the-tree/kernel/audit_watch.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* audit_watch.c -- watching inodes
0003  *
0004  * Copyright 2003-2009 Red Hat, Inc.
0005  * Copyright 2005 Hewlett-Packard Development Company, L.P.
0006  * Copyright 2005 IBM Corporation
0007  */
0008
0009 #include <linux/file.h>
0010 #include <linux/kernel.h>
0011 #include <linux/audit.h>
0012 #include <linux/kthread.h>
0013 #include <linux/mutex.h>
0014 #include <linux/fs.h>
0015 #include <linux/fsnotify_backend.h>
0016 #include <linux/namei.h>
0017 #include <linux/netlink.h>
0018 #include <linux/refcount.h>
0019 #include <linux/sched.h>
0020 #include <linux/slab.h>
0021 #include <linux/security.h>
0022 #include "audit.h"
0023
0024 /*
0025  * Reference counting:
0026  *
0027  * audit_parent: lifetime is from audit_init_parent() to receipt of an FS_IGNORED
0028  *  event.  Each audit_watch holds a reference to its associated parent.
0029  *
0030  * audit_watch: if added to lists, lifetime is from audit_init_watch() to
0031  *  audit_remove_watch().  Additionally, an audit_watch may exist
0032  *  temporarily to assist in searching existing filter data.  Each
0033  *  audit_krule holds a reference to its associated watch.
0034  */
0035
0036 struct audit_watch {
0037     refcount_t      count;  /* reference count */
0038     dev_t           dev;    /* associated superblock device */
0039     char            *path;  /* insertion path */
0040     unsigned long       ino;    /* associated inode number */
0041     struct audit_parent *parent; /* associated parent */
0042     struct list_head    wlist;  /* entry in parent->watches list */
0043     struct list_head    rules;  /* anchor for krule->rlist */
0044 };
0045
0046 struct audit_parent {
0047     struct list_head    watches; /* anchor for audit_watch->wlist */
0048     struct fsnotify_mark mark; /* fsnotify mark on the inode */
0049 };
0050
0051 /* fsnotify handle. */
0052 static struct fsnotify_group *audit_watch_group;
0053
0054 /* fsnotify events we care about. */
0055 #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
0056             FS_MOVE_SELF | FS_UNMOUNT)
0057
0058 static void audit_free_parent(struct audit_parent *parent)
0059 {
0060     WARN_ON(!list_empty(&parent->watches));
0061     kfree(parent);
0062 }
0063
0064 static void audit_watch_free_mark(struct fsnotify_mark *entry)
0065 {
0066     struct audit_parent *parent;
0067
0068     parent = container_of(entry, struct audit_parent, mark);
0069     audit_free_parent(parent);
0070 }
0071
0072 static void audit_get_parent(struct audit_parent *parent)
0073 {
0074     if (likely(parent))
0075         fsnotify_get_mark(&parent->mark);
0076 }
0077
0078 static void audit_put_parent(struct audit_parent *parent)
0079 {
0080     if (likely(parent))
0081         fsnotify_put_mark(&parent->mark);
0082 }
0083
0084 /*
0085  * Find and return the audit_parent on the given inode.  If found a reference
0086  * is taken on this parent.
0087  */
0088 static inline struct audit_parent *audit_find_parent(struct inode *inode)
0089 {
0090     struct audit_parent *parent = NULL;
0091     struct fsnotify_mark *entry;
0092
0093     entry = fsnotify_find_mark(&inode->i_fsnotify_marks, audit_watch_group);
0094     if (entry)
0095         parent = container_of(entry, struct audit_parent, mark);
0096
0097     return parent;
0098 }
0099
0100 void audit_get_watch(struct audit_watch *watch)
0101 {
0102     refcount_inc(&watch->count);
0103 }
0104
0105 void audit_put_watch(struct audit_watch *watch)
0106 {
0107     if (refcount_dec_and_test(&watch->count)) {
0108         WARN_ON(watch->parent);
0109         WARN_ON(!list_empty(&watch->rules));
0110         kfree(watch->path);
0111         kfree(watch);
0112     }
0113 }
0114
0115 static void audit_remove_watch(struct audit_watch *watch)
0116 {
0117     list_del(&watch->wlist);
0118     audit_put_parent(watch->parent);
0119     watch->parent = NULL;
0120     audit_put_watch(watch); /* match initial get */
0121 }
0122
0123 char *audit_watch_path(struct audit_watch *watch)
0124 {
0125     return watch->path;
0126 }
0127
0128 int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev)
0129 {
0130     return (watch->ino != AUDIT_INO_UNSET) &&
0131         (watch->ino == ino) &&
0132         (watch->dev == dev);
0133 }
0134
0135 /* Initialize a parent watch entry. */
0136 static struct audit_parent *audit_init_parent(struct path *path)
0137 {
0138     struct inode *inode = d_backing_inode(path->dentry);
0139     struct audit_parent *parent;
0140     int ret;
0141
0142     parent = kzalloc(sizeof(*parent), GFP_KERNEL);
0143     if (unlikely(!parent))
0144         return ERR_PTR(-ENOMEM);
0145
0146     INIT_LIST_HEAD(&parent->watches);
0147
0148     fsnotify_init_mark(&parent->mark, audit_watch_group);
0149     parent->mark.mask = AUDIT_FS_WATCH;
0150     ret = fsnotify_add_inode_mark(&parent->mark, inode, 0);
