_free_rule(struct audit_entry *e)
 93 {
 94         int i;
 95         struct audit_krule *erule = &e->rule;
 96 
 97         /* some rules don't have associated watches */
 98         if (erule->watch)
 99                 audit_put_watch(erule->watch);
100         if (erule->fields)
101                 for (i = 0; i < erule->field_count; i++)
102                         audit_free_lsm_field(&erule->fields[i]);
103         kfree(erule->fields);
104         kfree(erule->filterkey);
105         kfree(e);
106 }
107 
108 void audit_free_rule_rcu(struct rcu_head *head)
109 {
110         struct audit_entry *e = container_of(head, struct audit_entry, rcu);
111         audit_free_rule(e);
112 }
113 
114 /* Initialize an audit filterlist entry. */
115 static inline struct audit_entry *audit_init_entry(u32 field_count)
116 {
117         struct audit_entry *entry;
118         struct audit_field *fields;
119 
120         entry = kzalloc(sizeof(*entry), GFP_KERNEL);
121         if (unlikely(!entry))
122                 return NULL;
123 
124         fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
125         if (unlikely(!fields)) {
126                 kfree(entry);
127                 return NULL;
128         }
129         entry->rule.fields = fields;
130 
131         return entry;
132 }
133 
134 /* Unpack a filter field's string representation from user-space
135  * buffer. */
136 char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
137 {
138         char *str;
139 
140         if (!*bufp || (len == 0) || (len > *remain))
141                 return ERR_PTR(-EINVAL);
142 
143         /* Of the currently implemented string fields, PATH_MAX
144          * defines the longest valid length.
145          */
146         if (len > PATH_MAX)
147                 return ERR_PTR(-ENAMETOOLONG);
148 
149         str = kmalloc(len + 1, GFP_KERNEL);
150         if (unlikely(!str))
151                 return ERR_PTR(-ENOMEM);
152 
153         memcpy(str, *bufp, len);
154         str[len] = 0;
155         *bufp += len;
156         *remain -= len;
157 
158         return str;
159 }
160 
161 /* Translate an inode field to kernel representation. */
162 static inline int audit_to_inode(struct audit_krule *krule,
163                                  struct audit_field *f)
164 {
165         if (krule->listnr != AUDIT_FILTER_EXIT ||
166             krule->inode_f || krule->watch || krule->tree ||
167             (f->op != Audit_equal && f->op != Audit_not_equal))
168                 return -EINVAL;
169 
170         krule->inode_f = f;
171         return 0;
172 }
173 
174 static __u32 *classes[AUDIT_SYSCALL_CLASSES];
175 
176 int __init audit_register_class(int class, unsigned *list)
177 {
178         __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
179         if (!p)
180                 return -ENOMEM;
181         while (*list != ~0U) {
182                 unsigned n = *list++;
183                 if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
184                         kfree(p);
185                         return -EINVAL;
186                 }
187                 p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
188         }
189         if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
190                 kfree(p);
191                 return -EINVAL;
192         }
193         classes[class] = p;
194         return 0;
195 }
196 
197 int audit_match_class(int class, unsigned syscall)
198 {
199         if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
200                 return 0;
201         if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
202                 return 0;
203         return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
204 }
205 
206 #ifdef CONFIG_AUDITSYSCALL
207 static inline int audit_match_class_bits(int class, u32 *mask)
208 {
209         int i;
210 
211         if (classes[class]) {
212                 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
213                         if (mask[i] & classes[class][i])
214                                 return 0;
215         }
216         return 1;
217 }
218 
219 static int audit_match_signal(struct audit_entry *entry)
220 {
221         struct audit_field *arch = entry->rule.arch_f;
222 
223         if (!arch) {
224                 /* When arch is unspecified, we must check both masks on biarch
225                  * as syscall number alone is ambiguous. */
226                 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
227                                                entry->rule.mask) &&
228                         audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
229                                                entry->rule.mask));
230         }
231 
232         switch(audit_classify_arch(arch->val)) {
233         case 0: /* native */
234                 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
235                                                entry->rule.mask));
236         case 1: /* 32bit on biarch */
237                 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
238                                                entry->rule.mask));
239         default:
240                 return 1;
241         }
242 }
243 #endif
244 
245 /* Common user-space to kernel rule translation. */
246 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
247 {
248         unsigned listnr;
249         struct audit_entry *entry;
250         int i, err;
251 
252         err = -EINVAL;
253         listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
254         switch(listnr) {
255         default:
256                 goto exit_err;
257 #ifdef CONFIG_AUDITSYSCALL
258         case AUDIT_FILTER_ENTRY:
259                 if (rule->action == AUDIT_ALWAYS)
260                         goto exit_err;
261         case AUDIT_FILTER_EXIT:
262         case AUDIT_FILTER_TASK:
263 #endif
264         case AUDIT_FILTER_USER:
265         case AUDIT_FILTER_TYPE:
266                 ;
267         }
268         if (unlikely(rule->action == AUDIT_POSSIBLE)) {
269                 pr_err("AUDIT_POSSIBLE is deprecated\n");
270                 goto exit_err;
271         }
272         if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
273                 goto exit_err;
274         if (rule->field_count > AUDIT_MAX_FIELDS)
275                 goto exit_err;
276 
277         err = -ENOMEM;
278         entry = audit_init_entry(rule->field_count);
279         if (!entry)
280                 goto exit_err;
281 
282         entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
283         entry->rule.listnr = listnr;
284         entry->rule.action = rule->action;
285         entry->rule.field_count = rule->field_count;
