[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[RFC][PATCH] new audit rule interface



Hello,

Following is a first cut at a patch which implements an interface for
specifying filesystem paths in audit rules.  I've identified some
issues, and would like to offer the patch up for discussion before
attempting to resolve them.  If you see issues that I haven't
identified below, please mention them as well.

Overview
--------
The kernel-userspace interface changes required to specify audit rules
with string fields were implemented based on the proposal:

    https://www.redhat.com/archives/linux-audit/2005-November/msg00015.html

Support for specifying filesystem paths in audit rules was included as
a proof-of-concept.  

With this patch, userspace may specify a path filter, akin to
specifying an inode filter.  If a filename exists at the specified
path, audit records will be generated as they are for inode filters.

Watched paths are tracked via a master_watchlist.  The
master_watchlist is composed of one or more audit_watch structs, each
of which is associated with one or more struct audit_krule's in the
syscall exit filter list (AUDIT_FILTER_EXIT).  Audit's filtering data
structures are still updated exclusively through explicit rule
addition and removal, so this patch did not require any locking
changes.

To reduce the complexity of the patch, I omitted the functionality
necessary to provide persistence for path-based filters.  At present,
audit is not aware when a file is created or removed from watched path
locations.  I plan to submit this functionality in a separate patch.

Issues
------
I have identified some issues with this patch that I'll list here.

1) struct audit_rule_xprt

    Introducing a new data structure for specifying audit rules via
    netlink provides a good opportunity to revisit the data structure
    design and determine if we want to make any other changes, e.g.
    adding a structure version field, reserving fields, etc.  At
    present, I've only added the empty buf[] array.

    How much we deviate from the current structure should be a factor
    of how long we expect to continue using netlink for all
    userspace-kernel communication.

2) struct audit_krule

    The kernel structure defining an audit rule isn't keeping enough
    information about what it received from userspace.

    - the kernel currently converts the upper bits of a field[]
      element to its own representation; when the rule is listed back
      to userspace, the bits are not converted back to the way in
      which they were originally specified

    - the difference between an inode-based and a path-based filter is
      not always discernible, as it needs to be (e.g. kernel currently
      won't allow a rule to be added for an inode # that can be
      resolved from an existing path-based filter)
    
    - might not be an issue now, but should probably track which type
      or version of structure was used to add a given rule

    - the operator bits consistently need to be masked out; they
      should just be a separate field in kernel

3) audit_rule_in()

    This function is long and somewhat specific to specifying paths in
    audit rules.  This should be more generalized, or the
    path-specific code should be split out to another function.

4) in general

    Perhaps most importantly, this patch mixes the interface changes
    required to specify audit rules with string fields with some of
    the initial filesystem audit functionality.  I think these pieces
    should be split into separate patches to allow a more generalized
    approach.

I plan to update this patch to resolve these issues, along with any
other identified issues.

Thanks for your review.
Amy


diff --git a/include/linux/audit.h b/include/linux/audit.h
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -59,6 +59,9 @@
 #define AUDIT_WATCH_REM		1008	/* Remove file/dir watch entry */
 #define AUDIT_WATCH_LIST	1009	/* List all file/dir watches */
 #define AUDIT_SIGNAL_INFO	1010	/* Get info about sender of signal to auditd */
+#define AUDIT_ADD_RULE		1011	/* Add syscall filter (string supp) */
+#define AUDIT_DEL_RULE		1012	/* Delete syscall filter (string supp)*/
+#define AUDIT_LIST_RULES	1013	/* List syscall filters (string supp) */
 
 #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
 #define AUDIT_USER_AVC		1107	/* We filter this differently */
@@ -142,6 +145,7 @@
 #define AUDIT_INODE	102
 #define AUDIT_EXIT	103
 #define AUDIT_SUCCESS   104	/* exit >= 0; value ignored */
+#define AUDIT_PATHNAME	105	/* location in filesystem (attached path len */
 
 #define AUDIT_ARG0      200
 #define AUDIT_ARG1      (AUDIT_ARG0+1)
@@ -226,7 +230,26 @@ struct audit_status {
 	__u32		backlog;	/* messages waiting in queue */
 };
 
