]>
Commit | Line | Data |
---|---|---|
fe7752ba DW |
1 | /* auditfilter.c -- filtering of audit events |
2 | * | |
3 | * Copyright 2003-2004 Red Hat, Inc. | |
4 | * Copyright 2005 Hewlett-Packard Development Company, L.P. | |
5 | * Copyright 2005 IBM Corporation | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * along with this program; if not, write to the Free Software | |
19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
20 | */ | |
21 | ||
22 | #include <linux/kernel.h> | |
23 | #include <linux/audit.h> | |
24 | #include <linux/kthread.h> | |
25 | #include <linux/netlink.h> | |
26 | #include "audit.h" | |
27 | ||
28 | /* There are three lists of rules -- one to search at task creation | |
29 | * time, one to search at syscall entry time, and another to search at | |
30 | * syscall exit time. */ | |
31 | struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { | |
32 | LIST_HEAD_INIT(audit_filter_list[0]), | |
33 | LIST_HEAD_INIT(audit_filter_list[1]), | |
34 | LIST_HEAD_INIT(audit_filter_list[2]), | |
35 | LIST_HEAD_INIT(audit_filter_list[3]), | |
36 | LIST_HEAD_INIT(audit_filter_list[4]), | |
37 | LIST_HEAD_INIT(audit_filter_list[5]), | |
38 | #if AUDIT_NR_FILTERS != 6 | |
39 | #error Fix audit_filter_list initialiser | |
40 | #endif | |
41 | }; | |
42 | ||
93315ed6 | 43 | static inline void audit_free_rule(struct audit_entry *e) |
fe7752ba | 44 | { |
93315ed6 AG |
45 | kfree(e->rule.fields); |
46 | kfree(e); | |
47 | } | |
48 | ||
49 | static inline void audit_free_rule_rcu(struct rcu_head *head) | |
50 | { | |
51 | struct audit_entry *e = container_of(head, struct audit_entry, rcu); | |
52 | audit_free_rule(e); | |
53 | } | |
54 | ||
55 | /* Unpack a filter field's string representation from user-space | |
56 | * buffer. */ | |
57 | static __attribute__((unused)) char *audit_unpack_string(void **bufp, size_t *remain, size_t len) | |
58 | { | |
59 | char *str; | |
60 | ||
61 | if (!*bufp || (len == 0) || (len > *remain)) | |
62 | return ERR_PTR(-EINVAL); | |
63 | ||
64 | /* Of the currently implemented string fields, PATH_MAX | |
65 | * defines the longest valid length. | |
66 | */ | |
67 | if (len > PATH_MAX) | |
68 | return ERR_PTR(-ENAMETOOLONG); | |
69 | ||
70 | str = kmalloc(len + 1, GFP_KERNEL); | |
71 | if (unlikely(!str)) | |
72 | return ERR_PTR(-ENOMEM); | |
73 | ||
74 | memcpy(str, *bufp, len); | |
75 | str[len] = 0; | |
76 | *bufp += len; | |
77 | *remain -= len; | |
78 | ||
79 | return str; | |
80 | } | |
81 | ||
82 | /* Common user-space to kernel rule translation. */ | |
83 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | |
84 | { | |
85 | unsigned listnr; | |
86 | struct audit_entry *entry; | |
87 | struct audit_field *fields; | |
88 | int i, err; | |
89 | ||
90 | err = -EINVAL; | |
91 | listnr = rule->flags & ~AUDIT_FILTER_PREPEND; | |
92 | switch(listnr) { | |
93 | default: | |
94 | goto exit_err; | |
95 | case AUDIT_FILTER_USER: | |
96 | case AUDIT_FILTER_TYPE: | |
97 | #ifdef CONFIG_AUDITSYSCALL | |
98 | case AUDIT_FILTER_ENTRY: | |
99 | case AUDIT_FILTER_EXIT: | |
100 | case AUDIT_FILTER_TASK: | |
101 | #endif | |
102 | ; | |
103 | } | |
104 | if (rule->action != AUDIT_NEVER && rule->action != AUDIT_POSSIBLE && | |
105 | rule->action != AUDIT_ALWAYS) | |
106 | goto exit_err; | |
107 | if (rule->field_count > AUDIT_MAX_FIELDS) | |
108 | goto exit_err; | |
109 | ||
110 | err = -ENOMEM; | |
111 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | |
112 | if (unlikely(!entry)) | |
113 | goto exit_err; | |
