Commit | Line | Data |
---|---|---|
fe7752ba DW |
1 | /* auditfilter.c -- filtering of audit events |
2 | * | |
3 | * Copyright 2003-2004 Red Hat, Inc. | |
4 | * Copyright 2005 Hewlett-Packard Development Company, L.P. | |
5 | * Copyright 2005 IBM Corporation | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * along with this program; if not, write to the Free Software | |
19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
20 | */ | |
21 | ||
22 | #include <linux/kernel.h> | |
23 | #include <linux/audit.h> | |
24 | #include <linux/kthread.h> | |
25 | #include <linux/netlink.h> | |
26 | #include "audit.h" | |
27 | ||
28 | /* There are three lists of rules -- one to search at task creation | |
29 | * time, one to search at syscall entry time, and another to search at | |
30 | * syscall exit time. */ | |
31 | struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { | |
32 | LIST_HEAD_INIT(audit_filter_list[0]), | |
33 | LIST_HEAD_INIT(audit_filter_list[1]), | |
34 | LIST_HEAD_INIT(audit_filter_list[2]), | |
35 | LIST_HEAD_INIT(audit_filter_list[3]), | |
36 | LIST_HEAD_INIT(audit_filter_list[4]), | |
37 | LIST_HEAD_INIT(audit_filter_list[5]), | |
38 | #if AUDIT_NR_FILTERS != 6 | |
39 | #error Fix audit_filter_list initialiser | |
40 | #endif | |
41 | }; | |
42 | ||
43 | /* Copy rule from user-space to kernel-space. Called from | |
44 | * audit_add_rule during AUDIT_ADD. */ | |
45 | static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) | |
46 | { | |
47 | int i; | |
48 | ||
49 | if (s->action != AUDIT_NEVER | |
50 | && s->action != AUDIT_POSSIBLE | |
51 | && s->action != AUDIT_ALWAYS) | |
52 | return -1; | |
53 | if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) | |
54 | return -1; | |
55 | if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS) | |
56 | return -1; | |
57 | ||
58 | d->flags = s->flags; | |
59 | d->action = s->action; | |
60 | d->field_count = s->field_count; | |
61 | for (i = 0; i < d->field_count; i++) { | |
62 | d->fields[i] = s->fields[i]; | |
63 | d->values[i] = s->values[i]; | |
64 | } | |
65 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; | |
66 | return 0; | |
67 | } | |
68 | ||
69 | /* Check to see if two rules are identical. It is called from | |
70 | * audit_add_rule during AUDIT_ADD and | |
71 | * audit_del_rule during AUDIT_DEL. */ | |
72 | static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) | |
73 | { | |
74 | int i; | |
75 | ||
76 | if (a->flags != b->flags) | |
77 | return 1; | |
78 | ||
79 | if (a->action != b->action) | |
80 | return 1; | |
81 | ||
82 | if (a->field_count != b->field_count) | |
83 | return 1; | |
84 | ||
85 | for (i = 0; i < a->field_count; i++) { | |
86 | if (a->fields[i] != b->fields[i] | |
87 | || a->values[i] != b->values[i]) | |
88 | return 1; | |
89 | } | |
90 | ||
91 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | |
92 | if (a->mask[i] != b->mask[i]) | |
93 | return 1; | |
94 | ||
95 | return 0; | |
96 | } | |
97 | ||
98 | /* Note that audit_add_rule and audit_del_rule are called via | |
99 | * audit_receive() in audit.c, and are protected by | |
100 | * audit_netlink_sem. */ | |
101 | static inline int audit_add_rule(struct audit_rule *rule, | |
102 | struct list_head *list) | |
103 | { | |
104 | struct audit_entry *entry; | |
105 | int i; | |
106 | ||
107 | /* Do not use the _rcu iterator here, since this is the only | |
108 | * addition routine. */ | |
109 | list_for_each_entry(entry, list, list) { | |
110 | if (!audit_compare_rule(rule, &entry->rule)) { | |
111 | return -EEXIST; | |
112 | } | |
113 | } | |
114 | ||
115 | for (i = 0; i < rule->field_count; i++) { | |
116 | if (rule->fields[i] & AUDIT_UNUSED_BITS) | |
117 | return -EINVAL; | |
118 | if ( rule->fields[i] & AUDIT_NEGATE ) | |
119 | rule->fields[i] |= AUDIT_NOT_EQUAL; | |
120 | else if ( (rule->fields[i] & AUDIT_OPERATORS) == 0 ) | |
121 | rule->fields[i] |= AUDIT_EQUAL; | |
122 | rule->fields[i] &= (~AUDIT_NEGATE); | |
123 | } | |
124 | ||
125 | if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) | |
