📄 auditfilter.c
字号:
} if (err) { kfree(str); goto exit_free; } else f->se_str = str; break; case AUDIT_WATCH: str = audit_unpack_string(&bufp, &remain, f->val); if (IS_ERR(str)) goto exit_free; entry->rule.buflen += f->val; err = audit_to_watch(&entry->rule, str, f->val, f->op); if (err) { kfree(str); goto exit_free; } break; case AUDIT_INODE: err = audit_to_inode(&entry->rule, f); if (err) goto exit_free; break; case AUDIT_FILTERKEY: err = -EINVAL; if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) goto exit_free; str = audit_unpack_string(&bufp, &remain, f->val); if (IS_ERR(str)) goto exit_free; entry->rule.buflen += f->val; entry->rule.filterkey = str; break; case AUDIT_PERM: if (f->val & ~15) goto exit_free; break; default: goto exit_free; } } f = entry->rule.inode_f; if (f) { switch(f->op) { case AUDIT_NOT_EQUAL: entry->rule.inode_f = NULL; case AUDIT_EQUAL: break; default: err = -EINVAL; goto exit_free; } }exit_nofree: return entry;exit_free: audit_free_rule(entry); return ERR_PTR(err);}/* Pack a filter field's string representation into data block. */static inline size_t audit_pack_string(void **bufp, char *str){ size_t len = strlen(str); memcpy(*bufp, str, len); *bufp += len; return len;}/* Translate kernel rule respresentation to struct audit_rule. * Exists for backward compatibility with userspace. */static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule){ struct audit_rule *rule; int i; rule = kzalloc(sizeof(*rule), GFP_KERNEL); if (unlikely(!rule)) return NULL; rule->flags = krule->flags | krule->listnr; rule->action = krule->action; rule->field_count = krule->field_count; for (i = 0; i < rule->field_count; i++) { rule->values[i] = krule->fields[i].val; rule->fields[i] = krule->fields[i].type; if (krule->vers_ops == 1) { if (krule->fields[i].op & AUDIT_NOT_EQUAL) rule->fields[i] |= AUDIT_NEGATE; } else { rule->fields[i] |= krule->fields[i].op; } } for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; return rule;}/* Translate kernel rule respresentation to struct audit_rule_data. */static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule){ struct audit_rule_data *data; void *bufp; int i; data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); if (unlikely(!data)) return NULL; memset(data, 0, sizeof(*data)); data->flags = krule->flags | krule->listnr; data->action = krule->action; data->field_count = krule->field_count; bufp = data->buf; for (i = 0; i < data->field_count; i++) { struct audit_field *f = &krule->fields[i]; data->fields[i] = f->type; data->fieldflags[i] = f->op; switch(f->type) { case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_OBJ_USER: case AUDIT_OBJ_ROLE: case AUDIT_OBJ_TYPE: case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: data->buflen += data->values[i] = audit_pack_string(&bufp, f->se_str); break; case AUDIT_WATCH: data->buflen += data->values[i] = audit_pack_string(&bufp, krule->watch->path); break; case AUDIT_FILTERKEY: data->buflen += data->values[i] = audit_pack_string(&bufp, krule->filterkey); break; default: data->values[i] = f->val; } } for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; return data;}/* Compare two rules in kernel format. Considered success if rules * don't match. */static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b){ int i; if (a->flags != b->flags || a->listnr != b->listnr || a->action != b->action || a->field_count != b->field_count) return 1; for (i = 0; i < a->field_count; i++) { if (a->fields[i].type != b->fields[i].type || a->fields[i].op != b->fields[i].op) return 1; switch(a->fields[i].type) { case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_OBJ_USER: case AUDIT_OBJ_ROLE: case AUDIT_OBJ_TYPE: case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) return 1; break; case AUDIT_WATCH: if (strcmp(a->watch->path, b->watch->path)) return 1; break; case AUDIT_FILTERKEY: /* both filterkeys exist based on above type compare */ if (strcmp(a->filterkey, b->filterkey)) return 1; break; default: if (a->fields[i].val != b->fields[i].val) return 1; } } for (i = 0; i < AUDIT_BITMASK_SIZE; i++) if (a->mask[i] != b->mask[i]) return 1; return 0;}/* Duplicate the given audit watch. The new watch's rules list is initialized * to an empty list and wlist is undefined. */static struct audit_watch *audit_dupe_watch(struct audit_watch *old){ char *path; struct audit_watch *new; path = kstrdup(old->path, GFP_KERNEL); if (unlikely(!path)) return ERR_PTR(-ENOMEM); new = audit_init_watch(path); if (unlikely(IS_ERR(new))) { kfree(path); goto out; } new->dev = old->dev; new->ino = old->ino; get_inotify_watch(&old->parent->wdata); new->parent = old->parent;out: return new;}/* Duplicate selinux field information. The se_rule is opaque, so must be * re-initialized. */static inline int audit_dupe_selinux_field(struct audit_field *df, struct audit_field *sf){ int ret = 0; char *se_str; /* our own copy of se_str */ se_str = kstrdup(sf->se_str, GFP_KERNEL); if (unlikely(!se_str)) return -ENOMEM; df->se_str = se_str; /* our own (refreshed) copy of se_rule */ ret = selinux_audit_rule_init(df->type, df->op, df->se_str, &df->se_rule); /* Keep currently invalid fields around in case they * become valid after a policy reload. */ if (ret == -EINVAL) { printk(KERN_WARNING "audit rule for selinux \'%s\' is " "invalid\n", df->se_str); ret = 0; } return ret;}/* Duplicate an audit rule. This will be a deep copy with the exception * of the watch - that pointer is carried over. The selinux specific fields * will be updated in the copy. The point is to be able to replace the old * rule with the new rule in the filterlist, then free the old rule. * The rlist element is undefined; list manipulations are handled apart from * the initial copy. */static struct audit_entry *audit_dupe_rule(struct audit_krule *old, struct audit_watch *watch){ u32 fcount = old->field_count; struct audit_entry *entry; struct audit_krule *new; char *fk; int i, err = 0; entry = audit_init_entry(fcount); if (unlikely(!entry)) return ERR_PTR(-ENOMEM); new = &entry->rule; new->vers_ops = old->vers_ops; new->flags = old->flags; new->listnr = old->listnr; new->action = old->action; for (i = 0; i < AUDIT_BITMASK_SIZE; i++) new->mask[i] = old->mask[i]; new->buflen = old->buflen; new->inode_f = old->inode_f; new->watch = NULL; new->field_count = old->field_count; memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); /* deep copy this information, updating the se_rule fields, because * the originals will all be freed when the old rule is freed. */ for (i = 0; i < fcount; i++) { switch (new->fields[i].type) { case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_OBJ_USER: case AUDIT_OBJ_ROLE: case AUDIT_OBJ_TYPE: case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: err = audit_dupe_selinux_field(&new->fields[i], &old->fields[i]); break; case AUDIT_FILTERKEY: fk = kstrdup(old->filterkey, GFP_KERNEL); if (unlikely(!fk)) err = -ENOMEM; else new->filterkey = fk; } if (err) { audit_free_rule(entry); return ERR_PTR(err); } } if (watch) { audit_get_watch(watch); new->watch = watch; } return entry;}/* Update inode info in audit rules based on filesystem event. */static void audit_update_watch(struct audit_parent *parent, const char *dname, dev_t dev, unsigned long ino, unsigned invalidating){ struct audit_watch *owatch, *nwatch, *nextw; struct audit_krule *r, *nextr; struct audit_entry *oentry, *nentry; struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { if (audit_compare_dname_path(dname, owatch->path, NULL)) continue; /* If the update involves invalidating rules, do the inode-based * filtering now, so we don't omit records. */ if (invalidating && current->audit_context && audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) audit_set_auditable(current->audit_context); nwatch = audit_dupe_watch(owatch); if (unlikely(IS_ERR(nwatch))) { mutex_unlock(&audit_filter_mutex); audit_panic("error updating watch, skipping"); return; } nwatch->dev = dev; nwatch->ino = ino; list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) { oentry = container_of(r, struct audit_entry, rule); list_del(&oentry->rule.rlist); list_del_rcu(&oentry->list); nentry = audit_dupe_rule(&oentry->rule, nwatch); if (unlikely(IS_ERR(nentry))) audit_panic("error updating watch, removing"); else { int h = audit_hash_ino((u32)ino); list_add(&nentry->rule.rlist, &nwatch->rules); list_add_rcu(&nentry->list, &audit_inode_hash[h]); } call_rcu(&oentry->rcu, audit_free_rule_rcu); } ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); audit_log_format(ab, "op=updated rules specifying path="); audit_log_untrustedstring(ab, owatch->path); audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); audit_log_format(ab, " list=%d res=1", r->listnr); audit_log_end(ab); audit_remove_watch(owatch); goto add_watch_to_parent; /* event applies to a single watch */ } mutex_unlock(&audit_filter_mutex); return;add_watch_to_parent: list_add(&nwatch->wlist, &parent->watches); mutex_unlock(&audit_filter_mutex); return;}/* Remove all watches & rules associated with a parent that is going away. */static void audit_remove_parent_watches(struct audit_parent *parent){ struct