114 | fields = kmalloc(sizeof(*fields) * rule->field_count, GFP_KERNEL); | |
115 | if (unlikely(!fields)) { | |
116 | kfree(entry); | |
117 | goto exit_err; | |
118 | } | |
119 | ||
120 | memset(&entry->rule, 0, sizeof(struct audit_krule)); | |
121 | memset(fields, 0, sizeof(struct audit_field)); | |
122 | ||
123 | entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; | |
124 | entry->rule.listnr = listnr; | |
125 | entry->rule.action = rule->action; | |
126 | entry->rule.field_count = rule->field_count; | |
127 | entry->rule.fields = fields; | |
128 | ||
129 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | |
130 | entry->rule.mask[i] = rule->mask[i]; | |
131 | ||
132 | return entry; | |
133 | ||
134 | exit_err: | |
135 | return ERR_PTR(err); | |
136 | } | |
137 | ||
138 | /* Translate struct audit_rule to kernel's rule respresentation. | |
139 | * Exists for backward compatibility with userspace. */ | |
140 | static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |
141 | { | |
142 | struct audit_entry *entry; | |
143 | int err = 0; | |
fe7752ba DW |
144 | int i; |
145 | ||
93315ed6 AG |
146 | entry = audit_to_entry_common(rule); |
147 | if (IS_ERR(entry)) | |
148 | goto exit_nofree; | |
149 | ||
150 | for (i = 0; i < rule->field_count; i++) { | |
151 | struct audit_field *f = &entry->rule.fields[i]; | |
152 | ||
153 | if (rule->fields[i] & AUDIT_UNUSED_BITS) { | |
154 | err = -EINVAL; | |
155 | goto exit_free; | |
156 | } | |
157 | ||
158 | f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); | |
159 | f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); | |
160 | f->val = rule->values[i]; | |
161 | ||
162 | entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; | |
d9d9ec6e DK |
163 | |
164 | /* Support for legacy operators where | |
165 | * AUDIT_NEGATE bit signifies != and otherwise assumes == */ | |
93315ed6 | 166 | if (f->op & AUDIT_NEGATE) |
d9d9ec6e DK |
167 | f->op = AUDIT_NOT_EQUAL; |
168 | else if (!f->op) | |
169 | f->op = AUDIT_EQUAL; | |
170 | else if (f->op == AUDIT_OPERATORS) { | |
171 | err = -EINVAL; | |
172 | goto exit_free; | |
173 | } | |
fe7752ba | 174 | } |
93315ed6 AG |
175 | |
176 | exit_nofree: | |
177 | return entry; | |
178 | ||
179 | exit_free: | |
180 | audit_free_rule(entry); | |
181 | return ERR_PTR(err); | |
fe7752ba DW |
182 | } |
183 | ||
93315ed6 AG |
184 | /* Translate struct audit_rule_data to kernel's rule respresentation. */ |
185 | static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |
186 | size_t datasz) | |
fe7752ba | 187 | { |
93315ed6 AG |
188 | int err = 0; |
189 | struct audit_entry *entry; | |
190 | void *bufp; | |
191 | /* size_t remain = datasz - sizeof(struct audit_rule_data); */ | |
fe7752ba DW |
192 | int i; |
193 | ||
93315ed6 AG |
194 | entry = audit_to_entry_common((struct audit_rule *)data); |
195 | if (IS_ERR(entry)) | |
196 | goto exit_nofree; | |
fe7752ba | 197 | |
93315ed6 AG |
198 | bufp = data->buf; |
199 | entry->rule.vers_ops = 2; | |
200 | for (i = 0; i < data->field_count; i++) { | |
201 | struct audit_field *f = &entry->rule.fields[i]; | |
202 | ||
203 | err = -EINVAL; | |
204 | if (!(data->fieldflags[i] & AUDIT_OPERATORS) || | |
205 | data->fieldflags[i] & ~AUDIT_OPERATORS) | |
206 | goto exit_free; | |
207 | ||
208 | f->op = data->fieldflags[i] & AUDIT_OPERATORS; | |
209 | f->type = data->fields[i]; | |
210 | switch(f->type) { | |
211 | /* call type-specific conversion routines here */ | |
212 | default: | |
213 | f->val = data->values[i]; | |
214 | } | |
215 | } | |
216 | ||
