the-tree/kernel/auditfilter.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* auditfilter.c -- filtering of audit events
0003  *
0004  * Copyright 2003-2004 Red Hat, Inc.
0005  * Copyright 2005 Hewlett-Packard Development Company, L.P.
0006  * Copyright 2005 IBM Corporation
0007  */
0008
0009 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0010
0011 #include <linux/kernel.h>
0012 #include <linux/audit.h>
0013 #include <linux/kthread.h>
0014 #include <linux/mutex.h>
0015 #include <linux/fs.h>
0016 #include <linux/namei.h>
0017 #include <linux/netlink.h>
0018 #include <linux/sched.h>
0019 #include <linux/slab.h>
0020 #include <linux/security.h>
0021 #include <net/net_namespace.h>
0022 #include <net/sock.h>
0023 #include "audit.h"
0024
0025 /*
0026  * Locking model:
0027  *
0028  * audit_filter_mutex:
0029  *      Synchronizes writes and blocking reads of audit's filterlist
0030  *      data.  Rcu is used to traverse the filterlist and access
0031  *      contents of structs audit_entry, audit_watch and opaque
0032  *      LSM rules during filtering.  If modified, these structures
0033  *      must be copied and replace their counterparts in the filterlist.
0034  *      An audit_parent struct is not accessed during filtering, so may
0035  *      be written directly provided audit_filter_mutex is held.
0036  */
0037
0038 /* Audit filter lists, defined in <linux/audit.h> */
0039 struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
0040     LIST_HEAD_INIT(audit_filter_list[0]),
0041     LIST_HEAD_INIT(audit_filter_list[1]),
0042     LIST_HEAD_INIT(audit_filter_list[2]),
0043     LIST_HEAD_INIT(audit_filter_list[3]),
0044     LIST_HEAD_INIT(audit_filter_list[4]),
0045     LIST_HEAD_INIT(audit_filter_list[5]),
0046     LIST_HEAD_INIT(audit_filter_list[6]),
0047     LIST_HEAD_INIT(audit_filter_list[7]),
0048 #if AUDIT_NR_FILTERS != 8
0049 #error Fix audit_filter_list initialiser
0050 #endif
0051 };
0052 static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
0053     LIST_HEAD_INIT(audit_rules_list[0]),
0054     LIST_HEAD_INIT(audit_rules_list[1]),
0055     LIST_HEAD_INIT(audit_rules_list[2]),
0056     LIST_HEAD_INIT(audit_rules_list[3]),
0057     LIST_HEAD_INIT(audit_rules_list[4]),
0058     LIST_HEAD_INIT(audit_rules_list[5]),
0059     LIST_HEAD_INIT(audit_rules_list[6]),
0060     LIST_HEAD_INIT(audit_rules_list[7]),
0061 };
0062
0063 DEFINE_MUTEX(audit_filter_mutex);
0064
0065 static void audit_free_lsm_field(struct audit_field *f)
0066 {
0067     switch (f->type) {
0068     case AUDIT_SUBJ_USER:
0069     case AUDIT_SUBJ_ROLE:
0070     case AUDIT_SUBJ_TYPE:
0071     case AUDIT_SUBJ_SEN:
0072     case AUDIT_SUBJ_CLR:
0073     case AUDIT_OBJ_USER:
0074     case AUDIT_OBJ_ROLE:
0075     case AUDIT_OBJ_TYPE:
0076     case AUDIT_OBJ_LEV_LOW:
0077     case AUDIT_OBJ_LEV_HIGH:
0078         kfree(f->lsm_str);
0079         security_audit_rule_free(f->lsm_rule);
0080     }
0081 }
0082
0083 static inline void audit_free_rule(struct audit_entry *e)
0084 {
0085     int i;
0086     struct audit_krule *erule = &e->rule;
0087
0088     /* some rules don't have associated watches */
0089     if (erule->watch)
0090         audit_put_watch(erule->watch);
0091     if (erule->fields)
0092         for (i = 0; i < erule->field_count; i++)
0093             audit_free_lsm_field(&erule->fields[i]);
0094     kfree(erule->fields);
0095     kfree(erule->filterkey);
0096     kfree(e);
0097 }
0098
0099 void audit_free_rule_rcu(struct rcu_head *head)
0100 {
0101     struct audit_entry *e = container_of(head, struct audit_entry, rcu);
0102     audit_free_rule(e);
0103 }
0104
0105 /* Initialize an audit filterlist entry. */
0106 static inline struct audit_entry *audit_init_entry(u32 field_count)
0107 {
0108     struct audit_entry *entry;
0109     struct audit_field *fields;
0110
0111     entry = kzalloc(sizeof(*entry), GFP_KERNEL);
0112     if (unlikely(!entry))
0113         return NULL;
0114
0115     fields = kcalloc(field_count, sizeof(*fields), GFP_KERNEL);
0116     if (unlikely(!fields)) {
0117         kfree(entry);
0118         return NULL;
0119     }
0120     entry->rule.fields = fields;
0121
0122     return entry;
0123 }
0124
0125 /* Unpack a filter field's string representation from user-space
0126  * buffer. */
0127 char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
0128 {
0129     char *str;
0130
0131     if (!*bufp || (len == 0) || (len > *remain))
0132         return ERR_PTR(-EINVAL);
0133
0134     /* Of the currently implemented string fields, PATH_MAX
0135      * defines the longest valid length.