-struct audit_rule {		/* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
+/* audit_rule_xprt supports filter rules with both integer and string
+ * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
+ * AUDIT_LIST_RULES requests.
+ */
+struct audit_rule_xprt {
+	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
+	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
+	__u32		field_count;
+	__u32		mask[AUDIT_BITMASK_SIZE];
+	__u32		fields[AUDIT_MAX_FIELDS];
+	__u32		values[AUDIT_MAX_FIELDS];
+	__u32		buflen;	/* total length of string fields */
+	char		buf[0];	/* string fields buffer */
+};
+
+/* audit_rule is supported to maintain backward compatibility with
+ * userspace.  It supports integer fields only and corresponds to
+ * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests. 
+ */
+struct audit_rule {
 	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
 	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
 	__u32		field_count;
diff --git a/kernel/audit.c b/kernel/audit.c
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -358,9 +358,12 @@ static int audit_netlink_ok(kernel_cap_t
 	switch (msg_type) {
 	case AUDIT_GET:
 	case AUDIT_LIST:
+	case AUDIT_LIST_RULES:
 	case AUDIT_SET:
 	case AUDIT_ADD:
+	case AUDIT_ADD_RULE:
 	case AUDIT_DEL:
+	case AUDIT_DEL_RULE:
 	case AUDIT_SIGNAL_INFO:
 		if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
 			err = -EPERM;
@@ -474,6 +477,15 @@ static int audit_receive_msg(struct sk_b
 		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
 					   uid, seq, data, loginuid);
 		break;
+	case AUDIT_ADD_RULE:
+	case AUDIT_DEL_RULE:
+		if (nlh->nlmsg_len < sizeof(struct audit_rule_xprt))
+			return -EINVAL;
+		/* fallthrough */
+	case AUDIT_LIST_RULES:
+		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
+					   uid, seq, data, loginuid);
+		break;
 	case AUDIT_SIGNAL_INFO:
 		sig_data.uid = audit_sig_uid;
 		sig_data.pid = audit_sig_pid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -182,7 +182,33 @@ struct audit_context {
 #endif
 };
 
-				/* Public API */
+/* Audit Filters */
+
+/* kernel's representation of a watched filesystem location */
+struct audit_watch {
+	char			*path;	/* watch insertion path */
+	struct list_head	mlist;	/* entry in master_watchlist */
+	struct list_head	rules;	/* associated rules*/
+};
+
+/* kernel's internal filter rule representation */
+struct audit_krule {
+	u32			flags;
+	u32			action;
+	u32			field_count;
+	u32			mask[AUDIT_BITMASK_SIZE];
+	u32			fields[AUDIT_MAX_FIELDS];
+	u32			values[AUDIT_MAX_FIELDS];
+	struct audit_watch	*watch; /* associated watch */
+	struct list_head	rlist;	/* entry in audit_watch.rules list */
+};
+
+struct audit_entry {
+	struct list_head	list;	/* entry in audit_filter_list */
+	struct rcu_head		rcu;
+	struct audit_krule	rule;
+};
+
 /* There are three lists of rules -- one to search at task creation
  * time, one to search at syscall entry time, and another to search at
  * syscall exit time. */
@@ -198,101 +224,290 @@ static struct list_head audit_filter_lis
 #endif
 };
 
-struct audit_entry {
-	struct list_head  list;
-	struct rcu_head   rcu;
-	struct audit_rule rule;
-};
+static LIST_HEAD(master_watchlist);
 
 extern int audit_pid;
 
-/* Copy rule from user-space to kernel-space.  Called from 
- * audit_add_rule during AUDIT_ADD. */
-static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
+/* Check to see if two rules are identical. */
+static inline int audit_compare_rule(struct audit_krule *a, 
+				     struct audit_krule *b,
+				     unsigned skip_ino)
 {
 	int i;
 
-	if (s->action != AUDIT_NEVER
-	    && s->action != AUDIT_POSSIBLE
-	    && s->action != AUDIT_ALWAYS)
-		return -1;
-	if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
-		return -1;
-	if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
-		return -1;
-
-	d->flags	= s->flags;
-	d->action	= s->action;
-	d->field_count	= s->field_count;
-	for (i = 0; i < d->field_count; i++) {
-		d->fields[i] = s->fields[i];
-		d->values[i] = s->values[i];
+	if (a->flags != b->flags || 
+	    a->action != b->action || 
+	    a->field_count != b->field_count)
+		return 1;
+
+	/* rules must have same field ordering to match */
+	for (i = 0; i < a->field_count; i++) {
+		/* skip inode comparison with matching paths */
+		if (skip_ino &&
+		    (a->fields[i] & ~AUDIT_OPERATORS) == AUDIT_INODE &&
+		    (b->fields[i] & ~AUDIT_OPERATORS) == AUDIT_INODE)
+			continue;
+		if (a->fields[i] != b->fields[i] || 
+		    a->values[i] != b->values[i])
+			return 1;
 	}
-	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
+
+	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
+		if (a->mask[i] != b->mask[i])
+			return 1;
+
 	return 0;
 }
 