286 
287         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
288                 entry->rule.mask[i] = rule->mask[i];
289 
290         for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
291                 int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
292                 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
293                 __u32 *class;
294 
295                 if (!(*p & AUDIT_BIT(bit)))
296                         continue;
297                 *p &= ~AUDIT_BIT(bit);
298                 class = classes[i];
299                 if (class) {
300                         int j;
301                         for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
302                                 entry->rule.mask[j] |= class[j];
303                 }
304         }
305 
306         return entry;
307 
308 exit_err:
309         return ERR_PTR(err);
310 }
311 
312 static u32 audit_ops[] =
313 {
314         [Audit_equal] = AUDIT_EQUAL,
315         [Audit_not_equal] = AUDIT_NOT_EQUAL,
316         [Audit_bitmask] = AUDIT_BIT_MASK,
317         [Audit_bittest] = AUDIT_BIT_TEST,
318         [Audit_lt] = AUDIT_LESS_THAN,
319         [Audit_gt] = AUDIT_GREATER_THAN,
320         [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
321         [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
322 };
323 
324 static u32 audit_to_op(u32 op)
325 {
326         u32 n;
327         for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
328                 ;
329         return n;
330 }
331 
332 /* check if an audit field is valid */
333 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
334 {
335         switch(f->type) {
336         case AUDIT_MSGTYPE:
337                 if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
338                     entry->rule.listnr != AUDIT_FILTER_USER)
339                         return -EINVAL;
340                 break;
341         };
342 
343         switch(f->type) {
344         default:
345                 return -EINVAL;
346         case AUDIT_UID:
347         case AUDIT_EUID:
348         case AUDIT_SUID:
349         case AUDIT_FSUID:
350         case AUDIT_LOGINUID:
351         case AUDIT_OBJ_UID:
352         case AUDIT_GID:
353         case AUDIT_EGID:
354         case AUDIT_SGID:
355         case AUDIT_FSGID:
356         case AUDIT_OBJ_GID:
357         case AUDIT_PID:
358         case AUDIT_PERS:
359         case AUDIT_MSGTYPE:
360         case AUDIT_PPID:
361         case AUDIT_DEVMAJOR:
362         case AUDIT_DEVMINOR:
363         case AUDIT_EXIT:
364         case AUDIT_SUCCESS:
365         case AUDIT_INODE:
366         case AUDIT_SESSIONID:
367                 /* bit ops are only useful on syscall args */
368                 if (f->op == Audit_bitmask || f->op == Audit_bittest)
369                         return -EINVAL;
370                 break;
371         case AUDIT_ARG0:
372         case AUDIT_ARG1:
373         case AUDIT_ARG2:
374         case AUDIT_ARG3:
375         case AUDIT_SUBJ_USER:
376         case AUDIT_SUBJ_ROLE:
377         case AUDIT_SUBJ_TYPE:
378         case AUDIT_SUBJ_SEN:
379         case AUDIT_SUBJ_CLR:
380         case AUDIT_OBJ_USER:
381         case AUDIT_OBJ_ROLE:
382         case AUDIT_OBJ_TYPE:
383         case AUDIT_OBJ_LEV_LOW:
384         case AUDIT_OBJ_LEV_HIGH:
385         case AUDIT_WATCH:
386         case AUDIT_DIR:
387         case AUDIT_FILTERKEY:
388                 break;
389         case AUDIT_LOGINUID_SET:
390                 if ((f->val != 0) && (f->val != 1))
391                         return -EINVAL;
392         /* FALL THROUGH */
393         case AUDIT_ARCH:
394                 if (f->op != Audit_not_equal && f->op != Audit_equal)
395                         return -EINVAL;
396                 break;
397         case AUDIT_PERM:
398                 if (f->val & ~15)
399                         return -EINVAL;
400                 break;
401         case AUDIT_FILETYPE:
402                 if (f->val & ~S_IFMT)
403                         return -EINVAL;
404                 break;
405         case AUDIT_FIELD_COMPARE:
406                 if (f->val > AUDIT_MAX_FIELD_COMPARE)
407                         return -EINVAL;
408                 break;
409         case AUDIT_EXE:
410                 if (f->op != Audit_equal)
411                         return -EINVAL;
412                 if (entry->rule.listnr != AUDIT_FILTER_EXIT)
413                         return -EINVAL;
414                 break;
415         };
416         return 0;
417 }
418 
419 /* Translate struct audit_rule_data to kernel's rule representation. */
420 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
421                                                size_t datasz)
422 {
423         int err = 0;
424         struct audit_entry *entry;
425         void *bufp;
426         size_t remain = datasz - sizeof(struct audit_rule_data);
427         int i;
428         char *str;
429         struct audit_fsnotify_mark *audit_mark;
430 
431         entry = audit_to_entry_common(data);
432         if (IS_ERR(entry))
433                 goto exit_nofree;
434 
435         bufp = data->buf;
436         for (i = 0; i < data->field_count; i++) {
437                 struct audit_field *f = &entry->rule.fields[i];
438 
439                 err = -EINVAL;
440 
441                 f->op = audit_to_op(data->fieldflags[i]);
442                 if (f->op == Audit_bad)
443                         goto exit_free;
444 
445                 f->type = data->fields[i];
446                 f->val = data->values[i];
447 
448                 /* Support legacy tests for a valid loginuid */
449                 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
450                         f->type = AUDIT_LOGINUID_SET;
451                         f->val = 0;
452                         entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
453                 }
454 
455                 err = audit_field_valid(entry, f);
456                 if (err)
457                         goto exit_free;
458 
459                 err = -EINVAL;
460                 switch (f->type) {
461                 case AUDIT_LOGINUID:
462                 case AUDIT_UID:
463                 case AUDIT_EUID:
464                 case AUDIT_SUID:
465                 case AUDIT_FSUID:
466                 case AUDIT_OBJ_UID:
467                         f->uid = make_kuid(current_user_ns(), f->val);
468                         if (!uid_valid(f->uid))
469                                 goto exit_free;
470                         break;
471                 case AUDIT_GID:
472                 case AUDIT_EGID:
473                 case AUDIT_SGID:
474                 case AUDIT_FSGID:
475                 case AUDIT_OBJ_GID:
476                         f->gid = make_kgid(current_user_ns(), f->val);
477                         if (!gid_valid(f->gid))
478                                 goto exit_free;
479                         break;
480                 case AUDIT_SESSIONID:
481                 case AUDIT_ARCH:
482                         entry->rule.arch_f = f;
483                         break;
484                 case AUDIT_SUBJ_USER:
485                 case AUDIT_SUBJ_ROLE:
486                 case AUDIT_SUBJ_TYPE:
487                 case AUDIT_SUBJ_SEN:
488                 case AUDIT_SUBJ_CLR:
489                 case AUDIT_OBJ_USER:
490                 case AUDIT_OBJ_ROLE:
491                 case AUDIT_OBJ_TYPE:
492                 case AUDIT_OBJ_LEV_LOW:
493                 case AUDIT_OBJ_LEV_HIGH:
494                         str = audit_unpack_string(&bufp, &remain, f->val);
495                         if (IS_ERR(str))
496                                 goto exit_free;
497                         entry->rule.buflen += f->val;
498 
499                         err = security_audit_rule_init(f->type, f->op, str,
500                                                        (void **)&f->lsm_rule);
501                         /* Keep currently invalid fields around in case they
502                          * become valid after a policy reload. */
503                         if (err == -EINVAL) {
504                                 pr_warn("audit rule for LSM \'%s\' is invalid\n",
505                                         str);
506                                 err = 0;
507                         }
508                         if (err) {
509                                 kfree(str);
510                                 goto exit_free;
511                         } else
512                                 f->lsm_str = str;
513                         break;
514                 case AUDIT_WATCH:
515                         str = audit_unpack_string(&bufp, &remain, f->val);
516                         if (IS_ERR(str))
517                                 goto exit_free;
518                         entry->rule.buflen += f->val;
519 
520                         err = audit_to_watch(&entry->rule, str, f->val, f->op);
521                         if (err) {
522                                 kfree(str);
523                                 goto exit_free;
524                         }
525                         break;
526                 case AUDIT_DIR:
527                         str = audit_unpack_string(&bufp, &remain, f->val);
528                         if (IS_ERR(str))
529                                 goto exit_free;
530                         entry->rule.buflen += f->val;
531 
532                         err = audit_make_tree(&entry->rule, str, f->op);
533                         kfree(str);
534                         if (err)
535                                 goto exit_free;
536                         break;
537                 case AUDIT_INODE:
538                         err = audit_to_inode(&entry->rule, f);
539                         if (err)
540                                 goto exit_free;
541                         break;
542                 case AUDIT_FILTERKEY:
543                         if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
544                                 goto exit_free;
545                         str = audit_unpack_string(&bufp, &remain, f->val);
546                         if (IS_ERR(str))
547                                 goto exit_free;
548                         entry->rule.buflen += f->val;
549                         entry->rule.filterkey = str;
550                         break;
551                 case AUDIT_EXE:
552                         if (entry->rule.exe || f->val > PATH_MAX)
553                                 goto exit_free;
554                         str = audit_unpack_string(&bufp, &remain, f->val);
555                         if (IS_ERR(str)) {
556                                 err = PTR_ERR(str);
557                                 goto exit_free;
558                         }
559                         entry->rule.buflen += f->val;
560 
561                         audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
562                         if (IS_ERR(audit_mark)) {
563                                 kfree(str);
564                                 err = PTR_ERR(audit_mark);
565                                 goto exit_free;
566                         }
567                         entry->rule.exe = audit_mark;
568                         break;
569                 }
570         }
571 
572         if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
573                 entry->rule.inode_f = NULL;
574 
575 exit_nofree:
576         return entry;
577 
578 exit_free:
579         if (entry->rule.tree)
580                 audit_put_tree(entry->rule.tree); /* that's the temporary one */
581         if (entry->rule.exe)
582                 audit_remove_mark(entry->rule.exe); /* that's the template one */
583         audit_free_rule(entry);
584         return ERR_PTR(err);
585 }
586 
587 /* Pack a filter field's string representation into data block. */
588 static inline size_t audit_pack_string(void **bufp, const char *str)
589 {
590         size_t len = strlen(str);
591 
592         memcpy(*bufp, str, len);
593         *bufp += len;
594 
595         return len;
596 }
597 
598 /* Translate kernel rule representation to struct audit_rule_data. */
599 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
600 {
601         struct audit_rule_data *data;
602         void *bufp;
603         int i;
604 
605         data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
606         if (unlikely(!data))
607                 return NULL;
608         memset(data, 0, sizeof(*data));
609 
610         data->flags = krule->flags | krule->listnr;
611         data->action = krule->action;
612         data->field_count = krule->field_count;
613         bufp = data->buf;
614         for (i = 0; i < data->field_count; i++) {
615                 struct audit_field *f = &krule->fields[i];
616 
617                 data->fields[i] = f->type;
618                 data->fieldflags[i] = audit_ops[f->op];
619                 switch(f->type) {
620                 case AUDIT_SUBJ_USER:
621                 case AUDIT_SUBJ_ROLE:
622                 case AUDIT_SUBJ_TYPE:
623                 case AUDIT_SUBJ_SEN:
624                 case AUDIT_SUBJ_CLR:
625                 case AUDIT_OBJ_USER:
626                 case AUDIT_OBJ_ROLE:
627                 case AUDIT_OBJ_TYPE:
628                 case AUDIT_OBJ_LEV_LOW:
629                 case AUDIT_OBJ_LEV_HIGH:
630                         data->buflen += data->values[i] =
631                                 audit_pack_string(&bufp, f->lsm_str);
632                         break;
633                 case AUDIT_WATCH:
634                         data->buflen += data->values[i] =
635                                 audit_pack_string(&bufp,
636                                                   audit_watch_path(krule->watch));
637                         break;
638                 case AUDIT_DIR:
639                         data->buflen += data->values[i] =
640                                 audit_pack_string(&bufp,
641                                                   audit_tree_path(krule->tree));
642                         break;
643                 case AUDIT_FILTERKEY:
644                         data->buflen += data->values[i] =
645                                 audit_pack_string(&bufp, krule->filterkey);
646                         break;
647                 case AUDIT_EXE:
648                         data->buflen += data->values[i] =
649                                 audit_pack_string(&bufp, audit_mark_path(krule->exe));
650                         break;
651                 case AUDIT_LOGINUID_SET:
652                         if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
653                                 data->fields[i] = AUDIT_LOGINUID;
654                                 data->values[i] = AUDIT_UID_UNSET;
655                                 break;
656                         }
657                         /* fallthrough if set */
658                 default:
659                         data->values[i] = f->val;
660                 }
661         }
662         for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
663 
664         return data;
665 }
666 
667 /* Compare two rules in kernel format.  Considered success if rules
668  * don't match. */
669 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
670 {
671         int i;
672 
673         if (a->flags != b->flags ||
674             a->pflags != b->pflags ||
675             a->listnr != b->listnr ||
676             a->action != b->action ||
677             a->field_count != b->field_count)
678                 return 1;
679 
680         for (i = 0; i < a->field_count; i++) {
681                 if (a->fields[i].type != b->fields[i].type ||
682                     a->fields[i].op != b->fields[i].op)
683                         return 1;
684 
685                 switch(a->fields[i].type) {
686                 case AUDIT_SUBJ_USER:
687                 case AUDIT_SUBJ_ROLE:
688                 case AUDIT_SUBJ_TYPE:
689                 case AUDIT_SUBJ_SEN:
690                 case AUDIT_SUBJ_CLR:
691                 case AUDIT_OBJ_USER:
692                 case AUDIT_OBJ_ROLE:
693                 case AUDIT_OBJ_TYPE:
694                 case AUDIT_OBJ_LEV_LOW:
695                 case AUDIT_OBJ_LEV_HIGH:
696                         if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
697                                 return 1;
698                         break;
699                 case AUDIT_WATCH:
700                         if (strcmp(audit_watch_path(a->watch),
701                                    audit_watch_path(b->watch)))
702                                 return 1;
703                         break;
704                 case AUDIT_DIR:
705                         if (strcmp(audit_tree_path(a->tree),
706                                    audit_tree_path(b->tree)))
707                                 return 1;
708                         break;
709                 case AUDIT_FILTERKEY:
710                         /* both filterkeys exist based on above type compare */
711                         if (strcmp(a->filterkey, b->filterkey))
712                                 return 1;
713                         break;
714                 case AUDIT_EXE:
715                         /* both paths exist based on above type compare */
716                         if (strcmp(audit_mark_path(a->exe),
717                                    audit_mark_path(b->exe)))
718                                 return 1;
719                         break;
720                 case AUDIT_UID:
721                 case AUDIT_EUID:
722                 case AUDIT_SUID:
723                 case AUDIT_FSUID:
724                 case AUDIT_LOGINUID:
725                 case AUDIT_OBJ_UID:
726                         if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
727                                 return 1;
728                         break;
729                 case AUDIT_GID:
730                 case AUDIT_EGID:
731                 case AUDIT_SGID:
732                 case AUDIT_FSGID:
733                 case AUDIT_OBJ_GID:
734                         if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
735                                 return 1;
736                         break;
737                 default:
738                         if (a->fields[i].val != b->fields[i].val)
739                                 return 1;
740                 }
741         }
742 
743         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
744                 if (a->mask[i] != b->mask[i])
745                         return 1;
746 
747         return 0;
748 }
749 
750 /* Duplicate LSM field information.  The lsm_rule is opaque, so must be
751  * re-initialized. */
752 static inline int audit_dupe_lsm_field(struct audit_field *df,
753                                            struct audit_field *sf)
754 {
755         int ret = 0;
756         char *lsm_str;
757 
758         /* our own copy of lsm_str */
759         lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
760         if (unlikely(!lsm_str))
761                 return -ENOMEM;
762         df->lsm_str = lsm_str;
763 
764         /* our own (refreshed) copy of lsm_rule */
765         ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
766                                        (void **)&df->lsm_rule);
767         /* Keep currently invalid fields around in case they
768          * become valid after a policy reload. */
769         if (ret == -EINVAL) {
770                 pr_warn("audit rule for LSM \'%s\' is invalid\n",
771                         df->lsm_str);
772                 ret = 0;
773         }
774 
775         return ret;
776 }
777 
778 /* Duplicate an audit rule.  This will be a deep copy with the exception
779  * of the watch - that pointer is carried over.  The LSM specific fields
780  * will be updated in the copy.  The point is to be able to replace the old
781  * rule with the new rule in the filterlist, then free the old rule.