0136      */
0137     if (len > PATH_MAX)
0138         return ERR_PTR(-ENAMETOOLONG);
0139
0140     str = kmalloc(len + 1, GFP_KERNEL);
0141     if (unlikely(!str))
0142         return ERR_PTR(-ENOMEM);
0143
0144     memcpy(str, *bufp, len);
0145     str[len] = 0;
0146     *bufp += len;
0147     *remain -= len;
0148
0149     return str;
0150 }
0151
0152 /* Translate an inode field to kernel representation. */
0153 static inline int audit_to_inode(struct audit_krule *krule,
0154                  struct audit_field *f)
0155 {
0156     if ((krule->listnr != AUDIT_FILTER_EXIT &&
0157          krule->listnr != AUDIT_FILTER_URING_EXIT) ||
0158         krule->inode_f || krule->watch || krule->tree ||
0159         (f->op != Audit_equal && f->op != Audit_not_equal))
0160         return -EINVAL;
0161
0162     krule->inode_f = f;
0163     return 0;
0164 }
0165
0166 static __u32 *classes[AUDIT_SYSCALL_CLASSES];
0167
0168 int __init audit_register_class(int class, unsigned *list)
0169 {
0170     __u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
0171     if (!p)
0172         return -ENOMEM;
0173     while (*list != ~0U) {
0174         unsigned n = *list++;
0175         if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
0176             kfree(p);
0177             return -EINVAL;
0178         }
0179         p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
0180     }
0181     if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
0182         kfree(p);
0183         return -EINVAL;
0184     }
0185     classes[class] = p;
0186     return 0;
0187 }
0188
0189 int audit_match_class(int class, unsigned syscall)
0190 {
0191     if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
0192         return 0;
0193     if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
0194         return 0;
0195     return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
0196 }
0197
0198 #ifdef CONFIG_AUDITSYSCALL
0199 static inline int audit_match_class_bits(int class, u32 *mask)
0200 {
0201     int i;
0202
0203     if (classes[class]) {
0204         for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0205             if (mask[i] & classes[class][i])
0206                 return 0;
0207     }
0208     return 1;
0209 }
0210
0211 static int audit_match_signal(struct audit_entry *entry)
0212 {
0213     struct audit_field *arch = entry->rule.arch_f;
0214
0215     if (!arch) {
0216         /* When arch is unspecified, we must check both masks on biarch
0217          * as syscall number alone is ambiguous. */
0218         return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
0219                            entry->rule.mask) &&
0220             audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
0221                            entry->rule.mask));
0222     }
0223
0224     switch(audit_classify_arch(arch->val)) {
0225     case 0: /* native */
0226         return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
0227                            entry->rule.mask));
0228     case 1: /* 32bit on biarch */
0229         return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
0230                            entry->rule.mask));
0231     default:
0232         return 1;
0233     }
0234 }
0235 #endif
0236
0237 /* Common user-space to kernel rule translation. */
0238 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
0239 {
0240     unsigned listnr;
0241     struct audit_entry *entry;
0242     int i, err;
0243
0244     err = -EINVAL;
0245     listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
0246     switch(listnr) {
0247     default:
0248         goto exit_err;
0249 #ifdef CONFIG_AUDITSYSCALL
0250     case AUDIT_FILTER_ENTRY:
0251         pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
0252         goto exit_err;
0253     case AUDIT_FILTER_EXIT:
0254     case AUDIT_FILTER_URING_EXIT:
0255     case AUDIT_FILTER_TASK:
0256 #endif
0257     case AUDIT_FILTER_USER:
0258     case AUDIT_FILTER_EXCLUDE:
0259     case AUDIT_FILTER_FS:
0260         ;
0261     }
0262     if (unlikely(rule->action == AUDIT_POSSIBLE)) {
0263         pr_err("AUDIT_POSSIBLE is deprecated\n");
0264         goto exit_err;
0265     }
0266     if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
0267         goto exit_err;
0268     if (rule->field_count > AUDIT_MAX_FIELDS)
0269         goto exit_err;
0270
0271     err = -ENOMEM;
0272     entry = audit_init_entry(rule->field_count);
0273     if (!entry)
0274         goto exit_err;
0275
0276     entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
0277     entry->rule.listnr = listnr;
0278     entry->rule.action = rule->action;
0279     entry->rule.field_count = rule->field_count;
0280
0281     for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0282         entry->rule.mask[i] = rule->mask[i];
0283
0284     for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
0285         int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
0286         __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
0287         __u32 *class;
0288
0289         if (!(*p & AUDIT_BIT(bit)))
0290             continue;
0291         *p &= ~AUDIT_BIT(bit);
0292         class = classes[i];
0293         if (class) {
0294             int j;
0295             for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
0296                 entry->rule.mask[j] |= class[j];
0297         }
0298     }
0299
0300     return entry;
0301
0302 exit_err:
0303     return ERR_PTR(err);
0304 }
0305
0306 static u32 audit_ops[] =
0307 {
0308     [Audit_equal] = AUDIT_EQUAL,
0309     [Audit_not_equal] = AUDIT_NOT_EQUAL,
0310     [Audit_bitmask] = AUDIT_BIT_MASK,
0311     [Audit_bittest] = AUDIT_BIT_TEST,
0312     [Audit_lt] = AUDIT_LESS_THAN,
0313     [Audit_gt] = AUDIT_GREATER_THAN,
0314     [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
0315     [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
0316 };
0317
0318 static u32 audit_to_op(u32 op)
0319 {
0320     u32 n;
0321     for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
0322         ;
0323     return n;
0324 }
0325
0326 /* check if an audit field is valid */
0327 static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
0328 {
0329     switch (f->type) {
0330     case AUDIT_MSGTYPE:
0331         if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE &&
0332             entry->rule.listnr != AUDIT_FILTER_USER)
0333             return -EINVAL;
0334         break;
0335     case AUDIT_FSTYPE:
0336         if (entry->rule.listnr != AUDIT_FILTER_FS)
0337             return -EINVAL;
0338         break;
0339     case AUDIT_PERM:
0340         if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT)
0341             return -EINVAL;
0342         break;
0343     }
0344
0345     switch (entry->rule.listnr) {
0346     case AUDIT_FILTER_FS:
0347         switch(f->type) {
0348         case AUDIT_FSTYPE:
0349         case AUDIT_FILTERKEY:
0350             break;
0351         default:
0352             return -EINVAL;
0353         }
0354     }
0355
0356     /* Check for valid field type and op */
0357     switch (f->type) {
0358     case AUDIT_ARG0:
0359     case AUDIT_ARG1:
0360     case AUDIT_ARG2:
0361     case AUDIT_ARG3:
0362     case AUDIT_PERS: /* <uapi/linux/personality.h> */
0363     case AUDIT_DEVMINOR:
0364         /* all ops are valid */
0365         break;
0366     case AUDIT_UID:
0367     case AUDIT_EUID:
0368     case AUDIT_SUID:
0369     case AUDIT_FSUID:
0370     case AUDIT_LOGINUID:
0371     case AUDIT_OBJ_UID:
0372     case AUDIT_GID:
0373     case AUDIT_EGID:
0374     case AUDIT_SGID:
0375     case AUDIT_FSGID:
0376     case AUDIT_OBJ_GID:
0377     case AUDIT_PID:
0378     case AUDIT_MSGTYPE:
0379     case AUDIT_PPID:
0380     case AUDIT_DEVMAJOR:
0381     case AUDIT_EXIT:
0382     case AUDIT_SUCCESS:
0383     case AUDIT_INODE:
0384     case AUDIT_SESSIONID:
0385     case AUDIT_SUBJ_SEN:
0386     case AUDIT_SUBJ_CLR:
0387     case AUDIT_OBJ_LEV_LOW:
0388     case AUDIT_OBJ_LEV_HIGH:
0389     case AUDIT_SADDR_FAM:
0390         /* bit ops are only useful on syscall args */
0391         if (f->op == Audit_bitmask || f->op == Audit_bittest)
0392             return -EINVAL;
0393         break;
0394     case AUDIT_SUBJ_USER:
0395     case AUDIT_SUBJ_ROLE:
0396     case AUDIT_SUBJ_TYPE:
0397     case AUDIT_OBJ_USER:
0398     case AUDIT_OBJ_ROLE:
0399     case AUDIT_OBJ_TYPE:
0400     case AUDIT_WATCH:
0401     case AUDIT_DIR:
0402     case AUDIT_FILTERKEY:
0403     case AUDIT_LOGINUID_SET:
0404     case AUDIT_ARCH:
0405     case AUDIT_FSTYPE:
0406     case AUDIT_PERM:
0407     case AUDIT_FILETYPE:
0408     case AUDIT_FIELD_COMPARE:
0409     case AUDIT_EXE:
0410         /* only equal and not equal valid ops */
0411         if (f->op != Audit_not_equal && f->op != Audit_equal)
0412             return -EINVAL;
0413         break;
0414     default:
0415         /* field not recognized */
0416         return -EINVAL;
0417     }
0418
0419     /* Check for select valid field values */
0420     switch (f->type) {
0421     case AUDIT_LOGINUID_SET:
0422         if ((f->val != 0) && (f->val != 1))
0423             return -EINVAL;
0424         break;
0425     case AUDIT_PERM:
0426         if (f->val & ~15)
0427             return -EINVAL;
0428         break;
0429     case AUDIT_FILETYPE:
0430         if (f->val & ~S_IFMT)
0431             return -EINVAL;
0432         break;
0433     case AUDIT_FIELD_COMPARE:
0434         if (f->val > AUDIT_MAX_FIELD_COMPARE)
0435             return -EINVAL;
0436         break;
0437     case AUDIT_SADDR_FAM:
0438         if (f->val >= AF_MAX)
0439             return -EINVAL;
0440         break;
0441     default:
0442         break;
0443     }
0444
0445     return 0;
0446 }
0447
0448 /* Translate struct audit_rule_data to kernel's rule representation. */
0449 static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
0450                            size_t datasz)
0451 {
0452     int err = 0;
0453     struct audit_entry *entry;
0454     void *bufp;
0455     size_t remain = datasz - sizeof(struct audit_rule_data);
0456     int i;
0457     char *str;
0458     struct audit_fsnotify_mark *audit_mark;
0459
0460     entry = audit_to_entry_common(data);
0461     if (IS_ERR(entry))
0462         goto exit_nofree;
0463
0464     bufp = data->buf;
0465     for (i = 0; i < data->field_count; i++) {
0466         struct audit_field *f = &entry->rule.fields[i];
0467         u32 f_val;
0468
0469         err = -EINVAL;
0470
0471         f->op = audit_to_op(data->fieldflags[i]);
0472         if (f->op == Audit_bad)
0473             goto exit_free;
0474
0475         f->type = data->fields[i];
0476         f_val = data->values[i];
0477
0478         /* Support legacy tests for a valid loginuid */
0479         if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) {
0480             f->type = AUDIT_LOGINUID_SET;
0481             f_val = 0;
0482             entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
0483         }
0484
0485         err = audit_field_valid(entry, f);
0486         if (err)
0487             goto exit_free;
0488
0489         err = -EINVAL;
0490         switch (f->type) {
0491         case AUDIT_LOGINUID:
0492         case AUDIT_UID:
0493         case AUDIT_EUID:
0494         case AUDIT_SUID:
0495         case AUDIT_FSUID:
0496         case AUDIT_OBJ_UID:
0497             f->uid = make_kuid(current_user_ns(), f_val);
0498             if (!uid_valid(f->uid))
0499                 goto exit_free;
0500             break;
0501         case AUDIT_GID:
0502         case AUDIT_EGID:
0503         case AUDIT_SGID:
0504         case AUDIT_FSGID:
0505         case AUDIT_OBJ_GID:
0506             f->gid = make_kgid(current_user_ns(), f_val);
0507             if (!gid_valid(f->gid))
0508                 goto exit_free;
0509             break;
0510         case AUDIT_ARCH:
0511             f->val = f_val;
0512             entry->rule.arch_f = f;
0513             break;
0514         case AUDIT_SUBJ_USER:
0515         case AUDIT_SUBJ_ROLE:
0516         case AUDIT_SUBJ_TYPE:
0517         case AUDIT_SUBJ_SEN:
0518         case AUDIT_SUBJ_CLR:
0519         case AUDIT_OBJ_USER:
0520         case AUDIT_OBJ_ROLE:
0521         case AUDIT_OBJ_TYPE:
0522         case AUDIT_OBJ_LEV_LOW:
0523         case AUDIT_OBJ_LEV_HIGH:
0524             str = audit_unpack_string(&bufp, &remain, f_val);
0525             if (IS_ERR(str)) {
0526                 err = PTR_ERR(str);
0527                 goto exit_free;
0528             }
0529             entry->rule.buflen += f_val;
0530             f->lsm_str = str;
0531             err = security_audit_rule_init(f->type, f->op, str,
0532                                (void **)&f->lsm_rule);
0533             /* Keep currently invalid fields around in case they
0534              * become valid after a policy reload. */
0535             if (err == -EINVAL) {
0536                 pr_warn("audit rule for LSM \'%s\' is invalid\n",