126 | return -ENOMEM; | |
127 | if (audit_copy_rule(&entry->rule, rule)) { | |
128 | kfree(entry); | |
129 | return -EINVAL; | |
130 | } | |
131 | ||
132 | if (entry->rule.flags & AUDIT_FILTER_PREPEND) { | |
133 | entry->rule.flags &= ~AUDIT_FILTER_PREPEND; | |
134 | list_add_rcu(&entry->list, list); | |
135 | } else { | |
136 | list_add_tail_rcu(&entry->list, list); | |
137 | } | |
138 | ||
139 | return 0; | |
140 | } | |
141 | ||
142 | static inline void audit_free_rule(struct rcu_head *head) | |
143 | { | |
144 | struct audit_entry *e = container_of(head, struct audit_entry, rcu); | |
145 | kfree(e); | |
146 | } | |
147 | ||
148 | /* Note that audit_add_rule and audit_del_rule are called via | |
149 | * audit_receive() in audit.c, and are protected by | |
150 | * audit_netlink_sem. */ | |
151 | static inline int audit_del_rule(struct audit_rule *rule, | |
152 | struct list_head *list) | |
153 | { | |
154 | struct audit_entry *e; | |
155 | ||
156 | /* Do not use the _rcu iterator here, since this is the only | |
157 | * deletion routine. */ | |
158 | list_for_each_entry(e, list, list) { | |
159 | if (!audit_compare_rule(rule, &e->rule)) { | |
160 | list_del_rcu(&e->list); | |
161 | call_rcu(&e->rcu, audit_free_rule); | |
162 | return 0; | |
163 | } | |
164 | } | |
165 | return -ENOENT; /* No matching rule */ | |
166 | } | |
167 | ||
168 | static int audit_list_rules(void *_dest) | |
169 | { | |
170 | int pid, seq; | |
171 | int *dest = _dest; | |
172 | struct audit_entry *entry; | |
173 | int i; | |
174 | ||
175 | pid = dest[0]; | |
176 | seq = dest[1]; | |
177 | kfree(dest); | |
178 | ||
179 | down(&audit_netlink_sem); | |
180 | ||
181 | /* The *_rcu iterators not needed here because we are | |
182 | always called with audit_netlink_sem held. */ | |
183 | for (i=0; i<AUDIT_NR_FILTERS; i++) { | |
184 | list_for_each_entry(entry, &audit_filter_list[i], list) | |
185 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, | |
186 | &entry->rule, sizeof(entry->rule)); | |
187 | } | |
188 | audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); | |
189 | ||
190 | up(&audit_netlink_sem); | |
191 | return 0; | |
192 | } | |
193 | ||
194 | /** | |
195 | * audit_receive_filter - apply all rules to the specified message type | |
196 | * @type: audit message type | |
197 | * @pid: target pid for netlink audit messages | |
198 | * @uid: target uid for netlink audit messages | |
199 | * @seq: netlink audit message sequence (serial) number | |
200 | * @data: payload data | |
201 | * @loginuid: loginuid of sender | |
202 | */ | |
203 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | |
204 | uid_t loginuid) | |
205 | { | |
206 | struct task_struct *tsk; | |
207 | int *dest; | |
208 | int err = 0; | |
209 | unsigned listnr; | |
210 | ||
211 | switch (type) { | |
212 | case AUDIT_LIST: | |
213 | /* We can't just spew out the rules here because we might fill | |
214 | * the available socket buffer space and deadlock waiting for | |
215 | * auditctl to read from it... which isn't ever going to | |
216 | * happen if we're actually running in the context of auditctl | |
217 | * trying to _send_ the stuff */ | |
218 | ||
219 | dest = kmalloc(2 * sizeof(int), GFP_KERNEL); | |
220 | if (!dest) | |
221 | return -ENOMEM; | |
222 | dest[0] = pid; | |
223 | dest[1] = seq; | |
224 | ||
225 | tsk = kthread_run(audit_list_rules, dest, "audit_list_rules"); | |
226 | if (IS_ERR(tsk)) { | |
227 | kfree(dest); | |
228 | err = PTR_ERR(tsk); | |
229 | } | |
230 | break; | |
231 | case AUDIT_ADD: | |
232 | listnr = ((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; | |
233 | switch(listnr) { | |
234 | default: | |
235 | return -EINVAL; | |
236 | ||
237 | case AUDIT_FILTER_USER: | |
238 | case AUDIT_FILTER_TYPE: | |
239 | #ifdef CONFIG_AUDITSYSCALL | |
240 | case AUDIT_FILTER_ENTRY: | |
241 | case AUDIT_FILTER_EXIT: | |
242 | case AUDIT_FILTER_TASK: | |
243 | #endif | |
244 | ; | |
245 | } | |
246 | err = audit_add_rule(data, &audit_filter_list[listnr]); | |
