Commit | Line | Data |
---|---|---|
fe7752ba DW |
1 | /* auditfilter.c -- filtering of audit events |
2 | * | |
3 | * Copyright 2003-2004 Red Hat, Inc. | |
4 | * Copyright 2005 Hewlett-Packard Development Company, L.P. | |
5 | * Copyright 2005 IBM Corporation | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * along with this program; if not, write to the Free Software | |
19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
20 | */ | |
21 | ||
22 | #include <linux/kernel.h> | |
23 | #include <linux/audit.h> | |
24 | #include <linux/kthread.h> | |
25 | #include <linux/netlink.h> | |
26 | #include "audit.h" | |
27 | ||
28 | /* There are three lists of rules -- one to search at task creation | |
29 | * time, one to search at syscall entry time, and another to search at | |
30 | * syscall exit time. */ | |
31 | struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { | |
32 | LIST_HEAD_INIT(audit_filter_list[0]), | |
33 | LIST_HEAD_INIT(audit_filter_list[1]), | |
34 | LIST_HEAD_INIT(audit_filter_list[2]), | |
35 | LIST_HEAD_INIT(audit_filter_list[3]), | |
36 | LIST_HEAD_INIT(audit_filter_list[4]), | |
37 | LIST_HEAD_INIT(audit_filter_list[5]), | |
38 | #if AUDIT_NR_FILTERS != 6 | |
39 | #error Fix audit_filter_list initialiser | |
40 | #endif | |
41 | }; | |
42 | ||
93315ed6 | 43 | static inline void audit_free_rule(struct audit_entry *e) |
fe7752ba | 44 | { |
93315ed6 AG |
45 | kfree(e->rule.fields); |
46 | kfree(e); | |
47 | } | |
48 | ||
49 | static inline void audit_free_rule_rcu(struct rcu_head *head) | |
50 | { | |
51 | struct audit_entry *e = container_of(head, struct audit_entry, rcu); | |
52 | audit_free_rule(e); | |
53 | } | |
54 | ||
55 | /* Unpack a filter field's string representation from user-space | |
56 | * buffer. */ | |
57 | static __attribute__((unused)) char *audit_unpack_string(void **bufp, size_t *remain, size_t len) | |
58 | { | |
59 | char *str; | |
60 | ||
61 | if (!*bufp || (len == 0) || (len > *remain)) | |
62 | return ERR_PTR(-EINVAL); | |
63 | ||
64 | /* Of the currently implemented string fields, PATH_MAX | |
65 | * defines the longest valid length. | |
66 | */ | |
67 | if (len > PATH_MAX) | |
68 | return ERR_PTR(-ENAMETOOLONG); | |
69 | ||
70 | str = kmalloc(len + 1, GFP_KERNEL); | |
71 | if (unlikely(!str)) | |
72 | return ERR_PTR(-ENOMEM); | |
73 | ||
74 | memcpy(str, *bufp, len); | |
75 | str[len] = 0; | |
76 | *bufp += len; | |
77 | *remain -= len; | |
78 | ||
79 | return str; | |
80 | } | |
81 | ||
82 | /* Common user-space to kernel rule translation. */ | |
83 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | |
84 | { | |
85 | unsigned listnr; | |
86 | struct audit_entry *entry; | |
87 | struct audit_field *fields; | |
88 | int i, err; | |
89 | ||
90 | err = -EINVAL; | |
91 | listnr = rule->flags & ~AUDIT_FILTER_PREPEND; | |
92 | switch(listnr) { | |
93 | default: | |
94 | goto exit_err; | |
95 | case AUDIT_FILTER_USER: | |
96 | case AUDIT_FILTER_TYPE: | |
97 | #ifdef CONFIG_AUDITSYSCALL | |
98 | case AUDIT_FILTER_ENTRY: | |
99 | case AUDIT_FILTER_EXIT: | |
100 | case AUDIT_FILTER_TASK: | |
101 | #endif | |
102 | ; | |
103 | } | |
104 | if (rule->action != AUDIT_NEVER && rule->action != AUDIT_POSSIBLE && | |
105 | rule->action != AUDIT_ALWAYS) | |
106 | goto exit_err; | |
107 | if (rule->field_count > AUDIT_MAX_FIELDS) | |
108 | goto exit_err; | |
109 | ||
110 | err = -ENOMEM; | |
111 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | |
112 | if (unlikely(!entry)) | |
113 | goto exit_err; | |
114 | fields = kmalloc(sizeof(*fields) * rule->field_count, GFP_KERNEL); | |
115 | if (unlikely(!fields)) { | |
116 | kfree(entry); | |
117 | goto exit_err; | |
118 | } | |
119 | ||
120 | memset(&entry->rule, 0, sizeof(struct audit_krule)); | |
121 | memset(fields, 0, sizeof(struct audit_field)); | |
122 | ||
123 | entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; | |
124 | entry->rule.listnr = listnr; | |
125 | entry->rule.action = rule->action; | |
126 | entry->rule.field_count = rule->field_count; | |
127 | entry->rule.fields = fields; | |
128 | ||
129 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | |
130 | entry->rule.mask[i] = rule->mask[i]; | |
131 | ||
132 | return entry; | |
133 | ||
134 | exit_err: | |
135 | return ERR_PTR(err); | |
136 | } | |
137 | ||
138 | /* Translate struct audit_rule to kernel's rule respresentation. | |
139 | * Exists for backward compatibility with userspace. */ | |
140 | static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |
141 | { | |
142 | struct audit_entry *entry; | |
143 | int err = 0; | |
fe7752ba DW |
144 | int i; |
145 | ||
93315ed6 AG |
146 | entry = audit_to_entry_common(rule); |
147 | if (IS_ERR(entry)) | |
148 | goto exit_nofree; | |
149 | ||
150 | for (i = 0; i < rule->field_count; i++) { | |
151 | struct audit_field *f = &entry->rule.fields[i]; | |
152 | ||
153 | if (rule->fields[i] & AUDIT_UNUSED_BITS) { | |
154 | err = -EINVAL; | |
155 | goto exit_free; | |
156 | } | |
157 | ||
158 | f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); | |
159 | f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); | |
160 | f->val = rule->values[i]; | |
161 | ||
162 | entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1; | |
163 | if (f->op & AUDIT_NEGATE) | |
164 | f->op |= AUDIT_NOT_EQUAL; | |
165 | else if (!(f->op & AUDIT_OPERATORS)) | |
166 | f->op |= AUDIT_EQUAL; | |
167 | f->op &= ~AUDIT_NEGATE; | |
fe7752ba | 168 | } |
93315ed6 AG |
169 | |
170 | exit_nofree: | |
171 | return entry; | |
172 | ||
173 | exit_free: | |
174 | audit_free_rule(entry); | |
175 | return ERR_PTR(err); | |
fe7752ba DW |
176 | } |
177 | ||
93315ed6 AG |
178 | /* Translate struct audit_rule_data to kernel's rule respresentation. */ |
179 | static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |
180 | size_t datasz) | |
fe7752ba | 181 | { |
93315ed6 AG |
182 | int err = 0; |
183 | struct audit_entry *entry; | |
184 | void *bufp; | |
185 | /* size_t remain = datasz - sizeof(struct audit_rule_data); */ | |
fe7752ba DW |
186 | int i; |
187 | ||
93315ed6 AG |
188 | entry = audit_to_entry_common((struct audit_rule *)data); |
189 | if (IS_ERR(entry)) | |
190 | goto exit_nofree; | |
fe7752ba | 191 | |
93315ed6 AG |
192 | bufp = data->buf; |
193 | entry->rule.vers_ops = 2; | |
194 | for (i = 0; i < data->field_count; i++) { | |
195 | struct audit_field *f = &entry->rule.fields[i]; | |
196 | ||
197 | err = -EINVAL; | |
198 | if (!(data->fieldflags[i] & AUDIT_OPERATORS) || | |
199 | data->fieldflags[i] & ~AUDIT_OPERATORS) | |
200 | goto exit_free; | |
201 | ||
202 | f->op = data->fieldflags[i] & AUDIT_OPERATORS; | |
203 | f->type = data->fields[i]; | |
204 | switch(f->type) { | |
205 | /* call type-specific conversion routines here */ | |
206 | default: | |
207 | f->val = data->values[i]; | |
208 | } | |
209 | } | |
210 | ||
211 | exit_nofree: | |
212 | return entry; | |
213 | ||
214 | exit_free: | |