0537                     str);
0538                 err = 0;
0539             } else if (err)
0540                 goto exit_free;
0541             break;
0542         case AUDIT_WATCH:
0543             str = audit_unpack_string(&bufp, &remain, f_val);
0544             if (IS_ERR(str)) {
0545                 err = PTR_ERR(str);
0546                 goto exit_free;
0547             }
0548             err = audit_to_watch(&entry->rule, str, f_val, f->op);
0549             if (err) {
0550                 kfree(str);
0551                 goto exit_free;
0552             }
0553             entry->rule.buflen += f_val;
0554             break;
0555         case AUDIT_DIR:
0556             str = audit_unpack_string(&bufp, &remain, f_val);
0557             if (IS_ERR(str)) {
0558                 err = PTR_ERR(str);
0559                 goto exit_free;
0560             }
0561             err = audit_make_tree(&entry->rule, str, f->op);
0562             kfree(str);
0563             if (err)
0564                 goto exit_free;
0565             entry->rule.buflen += f_val;
0566             break;
0567         case AUDIT_INODE:
0568             f->val = f_val;
0569             err = audit_to_inode(&entry->rule, f);
0570             if (err)
0571                 goto exit_free;
0572             break;
0573         case AUDIT_FILTERKEY:
0574             if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN)
0575                 goto exit_free;
0576             str = audit_unpack_string(&bufp, &remain, f_val);
0577             if (IS_ERR(str)) {
0578                 err = PTR_ERR(str);
0579                 goto exit_free;
0580             }
0581             entry->rule.buflen += f_val;
0582             entry->rule.filterkey = str;
0583             break;
0584         case AUDIT_EXE:
0585             if (entry->rule.exe || f_val > PATH_MAX)
0586                 goto exit_free;
0587             str = audit_unpack_string(&bufp, &remain, f_val);
0588             if (IS_ERR(str)) {
0589                 err = PTR_ERR(str);
0590                 goto exit_free;
0591             }
0592             audit_mark = audit_alloc_mark(&entry->rule, str, f_val);
0593             if (IS_ERR(audit_mark)) {
0594                 kfree(str);
0595                 err = PTR_ERR(audit_mark);
0596                 goto exit_free;
0597             }
0598             entry->rule.buflen += f_val;
0599             entry->rule.exe = audit_mark;
0600             break;
0601         default:
0602             f->val = f_val;
0603             break;
0604         }
0605     }
0606
0607     if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
0608         entry->rule.inode_f = NULL;
0609
0610 exit_nofree:
0611     return entry;
0612
0613 exit_free:
0614     if (entry->rule.tree)
0615         audit_put_tree(entry->rule.tree); /* that's the temporary one */
0616     if (entry->rule.exe)
0617         audit_remove_mark(entry->rule.exe); /* that's the template one */
0618     audit_free_rule(entry);
0619     return ERR_PTR(err);
0620 }
0621
0622 /* Pack a filter field's string representation into data block. */
0623 static inline size_t audit_pack_string(void **bufp, const char *str)
0624 {
0625     size_t len = strlen(str);
0626
0627     memcpy(*bufp, str, len);
0628     *bufp += len;
0629
0630     return len;
0631 }
0632
0633 /* Translate kernel rule representation to struct audit_rule_data. */
0634 static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
0635 {
0636     struct audit_rule_data *data;
0637     void *bufp;
0638     int i;
0639
0640     data = kmalloc(struct_size(data, buf, krule->buflen), GFP_KERNEL);
0641     if (unlikely(!data))
0642         return NULL;
0643     memset(data, 0, sizeof(*data));
0644
0645     data->flags = krule->flags | krule->listnr;
0646     data->action = krule->action;
0647     data->field_count = krule->field_count;
0648     bufp = data->buf;
0649     for (i = 0; i < data->field_count; i++) {
0650         struct audit_field *f = &krule->fields[i];
0651
0652         data->fields[i] = f->type;
0653         data->fieldflags[i] = audit_ops[f->op];
0654         switch(f->type) {
0655         case AUDIT_SUBJ_USER:
0656         case AUDIT_SUBJ_ROLE:
0657         case AUDIT_SUBJ_TYPE:
0658         case AUDIT_SUBJ_SEN:
0659         case AUDIT_SUBJ_CLR:
0660         case AUDIT_OBJ_USER:
0661         case AUDIT_OBJ_ROLE:
0662         case AUDIT_OBJ_TYPE:
0663         case AUDIT_OBJ_LEV_LOW:
0664         case AUDIT_OBJ_LEV_HIGH:
0665             data->buflen += data->values[i] =
0666                 audit_pack_string(&bufp, f->lsm_str);
0667             break;
0668         case AUDIT_WATCH:
0669             data->buflen += data->values[i] =
0670                 audit_pack_string(&bufp,
0671                           audit_watch_path(krule->watch));
0672             break;
0673         case AUDIT_DIR:
0674             data->buflen += data->values[i] =
0675                 audit_pack_string(&bufp,
0676                           audit_tree_path(krule->tree));
0677             break;
0678         case AUDIT_FILTERKEY:
0679             data->buflen += data->values[i] =
0680                 audit_pack_string(&bufp, krule->filterkey);
0681             break;
0682         case AUDIT_EXE:
0683             data->buflen += data->values[i] =
0684                 audit_pack_string(&bufp, audit_mark_path(krule->exe));
0685             break;
0686         case AUDIT_LOGINUID_SET:
0687             if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
0688                 data->fields[i] = AUDIT_LOGINUID;
0689                 data->values[i] = AUDIT_UID_UNSET;
0690                 break;
0691             }
0692             fallthrough;    /* if set */
0693         default:
0694             data->values[i] = f->val;
0695         }
0696     }
0697     for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
0698
0699     return data;
0700 }
0701
0702 /* Compare two rules in kernel format.  Considered success if rules
0703  * don't match. */
0704 static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
0705 {
0706     int i;
0707
0708     if (a->flags != b->flags ||
0709         a->pflags != b->pflags ||
0710         a->listnr != b->listnr ||
0711         a->action != b->action ||
0712         a->field_count != b->field_count)
0713         return 1;
0714
0715     for (i = 0; i < a->field_count; i++) {
0716         if (a->fields[i].type != b->fields[i].type ||
0717             a->fields[i].op != b->fields[i].op)