0151     if (ret < 0) {
0152         audit_free_parent(parent);
0153         return ERR_PTR(ret);
0154     }
0155
0156     return parent;
0157 }
0158
0159 /* Initialize a watch entry. */
0160 static struct audit_watch *audit_init_watch(char *path)
0161 {
0162     struct audit_watch *watch;
0163
0164     watch = kzalloc(sizeof(*watch), GFP_KERNEL);
0165     if (unlikely(!watch))
0166         return ERR_PTR(-ENOMEM);
0167
0168     INIT_LIST_HEAD(&watch->rules);
0169     refcount_set(&watch->count, 1);
0170     watch->path = path;
0171     watch->dev = AUDIT_DEV_UNSET;
0172     watch->ino = AUDIT_INO_UNSET;
0173
0174     return watch;
0175 }
0176
0177 /* Translate a watch string to kernel representation. */
0178 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
0179 {
0180     struct audit_watch *watch;
0181
0182     if (!audit_watch_group)
0183         return -EOPNOTSUPP;
0184
0185     if (path[0] != '/' || path[len-1] == '/' ||
0186         (krule->listnr != AUDIT_FILTER_EXIT &&
0187          krule->listnr != AUDIT_FILTER_URING_EXIT) ||
0188         op != Audit_equal ||
0189         krule->inode_f || krule->watch || krule->tree)
0190         return -EINVAL;
0191
0192     watch = audit_init_watch(path);
0193     if (IS_ERR(watch))
0194         return PTR_ERR(watch);
0195
0196     krule->watch = watch;
0197
0198     return 0;
0199 }
0200
0201 /* Duplicate the given audit watch.  The new watch's rules list is initialized
0202  * to an empty list and wlist is undefined. */
0203 static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
0204 {
0205     char *path;
0206     struct audit_watch *new;
0207
0208     path = kstrdup(old->path, GFP_KERNEL);
0209     if (unlikely(!path))
0210         return ERR_PTR(-ENOMEM);
0211
0212     new = audit_init_watch(path);
0213     if (IS_ERR(new)) {
0214         kfree(path);
0215         goto out;
0216     }
0217
0218     new->dev = old->dev;
0219     new->ino = old->ino;
0220     audit_get_parent(old->parent);
0221     new->parent = old->parent;
0222
0223 out:
0224     return new;
0225 }
0226
0227 static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
0228 {
0229     struct audit_buffer *ab;
0230
0231     if (!audit_enabled)
0232         return;
0233     ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE);
0234     if (!ab)
0235         return;
0236     audit_log_session_info(ab);
0237     audit_log_format(ab, "op=%s path=", op);
0238     audit_log_untrustedstring(ab, w->path);
0239     audit_log_key(ab, r->filterkey);
0240     audit_log_format(ab, " list=%d res=1", r->listnr);
0241     audit_log_end(ab);
0242 }
0243
0244 /* Update inode info in audit rules based on filesystem event. */
0245 static void audit_update_watch(struct audit_parent *parent,
0246                    const struct qstr *dname, dev_t dev,
0247                    unsigned long ino, unsigned invalidating)
0248 {
0249     struct audit_watch *owatch, *nwatch, *nextw;
0250     struct audit_krule *r, *nextr;
0251     struct audit_entry *oentry, *nentry;
0252
0253     mutex_lock(&audit_filter_mutex);
0254     /* Run all of the watches on this parent looking for the one that
0255      * matches the given dname */
0256     list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
0257         if (audit_compare_dname_path(dname, owatch->path,
0258                          AUDIT_NAME_FULL))
0259             continue;
0260
0261         /* If the update involves invalidating rules, do the inode-based
0262          * filtering now, so we don't omit records. */
0263         if (invalidating && !audit_dummy_context())
0264             audit_filter_inodes(current, audit_context());
0265
0266         /* updating ino will likely change which audit_hash_list we
0267          * are on so we need a new watch for the new list */
0268         nwatch = audit_dupe_watch(owatch);
0269         if (IS_ERR(nwatch)) {
0270             mutex_unlock(&audit_filter_mutex);
0271             audit_panic("error updating watch, skipping");
0272             return;
0273         }
0274         nwatch->dev = dev;
0275         nwatch->ino = ino;
0276
0277         list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) {
0278
0279             oentry = container_of(r, struct audit_entry, rule);
0280             list_del(&oentry->rule.rlist);
0281             list_del_rcu(&oentry->list);
0282
0283             nentry = audit_dupe_rule(&oentry->rule);
0284             if (IS_ERR(nentry)) {
0285                 list_del(&oentry->rule.list);
0286                 audit_panic("error updating watch, removing");
0287             } else {
0288                 int h = audit_hash_ino((u32)ino);
0289
0290                 /*
0291                  * nentry->rule.watch == oentry->rule.watch so
0292                  * we must drop that reference and set it to our
0293                  * new watch.