782  * The rlist element is undefined; list manipulations are handled apart from
783  * the initial copy. */
784 struct audit_entry *audit_dupe_rule(struct audit_krule *old)
785 {
786         u32 fcount = old->field_count;
787         struct audit_entry *entry;
788         struct audit_krule *new;
789         char *fk;
790         int i, err = 0;
791 
792         entry = audit_init_entry(fcount);
793         if (unlikely(!entry))
794                 return ERR_PTR(-ENOMEM);
795 
796         new = &entry->rule;
797         new->flags = old->flags;
798         new->pflags = old->pflags;
799         new->listnr = old->listnr;
800         new->action = old->action;
801         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
802                 new->mask[i] = old->mask[i];
803         new->prio = old->prio;
804         new->buflen = old->buflen;
805         new->inode_f = old->inode_f;
806         new->field_count = old->field_count;
807 
808         /*
809          * note that we are OK with not refcounting here; audit_match_tree()
810          * never dereferences tree and we can't get false positives there
811          * since we'd have to have rule gone from the list *and* removed
812          * before the chunks found by lookup had been allocated, i.e. before
813          * the beginning of list scan.
814          */
815         new->tree = old->tree;
816         memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
817 
818         /* deep copy this information, updating the lsm_rule fields, because
819          * the originals will all be freed when the old rule is freed. */
820         for (i = 0; i < fcount; i++) {
821                 switch (new->fields[i].type) {
822                 case AUDIT_SUBJ_USER:
823                 case AUDIT_SUBJ_ROLE:
824                 case AUDIT_SUBJ_TYPE:
825                 case AUDIT_SUBJ_SEN:
826                 case AUDIT_SUBJ_CLR:
827                 case AUDIT_OBJ_USER:
828                 case AUDIT_OBJ_ROLE:
829                 case AUDIT_OBJ_TYPE:
830                 case AUDIT_OBJ_LEV_LOW:
831                 case AUDIT_OBJ_LEV_HIGH:
832                         err = audit_dupe_lsm_field(&new->fields[i],
833                                                        &old->fields[i]);
834                         break;
835                 case AUDIT_FILTERKEY:
836                         fk = kstrdup(old->filterkey, GFP_KERNEL);
837                         if (unlikely(!fk))
838                                 err = -ENOMEM;
839                         else
840                                 new->filterkey = fk;
841                         break;
842                 case AUDIT_EXE:
843                         err = audit_dupe_exe(new, old);
844                         break;
845                 }
846                 if (err) {
847                         if (new->exe)
848                                 audit_remove_mark(new->exe);
849                         audit_free_rule(entry);
850                         return ERR_PTR(err);
851                 }
852         }
853 
854         if (old->watch) {
855                 audit_get_watch(old->watch);
856                 new->watch = old->watch;
857         }
858 
859         return entry;
860 }
861 
862 /* Find an existing audit rule.
863  * Caller must hold audit_filter_mutex to prevent stale rule data. */
864 static struct audit_entry *audit_find_rule(struct audit_entry *entry,
865                                            struct list_head **p)
866 {
867         struct audit_entry *e, *found = NULL;
868         struct list_head *list;
869         int h;
870 
871         if (entry->rule.inode_f) {
872                 h = audit_hash_ino(entry->rule.inode_f->val);
873                 *p = list = &audit_inode_hash[h];
874         } else if (entry->rule.watch) {
875                 /* we don't know the inode number, so must walk entire hash */
876                 for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
877                         list = &audit_inode_hash[h];
878                         list_for_each_entry(e, list, list)
879                                 if (!audit_compare_rule(&entry->rule, &e->rule)) {
880                                         found = e;
881                                         goto out;
882                                 }
883                 }
884                 goto out;
885         } else {
886                 *p = list = &audit_filter_list[entry->rule.listnr];
887         }
888 
889         list_for_each_entry(e, list, list)
890                 if (!audit_compare_rule(&entry->rule, &e->rule)) {
891                         found = e;
892                         goto out;
893                 }
894 
895 out:
896         return found;
897 }
898 
899 static u64 prio_low = ~0ULL/2;
900 static u64 prio_high = ~0ULL/2 - 1;
901 
902 /* Add rule to given filterlist if not a duplicate. */
903 static inline int audit_add_rule(struct audit_entry *entry)
904 {
905         struct audit_entry *e;
906         struct audit_watch *watch = entry->rule.watch;
907         struct audit_tree *tree = entry->rule.tree;
908         struct list_head *list;
909         int err = 0;
910 #ifdef CONFIG_AUDITSYSCALL
911         int dont_count = 0;
912 
913         /* If either of these, don't count towards total */
914         if (entry->rule.listnr == AUDIT_FILTER_USER ||
915                 entry->rule.listnr == AUDIT_FILTER_TYPE)
916                 dont_count = 1;
917 #endif
918 
919         mutex_lock(&audit_filter_mutex);
920         e = audit_find_rule(entry, &list);
921         if (e) {
922                 mutex_unlock(&audit_filter_mutex);
923                 err = -EEXIST;
924                 /* normally audit_add_tree_rule() will free it on failure */
925                 if (tree)
926                         audit_put_tree(tree);
927                 return err;
928         }
929 
930         if (watch) {