215 | audit_free_rule(entry); | |
216 | return ERR_PTR(err); | |
217 | } | |
218 | ||
219 | /* Pack a filter field's string representation into data block. */ | |
220 | static inline size_t audit_pack_string(void **bufp, char *str) | |
221 | { | |
222 | size_t len = strlen(str); | |
223 | ||
224 | memcpy(*bufp, str, len); | |
225 | *bufp += len; | |
226 | ||
227 | return len; | |
228 | } | |
229 | ||
230 | /* Translate kernel rule respresentation to struct audit_rule. | |
231 | * Exists for backward compatibility with userspace. */ | |
232 | static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) | |
233 | { | |
234 | struct audit_rule *rule; | |
235 | int i; | |
236 | ||
237 | rule = kmalloc(sizeof(*rule), GFP_KERNEL); | |
238 | if (unlikely(!rule)) | |
239 | return ERR_PTR(-ENOMEM); | |
240 | memset(rule, 0, sizeof(*rule)); | |
241 | ||
242 | rule->flags = krule->flags | krule->listnr; | |
243 | rule->action = krule->action; | |
244 | rule->field_count = krule->field_count; | |
245 | for (i = 0; i < rule->field_count; i++) { | |
246 | rule->values[i] = krule->fields[i].val; | |
247 | rule->fields[i] = krule->fields[i].type; | |
248 | ||
249 | if (krule->vers_ops == 1) { | |
250 | if (krule->fields[i].op & AUDIT_NOT_EQUAL) | |
251 | rule->fields[i] |= AUDIT_NEGATE; | |
252 | } else { | |
253 | rule->fields[i] |= krule->fields[i].op; | |
254 | } | |
255 | } | |
256 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; | |
257 | ||
258 | return rule; | |
259 | } | |
fe7752ba | 260 | |
93315ed6 AG |
261 | /* Translate kernel rule respresentation to struct audit_rule_data. */ |
262 | static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) | |
263 | { | |
264 | struct audit_rule_data *data; | |
265 | void *bufp; | |
266 | int i; | |
267 | ||
268 | data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL); | |
269 | if (unlikely(!data)) | |
270 | return ERR_PTR(-ENOMEM); | |
271 | memset(data, 0, sizeof(*data)); | |
272 | ||
273 | data->flags = krule->flags | krule->listnr; | |
274 | data->action = krule->action; | |
275 | data->field_count = krule->field_count; | |
276 | bufp = data->buf; | |
277 | for (i = 0; i < data->field_count; i++) { | |
278 | struct audit_field *f = &krule->fields[i]; | |
279 | ||
280 | data->fields[i] = f->type; | |
281 | data->fieldflags[i] = f->op; | |
282 | switch(f->type) { | |
283 | /* call type-specific conversion routines here */ | |
284 | default: | |
285 | data->values[i] = f->val; | |
286 | } | |
287 | } | |
288 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i]; | |
289 | ||
290 | return data; | |
291 | } | |
292 | ||
293 | /* Compare two rules in kernel format. Considered success if rules | |
294 | * don't match. */ | |
295 | static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) | |
296 | { | |
297 | int i; | |
298 | ||
299 | if (a->flags != b->flags || | |
300 | a->listnr != b->listnr || | |
301 | a->action != b->action || | |
302 | a->field_count != b->field_count) | |
fe7752ba DW |
303 | return 1; |
304 | ||
305 | for (i = 0; i < a->field_count; i++) { | |
93315ed6 AG |
306 | if (a->fields[i].type != b->fields[i].type || |
307 | a->fields[i].op != b->fields[i].op) | |
fe7752ba | 308 | return 1; |
93315ed6 AG |
309 | |
310 | switch(a->fields[i].type) { | |
311 | /* call type-specific comparison routines here */ | |
312 | default: | |
313 | if (a->fields[i].val != b->fields[i].val) | |
314 | return 1; | |
315 | } | |
fe7752ba DW |
316 | } |