-/* Check to see if two rules are identical.  It is called from
- * audit_add_rule during AUDIT_ADD and 
- * audit_del_rule during AUDIT_DEL. */
-static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
+static inline void audit_destroy_rule(struct rcu_head *head)
+{
+	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
+	kfree(e);
+}
+
+static inline void audit_remove_watch(struct audit_krule *rule)
+{
+	struct audit_watch *watch;
+
+	watch = rule->watch;
+	list_del(&rule->rlist);
+	rule->watch = NULL;
+
+	if (list_empty(&watch->rules)) {
+		list_del(&watch->mlist);
+		kfree(watch->path);
+		kfree(watch);
+	}
+}
+
+static int audit_add_watch(struct audit_krule *rule, char *path)
 {
+	int rc = 0;
+	struct audit_watch *w, *watch;
+	struct audit_entry *e;
+	struct nameidata nd;
 	int i;
 
-	if (a->flags != b->flags)
-		return 1;
+	list_for_each_entry(w, &master_watchlist, mlist) {
+		if (strcmp(path, w->path) != 0)
+			continue;
+
+		list_for_each_entry(e, &audit_filter_list[AUDIT_FILTER_EXIT], 
+				    list)
+			if (!audit_compare_rule(rule, &e->rule, 1))  {
+				rc = -EEXIST;
+				goto exit;
+			}
+		watch = w;
+		goto attach_rule;
+	}
 
-	if (a->action != b->action)
-		return 1;
+	watch = kmalloc(sizeof(*watch), GFP_KERNEL);
+	if (!watch) {
+		rc = -ENOMEM;
+		goto exit;
+	}
+	watch->path = path;
+	list_add(&watch->mlist, &master_watchlist);
+	INIT_LIST_HEAD(&watch->rules);
 
-	if (a->field_count != b->field_count)
-		return 1;
+attach_rule:
+	list_add(&rule->rlist, &watch->rules);
+	rule->watch = watch;
 