217 | exit_nofree: | |
218 | return entry; | |
219 | ||
220 | exit_free: | |
221 | audit_free_rule(entry); | |
222 | return ERR_PTR(err); | |
223 | } | |
224 | ||
225 | /* Pack a filter field's string representation into data block. */ | |
226 | static inline size_t audit_pack_string(void **bufp, char *str) | |
227 | { | |
228 | size_t len = strlen(str); | |
229 | ||
230 | memcpy(*bufp, str, len); | |
231 | *bufp += len; | |
232 | ||
233 | return len; | |
234 | } | |
235 | ||
236 | /* Translate kernel rule respresentation to struct audit_rule. | |
237 | * Exists for backward compatibility with userspace. */ | |
238 | static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) | |
239 | { | |
240 | struct audit_rule *rule; | |
241 | int i; | |
242 | ||
243 | rule = kmalloc(sizeof(*rule), GFP_KERNEL); | |
244 | if (unlikely(!rule)) | |
245 | return ERR_PTR(-ENOMEM); | |
246 | memset(rule, 0, sizeof(*rule)); | |
247 | ||
248 | rule->flags = krule->flags | krule->listnr; | |
249 | rule->action = krule->action; | |
250 | rule->field_count = krule->field_count; | |
251 | for (i = 0; i < rule->field_count; i++) { | |
252 | rule->values[i] = krule->fields[i].val; | |
253 | rule->fields[i] = krule->fields[i].type; | |
254 | ||
255 | if (krule->vers_ops == 1) { | |
256 | if (krule->fields[i].op & AUDIT_NOT_EQUAL) | |
257 | rule->fields[i] |= AUDIT_NEGATE; | |
258 | } else { | |
259 | rule->fields[i] |= krule->fields[i].op; | |
260 | } | |
261 | } | |
262 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; | |
263 | ||
264 | return rule; | |
265 | } | |
fe7752ba | 266 | |
93315ed6 AG |
267 | /* Translate kernel rule respresentation to struct audit_rule_data. */ |
268 | static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) | |
269 | { | |
270 | struct audit_rule_data *data; | |
271 | void *bufp; | |
272 | int i; | |
273 | ||
274 | data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); | |
275 | if (unlikely(!data)) | |
276 | return ERR_PTR(-ENOMEM); | |
277 | memset(data, 0, sizeof(*data)); | |
278 | ||
279 | data->flags = krule->flags | krule->listnr; | |
280 | data->action = krule->action; | |
281 | data->field_count = krule->field_count; | |
282 | bufp = data->buf; | |
283 | for (i = 0; i < data->field_count; i++) { | |
284 | struct audit_field *f = &krule->fields[i]; | |
285 | ||
286 | data->fields[i] = f->type; | |
287 | data->fieldflags[i] = f->op; | |
288 | switch(f->type) { | |
289 | /* call type-specific conversion routines here */ | |
290 | default: | |
291 | data->values[i] = f->val; | |
292 | } | |
293 | } | |
294 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; | |
295 | ||
296 | return data; | |
297 | } | |
298 | ||
299 | /* Compare two rules in kernel format. Considered success if rules | |
300 | * don't match. */ | |
301 | static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) | |
302 | { | |
303 | int i; | |
304 | ||
305 | if (a->flags != b->flags || | |
306 | a->listnr != b->listnr || | |
307 | a->action != b->action || | |
308 | a->field_count != b->field_count) | |
fe7752ba DW |
309 | return 1; |
310 | ||
311 | for (i = 0; i < a->field_count; i++) { | |
93315ed6 AG |
312 | if (a->fields[i].type != b->fields[i].type || |
313 | a->fields[i].op != b->fields[i].op) | |
fe7752ba | 314 | return 1; |
93315ed6 AG |
315 | |
316 | switch(a->fields[i].type) { | |
317 | /* call type-specific comparison routines here */ | |
318 | default: | |
319 | if (a->fields[i].val != b->fields[i].val) | |
320 | return 1; | |
321 | } | |
fe7752ba DW |