0718             return 1;
0719
0720         switch(a->fields[i].type) {
0721         case AUDIT_SUBJ_USER:
0722         case AUDIT_SUBJ_ROLE:
0723         case AUDIT_SUBJ_TYPE:
0724         case AUDIT_SUBJ_SEN:
0725         case AUDIT_SUBJ_CLR:
0726         case AUDIT_OBJ_USER:
0727         case AUDIT_OBJ_ROLE:
0728         case AUDIT_OBJ_TYPE:
0729         case AUDIT_OBJ_LEV_LOW:
0730         case AUDIT_OBJ_LEV_HIGH:
0731             if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
0732                 return 1;
0733             break;
0734         case AUDIT_WATCH:
0735             if (strcmp(audit_watch_path(a->watch),
0736                    audit_watch_path(b->watch)))
0737                 return 1;
0738             break;
0739         case AUDIT_DIR:
0740             if (strcmp(audit_tree_path(a->tree),
0741                    audit_tree_path(b->tree)))
0742                 return 1;
0743             break;
0744         case AUDIT_FILTERKEY:
0745             /* both filterkeys exist based on above type compare */
0746             if (strcmp(a->filterkey, b->filterkey))
0747                 return 1;
0748             break;
0749         case AUDIT_EXE:
0750             /* both paths exist based on above type compare */
0751             if (strcmp(audit_mark_path(a->exe),
0752                    audit_mark_path(b->exe)))
0753                 return 1;
0754             break;
0755         case AUDIT_UID:
0756         case AUDIT_EUID:
0757         case AUDIT_SUID:
0758         case AUDIT_FSUID:
0759         case AUDIT_LOGINUID:
0760         case AUDIT_OBJ_UID:
0761             if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
0762                 return 1;
0763             break;
0764         case AUDIT_GID:
0765         case AUDIT_EGID:
0766         case AUDIT_SGID:
0767         case AUDIT_FSGID:
0768         case AUDIT_OBJ_GID:
0769             if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
0770                 return 1;
0771             break;
0772         default:
0773             if (a->fields[i].val != b->fields[i].val)
0774                 return 1;
0775         }
0776     }
0777
0778     for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0779         if (a->mask[i] != b->mask[i])
0780             return 1;
0781
0782     return 0;
0783 }
0784
0785 /* Duplicate LSM field information.  The lsm_rule is opaque, so must be
0786  * re-initialized. */
0787 static inline int audit_dupe_lsm_field(struct audit_field *df,
0788                        struct audit_field *sf)
0789 {
0790     int ret = 0;
0791     char *lsm_str;
0792
0793     /* our own copy of lsm_str */
0794     lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
0795     if (unlikely(!lsm_str))
0796         return -ENOMEM;
0797     df->lsm_str = lsm_str;
0798
0799     /* our own (refreshed) copy of lsm_rule */
0800     ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
0801                        (void **)&df->lsm_rule);
0802     /* Keep currently invalid fields around in case they
0803      * become valid after a policy reload. */
0804     if (ret == -EINVAL) {
0805         pr_warn("audit rule for LSM \'%s\' is invalid\n",
0806             df->lsm_str);
0807         ret = 0;
0808     }
0809
0810     return ret;
0811 }
0812
0813 /* Duplicate an audit rule.  This will be a deep copy with the exception
0814  * of the watch - that pointer is carried over.  The LSM specific fields
0815  * will be updated in the copy.  The point is to be able to replace the old
0816  * rule with the new rule in the filterlist, then free the old rule.
0817  * The rlist element is undefined; list manipulations are handled apart from
0818  * the initial copy. */
0819 struct audit_entry *audit_dupe_rule(struct audit_krule *old)
0820 {
0821     u32 fcount = old->field_count;
0822     struct audit_entry *entry;
0823     struct audit_krule *new;
0824     char *fk;
0825     int i, err = 0;
0826
0827     entry = audit_init_entry(fcount);
0828     if (unlikely(!entry))
0829         return ERR_PTR(-ENOMEM);
0830
0831     new = &entry->rule;
0832     new->flags = old->flags;
0833     new->pflags = old->pflags;
0834     new->listnr = old->listnr;
0835     new->action = old->action;
0836     for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
0837         new->mask[i] = old->mask[i];
0838     new->prio = old->prio;
0839     new->buflen = old->buflen;
0840     new->inode_f = old->inode_f;
0841     new->field_count = old->field_count;
0842
0843     /*
0844      * note that we are OK with not refcounting here; audit_match_tree()
0845      * never dereferences tree and we can't get false positives there
0846      * since we'd have to have rule gone from the list *and* removed
0847      * before the chunks found by lookup had been allocated, i.e. before
0848      * the beginning of list scan.
0849      */
0850     new->tree = old->tree;
0851     memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
0852
0853     /* deep copy this information, updating the lsm_rule fields, because
0854      * the originals will all be freed when the old rule is freed. */
0855     for (i = 0; i < fcount; i++) {
0856         switch (new->fields[i].type) {
0857         case AUDIT_SUBJ_USER:
0858         case AUDIT_SUBJ_ROLE:
0859         case AUDIT_SUBJ_TYPE:
0860         case AUDIT_SUBJ_SEN:
0861         case AUDIT_SUBJ_CLR:
0862         case AUDIT_OBJ_USER:
0863         case AUDIT_OBJ_ROLE:
0864         case AUDIT_OBJ_TYPE:
0865         case AUDIT_OBJ_LEV_LOW:
0866         case AUDIT_OBJ_LEV_HIGH:
0867             err = audit_dupe_lsm_field(&new->fields[i],
0868                                &old->fields[i]);
0869             break;
0870         case AUDIT_FILTERKEY:
0871             fk = kstrdup(old->filterkey, GFP_KERNEL);
0872             if (unlikely(!fk))
0873                 err = -ENOMEM;
0874             else
0875                 new->filterkey = fk;
0876             break;
0877         case AUDIT_EXE:
0878             err = audit_dupe_exe(new, old);
0879             break;
0880         }
0881         if (err) {
0882             if (new->exe)
0883                 audit_remove_mark(new->exe);
0884             audit_free_rule(entry);
0885             return ERR_PTR(err);
0886         }
0887     }
0888
0889     if (old->watch) {
0890         audit_get_watch(old->watch);
0891         new->watch = old->watch;
0892     }
0893
0894     return entry;
0895 }
0896
0897 /* Find an existing audit rule.