-	for (i = 0; i < a->field_count; i++) {
-		if (a->fields[i] != b->fields[i]
-		    || a->values[i] != b->values[i])
-			return 1;
+	/* update inode filter field if possible */
+	if (path_lookup(path, 0, &nd) == 0)
+		for (i = 0; i < rule->field_count; i++)
+			if ((rule->fields[i] & ~AUDIT_OPERATORS) == AUDIT_INODE)
+				rule->values[i] = nd.dentry->d_inode->i_ino;
+	path_release(&nd);
+
+exit:
+	return rc;
+}
+
+static inline char *audit_path_in(char *buf, int buflen)
+{
+	char *path;
+
+	if (buflen > PATH_MAX)
+		return ERR_PTR(-ENAMETOOLONG);
+
+	if (buflen <= 1 || !buf || buf[0] != '/')
+		return ERR_PTR(-EINVAL);
+
+	path = kmalloc(buflen + 1, GFP_KERNEL);
+	if (!path)
+		return ERR_PTR(-ENOMEM);
+	memcpy(path, buf, buflen);
+	path[buflen] = 0;
+
+	return path;
+}
+
+/* Copy rule from user-space to kernel-space. */
+static struct audit_entry *audit_rule_in(struct audit_rule_xprt *rulex, 
+					  char **path, int type)
+{
+	int i, ret;
+	struct audit_entry *entry;
+	void *buf = NULL;
+	char *tmp = NULL;
+	unsigned listnr;
+	unsigned int offset = 0;
+
+	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
+		return ERR_PTR(-ENOMEM);
+
+	ret = -EINVAL;
+	listnr = rulex->flags & ~AUDIT_FILTER_PREPEND;
+	if (listnr >= AUDIT_NR_FILTERS)
+		goto exit_err;
+	if (rulex->action != AUDIT_NEVER && rulex->action != AUDIT_POSSIBLE && 
+	    rulex->action != AUDIT_ALWAYS)
+		goto exit_err;
+	if (rulex->field_count < 0 || rulex->field_count > AUDIT_MAX_FIELDS)
+		goto exit_err;
+
+	entry->rule.flags = rulex->flags;
+	entry->rule.action = rulex->action;
+	entry->rule.field_count = rulex->field_count;
+	entry->rule.watch = NULL;
+
+	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
+		entry->rule.mask[i] = rulex->mask[i];
+
+	if (type == AUDIT_ADD_RULE || type == AUDIT_DEL_RULE)
+		buf = rulex->buf;
+
+	for (i = 0; i < rulex->field_count; i++) {
+		u32 rfield = rulex->fields[i] & (~AUDIT_NEGATE|AUDIT_OPERATORS);
+		u32 rvalue = rulex->values[i];
+
+		ret = -EINVAL;
+		if (rulex->fields[i] & AUDIT_UNUSED_BITS)
+			goto exit_err;
+
+		if (rfield == AUDIT_PATHNAME) {
+			if (listnr != AUDIT_FILTER_EXIT)
+				goto exit_err;
+			if (offset + rvalue > rulex->buflen)
+				goto exit_err;
+
+			tmp = audit_path_in(buf, rvalue);
+			if (IS_ERR(tmp)) {
+				ret = PTR_ERR(tmp);
+				tmp = NULL;
+				goto exit_err;
+			}
+			*path = tmp;
+
+			offset += rvalue;
+			buf = rulex->buf + offset;
+
+			entry->rule.fields[i] = AUDIT_INODE|AUDIT_EQUAL;
+			entry->rule.values[i] = -1;
+		} else {
+			entry->rule.fields[i] = rulex->fields[i];
+			entry->rule.values[i] = rvalue;
+
+			if (entry->rule.fields[i] & AUDIT_NEGATE) {
+				entry->rule.fields[i] &= ~AUDIT_NEGATE;
+				entry->rule.fields[i] |= AUDIT_NOT_EQUAL;
+			} else if ((entry->rule.fields[i] &
+				    AUDIT_OPERATORS) == 0)
+				entry->rule.fields[i] |= AUDIT_EQUAL;
+		}
 	}
+	return entry;
+
+exit_err:
+	kfree(tmp);
+	kfree(entry);
+	return ERR_PTR(ret);
+}
+
+/* Copy rule into user-space compatible struct */
+static struct audit_rule_xprt *audit_rule_out(struct audit_krule *rule)
+{
+	int i, len;
+	int pathlen = 0;
+	int watched = 0; /* flag rules with attached watches */
+	struct audit_rule_xprt *rulex;
+	void *buf;
+
+	if (rule->watch) {
+		pathlen = strlen(rule->watch->path) + 1;
+		watched = 1;
+	}
+
+	len = sizeof(struct audit_rule_xprt) + pathlen;
+	rulex = kmalloc(len, GFP_KERNEL);
+	if (!rulex)
+		return ERR_PTR(-ENOMEM);
+	memset(rulex, 0, len);
+
+	rulex->flags 	   = rule->flags;
+	rulex->action 	   = rule->action;
+	rulex->field_count = rule->field_count;
 
 	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
-		if (a->mask[i] != b->mask[i])
-			return 1;
+		rulex->mask[i] = rule->mask[i];
 
-	return 0;
+	buf = rulex->buf;
+	for (i = 0; i < rule->field_count; i++) {
+		u32 field = rule->fields[i] & ~AUDIT_OPERATORS;
+		if (watched && field == AUDIT_INODE) {
+			memcpy(buf, rule->watch->path, pathlen);
+			rulex->buflen += pathlen;
+			buf = rulex->buf + rulex->buflen;
+
+			rulex->fields[i] = AUDIT_PATHNAME|AUDIT_EQUAL;
+			rulex->values[i] = pathlen;
+		} else {
+			rulex->fields[i] = rule->fields[i];
+			rulex->values[i] = rule->values[i];
+		}
+	}
+	return rulex;
 }
 
 /* Note that audit_add_rule and audit_del_rule are called via
  * audit_receive() in audit.c, and are protected by
  * audit_netlink_sem. */
-static inline int audit_add_rule(struct audit_rule *rule,
-				  struct list_head *list)
+static inline int audit_add_rule(void *data, int type)
 {
-	struct audit_entry  *entry;
-	int i;
+	int ret = 0;
+	struct audit_entry *e, *entry;
+	char *path = NULL;
+	unsigned listnr;
+	struct list_head *list;
 
-	/* Do not use the _rcu iterator here, since this is the only
-	 * addition routine. */
-	list_for_each_entry(entry, list, list) {
-		if (!audit_compare_rule(rule, &entry->rule)) {
-			return -EEXIST;
-		}
+	entry = audit_rule_in(data, &path, type);
+	if (IS_ERR(entry)) {
+		ret = PTR_ERR(entry);
+		goto out;
 	}
 
