Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
audit_watch.c
Go to the documentation of this file.
1 /* audit_watch.c -- watching inodes
2  *
3  * Copyright 2003-2009 Red Hat, Inc.
4  * Copyright 2005 Hewlett-Packard Development Company, L.P.
5  * Copyright 2005 IBM Corporation
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20  */
21 
22 #include <linux/kernel.h>
23 #include <linux/audit.h>
24 #include <linux/kthread.h>
25 #include <linux/mutex.h>
26 #include <linux/fs.h>
27 #include <linux/fsnotify_backend.h>
28 #include <linux/namei.h>
29 #include <linux/netlink.h>
30 #include <linux/sched.h>
31 #include <linux/slab.h>
32 #include <linux/security.h>
33 #include "audit.h"
34 
35 /*
36  * Reference counting:
37  *
38  * audit_parent: lifetime is from audit_init_parent() to receipt of an FS_IGNORED
39  * event. Each audit_watch holds a reference to its associated parent.
40  *
41  * audit_watch: if added to lists, lifetime is from audit_init_watch() to
42  * audit_remove_watch(). Additionally, an audit_watch may exist
43  * temporarily to assist in searching existing filter data. Each
44  * audit_krule holds a reference to its associated watch.
45  */
46 
47 struct audit_watch {
48  atomic_t count; /* reference count */
49  dev_t dev; /* associated superblock device */
50  char *path; /* insertion path */
51  unsigned long ino; /* associated inode number */
52  struct audit_parent *parent; /* associated parent */
53  struct list_head wlist; /* entry in parent->watches list */
54  struct list_head rules; /* anchor for krule->rlist */
55 };
56 
57 struct audit_parent {
58  struct list_head watches; /* anchor for audit_watch->wlist */
59  struct fsnotify_mark mark; /* fsnotify mark on the inode */
60 };
61 
62 /* fsnotify handle. */
63 static struct fsnotify_group *audit_watch_group;
64 
65 /* fsnotify events we care about. */
66 #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
67  FS_MOVE_SELF | FS_EVENT_ON_CHILD)
68 
69 static void audit_free_parent(struct audit_parent *parent)
70 {
71  WARN_ON(!list_empty(&parent->watches));
72  kfree(parent);
73 }
74 
75 static void audit_watch_free_mark(struct fsnotify_mark *entry)
76 {
77  struct audit_parent *parent;
78 
79  parent = container_of(entry, struct audit_parent, mark);
80  audit_free_parent(parent);
81 }
82 
83 static void audit_get_parent(struct audit_parent *parent)
84 {
85  if (likely(parent))
86  fsnotify_get_mark(&parent->mark);
87 }
88 
89 static void audit_put_parent(struct audit_parent *parent)
90 {
91  if (likely(parent))
92  fsnotify_put_mark(&parent->mark);
93 }
94 
95 /*
96  * Find and return the audit_parent on the given inode. If found a reference
97  * is taken on this parent.
98  */
99 static inline struct audit_parent *audit_find_parent(struct inode *inode)
100 {
101  struct audit_parent *parent = NULL;
102  struct fsnotify_mark *entry;
103 
104  entry = fsnotify_find_inode_mark(audit_watch_group, inode);
105  if (entry)
106  parent = container_of(entry, struct audit_parent, mark);
107 
108  return parent;
109 }
110 
112 {
113  atomic_inc(&watch->count);
114 }
115 
117 {
118  if (atomic_dec_and_test(&watch->count)) {
119  WARN_ON(watch->parent);
120  WARN_ON(!list_empty(&watch->rules));
121  kfree(watch->path);
122  kfree(watch);
123  }
124 }
125 
126 static void audit_remove_watch(struct audit_watch *watch)
127 {
128  list_del(&watch->wlist);
129  audit_put_parent(watch->parent);
130  watch->parent = NULL;
131  audit_put_watch(watch); /* match initial get */
132 }
133 
135 {
136  return watch->path;
137 }
138 
139 int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev)
140 {
141  return (watch->ino != (unsigned long)-1) &&
142  (watch->ino == ino) &&
143  (watch->dev == dev);
144 }
145 
146 /* Initialize a parent watch entry. */
147 static struct audit_parent *audit_init_parent(struct path *path)
148 {
149  struct inode *inode = path->dentry->d_inode;
150  struct audit_parent *parent;
151  int ret;
152 
153  parent = kzalloc(sizeof(*parent), GFP_KERNEL);
154  if (unlikely(!parent))
155  return ERR_PTR(-ENOMEM);
156 
157  INIT_LIST_HEAD(&parent->watches);
158 
159  fsnotify_init_mark(&parent->mark, audit_watch_free_mark);