931                 /* audit_filter_mutex is dropped and re-taken during this call */
932                 err = audit_add_watch(&entry->rule, &list);
933                 if (err) {
934                         mutex_unlock(&audit_filter_mutex);
935                         /*
936                          * normally audit_add_tree_rule() will free it
937                          * on failure
938                          */
939                         if (tree)
940                                 audit_put_tree(tree);
941                         return err;
942                 }
943         }
944         if (tree) {
945                 err = audit_add_tree_rule(&entry->rule);
946                 if (err) {
947                         mutex_unlock(&audit_filter_mutex);
948                         return err;
949                 }
950         }
951 
952         entry->rule.prio = ~0ULL;
953         if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
954                 if (entry->rule.flags & AUDIT_FILTER_PREPEND)
955                         entry->rule.prio = ++prio_high;
956                 else
957                         entry->rule.prio = --prio_low;
958         }
959 
960         if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
961                 list_add(&entry->rule.list,
962                          &audit_rules_list[entry->rule.listnr]);
963                 list_add_rcu(&entry->list, list);
964                 entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
965         } else {
966                 list_add_tail(&entry->rule.list,
967                               &audit_rules_list[entry->rule.listnr]);
968                 list_add_tail_rcu(&entry->list, list);
969         }
970 #ifdef CONFIG_AUDITSYSCALL
971         if (!dont_count)
972                 audit_n_rules++;
973 
974         if (!audit_match_signal(entry))
975                 audit_signals++;
976 #endif
977         mutex_unlock(&audit_filter_mutex);
978 
979         return err;
980 }
981 
982 /* Remove an existing rule from filterlist. */
983 int audit_del_rule(struct audit_entry *entry)
984 {
985         struct audit_entry  *e;
986         struct audit_tree *tree = entry->rule.tree;
987         struct list_head *list;
988         int ret = 0;
989 #ifdef CONFIG_AUDITSYSCALL
990         int dont_count = 0;
991 
992         /* If either of these, don't count towards total */
993         if (entry->rule.listnr == AUDIT_FILTER_USER ||
994                 entry->rule.listnr == AUDIT_FILTER_TYPE)
995                 dont_count = 1;
996 #endif
997 
998         mutex_lock(&audit_filter_mutex);
999         e = audit_find_rule(entry, &list);
1000         if (!e) {
1001                 ret = -ENOENT;
1002                 goto out;
1003         }
1004 
1005         if (e->rule.watch)
1006                 audit_remove_watch_rule(&e->rule);
1007 
1008         if (e->rule.tree)
1009                 audit_remove_tree_rule(&e->rule);
1010 
1011         if (e->rule.exe)
1012                 audit_remove_mark_rule(&e->rule);
1013 
1014 #ifdef CONFIG_AUDITSYSCALL
1015         if (!dont_count)
1016                 audit_n_rules--;
1017 
1018         if (!audit_match_signal(entry))
1019                 audit_signals--;
1020 #endif
1021 
1022         list_del_rcu(&e->list);
1023         list_del(&e->rule.list);
1024         call_rcu(&e->rcu, audit_free_rule_rcu);
1025 
1026 out:
1027         mutex_unlock(&audit_filter_mutex);
1028 
1029         if (tree)
1030                 audit_put_tree(tree);   /* that's the temporary one */
1031 
1032         return ret;
1033 }
1034 
1035 /* List rules using struct audit_rule_data. */
1036 static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
1037 {
1038         struct sk_buff *skb;
1039         struct audit_krule *r;
1040         int i;
1041 
1042         /* This is a blocking read, so use audit_filter_mutex instead of rcu
1043          * iterator to sync with list writers. */
1044         for (i=0; i<AUDIT_NR_FILTERS; i++) {
1045                 list_for_each_entry(r, &audit_rules_list[i], list) {
1046                         struct audit_rule_data *data;
1047 
1048                         data = audit_krule_to_data(r);
1049                         if (unlikely(!data))
1050                                 break;
1051                         skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
1052                                                0, 1, data,
1053                                                sizeof(*data) + data->buflen);
1054                         if (skb)
1055                                 skb_queue_tail(q, skb);
1056                         kfree(data);
1057                 }
1058         }
1059         skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1060         if (skb)
1061                 skb_queue_tail(q, skb);
1062 }
1063 
1064 /* Log rule additions and removals */
1065 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1066 {
1067         struct audit_buffer *ab;
1068         uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
1069         unsigned int sessionid = audit_get_sessionid(current);
1070 
1071         if (!audit_enabled)
1072                 return;
1073 
1074         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1075         if (!ab)
1076                 return;
1077         audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
1078         audit_log_task_context(ab);
1079         audit_log_format(ab, " op=%s", action);
1080         audit_log_key(ab, rule->filterkey);
1081         audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1082         audit_log_end(ab);
1083 }
1084 
1085 /**
1086  * audit_rule_change - apply all rules to the specified message type
1087  * @type: audit message type
1088  * @portid: target port id for netlink audit messages
1089  * @seq: netlink audit message sequence (serial) number
1090  * @data: payload data
1091  * @datasz: size of payload data
1092  */