-	for (i = 0; i < rule->field_count; i++) {
-		if (rule->fields[i] & AUDIT_UNUSED_BITS)
-			return -EINVAL;
-		if ( rule->fields[i] & AUDIT_NEGATE )
-			rule->fields[i] |= AUDIT_NOT_EQUAL;
-		else if ( (rule->fields[i] & AUDIT_OPERATORS) == 0 )
-			rule->fields[i] |= AUDIT_EQUAL;
-		rule->fields[i] &= (~AUDIT_NEGATE);
+	if (path && (ret = audit_add_watch(&entry->rule, path))) {
+		kfree(path);
+		kfree(entry);
+		goto out;
 	}
 
-	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
-		return -ENOMEM;
-	if (audit_copy_rule(&entry->rule, rule)) {
-		kfree(entry);
-		return -EINVAL;
+	listnr = entry->rule.flags & ~AUDIT_FILTER_PREPEND;
+	list = &audit_filter_list[listnr];
+
+	/* Do not use the _rcu iterator here, since this is the only
+	 * addition routine. */
+	if (!path) {
+		list_for_each_entry(e, list, list) {
+			if (!audit_compare_rule(&entry->rule, &e->rule, 0)) {
+				ret = -EEXIST;
+				kfree(entry);
+				goto out;
+			}
+		}
 	}
 
 	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
@@ -302,56 +517,91 @@ static inline int audit_add_rule(struct 
 		list_add_tail_rcu(&entry->list, list);
 	}
 
-	return 0;
-}
-
-static inline void audit_free_rule(struct rcu_head *head)
-{
-	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
-	kfree(e);
+out:
+	return ret;
 }
 
 /* Note that audit_add_rule and audit_del_rule are called via
  * audit_receive() in audit.c, and are protected by
  * audit_netlink_sem. */
-static inline int audit_del_rule(struct audit_rule *rule,
-				 struct list_head *list)
+static inline int audit_del_rule(void *data, int type)
 {
-	struct audit_entry  *e;
+	int ret = 0;
+	struct audit_entry *e, *entry;
+	char *path = NULL;
+	struct list_head *list;
+	unsigned listnr;
+
+	entry = audit_rule_in(data, &path, type);
+	if (IS_ERR(entry)) {
+		ret = PTR_ERR(entry);
+		goto out;
+	}
+
+	listnr = entry->rule.flags & ~AUDIT_FILTER_PREPEND;
+	list = &audit_filter_list[listnr];
 
 	/* Do not use the _rcu iterator here, since this is the only
 	 * deletion routine. */
 	list_for_each_entry(e, list, list) {
-		if (!audit_compare_rule(rule, &e->rule)) {
+		unsigned skip_ino = 0;
+
+		if (path) {
+			if (!e->rule.watch || 
+			    strcmp(path, e->rule.watch->path))
+				continue;
+			skip_ino = 1; /* watch paths match */
+		} else if (e->rule.watch)
+			continue;
+
+		if (!audit_compare_rule(&entry->rule, &e->rule, skip_ino)) {
+			if (path)
+				audit_remove_watch(&e->rule);
 			list_del_rcu(&e->list);
-			call_rcu(&e->rcu, audit_free_rule);
-			return 0;
+			call_rcu(&e->rcu, audit_destroy_rule);
+			kfree(path);
+			kfree(entry);
+			goto out;
 		}
 	}
-	return -ENOENT;		/* No matching rule */
+	ret = -ENOENT;		/* No matching rule */
+out:
+	return ret;
 }
 
-static int audit_list_rules(void *_dest)
+static int audit_list_rules(void *_args)
 {
-	int pid, seq;
-	int *dest = _dest;
+	int pid, seq, type;
+	int *args = _args;
 	struct audit_entry *entry;
 	int i;
 
-	pid = dest[0];
-	seq = dest[1];
-	kfree(dest);
+	pid = args[0];
+	seq = args[1];
+	type = args[2];
+	kfree(args);
 
 	down(&audit_netlink_sem);
 
