Back to home page

LXR

 
 

    


0001 /* auditfilter.c -- filtering of audit events
0002  *
0003  * Copyright 2003-2004 Red Hat, Inc.
0004  * Copyright 2005 Hewlett-Packard Development Company, L.P.
0005  * Copyright 2005 IBM Corporation
0006  *
0007  * This program is free software; you can redistribute it and/or modify
0008  * it under the terms of the GNU General Public License as published by
0009  * the Free Software Foundation; either version 2 of the License, or
0010  * (at your option) any later version.
0011  *
0012  * This program is distributed in the hope that it will be useful,
0013  * but WITHOUT ANY WARRANTY; without even the implied warranty of
0014  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
0015  * GNU General Public License for more details.
0016  *
0017  * You should have received a copy of the GNU General Public License
0018  * along with this program; if not, write to the Free Software
0019  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
0020  */
0021 
0022 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0023 
0024 #include <linux/kernel.h>
0025 #include <linux/audit.h>
0026 #include <linux/kthread.h>
0027 #include <linux/mutex.h>
0028 #include <linux/fs.h>
0029 #include <linux/namei.h>
0030 #include <linux/netlink.h>
0031 #include <linux/sched.h>
0032 #include <linux/slab.h>
0033 #include <linux/security.h>
0034 #include <net/net_namespace.h>
0035 #include <net/sock.h>
0036 #include "audit.h"
0037 
0038 /*
0039  * Locking model:
0040  *
0041  * audit_filter_mutex:
0042  *      Synchronizes writes and blocking reads of audit's filterlist
0043  *      data.  Rcu is used to traverse the filterlist and access
0044  *      contents of structs audit_entry, audit_watch and opaque
0045  *      LSM rules during filtering.  If modified, these structures
0046  *      must be copied and replace their counterparts in the filterlist.
0047  *      An audit_parent struct is not accessed during filtering, so may
0048  *      be written directly provided audit_filter_mutex is held.
0049  */
0050 
0051 /* Audit filter lists, defined in <linux/audit.h> */
0052 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
0053     LIST_HEAD_INIT(audit_filter_list[0]),
0054     LIST_HEAD_INIT(audit_filter_list[1]),
0055     LIST_HEAD_INIT(audit_filter_list[2]),
0056     LIST_HEAD_INIT(audit_filter_list[3]),
0057     LIST_HEAD_INIT(audit_filter_list[4]),
0058     LIST_HEAD_INIT(audit_filter_list[5]),
0059 #if AUDIT_NR_FILTERS != 6
0060 #error Fix audit_filter_list initialiser
0061 #endif
0062 };
0063 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
0064     LIST_HEAD_INIT(audit_rules_list[0]),
0065     LIST_HEAD_INIT(audit_rules_list[1]),
0066     LIST_HEAD_INIT(audit_rules_list[2]),
0067     LIST_HEAD_INIT(audit_rules_list[3]),
0068     LIST_HEAD_INIT(audit_rules_list[4]),
0069     LIST_HEAD_INIT(audit_rules_list[5]),
0070 };
0071 
0072 DEFINE_MUTEX(audit_filter_mutex);
0073 
0074 static void audit_free_lsm_field(struct audit_field *f)
0075 {
0076     switch (f->type) {
0077     case AUDIT_SUBJ_USER:
0078     case AUDIT_SUBJ_ROLE:
0079     case AUDIT_SUBJ_TYPE:
0080     case AUDIT_SUBJ_SEN:
0081     case AUDIT_SUBJ_CLR:
0082     case AUDIT_OBJ_USER:
0083     case AUDIT_OBJ_ROLE:
0084     case AUDIT_OBJ_TYPE:
0085     case AUDIT_OBJ_LEV_LOW:
0086     case AUDIT_OBJ_LEV_HIGH:
0087         kfree(f->lsm_str);
0088         security_audit_rule_free(f->lsm_rule);
0089     }
0090 }
0091 
0092 static inline void audit_free_rule(struct audit_entry *e)
0093 {
0094     int i;
0095     struct audit_krule *erule = &e->rule;
0096 
0097     /* some rules don't have associated watches */
0098     if (erule->watch)
0099         audit_put_watch(erule->watch);
0100     if (erule->fields)
0101         for (i = 0; i < erule->field_count; i++)
0102             audit_free_lsm_field(&erule->fields[i]);
0103     kfree(erule->fields);
0104     kfree(erule->filterkey);
0105     kfree(e);
0106 }
0107 
0108 void audit_free_rule_rcu(struct rcu_head *head)
0109 {
0110     struct audit_entry *e = container_of(head, struct audit_entry, rcu);
0111     audit_free_rule(e);
0112 }
0113 
0114 /* Initialize an audit filterlist entry. */
0115 static inline struct audit_entry *audit_init_entry(u32 field_count)
0116 {
0117     struct audit_entry *entry;
0118     struct audit_field *fields;
0119 
0120     entry = kzalloc(sizeof(*entry), GFP_KERNEL);
0121     if (unlikely(!entry))
0122         return NULL;
0123 
0124     fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
0125     if (unlikely(!fields)) {
0126         kfree(entry);
0127         return NULL;
0128     }
0129     entry->rule.fields = fields;
0130 
0131     return entry;
0132 }
0133 
0134 /* Unpack a filter field's string representation from user-space
0135  * buffer. */
0136 char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
0137 {
0138     char *str;
0139 
0140     if (!*bufp || (len == 0) || (len > *remain))
0141         return ERR_PTR(-EINVAL);
0142 
0143     /* Of the currently implemented string fields, PATH_MAX
0144      * defines the longest valid length.