322 | } |
323 | ||
324 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | |
325 | if (a->mask[i] != b->mask[i]) | |
326 | return 1; | |
327 | ||
328 | return 0; | |
329 | } | |
330 | ||
93315ed6 | 331 | /* Add rule to given filterlist if not a duplicate. Protected by |
5a0bbce5 | 332 | * audit_netlink_mutex. */ |
93315ed6 | 333 | static inline int audit_add_rule(struct audit_entry *entry, |
fe7752ba DW |
334 | struct list_head *list) |
335 | { | |
93315ed6 | 336 | struct audit_entry *e; |
fe7752ba DW |
337 | |
338 | /* Do not use the _rcu iterator here, since this is the only | |
339 | * addition routine. */ | |
93315ed6 AG |
340 | list_for_each_entry(e, list, list) { |
341 | if (!audit_compare_rule(&entry->rule, &e->rule)) | |
fe7752ba | 342 | return -EEXIST; |
fe7752ba DW |
343 | } |
344 | ||
fe7752ba | 345 | if (entry->rule.flags & AUDIT_FILTER_PREPEND) { |
fe7752ba DW |
346 | list_add_rcu(&entry->list, list); |
347 | } else { | |
348 | list_add_tail_rcu(&entry->list, list); | |
349 | } | |
350 | ||
351 | return 0; | |
352 | } | |
353 | ||
93315ed6 | 354 | /* Remove an existing rule from filterlist. Protected by |
5a0bbce5 | 355 | * audit_netlink_mutex. */ |
93315ed6 | 356 | static inline int audit_del_rule(struct audit_entry *entry, |
fe7752ba DW |
357 | struct list_head *list) |
358 | { | |
359 | struct audit_entry *e; | |
360 | ||
361 | /* Do not use the _rcu iterator here, since this is the only | |
362 | * deletion routine. */ | |
363 | list_for_each_entry(e, list, list) { | |
93315ed6 | 364 | if (!audit_compare_rule(&entry->rule, &e->rule)) { |
fe7752ba | 365 | list_del_rcu(&e->list); |
93315ed6 | 366 | call_rcu(&e->rcu, audit_free_rule_rcu); |
fe7752ba DW |
367 | return 0; |
368 | } | |
369 | } | |
370 | return -ENOENT; /* No matching rule */ | |
371 | } | |
372 | ||
93315ed6 AG |
373 | /* List rules using struct audit_rule. Exists for backward |
374 | * compatibility with userspace. */ | |
375 | static int audit_list(void *_dest) | |
fe7752ba DW |
376 | { |
377 | int pid, seq; | |
378 | int *dest = _dest; | |
379 | struct audit_entry *entry; | |
380 | int i; | |
381 | ||
382 | pid = dest[0]; | |
383 | seq = dest[1]; | |
384 | kfree(dest); | |
385 | ||
5a0bbce5 | 386 | mutex_lock(&audit_netlink_mutex); |
fe7752ba DW |
387 | |
388 | /* The *_rcu iterators not needed here because we are | |
5a0bbce5 | 389 | always called with audit_netlink_mutex held. */ |
fe7752ba | 390 | for (i=0; i<AUDIT_NR_FILTERS; i++) { |
93315ed6 AG |
391 | list_for_each_entry(entry, &audit_filter_list[i], list) { |
392 | struct audit_rule *rule; | |
393 | ||
394 | rule = audit_krule_to_rule(&entry->rule); | |
395 | if (unlikely(!rule)) | |
396 | break; | |
fe7752ba | 397 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, |
93315ed6 AG |
398 | rule, sizeof(*rule)); |
399 | kfree(rule); | |
400 | } | |
fe7752ba DW |
401 | } |
402 | audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); | |
403 | ||
5a0bbce5 | 404 | mutex_unlock(&audit_netlink_mutex); |
fe7752ba DW |
405 | return 0; |
406 | } | |
407 | ||
93315ed6 AG |
408 | /* List rules using struct audit_rule_data. */ |
409 | static int audit_list_rules(void *_dest) | |
410 | { | |
411 | int pid, seq; | |
412 | int *dest = _dest; | |
413 | struct audit_entry *e; | |
414 | int i; | |
415 | ||
416 | pid = dest[0]; | |
417 | seq = dest[1]; | |
418 | kfree(dest); | |
419 | ||
5a0bbce5 | 420 | mutex_lock(&audit_netlink_mutex); |
93315ed6 AG |
421 | |
422 | /* The *_rcu iterators not needed here because we are | |