1093 int audit_rule_change(int type, __u32 portid, int seq, void *data,
1094                         size_t datasz)
1095 {
1096         int err = 0;
1097         struct audit_entry *entry;
1098 
1099         entry = audit_data_to_entry(data, datasz);
1100         if (IS_ERR(entry))
1101                 return PTR_ERR(entry);
1102 
1103         switch (type) {
1104         case AUDIT_ADD_RULE:
1105                 err = audit_add_rule(entry);
1106                 audit_log_rule_change("add_rule", &entry->rule, !err);
1107                 break;
1108         case AUDIT_DEL_RULE:
1109                 err = audit_del_rule(entry);
1110                 audit_log_rule_change("remove_rule", &entry->rule, !err);
1111                 break;
1112         default:
1113                 err = -EINVAL;
1114                 WARN_ON(1);
1115         }
1116 
1117         if (err || type == AUDIT_DEL_RULE) {
1118                 if (entry->rule.exe)
1119                         audit_remove_mark(entry->rule.exe);
1120                 audit_free_rule(entry);
1121         }
1122 
1123         return err;
1124 }
1125 
1126 /**
1127  * audit_list_rules_send - list the audit rules
1128  * @request_skb: skb of request we are replying to (used to target the reply)
1129  * @seq: netlink audit message sequence (serial) number
1130  */
1131 int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1132 {
1133         u32 portid = NETLINK_CB(request_skb).portid;
1134         struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1135         struct task_struct *tsk;
1136         struct audit_netlink_list *dest;
1137         int err = 0;
1138 
1139         /* We can't just spew out the rules here because we might fill
1140          * the available socket buffer space and deadlock waiting for
1141          * auditctl to read from it... which isn't ever going to
1142          * happen if we're actually running in the context of auditctl
1143          * trying to _send_ the stuff */
1144 
1145         dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1146         if (!dest)
1147                 return -ENOMEM;
1148         dest->net = get_net(net);
1149         dest->portid = portid;
1150         skb_queue_head_init(&dest->q);
1151 
1152         mutex_lock(&audit_filter_mutex);
1153         audit_list_rules(portid, seq, &dest->q);
1154         mutex_unlock(&audit_filter_mutex);
1155 
1156         tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1157         if (IS_ERR(tsk)) {
1158                 skb_queue_purge(&dest->q);
1159                 kfree(dest);
1160                 err = PTR_ERR(tsk);
1161         }
1162 
1163         return err;
1164 }
1165 
1166 int audit_comparator(u32 left, u32 op, u32 right)
1167 {
1168         switch (op) {
1169         case Audit_equal:
1170                 return (left == right);
1171         case Audit_not_equal:
1172                 return (left != right);
1173         case Audit_lt:
1174                 return (left < right);
1175         case Audit_le:
1176                 return (left <= right);
1177         case Audit_gt:
1178                 return (left > right);
1179         case Audit_ge:
1180                 return (left >= right);
1181         case Audit_bitmask:
1182                 return (left & right);
1183         case Audit_bittest:
1184                 return ((left & right) == right);
1185         default:
1186                 BUG();
1187                 return 0;
1188         }
1189 }
1190 
1191 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1192 {
1193         switch (op) {
1194         case Audit_equal:
1195                 return uid_eq(left, right);
1196         case Audit_not_equal:
1197                 return !uid_eq(left, right);
1198         case Audit_lt:
1199                 return uid_lt(left, right);
1200         case Audit_le:
1201                 return uid_lte(left, right);
1202         case Audit_gt:
1203                 return uid_gt(left, right);
1204         case Audit_ge:
1205                 return uid_gte(left, right);
1206         case Audit_bitmask:
1207         case Audit_bittest:
1208         default:
1209                 BUG();
1210                 return 0;
1211         }
1212 }
1213 
1214 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1215 {
1216         switch (op) {
1217         case Audit_equal:
1218                 return gid_eq(left, right);
1219         case Audit_not_equal:
1220                 return !gid_eq(left, right);
1221         case Audit_lt:
1222                 return gid_lt(left, right);
1223         case Audit_le:
1224                 return gid_lte(left, right);
1225         case Audit_gt:
1226                 return gid_gt(left, right);
1227         case Audit_ge:
1228                 return gid_gte(left, right);
1229         case Audit_bitmask:
1230         case Audit_bittest:
1231         default:
1232                 BUG();
1233                 return 0;
1234         }
1235 }
1236 
1237 /**
1238  * parent_len - find the length of the parent portion of a pathname
1239  * @path: pathname of which to determine length
1240  */
1241 int parent_len(const char *path)
1242 {
1243         int plen;
1244         const char *p;
1245 
1246         plen = strlen(path);
1247 
1248         if (plen == 0)
1249                 return plen;
1250 
1251         /* disregard trailing slashes */
1252         p = path + plen - 1;
1253         while ((*p == '/') && (p > path))
1254                 p--;
1255 
1256         /* walk backward until we find the next slash or hit beginning */
1257         while ((*p != '/') && (p > path))
1258                 p--;
1259 
1260         /* did we find a slash? Then increment to include it in path */
1261         if (*p == '/')
1262                 p++;
1263 
1264         return p - path;
1265 }
1266 
1267 /**
1268  * audit_compare_dname_path - compare given dentry name with last component in
1269  *                            given path. Return of 0 indicates a match.