160  parent->mark.mask = AUDIT_FS_WATCH;
161  ret = fsnotify_add_mark(&parent->mark, audit_watch_group, inode, NULL, 0);
162  if (ret < 0) {
163  audit_free_parent(parent);
164  return ERR_PTR(ret);
165  }
166 
167  return parent;
168 }
169 
170 /* Initialize a watch entry. */
171 static struct audit_watch *audit_init_watch(char *path)
172 {
173  struct audit_watch *watch;
174 
175  watch = kzalloc(sizeof(*watch), GFP_KERNEL);
176  if (unlikely(!watch))
177  return ERR_PTR(-ENOMEM);
178 
179  INIT_LIST_HEAD(&watch->rules);
180  atomic_set(&watch->count, 1);
181  watch->path = path;
182  watch->dev = (dev_t)-1;
183  watch->ino = (unsigned long)-1;
184 
185  return watch;
186 }
187 
188 /* Translate a watch string to kernel respresentation. */
189 int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
190 {
191  struct audit_watch *watch;
192 
193  if (!audit_watch_group)
194  return -EOPNOTSUPP;
195 
196  if (path[0] != '/' || path[len-1] == '/' ||
197  krule->listnr != AUDIT_FILTER_EXIT ||
198  op != Audit_equal ||
199  krule->inode_f || krule->watch || krule->tree)
200  return -EINVAL;
201 
202  watch = audit_init_watch(path);
203  if (IS_ERR(watch))
204  return PTR_ERR(watch);
205 
206  audit_get_watch(watch);
207  krule->watch = watch;
208 
209  return 0;
210 }
211 
212 /* Duplicate the given audit watch. The new watch's rules list is initialized
213  * to an empty list and wlist is undefined. */
214 static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
215 {
216  char *path;
217  struct audit_watch *new;
218 
219  path = kstrdup(old->path, GFP_KERNEL);
220  if (unlikely(!path))
221  return ERR_PTR(-ENOMEM);
222 
223  new = audit_init_watch(path);
224  if (IS_ERR(new)) {
225  kfree(path);
226  goto out;
227  }
228 
229  new->dev = old->dev;
230  new->ino = old->ino;
231  audit_get_parent(old->parent);
232  new->parent = old->parent;
233 
234 out:
235  return new;
236 }
237 
238 static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
239 {
240  if (audit_enabled) {
241  struct audit_buffer *ab;
243  audit_log_format(ab, "auid=%u ses=%u op=",
244  from_kuid(&init_user_ns, audit_get_loginuid(current)),
245  audit_get_sessionid(current));
246  audit_log_string(ab, op);
247  audit_log_format(ab, " path=");
249  audit_log_key(ab, r->filterkey);
250  audit_log_format(ab, " list=%d res=1", r->listnr);
251  audit_log_end(ab);
252  }
253 }
254 
255 /* Update inode info in audit rules based on filesystem event. */
256 static void audit_update_watch(struct audit_parent *parent,
257  const char *dname, dev_t dev,
258  unsigned long ino, unsigned invalidating)
259 {
260  struct audit_watch *owatch, *nwatch, *nextw;
261  struct audit_krule *r, *nextr;
262  struct audit_entry *oentry, *nentry;
263 
264  mutex_lock(&audit_filter_mutex);
265  /* Run all of the watches on this parent looking for the one that
266  * matches the given dname */
267  list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
268  if (audit_compare_dname_path(dname, owatch->path,
270  continue;
271 
272  /* If the update involves invalidating rules, do the inode-based
273  * filtering now, so we don't omit records. */
274  if (invalidating && !audit_dummy_context())
275  audit_filter_inodes(current, current->audit_context);
276 
277  /* updating ino will likely change which audit_hash_list we
278  * are on so we need a new watch for the new list */
279  nwatch = audit_dupe_watch(owatch);
280  if (IS_ERR(nwatch)) {
281  mutex_unlock(&audit_filter_mutex);
282  audit_panic("error updating watch, skipping");
283  return;
284  }
285  nwatch->dev = dev;
286  nwatch->ino = ino;
287 
288  list_for_each_entry_safe(r, nextr, &owatch->rules, rlist) {
289 
290  oentry = container_of(r, struct audit_entry, rule);
291  list_del(&oentry->rule.rlist);
292  list_del_rcu(&oentry->list);
293 
294  nentry = audit_dupe_rule(&oentry->rule);
295  if (IS_ERR(nentry)) {
296  list_del(&oentry->rule.list);
297  audit_panic("error updating watch, removing");
298  } else {
299  int h = audit_hash_ino((u32)ino);
300 
301  /*
302  * nentry->rule.watch == oentry->rule.watch so
303  * we must drop that reference and set it to our
304  * new watch.