0294                  */
0295                 audit_put_watch(nentry->rule.watch);
0296                 audit_get_watch(nwatch);
0297                 nentry->rule.watch = nwatch;
0298                 list_add(&nentry->rule.rlist, &nwatch->rules);
0299                 list_add_rcu(&nentry->list, &audit_inode_hash[h]);
0300                 list_replace(&oentry->rule.list,
0301                          &nentry->rule.list);
0302             }
0303             if (oentry->rule.exe)
0304                 audit_remove_mark(oentry->rule.exe);
0305
0306             call_rcu(&oentry->rcu, audit_free_rule_rcu);
0307         }
0308
0309         audit_remove_watch(owatch);
0310         goto add_watch_to_parent; /* event applies to a single watch */
0311     }
0312     mutex_unlock(&audit_filter_mutex);
0313     return;
0314
0315 add_watch_to_parent:
0316     list_add(&nwatch->wlist, &parent->watches);
0317     mutex_unlock(&audit_filter_mutex);
0318     return;
0319 }
0320
0321 /* Remove all watches & rules associated with a parent that is going away. */
0322 static void audit_remove_parent_watches(struct audit_parent *parent)
0323 {
0324     struct audit_watch *w, *nextw;
0325     struct audit_krule *r, *nextr;
0326     struct audit_entry *e;
0327
0328     mutex_lock(&audit_filter_mutex);
0329     list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
0330         list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
0331             e = container_of(r, struct audit_entry, rule);
0332             audit_watch_log_rule_change(r, w, "remove_rule");
0333             if (e->rule.exe)
0334                 audit_remove_mark(e->rule.exe);
0335             list_del(&r->rlist);
0336             list_del(&r->list);
0337             list_del_rcu(&e->list);
0338             call_rcu(&e->rcu, audit_free_rule_rcu);
0339         }
0340         audit_remove_watch(w);
0341     }
0342     mutex_unlock(&audit_filter_mutex);
0343
0344     fsnotify_destroy_mark(&parent->mark, audit_watch_group);
0345 }
0346
0347 /* Get path information necessary for adding watches. */
0348 static int audit_get_nd(struct audit_watch *watch, struct path *parent)
0349 {
0350     struct dentry *d = kern_path_locked(watch->path, parent);
0351     if (IS_ERR(d))
0352         return PTR_ERR(d);
0353     if (d_is_positive(d)) {
0354         /* update watch filter fields */
0355         watch->dev = d->d_sb->s_dev;
0356         watch->ino = d_backing_inode(d)->i_ino;
0357     }
0358     inode_unlock(d_backing_inode(parent->dentry));
0359     dput(d);
0360     return 0;
0361 }
0362
0363 /* Associate the given rule with an existing parent.
0364  * Caller must hold audit_filter_mutex. */
0365 static void audit_add_to_parent(struct audit_krule *krule,
0366                 struct audit_parent *parent)
0367 {
0368     struct audit_watch *w, *watch = krule->watch;
0369     int watch_found = 0;
0370
0371     BUG_ON(!mutex_is_locked(&audit_filter_mutex));
0372
0373     list_for_each_entry(w, &parent->watches, wlist) {
0374         if (strcmp(watch->path, w->path))
0375             continue;
0376
0377         watch_found = 1;
0378
0379         /* put krule's ref to temporary watch */
0380         audit_put_watch(watch);
0381
0382         audit_get_watch(w);
0383         krule->watch = watch = w;
0384
0385         audit_put_parent(parent);
0386         break;
0387     }
0388
0389     if (!watch_found) {
0390         watch->parent = parent;
0391
0392         audit_get_watch(watch);
0393         list_add(&watch->wlist, &parent->watches);
0394     }
0395     list_add(&krule->rlist, &watch->rules);
0396 }
0397
0398 /* Find a matching watch entry, or add this one.
0399  * Caller must hold audit_filter_mutex. */
0400 int audit_add_watch(struct audit_krule *krule, struct list_head **list)
0401 {
0402     struct audit_watch *watch = krule->watch;
0403     struct audit_parent *parent;
0404     struct path parent_path;
0405     int h, ret = 0;
0406
0407     /*
0408      * When we will be calling audit_add_to_parent, krule->watch might have
0409      * been updated and watch might have been freed.