0898  * Caller must hold audit_filter_mutex to prevent stale rule data. */
0899 static struct audit_entry *audit_find_rule(struct audit_entry *entry,
0900                        struct list_head **p)
0901 {
0902     struct audit_entry *e, *found = NULL;
0903     struct list_head *list;
0904     int h;
0905
0906     if (entry->rule.inode_f) {
0907         h = audit_hash_ino(entry->rule.inode_f->val);
0908         *p = list = &audit_inode_hash[h];
0909     } else if (entry->rule.watch) {
0910         /* we don't know the inode number, so must walk entire hash */
0911         for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
0912             list = &audit_inode_hash[h];
0913             list_for_each_entry(e, list, list)
0914                 if (!audit_compare_rule(&entry->rule, &e->rule)) {
0915                     found = e;
0916                     goto out;
0917                 }
0918         }
0919         goto out;
0920     } else {
0921         *p = list = &audit_filter_list[entry->rule.listnr];
0922     }
0923
0924     list_for_each_entry(e, list, list)
0925         if (!audit_compare_rule(&entry->rule, &e->rule)) {
0926             found = e;
0927             goto out;
0928         }
0929
0930 out:
0931     return found;
0932 }
0933
0934 static u64 prio_low = ~0ULL/2;
0935 static u64 prio_high = ~0ULL/2 - 1;
0936
0937 /* Add rule to given filterlist if not a duplicate. */
0938 static inline int audit_add_rule(struct audit_entry *entry)
0939 {
0940     struct audit_entry *e;
0941     struct audit_watch *watch = entry->rule.watch;
0942     struct audit_tree *tree = entry->rule.tree;
0943     struct list_head *list;
0944     int err = 0;
0945 #ifdef CONFIG_AUDITSYSCALL
0946     int dont_count = 0;
0947
0948     /* If any of these, don't count towards total */
0949     switch(entry->rule.listnr) {
0950     case AUDIT_FILTER_USER:
0951     case AUDIT_FILTER_EXCLUDE:
0952     case AUDIT_FILTER_FS:
0953         dont_count = 1;
0954     }
0955 #endif
0956
0957     mutex_lock(&audit_filter_mutex);
0958     e = audit_find_rule(entry, &list);
0959     if (e) {
0960         mutex_unlock(&audit_filter_mutex);
0961         err = -EEXIST;
0962         /* normally audit_add_tree_rule() will free it on failure */
0963         if (tree)
0964             audit_put_tree(tree);
0965         return err;
0966     }
0967
0968     if (watch) {
0969         /* audit_filter_mutex is dropped and re-taken during this call */
0970         err = audit_add_watch(&entry->rule, &list);
0971         if (err) {
0972             mutex_unlock(&audit_filter_mutex);
0973             /*
0974              * normally audit_add_tree_rule() will free it
0975              * on failure
0976              */
0977             if (tree)
0978                 audit_put_tree(tree);
0979             return err;
0980         }
0981     }
0982     if (tree) {
0983         err = audit_add_tree_rule(&entry->rule);
0984         if (err) {
0985             mutex_unlock(&audit_filter_mutex);
0986             return err;
0987         }
0988     }
0989
0990     entry->rule.prio = ~0ULL;
0991     if (entry->rule.listnr == AUDIT_FILTER_EXIT ||
0992         entry->rule.listnr == AUDIT_FILTER_URING_EXIT) {
0993         if (entry->rule.flags & AUDIT_FILTER_PREPEND)
0994             entry->rule.prio = ++prio_high;
0995         else
0996             entry->rule.prio = --prio_low;
0997     }
0998
0999     if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
1000         list_add(&entry->rule.list,
1001              &audit_rules_list[entry->rule.listnr]);
1002         list_add_rcu(&entry->list, list);
1003         entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
1004     } else {
1005         list_add_tail(&entry->rule.list,
1006                   &audit_rules_list[entry->rule.listnr]);
1007         list_add_tail_rcu(&entry->list, list);
1008     }
1009 #ifdef CONFIG_AUDITSYSCALL
1010     if (!dont_count)
1011         audit_n_rules++;
1012
1013     if (!audit_match_signal(entry))
1014         audit_signals++;
1015 #endif
1016     mutex_unlock(&audit_filter_mutex);
1017
1018     return err;
1019 }
1020
1021 /* Remove an existing rule from filterlist. */
1022 int audit_del_rule(struct audit_entry *entry)
1023 {
1024     struct audit_entry  *e;
1025     struct audit_tree *tree = entry->rule.tree;
1026     struct list_head *list;
1027     int ret = 0;
1028 #ifdef CONFIG_AUDITSYSCALL
1029     int dont_count = 0;
1030
1031     /* If any of these, don't count towards total */
1032     switch(entry->rule.listnr) {
1033     case AUDIT_FILTER_USER:
1034     case AUDIT_FILTER_EXCLUDE:
1035     case AUDIT_FILTER_FS:
1036         dont_count = 1;
1037     }
1038 #endif
1039
1040     mutex_lock(&audit_filter_mutex);
1041     e = audit_find_rule(entry, &list);
1042     if (!e) {
1043         ret = -ENOENT;
1044         goto out;
1045     }
1046
1047     if (e->rule.watch)
1048         audit_remove_watch_rule(&e->rule);
1049
1050     if (e->rule.tree)
1051         audit_remove_tree_rule(&e->rule);
1052
1053     if (e->rule.exe)
1054         audit_remove_mark_rule(&e->rule);
1055
1056 #ifdef CONFIG_AUDITSYSCALL
1057     if (!dont_count)
1058         audit_n_rules--;
1059
1060     if (!audit_match_signal(entry))
1061         audit_signals--;
1062 #endif
1063
1064     list_del_rcu(&e->list);
1065     list_del(&e->rule.list);
1066     call_rcu(&e->rcu, audit_free_rule_rcu);
1067
1068 out:
1069     mutex_unlock(&audit_filter_mutex);
1070
1071     if (tree)
1072         audit_put_tree(tree);   /* that's the temporary one */
1073
1074     return ret;
1075 }
1076
1077 /* List rules using struct audit_rule_data. */
1078 static void audit_list_rules(int seq, struct sk_buff_head *q)
1079 {
1080     struct sk_buff *skb;
1081     struct audit_krule *r;
1082     int i;
1083
1084     /* This is a blocking read, so use audit_filter_mutex instead of rcu
1085      * iterator to sync with list writers. */
1086     for (i=0; i<AUDIT_NR_FILTERS; i++) {
1087         list_for_each_entry(r, &audit_rules_list[i], list) {
1088             struct audit_rule_data *data;
1089
1090             data = audit_krule_to_data(r);
1091             if (unlikely(!data))
1092                 break;
1093             skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
1094                            data,
1095                            struct_size(data, buf, data->buflen));