0145      */
0146     if (len > PATH_MAX)
0147         return ERR_PTR(-ENAMETOOLONG);
0148 
0149     str = kmalloc(len + 1, GFP_KERNEL);
0150     if (unlikely(!str))
0151         return ERR_PTR(-ENOMEM);
0152 
0153     memcpy(str, *bufp, len);
0154     str[len] = 0;
0155     *bufp += len;
0156     *remain -= len;
0157 
0158     return str;
0159 }
0160 
0161 /* Translate an inode field to kernel representation. */
0162 static inline int audit_to_inode(struct audit_krule *krule,
0163                  struct audit_field *f)
0164 {
0165     if (krule->listnr != AUDIT_FILTER_EXIT ||
0166         krule->inode_f || krule->watch || krule->tree ||
0167         (f->op != Audit_equal && f->op != Audit_not_equal))
0168         return -EINVAL;
0169 
0170     krule->inode_f = f;
0171     return 0;
0172 }
0173 
0174 static __u32 *classes[AUDIT_SYSCALL_CLASSES];
0175 
0176 int __init audit_register_class(int class, unsigned *list)
0177 {
0178     __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
0179     if (!p)
0180         return -ENOMEM;
0181     while (*list != ~0U) {
0182         unsigned n = *list++;
0183         if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
0184             kfree(p);
0185             return -EINVAL;
0186         }
0187         p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
0188     }
0189     if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
0190         kfree(p);
0191         return -EINVAL;
0192     }
0193     classes[class] = p;
0194     return 0;
0195 }
0196 
0197 int audit_match_class(int class, unsigned syscall)
0198 {
0199     if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
0200         return 0;
0201     if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
0202         return 0;
0203     return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
0204 }
0205 
0206 #ifdef CONFIG_AUDITSYSCALL
0207 static inline int audit_match_class_bits(int class, u32 *mask)
0208 {
0209     int i;
0210 
0211     if (classes[class]) {
0212         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0213             if (mask[i] & classes[class][i])
0214                 return 0;
0215     }
0216     return 1;
0217 }
0218 
0219 static int audit_match_signal(struct audit_entry *entry)
0220 {
0221     struct audit_field *arch = entry->rule.arch_f;
0222 
0223     if (!arch) {
0224         /* When arch is unspecified, we must check both masks on biarch
0225          * as syscall number alone is ambiguous. */
0226         return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
0227                            entry->rule.mask) &&
0228             audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
0229                            entry->rule.mask));
0230     }
0231 
0232     switch(audit_classify_arch(arch->val)) {
0233     case 0: /* native */
0234         return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
0235                            entry->rule.mask));
0236     case 1: /* 32bit on biarch */
0237         return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
0238                            entry->rule.mask));
0239     default:
0240         return 1;
0241     }
0242 }
0243 #endif
0244 
0245 /* Common user-space to kernel rule translation. */
0246 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
0247 {
0248     unsigned listnr;
0249     struct audit_entry *entry;
0250     int i, err;
0251 
0252     err = -EINVAL;
0253     listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
0254     switch(listnr) {
0255     default:
0256         goto exit_err;
0257 #ifdef CONFIG_AUDITSYSCALL
0258     case AUDIT_FILTER_ENTRY:
0259         if (rule->action == AUDIT_ALWAYS)
0260             goto exit_err;
0261     case AUDIT_FILTER_EXIT:
0262     case AUDIT_FILTER_TASK:
0263 #endif
0264     case AUDIT_FILTER_USER:
0265     case AUDIT_FILTER_TYPE:
0266         ;
0267     }
0268     if (unlikely(rule->action == AUDIT_POSSIBLE)) {
0269         pr_err("AUDIT_POSSIBLE is deprecated\n");
0270         goto exit_err;
0271     }
0272     if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
0273         goto exit_err;
0274     if (rule->field_count > AUDIT_MAX_FIELDS)
0275         goto exit_err;
0276 
0277     err = -ENOMEM;
0278     entry = audit_init_entry(rule->field_count);
0279     if (!entry)
0280         goto exit_err;
0281 
0282     entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
0283     entry->rule.listnr = listnr;
0284     entry->rule.action = rule->action;
0285     entry->rule.field_count = rule->field_count;
0286 
0287     for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0288         entry->rule.mask[i] = rule->mask[i];
0289 
0290     for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
0291         int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
0292         __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
0293         __u32 *class;
0294 
0295         if (!(*p & AUDIT_BIT(bit)))
0296             continue;
0297         *p &= ~AUDIT_BIT(bit);
0298         class = classes[i];
0299         if (class) {
0300             int j;
0301             for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
0302                 entry->rule.mask[j] |= class[j];
0303         }
0304     }
0305 
0306     return entry;
0307 
0308 exit_err:
0309     return ERR_PTR(err);
0310 }
0311 
0312 static u32 audit_ops[] =
0313 {
0314     [Audit_equal] = AUDIT_EQUAL,
0315     [Audit_not_equal] = AUDIT_NOT_EQUAL,
0316     [Audit_bitmask] = AUDIT_BIT_MASK,
0317     [Audit_bittest] = AUDIT_BIT_TEST,
0318     [Audit_lt] = AUDIT_LESS_THAN,
0319     [Audit_gt] = AUDIT_GREATER_THAN,
0320     [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
0321     [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
0322 };
0323 
0324 static u32 audit_to_op(u32 op)
0325 {
0326     u32 n;
0327     for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
0328         ;
0329     return n;
0330 }
0331 
0332 /* check if an audit field is valid */
0333 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
0334 {
0335     switch(f->type) {
0336     case AUDIT_MSGTYPE:
0337         if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
0338             entry->rule.listnr != AUDIT_FILTER_USER)
0339             return -EINVAL;
0340         break;
0341     };
0342 
0343     switch(f->type) {
0344     default:
0345         return -EINVAL;
0346     case AUDIT_UID:
0347     case AUDIT_EUID:
0348     case AUDIT_SUID:
0349     case AUDIT_FSUID:
0350     case AUDIT_LOGINUID:
0351     case AUDIT_OBJ_UID:
0352     case AUDIT_GID:
0353     case AUDIT_EGID:
0354     case AUDIT_SGID:
0355     case AUDIT_FSGID:
0356     case AUDIT_OBJ_GID:
0357     case AUDIT_PID:
0358     case AUDIT_PERS:
0359     case AUDIT_MSGTYPE:
0360     case AUDIT_PPID:
0361     case AUDIT_DEVMAJOR:
0362     case AUDIT_DEVMINOR:
0363     case AUDIT_EXIT:
0364     case AUDIT_SUCCESS:
0365     case AUDIT_INODE:
0366     case AUDIT_SESSIONID:
0367         /* bit ops are only useful on syscall args */
0368         if (f->op == Audit_bitmask || f->op == Audit_bittest)
0369             return -EINVAL;
0370         break;
0371     case AUDIT_ARG0:
0372     case AUDIT_ARG1:
0373     case AUDIT_ARG2:
0374     case AUDIT_ARG3:
0375     case AUDIT_SUBJ_USER:
0376     case AUDIT_SUBJ_ROLE:
0377     case AUDIT_SUBJ_TYPE:
0378     case AUDIT_SUBJ_SEN:
0379     case AUDIT_SUBJ_CLR:
0380     case AUDIT_OBJ_USER:
0381     case AUDIT_OBJ_ROLE:
0382     case AUDIT_OBJ_TYPE:
0383     case AUDIT_OBJ_LEV_LOW:
0384     case AUDIT_OBJ_LEV_HIGH:
0385     case AUDIT_WATCH:
0386     case AUDIT_DIR:
0387     case AUDIT_FILTERKEY:
0388         break;
0389     case AUDIT_LOGINUID_SET:
0390         if ((f->val != 0) && (f->val != 1))
0391             return -EINVAL;
0392     /* FALL THROUGH */
0393     case AUDIT_ARCH:
0394         if (f->op != Audit_not_equal && f->op != Audit_equal)
0395             return -EINVAL;
0396         break;
0397     case AUDIT_PERM:
0398         if (f->val & ~15)
0399             return -EINVAL;
0400         break;
0401     case AUDIT_FILETYPE:
0402         if (f->val & ~S_IFMT)
0403             return -EINVAL;
0404         break;
0405     case AUDIT_FIELD_COMPARE:
0406         if (f->val > AUDIT_MAX_FIELD_COMPARE)
0407             return -EINVAL;
0408         break;
0409     case AUDIT_EXE:
0410         if (f->op != Audit_equal)
0411             return -EINVAL;
0412         if (entry->rule.listnr != AUDIT_FILTER_EXIT)
0413             return -EINVAL;
0414         break;
0415     };
0416     return 0;
0417 }
0418 
0419 /* Translate struct audit_rule_data to kernel's rule representation. */
0420 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
0421                            size_t datasz)
0422 {
0423     int err = 0;
0424     struct audit_entry *entry;
0425     void *bufp;
0426     size_t remain = datasz - sizeof(struct audit_rule_data);
0427     int i;
0428     char *str;
0429     struct audit_fsnotify_mark *audit_mark;
0430 
0431     entry = audit_to_entry_common(data);
0432     if (IS_ERR(entry))
0433         goto exit_nofree;
0434 
0435     bufp = data->buf;
0436     for (i = 0; i < data->field_count; i++) {
0437         struct audit_field *f = &entry->rule.fields[i];
0438 
0439         err = -EINVAL;
0440 
0441         f->op = audit_to_op(data->fieldflags[i]);
0442         if (f->op == Audit_bad)
0443             goto exit_free;
0444 
0445         f->type = data->fields[i];
0446         f->val = data->values[i];
0447 
0448         /* Support legacy tests for a valid loginuid */
0449         if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
0450             f->type = AUDIT_LOGINUID_SET;
0451             f->val = 0;
0452             entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
0453         }
0454 
0455         err = audit_field_valid(entry, f);
0456         if (err)
0457             goto exit_free;
0458 
0459         err = -EINVAL;
0460         switch (f->type) {
0461         case AUDIT_LOGINUID:
0462         case AUDIT_UID:
0463         case AUDIT_EUID:
0464         case AUDIT_SUID:
0465         case AUDIT_FSUID:
0466         case AUDIT_OBJ_UID:
0467             f->uid = make_kuid(current_user_ns(), f->val);
0468             if (!uid_valid(f->uid))
0469                 goto exit_free;
0470             break;
0471         case AUDIT_GID:
0472         case AUDIT_EGID:
0473         case AUDIT_SGID:
0474         case AUDIT_FSGID:
0475         case AUDIT_OBJ_GID:
0476             f->gid = make_kgid(current_user_ns(), f->val);
0477             if (!gid_valid(f->gid))
0478                 goto exit_free;
0479             break;
0480         case AUDIT_SESSIONID:
0481         case AUDIT_ARCH:
0482             entry->rule.arch_f = f;
0483             break;
0484         case AUDIT_SUBJ_USER:
0485         case AUDIT_SUBJ_ROLE:
0486         case AUDIT_SUBJ_TYPE:
0487         case AUDIT_SUBJ_SEN:
0488         case AUDIT_SUBJ_CLR:
0489         case AUDIT_OBJ_USER:
0490         case AUDIT_OBJ_ROLE:
0491         case AUDIT_OBJ_TYPE:
0492         case AUDIT_OBJ_LEV_LOW:
0493         case AUDIT_OBJ_LEV_HIGH:
0494             str = audit_unpack_string(&bufp, &remain, f->val);
0495             if (IS_ERR(str))
0496                 goto exit_free;
0497             entry->rule.buflen += f->val;
0498 
0499             err = security_audit_rule_init(f->type, f->op, str,
0500                                (void **)&f->lsm_rule);
0501             /* Keep currently invalid fields around in case they
0502              * become valid after a policy reload. */
0503             if (err == -EINVAL) {
0504                 pr_warn("audit rule for LSM \'%s\' is invalid\n",
0505                     str);
0506                 err = 0;
0507             }
0508             if (err) {
0509                 kfree(str);
0510                 goto exit_free;
0511             } else
0512                 f->lsm_str = str;
0513             break;
0514         case AUDIT_WATCH:
0515             str = audit_unpack_string(&bufp, &remain, f->val);
0516             if (IS_ERR(str))
0517                 goto exit_free;
0518             entry->rule.buflen += f->val;
0519 
0520             err = audit_to_watch(&entry->rule, str, f->val, f->op);