0410      * So we need to keep a reference of watch.
0411      */
0412     audit_get_watch(watch);
0413
0414     mutex_unlock(&audit_filter_mutex);
0415
0416     /* Avoid calling path_lookup under audit_filter_mutex. */
0417     ret = audit_get_nd(watch, &parent_path);
0418
0419     /* caller expects mutex locked */
0420     mutex_lock(&audit_filter_mutex);
0421
0422     if (ret) {
0423         audit_put_watch(watch);
0424         return ret;
0425     }
0426
0427     /* either find an old parent or attach a new one */
0428     parent = audit_find_parent(d_backing_inode(parent_path.dentry));
0429     if (!parent) {
0430         parent = audit_init_parent(&parent_path);
0431         if (IS_ERR(parent)) {
0432             ret = PTR_ERR(parent);
0433             goto error;
0434         }
0435     }
0436
0437     audit_add_to_parent(krule, parent);
0438
0439     h = audit_hash_ino((u32)watch->ino);
0440     *list = &audit_inode_hash[h];
0441 error:
0442     path_put(&parent_path);
0443     audit_put_watch(watch);
0444     return ret;
0445 }
0446
0447 void audit_remove_watch_rule(struct audit_krule *krule)
0448 {
0449     struct audit_watch *watch = krule->watch;
0450     struct audit_parent *parent = watch->parent;
0451
0452     list_del(&krule->rlist);
0453
0454     if (list_empty(&watch->rules)) {
0455         /*
0456          * audit_remove_watch() drops our reference to 'parent' which
0457          * can get freed. Grab our own reference to be safe.
0458          */
0459         audit_get_parent(parent);
0460         audit_remove_watch(watch);
0461         if (list_empty(&parent->watches))
0462             fsnotify_destroy_mark(&parent->mark, audit_watch_group);
0463         audit_put_parent(parent);
0464     }
0465 }
0466
0467 /* Update watch data in audit rules based on fsnotify events. */
0468 static int audit_watch_handle_event(struct fsnotify_mark *inode_mark, u32 mask,
0469                     struct inode *inode, struct inode *dir,
0470                     const struct qstr *dname, u32 cookie)
0471 {
0472     struct audit_parent *parent;
0473
0474     parent = container_of(inode_mark, struct audit_parent, mark);
0475
0476     if (WARN_ON_ONCE(inode_mark->group != audit_watch_group))
0477         return 0;
0478
0479     if (mask & (FS_CREATE|FS_MOVED_TO) && inode)
0480         audit_update_watch(parent, dname, inode->i_sb->s_dev, inode->i_ino, 0);
0481     else if (mask & (FS_DELETE|FS_MOVED_FROM))
0482         audit_update_watch(parent, dname, AUDIT_DEV_UNSET, AUDIT_INO_UNSET, 1);
0483     else if (mask & (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF))
0484         audit_remove_parent_watches(parent);
0485
0486     return 0;
0487 }
0488
0489 static const struct fsnotify_ops audit_watch_fsnotify_ops = {
0490     .handle_inode_event =   audit_watch_handle_event,
0491     .free_mark =        audit_watch_free_mark,
0492 };
0493
0494 static int __init audit_watch_init(void)
0495 {
0496     audit_watch_group = fsnotify_alloc_group(&audit_watch_fsnotify_ops, 0);
0497     if (IS_ERR(audit_watch_group)) {
0498         audit_watch_group = NULL;
0499         audit_panic("cannot create audit fsnotify group");
0500     }
0501     return 0;
0502 }
0503 device_initcall(audit_watch_init);
0504
0505 int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
0506 {
0507     struct audit_fsnotify_mark *audit_mark;
0508     char *pathname;
0509
0510     pathname = kstrdup(audit_mark_path(old->exe), GFP_KERNEL);
0511     if (!pathname)
0512         return -ENOMEM;
0513
0514     audit_mark = audit_alloc_mark(new, pathname, strlen(pathname));
0515     if (IS_ERR(audit_mark)) {
0516         kfree(pathname);
0517         return PTR_ERR(audit_mark);
0518     }
0519     new->exe = audit_mark;
0520
0521     return 0;
0522 }
0523
0524 int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
0525 {
0526     struct file *exe_file;
0527     unsigned long ino;
0528     dev_t dev;
0529
0530     exe_file = get_task_exe_file(tsk);
0531     if (!exe_file)
0532         return 0;
0533     ino = file_inode(exe_file)->i_ino;
0534     dev = file_inode(exe_file)->i_sb->s_dev;
0535     fput(exe_file);
0536     return audit_mark_compare(mark, ino, dev);
0537 }