1096             if (skb)
1097                 skb_queue_tail(q, skb);
1098             kfree(data);
1099         }
1100     }
1101     skb = audit_make_reply(seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1102     if (skb)
1103         skb_queue_tail(q, skb);
1104 }
1105
1106 /* Log rule additions and removals */
1107 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1108 {
1109     struct audit_buffer *ab;
1110
1111     if (!audit_enabled)
1112         return;
1113
1114     ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1115     if (!ab)
1116         return;
1117     audit_log_session_info(ab);
1118     audit_log_task_context(ab);
1119     audit_log_format(ab, " op=%s", action);
1120     audit_log_key(ab, rule->filterkey);
1121     audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1122     audit_log_end(ab);
1123 }
1124
1125 /**
1126  * audit_rule_change - apply all rules to the specified message type
1127  * @type: audit message type
1128  * @seq: netlink audit message sequence (serial) number
1129  * @data: payload data
1130  * @datasz: size of payload data
1131  */
1132 int audit_rule_change(int type, int seq, void *data, size_t datasz)
1133 {
1134     int err = 0;
1135     struct audit_entry *entry;
1136
1137     switch (type) {
1138     case AUDIT_ADD_RULE:
1139         entry = audit_data_to_entry(data, datasz);
1140         if (IS_ERR(entry))
1141             return PTR_ERR(entry);
1142         err = audit_add_rule(entry);
1143         audit_log_rule_change("add_rule", &entry->rule, !err);
1144         break;
1145     case AUDIT_DEL_RULE:
1146         entry = audit_data_to_entry(data, datasz);
1147         if (IS_ERR(entry))
1148             return PTR_ERR(entry);
1149         err = audit_del_rule(entry);
1150         audit_log_rule_change("remove_rule", &entry->rule, !err);
1151         break;
1152     default:
1153         WARN_ON(1);
1154         return -EINVAL;
1155     }
1156
1157     if (err || type == AUDIT_DEL_RULE) {
1158         if (entry->rule.exe)
1159             audit_remove_mark(entry->rule.exe);
1160         audit_free_rule(entry);
1161     }
1162
1163     return err;
1164 }
1165
1166 /**
1167  * audit_list_rules_send - list the audit rules
1168  * @request_skb: skb of request we are replying to (used to target the reply)
1169  * @seq: netlink audit message sequence (serial) number
1170  */
1171 int audit_list_rules_send(struct sk_buff *request_skb, int seq)
1172 {
1173     struct task_struct *tsk;
1174     struct audit_netlink_list *dest;
1175
1176     /* We can't just spew out the rules here because we might fill
1177      * the available socket buffer space and deadlock waiting for
1178      * auditctl to read from it... which isn't ever going to
1179      * happen if we're actually running in the context of auditctl
1180      * trying to _send_ the stuff */
1181
1182     dest = kmalloc(sizeof(*dest), GFP_KERNEL);
1183     if (!dest)
1184         return -ENOMEM;
1185     dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
1186     dest->portid = NETLINK_CB(request_skb).portid;
1187     skb_queue_head_init(&dest->q);
1188
1189     mutex_lock(&audit_filter_mutex);
1190     audit_list_rules(seq, &dest->q);
1191     mutex_unlock(&audit_filter_mutex);
1192
1193     tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
1194     if (IS_ERR(tsk)) {
1195         skb_queue_purge(&dest->q);
1196         put_net(dest->net);
1197         kfree(dest);
1198         return PTR_ERR(tsk);
1199     }
1200
1201     return 0;
1202 }
1203
1204 int audit_comparator(u32 left, u32 op, u32 right)
1205 {
1206     switch (op) {
1207     case Audit_equal:
1208         return (left == right);
1209     case Audit_not_equal:
1210         return (left != right);
1211     case Audit_lt:
1212         return (left < right);
1213     case Audit_le:
1214         return (left <= right);
1215     case Audit_gt:
1216         return (left > right);
1217     case Audit_ge:
1218         return (left >= right);
1219     case Audit_bitmask:
1220         return (left & right);
1221     case Audit_bittest:
1222         return ((left & right) == right);
1223     default:
1224         return 0;
1225     }
1226 }
1227
1228 int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1229 {
1230     switch (op) {
1231     case Audit_equal:
1232         return uid_eq(left, right);
1233     case Audit_not_equal:
1234         return !uid_eq(left, right);
1235     case Audit_lt:
1236         return uid_lt(left, right);
1237     case Audit_le:
1238         return uid_lte(left, right);
1239     case Audit_gt:
1240         return uid_gt(left, right);
1241     case Audit_ge:
1242         return uid_gte(left, right);
1243     case Audit_bitmask:
1244     case Audit_bittest:
1245     default:
1246         return 0;
1247     }
1248 }
1249
1250 int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1251 {
1252     switch (op) {
1253     case Audit_equal:
1254         return gid_eq(left, right);
1255     case Audit_not_equal:
1256         return !gid_eq(left, right);
1257     case Audit_lt:
1258         return gid_lt(left, right);
1259     case Audit_le:
1260         return gid_lte(left, right);
1261     case Audit_gt:
1262         return gid_gt(left, right);
1263     case Audit_ge:
1264         return gid_gte(left, right);
1265     case Audit_bitmask:
1266     case Audit_bittest:
1267     default:
1268         return 0;
1269     }
1270 }
1271
1272 /**
1273  * parent_len - find the length of the parent portion of a pathname
1274  * @path: pathname of which to determine length
1275  */
1276 int parent_len(const char *path)
1277 {
1278     int plen;
1279     const char *p;
1280
1281     plen = strlen(path);
1282
1283     if (plen == 0)
1284         return plen;
1285
1286     /* disregard trailing slashes */
1287     p = path + plen - 1;
1288     while ((*p == '/') && (p > path))
1289         p--;
1290
1291     /* walk backward until we find the next slash or hit beginning */
1292     while ((*p != '/') && (p > path))
1293         p--;
1294
1295     /* did we find a slash? Then increment to include it in path */
1296     if (*p == '/')
1297         p++;
1298
1299     return p - path;
1300 }
1301
1302 /**
1303  * audit_compare_dname_path - compare given dentry name with last component in
1304  *                given path. Return of 0 indicates a match.