0521             if (err) {
0522                 kfree(str);
0523                 goto exit_free;
0524             }
0525             break;
0526         case AUDIT_DIR:
0527             str = audit_unpack_string(&bufp, &remain, f->val);
0528             if (IS_ERR(str))
0529                 goto exit_free;
0530             entry->rule.buflen += f->val;
0531 
0532             err = audit_make_tree(&entry->rule, str, f->op);
0533             kfree(str);
0534             if (err)
0535                 goto exit_free;
0536             break;
0537         case AUDIT_INODE:
0538             err = audit_to_inode(&entry->rule, f);
0539             if (err)
0540                 goto exit_free;
0541             break;
0542         case AUDIT_FILTERKEY:
0543             if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
0544                 goto exit_free;
0545             str = audit_unpack_string(&bufp, &remain, f->val);
0546             if (IS_ERR(str))
0547                 goto exit_free;
0548             entry->rule.buflen += f->val;
0549             entry->rule.filterkey = str;
0550             break;
0551         case AUDIT_EXE:
0552             if (entry->rule.exe || f->val > PATH_MAX)
0553                 goto exit_free;
0554             str = audit_unpack_string(&bufp, &remain, f->val);
0555             if (IS_ERR(str)) {
0556                 err = PTR_ERR(str);
0557                 goto exit_free;
0558             }
0559             entry->rule.buflen += f->val;
0560 
0561             audit_mark = audit_alloc_mark(&entry->rule, str, f->val);
0562             if (IS_ERR(audit_mark)) {
0563                 kfree(str);
0564                 err = PTR_ERR(audit_mark);
0565                 goto exit_free;
0566             }
0567             entry->rule.exe = audit_mark;
0568             break;
0569         }
0570     }
0571 
0572     if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
0573         entry->rule.inode_f = NULL;
0574 
0575 exit_nofree:
0576     return entry;
0577 
0578 exit_free:
0579     if (entry->rule.tree)
0580         audit_put_tree(entry->rule.tree); /* that's the temporary one */
0581     if (entry->rule.exe)
0582         audit_remove_mark(entry->rule.exe); /* that's the template one */
0583     audit_free_rule(entry);
0584     return ERR_PTR(err);
0585 }
0586 
0587 /* Pack a filter field's string representation into data block. */
0588 static inline size_t audit_pack_string(void **bufp, const char *str)
0589 {
0590     size_t len = strlen(str);
0591 
0592     memcpy(*bufp, str, len);
0593     *bufp += len;
0594 
0595     return len;
0596 }
0597 
0598 /* Translate kernel rule representation to struct audit_rule_data. */
0599 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
0600 {
0601     struct audit_rule_data *data;
0602     void *bufp;
0603     int i;
0604 
0605     data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
0606     if (unlikely(!data))
0607         return NULL;
0608     memset(data, 0, sizeof(*data));
0609 
0610     data->flags = krule->flags | krule->listnr;
0611     data->action = krule->action;
0612     data->field_count = krule->field_count;
0613     bufp = data->buf;
0614     for (i = 0; i < data->field_count; i++) {
0615         struct audit_field *f = &krule->fields[i];
0616 
0617         data->fields[i] = f->type;
0618         data->fieldflags[i] = audit_ops[f->op];
0619         switch(f->type) {
0620         case AUDIT_SUBJ_USER:
0621         case AUDIT_SUBJ_ROLE:
0622         case AUDIT_SUBJ_TYPE:
0623         case AUDIT_SUBJ_SEN:
0624         case AUDIT_SUBJ_CLR:
0625         case AUDIT_OBJ_USER:
0626         case AUDIT_OBJ_ROLE:
0627         case AUDIT_OBJ_TYPE:
0628         case AUDIT_OBJ_LEV_LOW:
0629         case AUDIT_OBJ_LEV_HIGH:
0630             data->buflen += data->values[i] =
0631                 audit_pack_string(&bufp, f->lsm_str);
0632             break;
0633         case AUDIT_WATCH:
0634             data->buflen += data->values[i] =
0635                 audit_pack_string(&bufp,
0636                           audit_watch_path(krule->watch));
0637             break;
0638         case AUDIT_DIR:
0639             data->buflen += data->values[i] =
0640                 audit_pack_string(&bufp,
0641                           audit_tree_path(krule->tree));
0642             break;
0643         case AUDIT_FILTERKEY:
0644             data->buflen += data->values[i] =
0645                 audit_pack_string(&bufp, krule->filterkey);
0646             break;
0647         case AUDIT_EXE:
0648             data->buflen += data->values[i] =
0649                 audit_pack_string(&bufp, audit_mark_path(krule->exe));
0650             break;
0651         case AUDIT_LOGINUID_SET:
0652             if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
0653                 data->fields[i] = AUDIT_LOGINUID;
0654                 data->values[i] = AUDIT_UID_UNSET;
0655                 break;
0656             }
0657             /* fallthrough if set */
0658         default:
0659             data->values[i] = f->val;
0660         }
0661     }
0662     for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
0663 
0664     return data;
0665 }
0666 
0667 /* Compare two rules in kernel format.  Considered success if rules
0668  * don't match. */
0669 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
0670 {
0671     int i;
0672 
0673     if (a->flags != b->flags ||
0674         a->pflags != b->pflags ||
0675         a->listnr != b->listnr ||
0676         a->action != b->action ||
0677         a->field_count != b->field_count)
0678         return 1;
0679 
0680     for (i = 0; i < a->field_count; i++) {
0681         if (a->fields[i].type != b->fields[i].type ||
0682             a->fields[i].op != b->fields[i].op)
0683             return 1;
0684 
0685         switch(a->fields[i].type) {
0686         case AUDIT_SUBJ_USER:
0687         case AUDIT_SUBJ_ROLE:
0688         case AUDIT_SUBJ_TYPE:
0689         case AUDIT_SUBJ_SEN:
0690         case AUDIT_SUBJ_CLR:
0691         case AUDIT_OBJ_USER:
0692         case AUDIT_OBJ_ROLE:
0693         case AUDIT_OBJ_TYPE:
0694         case AUDIT_OBJ_LEV_LOW:
0695         case AUDIT_OBJ_LEV_HIGH:
0696             if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
0697                 return 1;
0698             break;
0699         case AUDIT_WATCH:
0700             if (strcmp(audit_watch_path(a->watch),
0701                    audit_watch_path(b->watch)))
0702                 return 1;
0703             break;
0704         case AUDIT_DIR:
0705             if (strcmp(audit_tree_path(a->tree),
0706                    audit_tree_path(b->tree)))
0707                 return 1;
0708             break;
0709         case AUDIT_FILTERKEY:
0710             /* both filterkeys exist based on above type compare */
0711             if (strcmp(a->filterkey, b->filterkey))
0712                 return 1;
0713             break;
0714         case AUDIT_EXE:
0715             /* both paths exist based on above type compare */
0716             if (strcmp(audit_mark_path(a->exe),
0717                    audit_mark_path(b->exe)))
0718                 return 1;
0719             break;
0720         case AUDIT_UID:
0721         case AUDIT_EUID:
0722         case AUDIT_SUID:
0723         case AUDIT_FSUID:
0724         case AUDIT_LOGINUID:
0725         case AUDIT_OBJ_UID:
0726             if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
0727                 return 1;
0728             break;
0729         case AUDIT_GID:
0730         case AUDIT_EGID:
0731         case AUDIT_SGID:
0732         case AUDIT_FSGID:
0733         case AUDIT_OBJ_GID:
0734             if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
0735                 return 1;
0736             break;
0737         default:
0738             if (a->fields[i].val != b->fields[i].val)
0739                 return 1;
0740         }
0741     }
0742 
0743     for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0744         if (a->mask[i] != b->mask[i])
0745             return 1;
0746 
0747     return 0;
0748 }
0749 
0750 /* Duplicate LSM field information.  The lsm_rule is opaque, so must be
0751  * re-initialized. */
0752 static inline int audit_dupe_lsm_field(struct audit_field *df,
0753                        struct audit_field *sf)
0754 {
0755     int ret = 0;
0756     char *lsm_str;
0757 
0758     /* our own copy of lsm_str */
0759     lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
0760     if (unlikely(!lsm_str))
0761         return -ENOMEM;
0762     df->lsm_str = lsm_str;
0763 
0764     /* our own (refreshed) copy of lsm_rule */
0765     ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
0766                        (void **)&df->lsm_rule);
0767     /* Keep currently invalid fields around in case they
0768      * become valid after a policy reload. */
0769     if (ret == -EINVAL) {
0770         pr_warn("audit rule for LSM \'%s\' is invalid\n",
0771             df->lsm_str);
0772         ret = 0;
0773     }
0774 
0775     return ret;
0776 }
0777 
0778 /* Duplicate an audit rule.  This will be a deep copy with the exception
0779  * of the watch - that pointer is carried over.  The LSM specific fields
0780  * will be updated in the copy.  The point is to be able to replace the old
0781  * rule with the new rule in the filterlist, then free the old rule.
0782  * The rlist element is undefined; list manipulations are handled apart from
0783  * the initial copy. */
0784 struct audit_entry *audit_dupe_rule(struct audit_krule *old)
0785 {
0786     u32 fcount = old->field_count;
0787     struct audit_entry *entry;
0788     struct audit_krule *new;
0789     char *fk;
0790     int i, err = 0;
0791 
0792     entry = audit_init_entry(fcount);
0793     if (unlikely(!entry))
0794         return ERR_PTR(-ENOMEM);
0795 
0796     new = &entry->rule;
0797     new->flags = old->flags;
0798     new->pflags = old->pflags;
0799     new->listnr = old->listnr;
0800     new->action = old->action;
0801     for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0802         new->mask[i] = old->mask[i];
0803     new->prio = old->prio;
0804     new->buflen = old->buflen;
0805     new->inode_f = old->inode_f;
0806     new->field_count = old->field_count;
0807 
0808     /*
0809      * note that we are OK with not refcounting here; audit_match_tree()
0810      * never dereferences tree and we can't get false positives there
0811      * since we'd have to have rule gone from the list *and* removed
0812      * before the chunks found by lookup had been allocated, i.e. before
0813      * the beginning of list scan.
0814      */
0815     new->tree = old->tree;
0816     memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
0817 
0818     /* deep copy this information, updating the lsm_rule fields, because
0819      * the originals will all be freed when the old rule is freed. */
0820     for (i = 0; i < fcount; i++) {
0821         switch (new->fields[i].type) {
0822         case AUDIT_SUBJ_USER:
0823         case AUDIT_SUBJ_ROLE:
0824         case AUDIT_SUBJ_TYPE:
0825         case AUDIT_SUBJ_SEN:
0826         case AUDIT_SUBJ_CLR:
0827         case AUDIT_OBJ_USER:
0828         case AUDIT_OBJ_ROLE:
0829         case AUDIT_OBJ_TYPE:
0830         case AUDIT_OBJ_LEV_LOW:
0831         case AUDIT_OBJ_LEV_HIGH:
0832             err = audit_dupe_lsm_field(&new->fields[i],
0833                                &old->fields[i]);
0834             break;
0835         case AUDIT_FILTERKEY:
0836             fk = kstrdup(old->filterkey, GFP_KERNEL);
0837             if (unlikely(!fk))
0838                 err = -ENOMEM;
0839             else
0840                 new->filterkey = fk;
0841             break;
0842         case AUDIT_EXE:
0843             err = audit_dupe_exe(new, old);
0844             break;
0845         }
0846         if (err) {
0847             if (new->exe)
0848                 audit_remove_mark(new->exe);
0849             audit_free_rule(entry);
0850             return ERR_PTR(err);
0851         }
0852     }
0853 
0854     if (old->watch) {
0855         audit_get_watch(old->watch);
0856         new->watch = old->watch;
0857     }
0858 
0859     return entry;
0860 }
0861 
0862 /* Find an existing audit rule.