317 | ||
318 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | |
319 | if (a->mask[i] != b->mask[i]) | |
320 | return 1; | |
321 | ||
322 | return 0; | |
323 | } | |
324 | ||
93315ed6 | 325 | /* Add rule to given filterlist if not a duplicate. Protected by |
fe7752ba | 326 | * audit_netlink_sem. */ |
93315ed6 | 327 | static inline int audit_add_rule(struct audit_entry *entry, |
fe7752ba DW |
328 | struct list_head *list) |
329 | { | |
93315ed6 | 330 | struct audit_entry *e; |
fe7752ba DW |
331 | |
332 | /* Do not use the _rcu iterator here, since this is the only | |
333 | * addition routine. */ | |
93315ed6 AG |
334 | list_for_each_entry(e, list, list) { |
335 | if (!audit_compare_rule(&entry->rule, &e->rule)) | |
fe7752ba | 336 | return -EEXIST; |
fe7752ba DW |
337 | } |
338 | ||
fe7752ba | 339 | if (entry->rule.flags & AUDIT_FILTER_PREPEND) { |
fe7752ba DW |
340 | list_add_rcu(&entry->list, list); |
341 | } else { | |
342 | list_add_tail_rcu(&entry->list, list); | |
343 | } | |
344 | ||
345 | return 0; | |
346 | } | |
347 | ||
93315ed6 | 348 | /* Remove an existing rule from filterlist. Protected by |
fe7752ba | 349 | * audit_netlink_sem. */ |
93315ed6 | 350 | static inline int audit_del_rule(struct audit_entry *entry, |
fe7752ba DW |
351 | struct list_head *list) |
352 | { | |
353 | struct audit_entry *e; | |
354 | ||
355 | /* Do not use the _rcu iterator here, since this is the only | |
356 | * deletion routine. */ | |
357 | list_for_each_entry(e, list, list) { | |
93315ed6 | 358 | if (!audit_compare_rule(&entry->rule, &e->rule)) { |
fe7752ba | 359 | list_del_rcu(&e->list); |
93315ed6 | 360 | call_rcu(&e->rcu, audit_free_rule_rcu); |
fe7752ba DW |
361 | return 0; |
362 | } | |
363 | } | |
364 | return -ENOENT; /* No matching rule */ | |
365 | } | |
366 | ||
93315ed6 AG |
367 | /* List rules using struct audit_rule. Exists for backward |
368 | * compatibility with userspace. */ | |
369 | static int audit_list(void *_dest) | |
fe7752ba DW |
370 | { |
371 | int pid, seq; | |
372 | int *dest = _dest; | |
373 | struct audit_entry *entry; | |
374 | int i; | |
375 | ||
376 | pid = dest[0]; | |
377 | seq = dest[1]; | |
378 | kfree(dest); | |
379 | ||
380 | down(&audit_netlink_sem); | |
381 | ||
382 | /* The *_rcu iterators not needed here because we are | |
383 | always called with audit_netlink_sem held. */ | |
384 | for (i=0; i<AUDIT_NR_FILTERS; i++) { | |
93315ed6 AG |
385 | list_for_each_entry(entry, &audit_filter_list[i], list) { |
386 | struct audit_rule *rule; | |
387 | ||
388 | rule = audit_krule_to_rule(&entry->rule); | |
389 | if (unlikely(!rule)) | |
390 | break; | |
fe7752ba | 391 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, |
93315ed6 AG |
392 | rule, sizeof(*rule)); |
393 | kfree(rule); | |
394 | } | |
fe7752ba DW |
395 | } |
396 | audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); | |
397 | ||
398 | up(&audit_netlink_sem); | |
399 | return 0; | |
400 | } | |
401 | ||
93315ed6 AG |
402 | /* List rules using struct audit_rule_data. */ |
403 | static int audit_list_rules(void *_dest) | |
404 | { | |
405 | int pid, seq; | |
406 | int *dest = _dest; | |
407 | struct audit_entry *e; | |
408 | int i; | |
409 | ||
410 | pid = dest[0]; | |
411 | seq = dest[1]; | |
412 | kfree(dest); | |
413 | ||
414 | down(&audit_netlink_sem); | |
415 | ||
416 | /* The *_rcu iterators not needed here because we are | |
417 | always called with audit_netlink_sem held. */ | |