5a0bbce5 | 423 | always called with audit_netlink_mutex held. */ |
93315ed6 AG |
424 | for (i=0; i<AUDIT_NR_FILTERS; i++) { |
425 | list_for_each_entry(e, &audit_filter_list[i], list) { | |
426 | struct audit_rule_data *data; | |
427 | ||
428 | data = audit_krule_to_data(&e->rule); | |
429 | if (unlikely(!data)) | |
430 | break; | |
431 | audit_send_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, | |
432 | data, sizeof(*data)); | |
433 | kfree(data); | |
434 | } | |
435 | } | |
436 | audit_send_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); | |
437 | ||
5a0bbce5 | 438 | mutex_unlock(&audit_netlink_mutex); |
93315ed6 AG |
439 | return 0; |
440 | } | |
441 | ||
fe7752ba DW |
442 | /** |
443 | * audit_receive_filter - apply all rules to the specified message type | |
444 | * @type: audit message type | |
445 | * @pid: target pid for netlink audit messages | |
446 | * @uid: target uid for netlink audit messages | |
447 | * @seq: netlink audit message sequence (serial) number | |
448 | * @data: payload data | |
93315ed6 | 449 | * @datasz: size of payload data |
fe7752ba DW |
450 | * @loginuid: loginuid of sender |
451 | */ | |
452 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | |
93315ed6 | 453 | size_t datasz, uid_t loginuid) |
fe7752ba DW |
454 | { |
455 | struct task_struct *tsk; | |
456 | int *dest; | |
93315ed6 AG |
457 | int err = 0; |
458 | struct audit_entry *entry; | |
fe7752ba DW |
459 | |
460 | switch (type) { | |
461 | case AUDIT_LIST: | |
93315ed6 | 462 | case AUDIT_LIST_RULES: |
fe7752ba DW |
463 | /* We can't just spew out the rules here because we might fill |
464 | * the available socket buffer space and deadlock waiting for | |
465 | * auditctl to read from it... which isn't ever going to | |
466 | * happen if we're actually running in the context of auditctl | |
467 | * trying to _send_ the stuff */ | |
468 | ||
469 | dest = kmalloc(2 * sizeof(int), GFP_KERNEL); | |
470 | if (!dest) | |
471 | return -ENOMEM; | |
472 | dest[0] = pid; | |
473 | dest[1] = seq; | |
474 | ||
93315ed6 AG |
475 | if (type == AUDIT_LIST) |
476 | tsk = kthread_run(audit_list, dest, "audit_list"); | |
477 | else | |
478 | tsk = kthread_run(audit_list_rules, dest, | |
479 | "audit_list_rules"); | |
fe7752ba DW |
480 | if (IS_ERR(tsk)) { |
481 | kfree(dest); | |
482 | err = PTR_ERR(tsk); | |
483 | } | |
484 | break; | |
485 | case AUDIT_ADD: | |
93315ed6 AG |
486 | case AUDIT_ADD_RULE: |
487 | if (type == AUDIT_ADD) | |
488 | entry = audit_rule_to_entry(data); | |
489 | else | |
490 | entry = audit_data_to_entry(data, datasz); | |
491 | if (IS_ERR(entry)) | |
492 | return PTR_ERR(entry); | |
493 | ||
494 | err = audit_add_rule(entry, | |
495 | &audit_filter_list[entry->rule.listnr]); | |
5d330108 AV |
496 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
497 | "auid=%u add rule to list=%d res=%d\n", | |
498 | loginuid, entry->rule.listnr, !err); | |
499 | ||
500 | if (err) | |
93315ed6 | 501 | audit_free_rule(entry); |
fe7752ba DW |
502 | break; |
503 | case AUDIT_DEL: | |
93315ed6 AG |
504 | case AUDIT_DEL_RULE: |
505 | if (type == AUDIT_DEL) | |
506 | entry = audit_rule_to_entry(data); | |
507 | else | |
508 | entry = audit_data_to_entry(data, datasz); | |
509 | if (IS_ERR(entry)) | |
510 | return PTR_ERR(entry); | |
511 | ||
512 | err = audit_del_rule(entry, | |
513 | &audit_filter_list[entry->rule.listnr]); | |
5d330108 AV |
514 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
515 | "auid=%u remove rule from list=%d res=%d\n", | |
516 | loginuid, entry->rule.listnr, !err); | |
517 | ||
93315ed6 | 518 | audit_free_rule(entry); |
fe7752ba DW |
519 | break; |
520 | default: | |
521 | return -EINVAL; | |
522 | } | |
523 | ||
524 | return err; | |
525 | } | |
526 | ||
527 | int audit_comparator(const u32 left, const u32 op, const u32 right) | |
528 | { | |
529 | switch (op) { | |
530 | case AUDIT_EQUAL: | |
531 | return (left == right); | |
532 | case AUDIT_NOT_EQUAL: | |
533 | return (left != right); | |
534 | case AUDIT_LESS_THAN: | |
535 | return (left < right); | |
536 | case AUDIT_LESS_THAN_OR_EQUAL: | |
537 | return (left <= right); | |
538 | case AUDIT_GREATER_THAN: | |
539 | return (left > right); | |
540 | case AUDIT_GREATER_THAN_OR_EQUAL: | |
541 | return (left >= right); | |
fe7752ba | 542 | } |
d9d9ec6e DK |
543 | BUG(); |
544 | return 0; | |
fe7752ba DW |
545 | } |
546 | ||
547 | ||
548 | ||
549 | static int audit_filter_user_rules(struct netlink_skb_parms *cb, | |
93315ed6 | 550 | struct audit_krule *rule, |
fe7752ba DW |
551 | enum audit_state *state) |
552 | { | |
553 | int i; | |
554 | ||
555 | for (i = 0; i < rule->field_count; i++) { | |
93315ed6 | 556 | struct audit_field *f = &rule->fields[i]; |
fe7752ba DW |
557 | int result = 0; |
558 | ||
93315ed6 | 559 | switch (f->type) { |
fe7752ba | 560 | case AUDIT_PID: |
93315ed6 | 561 | result = audit_comparator(cb->creds.pid, f->op, f->val); |
fe7752ba DW |
562 | break; |
563 | case AUDIT_UID: | |
93315ed6 | 564 | result = audit_comparator(cb->creds.uid, f->op, f->val); |
fe7752ba DW |
565 | break; |
566 | case AUDIT_GID: | |
93315ed6 | 567 | result = audit_comparator(cb->creds.gid, f->op, f->val); |
fe7752ba DW |
568 | break; |
569 | case AUDIT_LOGINUID: | |
93315ed6 | 570 | result = audit_comparator(cb->loginuid, f->op, f->val); |
fe7752ba DW |
571 | break; |
572 | } | |
573 | ||
574 | if (!result) | |
575 | return 0; | |
576 | } | |
577 | switch (rule->action) { | |
578 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; | |
579 | case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; | |
580 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; | |
581 | } | |
582 | return 1; | |
583 | } | |
584 | ||
585 | int audit_filter_user(struct netlink_skb_parms *cb, int type) | |
586 | { | |
587 | struct audit_entry *e; | |
588 | enum audit_state state; | |
589 | int ret = 1; | |
590 | ||
591 | rcu_read_lock(); | |
592 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { | |
593 | if (audit_filter_user_rules(cb, &e->rule, &state)) { | |
594 | if (state == AUDIT_DISABLED) | |
595 | ret = 0; | |
596 | break; | |
597 | } | |
598 | } | |
599 | rcu_read_unlock(); | |
600 | ||
601 | return ret; /* Audit by default */ | |
602 | } | |
603 | ||
604 | int audit_filter_type(int type) | |
605 | { | |
606 | struct audit_entry *e; | |
607 | int result = 0; | |
608 | ||
609 | rcu_read_lock(); | |
610 | if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) | |
611 | goto unlock_and_return; | |
612 | ||
613 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], | |
614 | list) { | |
fe7752ba | 615 | int i; |
93315ed6 AG |
616 | for (i = 0; i < e->rule.field_count; i++) { |
617 | struct audit_field *f = &e->rule.fields[i]; | |
618 | if (f->type == AUDIT_MSGTYPE) { | |
619 | result = audit_comparator(type, f->op, f->val); | |
fe7752ba DW |
620 | if (!result) |
621 | break; | |
622 | } | |
623 | } | |
624 | if (result) | |
625 | goto unlock_and_return; | |
626 | } | |
627 | unlock_and_return: | |
628 | rcu_read_unlock(); | |
629 | return result; | |
630 | } |