247 | if (!err) | |
248 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
249 | "auid=%u added an audit rule\n", loginuid); | |
250 | break; | |
251 | case AUDIT_DEL: | |
252 | listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; | |
253 | if (listnr >= AUDIT_NR_FILTERS) | |
254 | return -EINVAL; | |
255 | ||
256 | err = audit_del_rule(data, &audit_filter_list[listnr]); | |
257 | if (!err) | |
258 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | |
259 | "auid=%u removed an audit rule\n", loginuid); | |
260 | break; | |
261 | default: | |
262 | return -EINVAL; | |
263 | } | |
264 | ||
265 | return err; | |
266 | } | |
267 | ||
268 | int audit_comparator(const u32 left, const u32 op, const u32 right) | |
269 | { | |
270 | switch (op) { | |
271 | case AUDIT_EQUAL: | |
272 | return (left == right); | |
273 | case AUDIT_NOT_EQUAL: | |
274 | return (left != right); | |
275 | case AUDIT_LESS_THAN: | |
276 | return (left < right); | |
277 | case AUDIT_LESS_THAN_OR_EQUAL: | |
278 | return (left <= right); | |
279 | case AUDIT_GREATER_THAN: | |
280 | return (left > right); | |
281 | case AUDIT_GREATER_THAN_OR_EQUAL: | |
282 | return (left >= right); | |
283 | default: | |
284 | return -EINVAL; | |
285 | } | |
286 | } | |
287 | ||
288 | ||
289 | ||
290 | static int audit_filter_user_rules(struct netlink_skb_parms *cb, | |
291 | struct audit_rule *rule, | |
292 | enum audit_state *state) | |
293 | { | |
294 | int i; | |
295 | ||
296 | for (i = 0; i < rule->field_count; i++) { | |
297 | u32 field = rule->fields[i] & ~AUDIT_OPERATORS; | |
298 | u32 op = rule->fields[i] & AUDIT_OPERATORS; | |
299 | u32 value = rule->values[i]; | |
300 | int result = 0; | |
301 | ||
302 | switch (field) { | |
303 | case AUDIT_PID: | |
304 | result = audit_comparator(cb->creds.pid, op, value); | |
305 | break; | |
306 | case AUDIT_UID: | |
307 | result = audit_comparator(cb->creds.uid, op, value); | |
308 | break; | |
309 | case AUDIT_GID: | |
310 | result = audit_comparator(cb->creds.gid, op, value); | |
311 | break; | |
312 | case AUDIT_LOGINUID: | |
313 | result = audit_comparator(cb->loginuid, op, value); | |
314 | break; | |
315 | } | |
316 | ||
317 | if (!result) | |
318 | return 0; | |
319 | } | |
320 | switch (rule->action) { | |
321 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; | |
322 | case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; | |
323 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; | |
324 | } | |
325 | return 1; | |
326 | } | |
327 | ||
328 | int audit_filter_user(struct netlink_skb_parms *cb, int type) | |
329 | { | |
330 | struct audit_entry *e; | |
331 | enum audit_state state; | |
332 | int ret = 1; | |
333 | ||
334 | rcu_read_lock(); | |
335 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { | |
336 | if (audit_filter_user_rules(cb, &e->rule, &state)) { | |
337 | if (state == AUDIT_DISABLED) | |
338 | ret = 0; | |
339 | break; | |
340 | } | |
341 | } | |
342 | rcu_read_unlock(); | |
343 | ||
344 | return ret; /* Audit by default */ | |
345 | } | |
346 | ||
347 | int audit_filter_type(int type) | |
348 | { | |
349 | struct audit_entry *e; | |
350 | int result = 0; | |
351 | ||
352 | rcu_read_lock(); | |
353 | if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) | |
354 | goto unlock_and_return; | |
355 | ||
356 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], | |
357 | list) { | |
358 | struct audit_rule *rule = &e->rule; | |
359 | int i; | |
360 | for (i = 0; i < rule->field_count; i++) { | |
361 | u32 field = rule->fields[i] & ~AUDIT_OPERATORS; | |
362 | u32 op = rule->fields[i] & AUDIT_OPERATORS; | |
363 | u32 value = rule->values[i]; | |
364 | if ( field == AUDIT_MSGTYPE ) { | |
365 | result = audit_comparator(type, op, value); | |
366 | if (!result) | |
367 | break; | |
368 | } | |
369 | } | |
370 | if (result) | |
371 | goto unlock_and_return; | |
372 | } | |
373 | unlock_and_return: | |
374 | rcu_read_unlock(); | |
375 | return result; | |
376 | } | |
377 | ||
378 |