0863  * Caller must hold audit_filter_mutex to prevent stale rule data. */
0864 static struct audit_entry *audit_find_rule(struct audit_entry *entry,
0865                        struct list_head **p)
0866 {
0867     struct audit_entry *e, *found = NULL;
0868     struct list_head *list;
0869     int h;
0870 
0871     if (entry->rule.inode_f) {
0872         h = audit_hash_ino(entry->rule.inode_f->val);
0873         *p = list = &audit_inode_hash[h];
0874     } else if (entry->rule.watch) {
0875         /* we don't know the inode number, so must walk entire hash */
0876         for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
0877             list = &audit_inode_hash[h];
0878             list_for_each_entry(e, list, list)
0879                 if (!audit_compare_rule(&entry->rule, &e->rule)) {
0880                     found = e;
0881                     goto out;
0882                 }
0883         }
0884         goto out;
0885     } else {
0886         *p = list = &audit_filter_list[entry->rule.listnr];
0887     }
0888 
0889     list_for_each_entry(e, list, list)
0890         if (!audit_compare_rule(&entry->rule, &e->rule)) {
0891             found = e;
0892             goto out;
0893         }
0894 
0895 out:
0896     return found;
0897 }
0898 
0899 static u64 prio_low = ~0ULL/2;
0900 static u64 prio_high = ~0ULL/2 - 1;
0901 
0902 /* Add rule to given filterlist if not a duplicate. */
0903 static inline int audit_add_rule(struct audit_entry *entry)
0904 {
0905     struct audit_entry *e;
0906     struct audit_watch *watch = entry->rule.watch;
0907     struct audit_tree *tree = entry->rule.tree;
0908     struct list_head *list;
0909     int err = 0;
0910 #ifdef CONFIG_AUDITSYSCALL
0911     int dont_count = 0;
0912 
0913     /* If either of these, don't count towards total */
0914     if (entry->rule.listnr == AUDIT_FILTER_USER ||
0915         entry->rule.listnr == AUDIT_FILTER_TYPE)
0916         dont_count = 1;
0917 #endif
0918 
0919     mutex_lock(&audit_filter_mutex);
0920     e = audit_find_rule(entry, &list);
0921     if (e) {
0922         mutex_unlock(&audit_filter_mutex);
0923         err = -EEXIST;
0924         /* normally audit_add_tree_rule() will free it on failure */
0925         if (tree)
0926             audit_put_tree(tree);
0927         return err;
0928     }
0929 
0930     if (watch) {
0931         /* audit_filter_mutex is dropped and re-taken during this call */
0932         err = audit_add_watch(&entry->rule, &list);
0933         if (err) {
0934             mutex_unlock(&audit_filter_mutex);
0935             /*
0936              * normally audit_add_tree_rule() will free it
0937              * on failure
0938              */
0939             if (tree)
0940                 audit_put_tree(tree);
0941             return err;
0942         }
0943     }
0944     if (tree) {
0945         err = audit_add_tree_rule(&entry->rule);
0946         if (err) {
0947             mutex_unlock(&audit_filter_mutex);
0948             return err;
0949         }
0950     }
0951 
0952     entry->rule.prio = ~0ULL;
0953     if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
0954         if (entry->rule.flags & AUDIT_FILTER_PREPEND)
0955             entry->rule.prio = ++prio_high;
0956         else
0957             entry->rule.prio = --prio_low;
0958     }
0959 
0960     if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
0961         list_add(&entry->rule.list,
0962              &audit_rules_list[entry->rule.listnr]);
0963         list_add_rcu(&entry->list, list);
0964         entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
0965     } else {
0966         list_add_tail(&entry->rule.list,
0967                   &audit_rules_list[entry->rule.listnr]);
0968         list_add_tail_rcu(&entry->list, list);
0969     }
0970 #ifdef CONFIG_AUDITSYSCALL
0971     if (!dont_count)
0972         audit_n_rules++;
0973 
0974     if (!audit_match_signal(entry))
0975         audit_signals++;
0976 #endif
0977     mutex_unlock(&audit_filter_mutex);
0978 
0979     return err;
0980 }
0981 
0982 /* Remove an existing rule from filterlist. */
0983 int audit_del_rule(struct audit_entry *entry)
0984 {
0985     struct audit_entry  *e;
0986     struct audit_tree *tree = entry->rule.tree;
0987     struct list_head *list;
0988     int ret = 0;
0989 #ifdef CONFIG_AUDITSYSCALL
0990     int dont_count = 0;
0991 
0992     /* If either of these, don't count towards total */
0993     if (entry->rule.listnr == AUDIT_FILTER_USER ||
0994         entry->rule.listnr == AUDIT_FILTER_TYPE)
0995         dont_count = 1;
0996 #endif
0997 
0998     mutex_lock(&audit_filter_mutex);
0999     e = audit_find_rule(entry, &list);
1000     if (!e) {
1001         ret = -ENOENT;
1002         goto out;
1003     }
1004 
1005     if (e->rule.watch)
1006         audit_remove_watch_rule(&e->rule);
1007 
1008     if (e->rule.tree)
1009         audit_remove_tree_rule(&e->rule);
1010 
1011     if (e->rule.exe)
1012         audit_remove_mark_rule(&e->rule);
1013 
1014 #ifdef CONFIG_AUDITSYSCALL
1015     if (!dont_count)
1016         audit_n_rules--;
1017 
1018     if (!audit_match_signal(entry))
1019         audit_signals--;
1020 #endif
1021 
1022     list_del_rcu(&e->list);
1023     list_del(&e->rule.list);
1024     call_rcu(&e->rcu, audit_free_rule_rcu);
1025 
1026 out:
1027     mutex_unlock(&audit_filter_mutex);
1028 
1029     if (tree)
1030         audit_put_tree(tree);   /* that's the temporary one */
1031 
1032     return ret;
1033 }
1034 
1035 /* List rules using struct audit_rule_data. */
1036 static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
1037 {
1038     struct sk_buff *skb;
1039     struct audit_krule *r;
1040     int i;
1041 
1042     /* This is a blocking read, so use audit_filter_mutex instead of rcu
1043      * iterator to sync with list writers. */
1044     for (i=0; i<AUDIT_NR_FILTERS; i++) {
1045         list_for_each_entry(r, &audit_rules_list[i], list) {
1046             struct audit_rule_data *data;
1047 
1048             data = audit_krule_to_data(r);
1049             if (unlikely(!data))
1050                 break;
1051             skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
1052                            0, 1, data,
1053                            sizeof(*data) + data->buflen);
1054             if (skb)
1055                 skb_queue_tail(q, skb);
1056             kfree(data);
1057         }
1058     }