1270  * @dname:      dentry name that we're comparing
1271  * @path:       full pathname that we're comparing
1272  * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1273  *              here indicates that we must compute this value.
1274  */
1275 int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1276 {
1277         int dlen, pathlen;
1278         const char *p;
1279 
1280         dlen = strlen(dname);
1281         pathlen = strlen(path);
1282         if (pathlen < dlen)
1283                 return 1;
1284 
1285         parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1286         if (pathlen - parentlen != dlen)
1287                 return 1;
1288 
1289         p = path + parentlen;
1290 
1291         return strncmp(p, dname, dlen);
1292 }
1293 
1294 int audit_filter(int msgtype, unsigned int listtype)
1295 {
1296         struct audit_entry *e;
1297         int ret = 1; /* Audit by default */
1298 
1299         rcu_read_lock();
1300         if (list_empty(&audit_filter_list[listtype]))
1301                 goto unlock_and_return;
1302         list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1303                 int i, result = 0;
1304 
1305                 for (i = 0; i < e->rule.field_count; i++) {
1306                         struct audit_field *f = &e->rule.fields[i];
1307                         pid_t pid;
1308                         u32 sid;
1309 
1310                         switch (f->type) {
1311                         case AUDIT_PID:
1312                                 pid = task_pid_nr(current);
1313                                 result = audit_comparator(pid, f->op, f->val);
1314                                 break;
1315                         case AUDIT_UID:
1316                                 result = audit_uid_comparator(current_uid(), f->op, f->uid);
1317                                 break;
1318                         case AUDIT_GID:
1319                                 result = audit_gid_comparator(current_gid(), f->op, f->gid);
1320                                 break;
1321                         case AUDIT_LOGINUID:
1322                                 result = audit_uid_comparator(audit_get_loginuid(current),
1323                                                               f->op, f->uid);
1324                                 break;
1325                         case AUDIT_LOGINUID_SET:
1326                                 result = audit_comparator(audit_loginuid_set(current),
1327                                                           f->op, f->val);
1328                                 break;
1329                         case AUDIT_MSGTYPE:
1330                                 result = audit_comparator(msgtype, f->op, f->val);
1331                                 break;
1332                         case AUDIT_SUBJ_USER:
1333                         case AUDIT_SUBJ_ROLE:
1334                         case AUDIT_SUBJ_TYPE:
1335                         case AUDIT_SUBJ_SEN:
1336                         case AUDIT_SUBJ_CLR:
1337                                 if (f->lsm_rule) {
1338                                         security_task_getsecid(current, &sid);
1339                                         result = security_audit_rule_match(sid,
1340                                                         f->type, f->op, f->lsm_rule, NULL);
1341                                 }
1342                                 break;
1343                         default:
1344                                 goto unlock_and_return;
1345                         }
1346                         if (result < 0) /* error */
1347                                 goto unlock_and_return;
1348                         if (!result)
1349                                 break;
1350                 }
1351                 if (result > 0) {
1352                         if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
1353                                 ret = 0;
1354                         break;
1355                 }
1356         }
1357 unlock_and_return:
1358         rcu_read_unlock();
1359         return ret;
1360 }
1361 
1362 static int update_lsm_rule(struct audit_krule *r)
1363 {
1364         struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1365         struct audit_entry *nentry;
1366         int err = 0;
1367 
1368         if (!security_audit_rule_known(r))
1369                 return 0;
1370 
1371         nentry = audit_dupe_rule(r);
1372         if (entry->rule.exe)
1373                 audit_remove_mark(entry->rule.exe);
1374         if (IS_ERR(nentry)) {
1375                 /* save the first error encountered for the
1376                  * return value */
1377                 err = PTR_ERR(nentry);
1378                 audit_panic("error updating LSM filters");
1379                 if (r->watch)
1380                         list_del(&r->rlist);
1381                 list_del_rcu(&entry->list);
1382                 list_del(&r->list);
1383         } else {
1384                 if (r->watch || r->tree)
1385                         list_replace_init(&r->rlist, &nentry->rule.rlist);
1386                 list_replace_rcu(&entry->list, &nentry->list);
1387                 list_replace(&r->list, &nentry->rule.list);
1388         }
1389         call_rcu(&entry->rcu, audit_free_rule_rcu);
1390 
1391         return err;
1392 }
1393 
1394 /* This function will re-initialize the lsm_rule field of all applicable rules.
1395  * It will traverse the filter lists serarching for rules that contain LSM
1396  * specific filter fields.  When such a rule is found, it is copied, the
1397  * LSM field is re-initialized, and the old rule is replaced with the
1398  * updated rule. */
1399 int audit_update_lsm_rules(void)
1400 {
1401         struct audit_krule *r, *n;
1402         int i, err = 0;
1403 
1404         /* audit_filter_mutex synchronizes the writers */
1405         mutex_lock(&audit_filter_mutex);
1406 
1407         for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1408                 list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1409                         int res = update_lsm_rule(r);
1410                         if (!err)
1411                                 err = res;
1412                 }
1413         }
1414         mutex_unlock(&audit_filter_mutex);
1415 
1416         return err;
1417 }
1418 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us