305  */
306  audit_put_watch(nentry->rule.watch);
307  audit_get_watch(nwatch);
308  nentry->rule.watch = nwatch;
309  list_add(&nentry->rule.rlist, &nwatch->rules);
310  list_add_rcu(&nentry->list, &audit_inode_hash[h]);
311  list_replace(&oentry->rule.list,
312  &nentry->rule.list);
313  }
314 
315  audit_watch_log_rule_change(r, owatch, "updated rules");
316 
317  call_rcu(&oentry->rcu, audit_free_rule_rcu);
318  }
319 
320  audit_remove_watch(owatch);
321  goto add_watch_to_parent; /* event applies to a single watch */
322  }
323  mutex_unlock(&audit_filter_mutex);
324  return;
325 
326 add_watch_to_parent:
327  list_add(&nwatch->wlist, &parent->watches);
328  mutex_unlock(&audit_filter_mutex);
329  return;
330 }
331 
332 /* Remove all watches & rules associated with a parent that is going away. */
333 static void audit_remove_parent_watches(struct audit_parent *parent)
334 {
335  struct audit_watch *w, *nextw;
336  struct audit_krule *r, *nextr;
337  struct audit_entry *e;
338 
339  mutex_lock(&audit_filter_mutex);
340  list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
341  list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
342  e = container_of(r, struct audit_entry, rule);
343  audit_watch_log_rule_change(r, w, "remove rule");
344  list_del(&r->rlist);
345  list_del(&r->list);
346  list_del_rcu(&e->list);
348  }
349  audit_remove_watch(w);
350  }
351  mutex_unlock(&audit_filter_mutex);
352 
353  fsnotify_destroy_mark(&parent->mark);
354 }
355 
356 /* Get path information necessary for adding watches. */
357 static int audit_get_nd(struct audit_watch *watch, struct path *parent)
358 {
359  struct dentry *d = kern_path_locked(watch->path, parent);
360  if (IS_ERR(d))
361  return PTR_ERR(d);
362  mutex_unlock(&parent->dentry->d_inode->i_mutex);
363  if (d->d_inode) {
364  /* update watch filter fields */
365  watch->dev = d->d_inode->i_sb->s_dev;
366  watch->ino = d->d_inode->i_ino;
367  }
368  dput(d);
369  return 0;
370 }
371 
372 /* Associate the given rule with an existing parent.
373  * Caller must hold audit_filter_mutex. */
374 static void audit_add_to_parent(struct audit_krule *krule,
375  struct audit_parent *parent)
376 {
377  struct audit_watch *w, *watch = krule->watch;
378  int watch_found = 0;
379 
380  BUG_ON(!mutex_is_locked(&audit_filter_mutex));
381 
382  list_for_each_entry(w, &parent->watches, wlist) {
383  if (strcmp(watch->path, w->path))
384  continue;
385 
386  watch_found = 1;
387 
388  /* put krule's and initial refs to temporary watch */
389  audit_put_watch(watch);
390  audit_put_watch(watch);
391 
392  audit_get_watch(w);
393  krule->watch = watch = w;
394  break;
395  }
396 
397  if (!watch_found) {
398  audit_get_parent(parent);
399  watch->parent = parent;
400 
401  list_add(&watch->wlist, &parent->watches);
402  }
403  list_add(&krule->rlist, &watch->rules);
404 }
405 
406 /* Find a matching watch entry, or add this one.