1059     skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1060     if (skb)
1061         skb_queue_tail(q, skb);
1062 }
1063 
1064 /* Log rule additions and removals */
1065 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1066 {
1067     struct audit_buffer *ab;
1068     uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
1069     unsigned int sessionid = audit_get_sessionid(current);
1070 
1071     if (!audit_enabled)
1072         return;
1073 
1074     ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1075     if (!ab)
1076         return;
1077     audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
1078     audit_log_task_context(ab);
1079     audit_log_format(ab, " op=%s", action);
1080     audit_log_key(ab, rule->filterkey);
1081     audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1082     audit_log_end(ab);
1083 }
1084 
1085 /**
1086  * audit_rule_change - apply all rules to the specified message type
1087  * @type: audit message type
1088  * @portid: target port id for netlink audit messages
1089  * @seq: netlink audit message sequence (serial) number
1090  * @data: payload data
1091  * @datasz: size of payload data
1092  */
1093 int audit_rule_change(int type, __u32 portid, int seq, void *data,
1094             size_t datasz)
1095 {
1096     int err = 0;
1097     struct audit_entry *entry;
1098 
1099     entry = audit_data_to_entry(data, datasz);
1100     if (IS_ERR(entry))
1101         return PTR_ERR(entry);
1102 
1103     switch (type) {
1104     case AUDIT_ADD_RULE:
1105         err = audit_add_rule(entry);
1106         audit_log_rule_change("add_rule", &entry->rule, !err);
1107         break;
1108     case AUDIT_DEL_RULE:
1109         err = audit_del_rule(entry);
1110         audit_log_rule_change("remove_rule", &entry->rule, !err);
1111         break;
1112     default:
1113         err = -EINVAL;
1114         WARN_ON(1);
1115     }
1116 
1117     if (err || type == AUDIT_DEL_RULE) {
1118         if (entry->rule.exe)
1119             audit_remove_mark(entry->rule.exe);
1120         audit_free_rule(entry);
1121     }
1122 
1123     return err;
1124 }
1125 
1126 /**
1127  * audit_list_rules_send - list the audit rules
1128  * @request_skb: skb of request we are replying to (used to target the reply)
1129  * @seq: netlink audit message sequence (serial) number
1130  */
1131 int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1132 {
1133     u32 portid = NETLINK_CB(request_skb).portid;
1134     struct net *net = sock_net(NETLINK_CB(request_skb).sk);
1135     struct task_struct *tsk;
1136     struct audit_netlink_list *dest;
1137     int err = 0;
1138 
1139     /* We can't just spew out the rules here because we might fill
1140      * the available socket buffer space and deadlock waiting for
1141      * auditctl to read from it... which isn't ever going to
1142      * happen if we're actually running in the context of auditctl
1143      * trying to _send_ the stuff */
1144 
1145     dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1146     if (!dest)
1147         return -ENOMEM;
1148     dest->net = get_net(net);
1149     dest->portid = portid;
1150     skb_queue_head_init(&dest->q);
1151 
1152     mutex_lock(&audit_filter_mutex);
1153     audit_list_rules(portid, seq, &dest->q);
1154     mutex_unlock(&audit_filter_mutex);
1155 
1156     tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1157     if (IS_ERR(tsk)) {
1158         skb_queue_purge(&dest->q);
1159         kfree(dest);
1160         err = PTR_ERR(tsk);
1161     }
1162 
1163     return err;
1164 }
1165 
1166 int audit_comparator(u32 left, u32 op, u32 right)
1167 {
1168     switch (op) {
1169     case Audit_equal:
1170         return (left == right);
1171     case Audit_not_equal:
1172         return (left != right);
1173     case Audit_lt:
1174         return (left < right);
1175     case Audit_le:
1176         return (left <= right);
1177     case Audit_gt:
1178         return (left > right);
1179     case Audit_ge:
1180         return (left >= right);
1181     case Audit_bitmask:
1182         return (left & right);
1183     case Audit_bittest:
1184         return ((left & right) == right);
1185     default:
1186         BUG();
1187         return 0;
1188     }
1189 }
1190 
1191 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1192 {
1193     switch (op) {
1194     case Audit_equal:
1195         return uid_eq(left, right);
1196     case Audit_not_equal:
1197         return !uid_eq(left, right);
1198     case Audit_lt:
1199         return uid_lt(left, right);
1200     case Audit_le:
1201         return uid_lte(left, right);
1202     case Audit_gt:
1203         return uid_gt(left, right);
1204     case Audit_ge:
1205         return uid_gte(left, right);
1206     case Audit_bitmask:
1207     case Audit_bittest:
1208     default:
1209         BUG();
1210         return 0;
1211     }
1212 }
1213 
1214 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1215 {
1216     switch (op) {
1217     case Audit_equal:
1218         return gid_eq(left, right);
1219     case Audit_not_equal:
1220         return !gid_eq(left, right);
1221     case Audit_lt:
1222         return gid_lt(left, right);
1223     case Audit_le:
1224         return gid_lte(left, right);
1225     case Audit_gt:
1226         return gid_gt(left, right);
1227     case Audit_ge:
1228         return gid_gte(left, right);
1229     case Audit_bitmask:
1230     case Audit_bittest:
1231     default:
1232         BUG();
1233         return 0;
1234     }
1235 }
1236 
1237 /**
1238  * parent_len - find the length of the parent portion of a pathname
1239  * @path: pathname of which to determine length
1240  */
1241 int parent_len(const char *path)
1242 {
1243     int plen;
1244     const char *p;
1245 
1246     plen = strlen(path);
1247 
1248     if (plen == 0)
1249         return plen;
1250 
1251     /* disregard trailing slashes */
1252     p = path + plen - 1;
1253     while ((*p == '/') && (p > path))
1254         p--;
1255 
1256     /* walk backward until we find the next slash or hit beginning */
1257     while ((*p != '/') && (p > path))
1258         p--;
1259 
1260     /* did we find a slash? Then increment to include it in path */
1261     if (*p == '/')
1262         p++;
1263 
1264     return p - path;
1265 }
1266 
1267 /**
1268  * audit_compare_dname_path - compare given dentry name with last component in
1269  *                given path. Return of 0 indicates a match.