1305  * @dname:  dentry name that we're comparing
1306  * @path:   full pathname that we're comparing
1307  * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1308  *      here indicates that we must compute this value.
1309  */
1310 int audit_compare_dname_path(const struct qstr *dname, const char *path, int parentlen)
1311 {
1312     int dlen, pathlen;
1313     const char *p;
1314
1315     dlen = dname->len;
1316     pathlen = strlen(path);
1317     if (pathlen < dlen)
1318         return 1;
1319
1320     parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1321     if (pathlen - parentlen != dlen)
1322         return 1;
1323
1324     p = path + parentlen;
1325
1326     return strncmp(p, dname->name, dlen);
1327 }
1328
1329 int audit_filter(int msgtype, unsigned int listtype)
1330 {
1331     struct audit_entry *e;
1332     int ret = 1; /* Audit by default */
1333
1334     rcu_read_lock();
1335     list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1336         int i, result = 0;
1337
1338         for (i = 0; i < e->rule.field_count; i++) {
1339             struct audit_field *f = &e->rule.fields[i];
1340             pid_t pid;
1341             u32 sid;
1342
1343             switch (f->type) {
1344             case AUDIT_PID:
1345                 pid = task_pid_nr(current);
1346                 result = audit_comparator(pid, f->op, f->val);
1347                 break;
1348             case AUDIT_UID:
1349                 result = audit_uid_comparator(current_uid(), f->op, f->uid);
1350                 break;
1351             case AUDIT_GID:
1352                 result = audit_gid_comparator(current_gid(), f->op, f->gid);
1353                 break;
1354             case AUDIT_LOGINUID:
1355                 result = audit_uid_comparator(audit_get_loginuid(current),
1356                                   f->op, f->uid);
1357                 break;
1358             case AUDIT_LOGINUID_SET:
1359                 result = audit_comparator(audit_loginuid_set(current),
1360                               f->op, f->val);
1361                 break;
1362             case AUDIT_MSGTYPE:
1363                 result = audit_comparator(msgtype, f->op, f->val);
1364                 break;
1365             case AUDIT_SUBJ_USER:
1366             case AUDIT_SUBJ_ROLE:
1367             case AUDIT_SUBJ_TYPE:
1368             case AUDIT_SUBJ_SEN:
1369             case AUDIT_SUBJ_CLR:
1370                 if (f->lsm_rule) {
1371                     security_current_getsecid_subj(&sid);
1372                     result = security_audit_rule_match(sid,
1373                            f->type, f->op, f->lsm_rule);
1374                 }
1375                 break;
1376             case AUDIT_EXE:
1377                 result = audit_exe_compare(current, e->rule.exe);
1378                 if (f->op == Audit_not_equal)
1379                     result = !result;
1380                 break;
1381             default:
1382                 goto unlock_and_return;
1383             }
1384             if (result < 0) /* error */
1385                 goto unlock_and_return;
1386             if (!result)
1387                 break;
1388         }
1389         if (result > 0) {
1390             if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE)
1391                 ret = 0;
1392             break;
1393         }
1394     }
1395 unlock_and_return:
1396     rcu_read_unlock();
1397     return ret;
1398 }
1399
1400 static int update_lsm_rule(struct audit_krule *r)
1401 {
1402     struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1403     struct audit_entry *nentry;
1404     int err = 0;
1405
1406     if (!security_audit_rule_known(r))
1407         return 0;
1408
1409     nentry = audit_dupe_rule(r);
1410     if (entry->rule.exe)
1411         audit_remove_mark(entry->rule.exe);
1412     if (IS_ERR(nentry)) {
1413         /* save the first error encountered for the
1414          * return value */
1415         err = PTR_ERR(nentry);
1416         audit_panic("error updating LSM filters");
1417         if (r->watch)
1418             list_del(&r->rlist);
1419         list_del_rcu(&entry->list);
1420         list_del(&r->list);
1421     } else {
1422         if (r->watch || r->tree)
1423             list_replace_init(&r->rlist, &nentry->rule.rlist);
1424         list_replace_rcu(&entry->list, &nentry->list);
1425         list_replace(&r->list, &nentry->rule.list);
1426     }
1427     call_rcu(&entry->rcu, audit_free_rule_rcu);
1428
1429     return err;
1430 }
1431
1432 /* This function will re-initialize the lsm_rule field of all applicable rules.
1433  * It will traverse the filter lists serarching for rules that contain LSM
1434  * specific filter fields.  When such a rule is found, it is copied, the
1435  * LSM field is re-initialized, and the old rule is replaced with the
1436  * updated rule. */
1437 int audit_update_lsm_rules(void)
1438 {
1439     struct audit_krule *r, *n;
1440     int i, err = 0;
1441
1442     /* audit_filter_mutex synchronizes the writers */
1443     mutex_lock(&audit_filter_mutex);
1444
1445     for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1446         list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1447             int res = update_lsm_rule(r);
1448             if (!err)
1449                 err = res;
1450         }
1451     }
1452     mutex_unlock(&audit_filter_mutex);
1453
1454     return err;
1455 }