407  * Caller must hold audit_filter_mutex. */
408 int audit_add_watch(struct audit_krule *krule, struct list_head **list)
409 {
410  struct audit_watch *watch = krule->watch;
411  struct audit_parent *parent;
412  struct path parent_path;
413  int h, ret = 0;
414 
416 
417  /* Avoid calling path_lookup under audit_filter_mutex. */
418  ret = audit_get_nd(watch, &parent_path);
419 
420  /* caller expects mutex locked */
422 
423  if (ret)
424  return ret;
425 
426  /* either find an old parent or attach a new one */
427  parent = audit_find_parent(parent_path.dentry->d_inode);
428  if (!parent) {
429  parent = audit_init_parent(&parent_path);
430  if (IS_ERR(parent)) {
431  ret = PTR_ERR(parent);
432  goto error;
433  }
434  }
435 
436  audit_add_to_parent(krule, parent);
437 
438  /* match get in audit_find_parent or audit_init_parent */
439  audit_put_parent(parent);
440 
441  h = audit_hash_ino((u32)watch->ino);
442  *list = &audit_inode_hash[h];
443 error:
444  path_put(&parent_path);
445  return ret;
446 }
447 
449 {
450  struct audit_watch *watch = krule->watch;
451  struct audit_parent *parent = watch->parent;
452 
453  list_del(&krule->rlist);
454 
455  if (list_empty(&watch->rules)) {
456  audit_remove_watch(watch);
457 
458  if (list_empty(&parent->watches)) {
459  audit_get_parent(parent);
460  fsnotify_destroy_mark(&parent->mark);
461  audit_put_parent(parent);
462  }
463  }
464 }
465 
466 static bool audit_watch_should_send_event(struct fsnotify_group *group, struct inode *inode,
467  struct fsnotify_mark *inode_mark,
468  struct fsnotify_mark *vfsmount_mark,
469  __u32 mask, void *data, int data_type)
470 {
471  return true;
472 }
473 
474 /* Update watch data in audit rules based on fsnotify events. */
475 static int audit_watch_handle_event(struct fsnotify_group *group,
476  struct fsnotify_mark *inode_mark,
477  struct fsnotify_mark *vfsmount_mark,
478  struct fsnotify_event *event)
479 {
480  struct inode *inode;
481  __u32 mask = event->mask;
482  const char *dname = event->file_name;
483  struct audit_parent *parent;
484 
485  parent = container_of(inode_mark, struct audit_parent, mark);
486 
487  BUG_ON(group != audit_watch_group);
488 
489  switch (event->data_type) {
490  case (FSNOTIFY_EVENT_PATH):
491  inode = event->path.dentry->d_inode;
492  break;
493  case (FSNOTIFY_EVENT_INODE):
494  inode = event->inode;
495  break;
496  default:
497  BUG();
498  inode = NULL;
499  break;
500  };
501 
502  if (mask & (FS_CREATE|FS_MOVED_TO) && inode)
503  audit_update_watch(parent, dname, inode->i_sb->s_dev, inode->i_ino, 0);
504  else if (mask & (FS_DELETE|FS_MOVED_FROM))
505  audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
506  else if (mask & (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF))
507  audit_remove_parent_watches(parent);
508 
509  return 0;
510 }
511 
512 static const struct fsnotify_ops audit_watch_fsnotify_ops = {
513  .should_send_event = audit_watch_should_send_event,
514  .handle_event = audit_watch_handle_event,
515  .free_group_priv = NULL,
516  .freeing_mark = NULL,
517  .free_event_priv = NULL,
518 };
519 
520 static int __init audit_watch_init(void)
521 {
522  audit_watch_group = fsnotify_alloc_group(&audit_watch_fsnotify_ops);
523  if (IS_ERR(audit_watch_group)) {
524  audit_watch_group = NULL;
525  audit_panic("cannot create audit fsnotify group");
526  }
527  return 0;
528 }
529 device_initcall(audit_watch_init);