418 | for (i=0; i<AUDIT_NR_FILTERS; i++) { | |
419 | list_for_each_entry(e, &audit_filter_list[i], list) { | |
420 | struct audit_rule_data *data; | |
421 | ||
422 | data = audit_krule_to_data(&e->rule); | |
423 | if (unlikely(!data)) | |
424 | break; | |
425 | audit_send_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, | |
426 | data, sizeof(*data)); | |
427 | kfree(data); | |
428 | } | |
429 | } | |
430 | audit_send_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); | |
431 | ||
432 | up(&audit_netlink_sem); | |
433 | return 0; | |
434 | } | |
435 | ||
fe7752ba DW |
436 | /** |
437 | * audit_receive_filter - apply all rules to the specified message type | |
438 | * @type: audit message type | |
439 | * @pid: target pid for netlink audit messages | |
440 | * @uid: target uid for netlink audit messages | |
441 | * @seq: netlink audit message sequence (serial) number | |
442 | * @data: payload data | |
93315ed6 | 443 | * @datasz: size of payload data |
fe7752ba DW |
444 | * @loginuid: loginuid of sender |
445 | */ | |
446 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | |
93315ed6 | 447 | size_t datasz, uid_t loginuid) |
fe7752ba DW |
448 | { |
449 | struct task_struct *tsk; | |
450 | int *dest; | |
93315ed6 AG |
451 | int err = 0; |
452 | struct audit_entry *entry; | |
fe7752ba DW |
453 | |
454 | switch (type) { | |
455 | case AUDIT_LIST: | |
93315ed6 | 456 | case AUDIT_LIST_RULES: |
fe7752ba DW |
457 | /* We can't just spew out the rules here because we might fill |
458 | * the available socket buffer space and deadlock waiting for | |
459 | * auditctl to read from it... which isn't ever going to | |
460 | * happen if we're actually running in the context of auditctl | |
461 | * trying to _send_ the stuff */ | |
462 | ||
463 | dest = kmalloc(2 * sizeof(int), GFP_KERNEL); | |
464 | if (!dest) | |
465 | return -ENOMEM; | |
466 | dest[0] = pid; | |
467 | dest[1] = seq; | |
468 | ||
93315ed6 AG |
469 | if (type == AUDIT_LIST) |
470 | tsk = kthread_run(audit_list, dest, "audit_list"); | |
471 | else | |
472 | tsk = kthread_run(audit_list_rules, dest, | |
473 | "audit_list_rules"); | |
fe7752ba DW |
474 | if (IS_ERR(tsk)) { |
475 | kfree(dest); | |
476 | err = PTR_ERR(tsk); | |
477 | } | |
478 | break; | |
479 | case AUDIT_ADD: | |
93315ed6 AG |
480 | case AUDIT_ADD_RULE: |
481 | if (type == AUDIT_ADD) | |
482 | entry = audit_rule_to_entry(data); | |
483 | else | |
484 | entry = audit_data_to_entry(data, datasz); | |
485 | if (IS_ERR(entry)) | |
486 | return PTR_ERR(entry); | |
487 | ||
488 | err = audit_add_rule(entry, | |
489 | &audit_filter_list[entry->rule.listnr]); | |
5d330108 AV |
490 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
491 | "auid=%u add rule to list=%d res=%d\n", | |
492 | loginuid, entry->rule.listnr, !err); | |
493 | ||
494 | if (err) | |
93315ed6 | 495 | audit_free_rule(entry); |
fe7752ba DW |
496 | break; |
497 | case AUDIT_DEL: | |
93315ed6 AG |
498 | case AUDIT_DEL_RULE: |
499 | if (type == AUDIT_DEL) | |
500 | entry = audit_rule_to_entry(data); | |
501 | else | |
502 | entry = audit_data_to_entry(data, datasz); | |
503 | if (IS_ERR(entry)) | |
504 | return PTR_ERR(entry); | |
505 | ||
506 | err = audit_del_rule(entry, | |
507 | &audit_filter_list[entry->rule.listnr]); | |
5d330108 AV |
508 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
509 | "auid=%u remove rule from list=%d res=%d\n", | |
510 | loginuid, entry->rule.listnr, !err); | |
511 | ||