1270  * @dname:  dentry name that we're comparing
1271  * @path:   full pathname that we're comparing
1272  * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1273  *      here indicates that we must compute this value.
1274  */
1275 int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1276 {
1277     int dlen, pathlen;
1278     const char *p;
1279 
1280     dlen = strlen(dname);
1281     pathlen = strlen(path);
1282     if (pathlen < dlen)
1283         return 1;
1284 
1285     parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1286     if (pathlen - parentlen != dlen)
1287         return 1;
1288 
1289     p = path + parentlen;
1290 
1291     return strncmp(p, dname, dlen);
1292 }
1293 
1294 int audit_filter(int msgtype, unsigned int listtype)
1295 {
1296     struct audit_entry *e;
1297     int ret = 1; /* Audit by default */
1298 
1299     rcu_read_lock();
1300     if (list_empty(&audit_filter_list[listtype]))
1301         goto unlock_and_return;
1302     list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1303         int i, result = 0;
1304 
1305         for (i = 0; i < e->rule.field_count; i++) {
1306             struct audit_field *f = &e->rule.fields[i];
1307             pid_t pid;
1308             u32 sid;
1309 
1310             switch (f->type) {
1311             case AUDIT_PID:
1312                 pid = task_pid_nr(current);
1313                 result = audit_comparator(pid, f->op, f->val);
1314                 break;
1315             case AUDIT_UID:
1316                 result = audit_uid_comparator(current_uid(), f->op, f->uid);
1317                 break;
1318             case AUDIT_GID:
1319                 result = audit_gid_comparator(current_gid(), f->op, f->gid);
1320                 break;
1321             case AUDIT_LOGINUID:
1322                 result = audit_uid_comparator(audit_get_loginuid(current),
1323                                   f->op, f->uid);
1324                 break;
1325             case AUDIT_LOGINUID_SET:
1326                 result = audit_comparator(audit_loginuid_set(current),
1327                               f->op, f->val);
1328                 break;
1329             case AUDIT_MSGTYPE:
1330                 result = audit_comparator(msgtype, f->op, f->val);
1331                 break;
1332             case AUDIT_SUBJ_USER:
1333             case AUDIT_SUBJ_ROLE:
1334             case AUDIT_SUBJ_TYPE:
1335             case AUDIT_SUBJ_SEN:
1336             case AUDIT_SUBJ_CLR:
1337                 if (f->lsm_rule) {
1338                     security_task_getsecid(current, &sid);
1339                     result = security_audit_rule_match(sid,
1340                             f->type, f->op, f->lsm_rule, NULL);
1341                 }
1342                 break;
1343             default:
1344                 goto unlock_and_return;
1345             }
1346             if (result < 0) /* error */
1347                 goto unlock_and_return;
1348             if (!result)
1349                 break;
1350         }
1351         if (result > 0) {
1352             if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
1353                 ret = 0;
1354             break;
1355         }
1356     }
1357 unlock_and_return:
1358     rcu_read_unlock();
1359     return ret;
1360 }
1361 
1362 static int update_lsm_rule(struct audit_krule *r)
1363 {
1364     struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1365     struct audit_entry *nentry;
1366     int err = 0;
1367 
1368     if (!security_audit_rule_known(r))
1369         return 0;
1370 
1371     nentry = audit_dupe_rule(r);
1372     if (entry->rule.exe)
1373         audit_remove_mark(entry->rule.exe);
1374     if (IS_ERR(nentry)) {
1375         /* save the first error encountered for the
1376          * return value */
1377         err = PTR_ERR(nentry);
1378         audit_panic("error updating LSM filters");
1379         if (r->watch)
1380             list_del(&r->rlist);
1381         list_del_rcu(&entry->list);
1382         list_del(&r->list);
1383     } else {
1384         if (r->watch || r->tree)
1385             list_replace_init(&r->rlist, &nentry->rule.rlist);
1386         list_replace_rcu(&entry->list, &nentry->list);
1387         list_replace(&r->list, &nentry->rule.list);
1388     }
1389     call_rcu(&entry->rcu, audit_free_rule_rcu);
1390 
1391     return err;
1392 }
1393 
1394 /* This function will re-initialize the lsm_rule field of all applicable rules.
1395  * It will traverse the filter lists serarching for rules that contain LSM
1396  * specific filter fields.  When such a rule is found, it is copied, the
1397  * LSM field is re-initialized, and the old rule is replaced with the
1398  * updated rule. */
1399 int audit_update_lsm_rules(void)
1400 {
1401     struct audit_krule *r, *n;
1402     int i, err = 0;
1403 
1404     /* audit_filter_mutex synchronizes the writers */
1405     mutex_lock(&audit_filter_mutex);
1406 
1407     for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1408         list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1409             int res = update_lsm_rule(r);
1410             if (!err)
1411                 err = res;
1412         }
1413     }
1414     mutex_unlock(&audit_filter_mutex);
1415 
1416     return err;
1417 }