 	/* The *_rcu iterators not needed here because we are
 	   always called with audit_netlink_sem held. */
 	for (i=0; i<AUDIT_NR_FILTERS; i++) {
-		list_for_each_entry(entry, &audit_filter_list[i], list)
-			audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
-					 &entry->rule, sizeof(entry->rule));
+		list_for_each_entry(entry, &audit_filter_list[i], list) {
+			struct audit_rule_xprt *rule;
+			int len;
+
+			rule = audit_rule_out(&entry->rule);
+			if (type == AUDIT_LIST)
+				len = sizeof(struct audit_rule);
+			else
+				len = sizeof(struct audit_rule_xprt) +
+					rule->buflen;
+			audit_send_reply(pid, seq, type, 0, 1, rule, len);
+
+			kfree(rule);
+		}
 	}
-	audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
+	audit_send_reply(pid, seq, type, 1, 1, NULL, 0);
 	
 	up(&audit_netlink_sem);
 	return 0;
@@ -370,46 +620,42 @@ int audit_receive_filter(int type, int p
 							uid_t loginuid)
 {
 	struct task_struct *tsk;
-	int *dest;
-	int		   err = 0;
-	unsigned listnr;
+	int *args;
+	int err = 0;
 
 	switch (type) {
 	case AUDIT_LIST:
+	case AUDIT_LIST_RULES:
 		/* We can't just spew out the rules here because we might fill
 		 * the available socket buffer space and deadlock waiting for
 		 * auditctl to read from it... which isn't ever going to
 		 * happen if we're actually running in the context of auditctl
 		 * trying to _send_ the stuff */
-		 
-		dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
-		if (!dest)
+
+		args = kmalloc(3 * sizeof(int), GFP_KERNEL);
+		if (!args)
 			return -ENOMEM;
-		dest[0] = pid;
-		dest[1] = seq;
+		args[0] = pid;
+		args[1] = seq;
+		args[2] = type;
+
+		tsk = kthread_run(audit_list_rules, args, "audit_list_rules");
 
-		tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
 		if (IS_ERR(tsk)) {
-			kfree(dest);
+			kfree(args);
 			err = PTR_ERR(tsk);
 		}
 		break;
 	case AUDIT_ADD:
-		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
-		if (listnr >= AUDIT_NR_FILTERS)
-			return -EINVAL;
-
-		err = audit_add_rule(data, &audit_filter_list[listnr]);
+	case AUDIT_ADD_RULE:
+		err = audit_add_rule(data, type);
 		if (!err)
 			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
 				  "auid=%u added an audit rule\n", loginuid);
 		break;
 	case AUDIT_DEL:
-		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
-		if (listnr >= AUDIT_NR_FILTERS)
-			return -EINVAL;
-
-		err = audit_del_rule(data, &audit_filter_list[listnr]);
+	case AUDIT_DEL_RULE:
+		err = audit_del_rule(data, type);
 		if (!err)
 			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
 				  "auid=%u removed an audit rule\n", loginuid);
@@ -444,7 +690,7 @@ static int audit_comparator(const u32 le
 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
  * otherwise. */
 static int audit_filter_rules(struct task_struct *tsk,
-			      struct audit_rule *rule,
+			      struct audit_krule *rule,
 			      struct audit_context *ctx,
 			      enum audit_state *state)
 {
@@ -525,9 +771,9 @@ static int audit_filter_rules(struct tas
 			}
 			break;
 		case AUDIT_INODE:
-			if (ctx) {
+			if (ctx && value != (unsigned int)-1) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (audit_comparator(ctx->names[j].pino, op, value) ||
+					if (audit_comparator(ctx->names[j].ino, op, value) ||
 					    audit_comparator(ctx->names[j].pino, op, value)) {
 						++result;
 						break;
@@ -602,7 +848,8 @@ static enum audit_state audit_filter_sys
 
 		list_for_each_entry_rcu(e, list, list) {
 			if ((e->rule.mask[word] & bit) == bit
-					&& audit_filter_rules(tsk, &e->rule, ctx, &state)) {
+					&& audit_filter_rules(tsk, &e->rule, 
+							      ctx, &state)) {
 				rcu_read_unlock();
 				return state;
 			}
@@ -613,7 +860,7 @@ static enum audit_state audit_filter_sys
 }
 
 static int audit_filter_user_rules(struct netlink_skb_parms *cb,
-				   struct audit_rule *rule,
+				   struct audit_krule *rule,
 				   enum audit_state *state)
 {
 	int i;
@@ -680,7 +927,7 @@ int audit_filter_exclude(int type)
 
 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXCLUDE],
 				list) {
-		struct audit_rule *rule = &e->rule;
+		struct audit_krule *rule = &e->rule;
 		int i;
 		for (i = 0; i < rule->field_count; i++) {
 			u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]