93315ed6 | 512 | audit_free_rule(entry); |
fe7752ba DW |
513 | break; |
514 | default: | |
515 | return -EINVAL; | |
516 | } | |
517 | ||
518 | return err; | |
519 | } | |
520 | ||
521 | int audit_comparator(const u32 left, const u32 op, const u32 right) | |
522 | { | |
523 | switch (op) { | |
524 | case AUDIT_EQUAL: | |
525 | return (left == right); | |
526 | case AUDIT_NOT_EQUAL: | |
527 | return (left != right); | |
528 | case AUDIT_LESS_THAN: | |
529 | return (left < right); | |
530 | case AUDIT_LESS_THAN_OR_EQUAL: | |
531 | return (left <= right); | |
532 | case AUDIT_GREATER_THAN: | |
533 | return (left > right); | |
534 | case AUDIT_GREATER_THAN_OR_EQUAL: | |
535 | return (left >= right); | |
536 | default: | |
537 | return -EINVAL; | |
538 | } | |
539 | } | |
540 | ||
541 | ||
542 | ||
543 | static int audit_filter_user_rules(struct netlink_skb_parms *cb, | |
93315ed6 | 544 | struct audit_krule *rule, |
fe7752ba DW |
545 | enum audit_state *state) |
546 | { | |
547 | int i; | |
548 | ||
549 | for (i = 0; i < rule->field_count; i++) { | |
93315ed6 | 550 | struct audit_field *f = &rule->fields[i]; |
fe7752ba DW |
551 | int result = 0; |
552 | ||
93315ed6 | 553 | switch (f->type) { |
fe7752ba | 554 | case AUDIT_PID: |
93315ed6 | 555 | result = audit_comparator(cb->creds.pid, f->op, f->val); |
fe7752ba DW |
556 | break; |
557 | case AUDIT_UID: | |
93315ed6 | 558 | result = audit_comparator(cb->creds.uid, f->op, f->val); |
fe7752ba DW |
559 | break; |
560 | case AUDIT_GID: | |
93315ed6 | 561 | result = audit_comparator(cb->creds.gid, f->op, f->val); |
fe7752ba DW |
562 | break; |
563 | case AUDIT_LOGINUID: | |
93315ed6 | 564 | result = audit_comparator(cb->loginuid, f->op, f->val); |
fe7752ba DW |
565 | break; |
566 | } | |
567 | ||
568 | if (!result) | |
569 | return 0; | |
570 | } | |
571 | switch (rule->action) { | |
572 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; | |
573 | case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; | |
574 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; | |
575 | } | |
576 | return 1; | |
577 | } | |
578 | ||
579 | int audit_filter_user(struct netlink_skb_parms *cb, int type) | |
580 | { | |
581 | struct audit_entry *e; | |
582 | enum audit_state state; | |
583 | int ret = 1; | |
584 | ||
585 | rcu_read_lock(); | |
586 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { | |
587 | if (audit_filter_user_rules(cb, &e->rule, &state)) { | |
588 | if (state == AUDIT_DISABLED) | |
589 | ret = 0; | |
590 | break; | |
591 | } | |
592 | } | |
593 | rcu_read_unlock(); | |
594 | ||
595 | return ret; /* Audit by default */ | |
596 | } | |
597 | ||
598 | int audit_filter_type(int type) | |
599 | { | |
600 | struct audit_entry *e; | |
601 | int result = 0; | |
602 | ||
603 | rcu_read_lock(); | |
604 | if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE])) | |
605 | goto unlock_and_return; | |
606 | ||
607 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE], | |
608 | list) { | |
fe7752ba | 609 | int i; |
93315ed6 AG |
610 | for (i = 0; i < e->rule.field_count; i++) { |
611 | struct audit_field *f = &e->rule.fields[i]; | |
612 | if (f->type == AUDIT_MSGTYPE) { | |
613 | result = audit_comparator(type, f->op, f->val); | |
fe7752ba DW |
614 | if (!result) |
615 | break; | |
616 | } | |
617 | } | |
618 | if (result) | |
619 | goto unlock_and_return; | |
620 | } | |
621 | unlock_and_return: | |
622 | rcu_read_unlock(); | |
623 | return result; | |
624 | } |