audit_watch *w, *nextw; struct audit_krule *r, *nextr; struct audit_entry *e; struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); parent->flags |= AUDIT_PARENT_INVALID; list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { list_for_each_entry_safe(r, nextr, &w->rules, rlist) { e = container_of(r, struct audit_entry, rule); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); audit_log_format(ab, "op=remove rule path="); audit_log_untrustedstring(ab, w->path); if (r->filterkey) { audit_log_format(ab, " key="); audit_log_untrustedstring(ab, r->filterkey); } else audit_log_format(ab, " key=(null)"); audit_log_format(ab, " list=%d res=1", r->listnr); audit_log_end(ab); list_del(&r->rlist); list_del_rcu(&e->list); call_rcu(&e->rcu, audit_free_rule_rcu); } audit_remove_watch(w); } mutex_unlock(&audit_filter_mutex);}/* Unregister inotify watches for parents on in_list. * Generates an IN_IGNORED event. */static void audit_inotify_unregister(struct list_head *in_list){ struct audit_parent *p, *n; list_for_each_entry_safe(p, n, in_list, ilist) { list_del(&p->ilist); inotify_rm_watch(audit_ih, &p->wdata); /* the put matching the get in audit_do_del_rule() */ put_inotify_watch(&p->wdata); }}/* Find an existing audit rule. * Caller must hold audit_filter_mutex to prevent stale rule data. */static struct audit_entry *audit_find_rule(struct audit_entry *entry, struct list_head *list){ struct audit_entry *e, *found = NULL; int h; if (entry->rule.watch) { /* we don't know the inode number, so must walk entire hash */ for (h = 0; h < AUDIT_INODE_BUCKETS; h++) { list = &audit_inode_hash[h]; list_for_each_entry(e, list, list) if (!audit_compare_rule(&entry->rule, &e->rule)) { found = e; goto out; } } goto out; } list_for_each_entry(e, list, list) if (!audit_compare_rule(&entry->rule, &e->rule)) { found = e; goto out; }out: return found;}/* Get path information necessary for adding watches. */static int audit_get_nd(char *path, struct nameidata **ndp, struct nameidata **ndw){ struct nameidata *ndparent, *ndwatch; int err; ndparent = kmalloc(sizeof(*ndparent), GFP_KERNEL); if (unlikely(!ndparent)) return -ENOMEM; ndwatch = kmalloc(sizeof(*ndwatch), GFP_KERNEL); if (unlikely(!ndwatch)) { kfree(ndparent); return -ENOMEM; } err = path_lookup(path, LOOKUP_PARENT, ndparent); if (err) { kfree(ndparent); kfree(ndwatch); return err; } err = path_lookup(path, 0, ndwatch); if (err) { kfree(ndwatch); ndwatch = NULL; } *ndp = ndparent; *ndw = ndwatch; return 0;}/* Release resources used for watch path information. */static void audit_put_nd(struct nameidata *ndp, struct nameidata *ndw){ if (ndp) { path_release(ndp); kfree(ndp); } if (ndw) { path_release(ndw); kfree(ndw); }}/* Associate the given rule with an existing parent inotify_watch. * Caller must hold audit_filter_mutex. */static void audit_add_to_parent(struct audit_krule *krule, struct audit_parent *parent){ struct audit_watch *w, *watch = krule->watch; int watch_found = 0; list_for_each_entry(w, &parent->watches, wlist) { if (strcmp(watch->path, w->path)) continue; watch_found = 1; /* put krule's and initial refs to temporary watch */ audit_put_watch(watch); audit_put_watch(watch); audit_get_watch(w); krule->watch = watch = w; break; } if (!watch_found) { get_inotify_watch(&parent->wdata); watch->parent = parent; list_add(&watch->wlist, &parent->watches); } list_add(&krule->rlist, &watch->rules);}/* Find a matching watch entry, or add this one. * Caller must hold audit_filter_mutex. */static int audit_add_watch(struct audit_krule *krule, struct nameidata *ndp, struct nameidata *ndw){ struct audit_watch *watch = krule->watch; struct inotify_watch *i_watch; struct audit_parent *parent; int ret = 0; /* update watch filter fields */ if (ndw) { watch->dev = ndw->dentry->d_inode->i_sb->s_dev; watch->ino = ndw->dentry->d_inode->i_ino; } /* The audit_filter_mutex must not be held during inotify calls because * we hold it during inotify event callback processing. If an existing * inotify watch is found, inotify_find_watch() grabs a reference before * returning. */ mutex_unlock(&audit_filter_mutex); if (inotify_find_watch(audit_ih, ndp->dentry->d_inode, &i_watch) < 0) { parent = audit_init_parent(ndp); if (IS_ERR(parent)) { /* caller expects mutex locked */ mutex_lock(&audit_filter_mutex); return PTR_ERR(parent); } } else parent = container_of(i_watch, struct audit_parent, wdata); mutex_lock(&audit_filter_mutex); /* parent was moved before we took audit_filter_mutex */ if (parent->flags & AUDIT_PARENT_INVALID)⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -