audit: validate comparison operations, store them in sane form

Don't store the field->op in the messy (and very inconvenient for e.g. audit_comparator()) form; translate to dense set of values and do full validation of userland-submitted value while we are at it. ->audit_init_rule() and ->audit_match_rule() get new values now; in-tree instances updated. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2008-12-16 05:59:26 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2009-01-04 15:14:42 -0500
commit: 5af75d8d58d0f9f7b7c0515b35786b22892d5f12 (patch)
tree: 65707c5309133a33140c39145ae91b7c1679a877 /kernel/auditfilter.c
parent: 36c4f1b18c8a7d0adb4085e7f531860b837bb6b0 (diff)
1 files changed, 65 insertions, 67 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index e6e3829cadd..fbf24d121d9 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -252,7 +252,8 @@ static inline int audit_to_inode(struct audit_krule *krule,
                                 struct audit_field *f)
 {
        if (krule->listnr != AUDIT_FILTER_EXIT ||
-            krule->watch || krule->inode_f || krule->tree)
+            krule->watch || krule->inode_f || krule->tree ||
+            (f->op != Audit_equal && f->op != Audit_not_equal))
                return -EINVAL;
        krule->inode_f = f;
@@ -270,7 +271,7 @@ static int audit_to_watch(struct audit_krule *krule, char *path, int len,
        if (path[0] != '/' || path[len-1] == '/' ||
            krule->listnr != AUDIT_FILTER_EXIT ||
-            op & ~AUDIT_EQUAL ||
+            op != Audit_equal ||
            krule->inode_f || krule->watch || krule->tree)
                return -EINVAL;
@@ -420,12 +421,32 @@ exit_err:
        return ERR_PTR(err);
 }
+static u32 audit_ops[] =
+{
+        [Audit_equal] = AUDIT_EQUAL,
+        [Audit_not_equal] = AUDIT_NOT_EQUAL,
+        [Audit_bitmask] = AUDIT_BIT_MASK,
+        [Audit_bittest] = AUDIT_BIT_TEST,
+        [Audit_lt] = AUDIT_LESS_THAN,
+        [Audit_gt] = AUDIT_GREATER_THAN,
+        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
+        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
+};
+static u32 audit_to_op(u32 op)
+{
+        u32 n;
+        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
+                ;
+        return n;
+}
 /* Translate struct audit_rule to kernel's rule respresentation.
 * Exists for backward compatibility with userspace. */
 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
 {
        struct audit_entry *entry;
-        struct audit_field *ino_f;
        int err = 0;
        int i;
@@ -435,12 +456,28 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
        for (i = 0; i < rule->field_count; i++) {
                struct audit_field *f = &entry->rule.fields[i];
+                u32 n;
+                n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
+                /* Support for legacy operators where
+                 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
+                if (n & AUDIT_NEGATE)
+                        f->op = Audit_not_equal;
+                else if (!n)
+                        f->op = Audit_equal;
+                else
+                        f->op = audit_to_op(n);
+                entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
-                f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
                f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
                f->val = rule->values[i];
                err = -EINVAL;
+                if (f->op == Audit_bad)
+                        goto exit_free;
                switch(f->type) {
                default:
                        goto exit_free;
@@ -462,11 +499,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_EXIT:
                case AUDIT_SUCCESS:
                        /* bit ops are only useful on syscall args */
-                        if (f->op == AUDIT_BIT_MASK ||
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
-                                                f->op == AUDIT_BIT_TEST) {
-                                err = -EINVAL;
                                goto exit_free;
-                        }
                        break;
                case AUDIT_ARG0:
                case AUDIT_ARG1:
@@ -475,11 +509,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                        break;
                /* arch is only allowed to be = or != */
                case AUDIT_ARCH:
-                        if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
+                        if (f->op != Audit_not_equal && f->op != Audit_equal)
-                                        && (f->op != AUDIT_NEGATE) && (f->op)) {
-                                err = -EINVAL;
                                goto exit_free;
-                        }
                        entry->rule.arch_f = f;
                        break;
                case AUDIT_PERM:
@@ -496,33 +527,10 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                                goto exit_free;
                        break;
                }
-                entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1;
-                /* Support for legacy operators where
-                 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
-                if (f->op & AUDIT_NEGATE)
-                        f->op = AUDIT_NOT_EQUAL;
-                else if (!f->op)
-                        f->op = AUDIT_EQUAL;
-                else if (f->op == AUDIT_OPERATORS) {
-                        err = -EINVAL;
-                        goto exit_free;
-                }
        }
-        ino_f = entry->rule.inode_f;
+        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
-        if (ino_f) {
+                entry->rule.inode_f = NULL;
-                switch(ino_f->op) {
-                case AUDIT_NOT_EQUAL:
-                        entry->rule.inode_f = NULL;
-                case AUDIT_EQUAL:
-                        break;
-                default:
-                        err = -EINVAL;
-                        goto exit_free;
-                }
-        }
 exit_nofree:
        return entry;
@@ -538,7 +546,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 {
        int err = 0;
        struct audit_entry *entry;
-        struct audit_field *ino_f;
        void *bufp;
        size_t remain = datasz - sizeof(struct audit_rule_data);
        int i;
@@ -554,11 +561,11 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                struct audit_field *f = &entry->rule.fields[i];
                err = -EINVAL;
-                if (!(data->fieldflags[i] & AUDIT_OPERATORS) ||
-                    data->fieldflags[i] & ~AUDIT_OPERATORS)
+                f->op = audit_to_op(data->fieldflags[i]);
+                if (f->op == Audit_bad)
                        goto exit_free;
-                f->op = data->fieldflags[i] & AUDIT_OPERATORS;
                f->type = data->fields[i];
                f->val = data->values[i];
                f->lsm_str = NULL;
@@ -670,18 +677,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                }
        }
-        ino_f = entry->rule.inode_f;
+        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
-        if (ino_f) {
+                entry->rule.inode_f = NULL;
-                switch(ino_f->op) {
-                case AUDIT_NOT_EQUAL:
-                        entry->rule.inode_f = NULL;
-                case AUDIT_EQUAL:
-                        break;
-                default:
-                        err = -EINVAL;
-                        goto exit_free;
-                }
-        }
 exit_nofree:
        return entry;
@@ -721,10 +718,10 @@ static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
                rule->fields[i] = krule->fields[i].type;
                if (krule->vers_ops == 1) {
-                        if (krule->fields[i].op & AUDIT_NOT_EQUAL)
+                        if (krule->fields[i].op == Audit_not_equal)
                                rule->fields[i] |= AUDIT_NEGATE;
                } else {
-                        rule->fields[i] |= krule->fields[i].op;
+                        rule->fields[i] |= audit_ops[krule->fields[i].op];
                }
        }
        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
@@ -752,7 +749,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
                struct audit_field *f = &krule->fields[i];
                data->fields[i] = f->type;
-                data->fieldflags[i] = f->op;
+                data->fieldflags[i] = audit_ops[f->op];
                switch(f->type) {
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
@@ -1626,28 +1623,29 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
        return err;
 }
-int audit_comparator(const u32 left, const u32 op, const u32 right)
+int audit_comparator(u32 left, u32 op, u32 right)
 {
        switch (op) {
-        case AUDIT_EQUAL:
+        case Audit_equal:
                return (left == right);
-        case AUDIT_NOT_EQUAL:
+        case Audit_not_equal:
                return (left != right);
-        case AUDIT_LESS_THAN:
+        case Audit_lt:
                return (left < right);
-        case AUDIT_LESS_THAN_OR_EQUAL:
+        case Audit_le:
                return (left <= right);
-        case AUDIT_GREATER_THAN:
+        case Audit_gt:
                return (left > right);
-        case AUDIT_GREATER_THAN_OR_EQUAL:
+        case Audit_ge:
                return (left >= right);
-        case AUDIT_BIT_MASK:
+        case Audit_bitmask:
                return (left & right);
-        case AUDIT_BIT_TEST:
+        case Audit_bittest:
                return ((left & right) == right);
+        default:
+                BUG();
+                return 0;
        }
-        BUG();
-        return 0;
 }
 /* Compare given dentry name with last component in given path,
author	Al Viro <viro@zeniv.linux.org.uk>	2008-12-16 05:59:26 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2009-01-04 15:14:42 -0500
commit	5af75d8d58d0f9f7b7c0515b35786b22892d5f12 (patch)
tree	65707c5309133a33140c39145ae91b7c1679a877 /kernel/auditfilter.c
parent	36c4f1b18c8a7d0adb4085e7f531860b837bb6b0 (diff)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e6e3829cadd..fbf24d121d9 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -252,7 +252,8 @@ static inline int audit_to_inode(struct audit_krule *krule,
252	struct audit_field *f)	252	struct audit_field *f)
253	{	253	{
254	if (krule->listnr != AUDIT_FILTER_EXIT \|\|	254	if (krule->listnr != AUDIT_FILTER_EXIT \|\|
255	krule->watch \|\| krule->inode_f \|\| krule->tree)	255	krule->watch \|\| krule->inode_f \|\| krule->tree \|\|
		256	(f->op != Audit_equal && f->op != Audit_not_equal))
256	return -EINVAL;	257	return -EINVAL;
257		258
258	krule->inode_f = f;	259	krule->inode_f = f;
@@ -270,7 +271,7 @@ static int audit_to_watch(struct audit_krule krule, char path, int len,
270		271
271	if (path[0] != '/' \|\| path[len-1] == '/' \|\|	272	if (path[0] != '/' \|\| path[len-1] == '/' \|\|
272	krule->listnr != AUDIT_FILTER_EXIT \|\|	273	krule->listnr != AUDIT_FILTER_EXIT \|\|
273	op & ~AUDIT_EQUAL \|\|	274	op != Audit_equal \|\|
274	krule->inode_f \|\| krule->watch \|\| krule->tree)	275	krule->inode_f \|\| krule->watch \|\| krule->tree)
275	return -EINVAL;	276	return -EINVAL;
276		277
@@ -420,12 +421,32 @@ exit_err:
420	return ERR_PTR(err);	421	return ERR_PTR(err);
421	}	422	}
422		423
		424	static u32 audit_ops[] =
		425	{
		426	[Audit_equal] = AUDIT_EQUAL,
		427	[Audit_not_equal] = AUDIT_NOT_EQUAL,
		428	[Audit_bitmask] = AUDIT_BIT_MASK,
		429	[Audit_bittest] = AUDIT_BIT_TEST,
		430	[Audit_lt] = AUDIT_LESS_THAN,
		431	[Audit_gt] = AUDIT_GREATER_THAN,
		432	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
		433	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
		434	};
		435
		436	static u32 audit_to_op(u32 op)
		437	{
		438	u32 n;
		439	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
		440	;
		441	return n;
		442	}
		443
		444
423	/* Translate struct audit_rule to kernel's rule respresentation.	445	/* Translate struct audit_rule to kernel's rule respresentation.
424	* Exists for backward compatibility with userspace. */	446	* Exists for backward compatibility with userspace. */
425	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)	447	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
426	{	448	{
427	struct audit_entry *entry;	449	struct audit_entry *entry;
428	struct audit_field *ino_f;
429	int err = 0;	450	int err = 0;
430	int i;	451	int i;
431		452
@@ -435,12 +456,28 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
435		456
436	for (i = 0; i < rule->field_count; i++) {	457	for (i = 0; i < rule->field_count; i++) {
437	struct audit_field *f = &entry->rule.fields[i];	458	struct audit_field *f = &entry->rule.fields[i];
		459	u32 n;
		460
		461	n = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
		462
		463	/* Support for legacy operators where
		464	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
		465	if (n & AUDIT_NEGATE)
		466	f->op = Audit_not_equal;
		467	else if (!n)
		468	f->op = Audit_equal;
		469	else
		470	f->op = audit_to_op(n);
		471
		472	entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
438		473
439	f->op = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
440	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);	474	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);
441	f->val = rule->values[i];	475	f->val = rule->values[i];
442		476
443	err = -EINVAL;	477	err = -EINVAL;
		478	if (f->op == Audit_bad)
		479	goto exit_free;
		480
444	switch(f->type) {	481	switch(f->type) {
445	default:	482	default:
446	goto exit_free;	483	goto exit_free;
@@ -462,11 +499,8 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
462	case AUDIT_EXIT:	499	case AUDIT_EXIT:
463	case AUDIT_SUCCESS:	500	case AUDIT_SUCCESS:
464	/* bit ops are only useful on syscall args */	501	/* bit ops are only useful on syscall args */
465	if (f->op == AUDIT_BIT_MASK \|\|	502	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
466	f->op == AUDIT_BIT_TEST) {
467	err = -EINVAL;
468	goto exit_free;	503	goto exit_free;
469	}
470	break;	504	break;
471	case AUDIT_ARG0:	505	case AUDIT_ARG0:
472	case AUDIT_ARG1:	506	case AUDIT_ARG1:
@@ -475,11 +509,8 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
475	break;	509	break;
476	/* arch is only allowed to be = or != */	510	/* arch is only allowed to be = or != */
477	case AUDIT_ARCH:	511	case AUDIT_ARCH:
478	if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)	512	if (f->op != Audit_not_equal && f->op != Audit_equal)
479	&& (f->op != AUDIT_NEGATE) && (f->op)) {
480	err = -EINVAL;
481	goto exit_free;	513	goto exit_free;
482	}
483	entry->rule.arch_f = f;	514	entry->rule.arch_f = f;
484	break;	515	break;
485	case AUDIT_PERM:	516	case AUDIT_PERM:
@@ -496,33 +527,10 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
496	goto exit_free;	527	goto exit_free;
497	break;	528	break;
498	}	529	}
499
500	entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1;
501
502	/* Support for legacy operators where
503	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
504	if (f->op & AUDIT_NEGATE)
505	f->op = AUDIT_NOT_EQUAL;
506	else if (!f->op)
507	f->op = AUDIT_EQUAL;
508	else if (f->op == AUDIT_OPERATORS) {
509	err = -EINVAL;
510	goto exit_free;
511	}
512	}	530	}
513		531
514	ino_f = entry->rule.inode_f;	532	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
515	if (ino_f) {	533	entry->rule.inode_f = NULL;
516	switch(ino_f->op) {
517	case AUDIT_NOT_EQUAL:
518	entry->rule.inode_f = NULL;
519	case AUDIT_EQUAL:
520	break;
521	default:
522	err = -EINVAL;
523	goto exit_free;
524	}
525	}
526		534
527	exit_nofree:	535	exit_nofree:
528	return entry;	536	return entry;
@@ -538,7 +546,6 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
538	{	546	{
539	int err = 0;	547	int err = 0;
540	struct audit_entry *entry;	548	struct audit_entry *entry;
541	struct audit_field *ino_f;
542	void *bufp;	549	void *bufp;
543	size_t remain = datasz - sizeof(struct audit_rule_data);	550	size_t remain = datasz - sizeof(struct audit_rule_data);
544	int i;	551	int i;
@@ -554,11 +561,11 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
554	struct audit_field *f = &entry->rule.fields[i];	561	struct audit_field *f = &entry->rule.fields[i];
555		562
556	err = -EINVAL;	563	err = -EINVAL;
557	if (!(data->fieldflags[i] & AUDIT_OPERATORS) \|\|	564
558	data->fieldflags[i] & ~AUDIT_OPERATORS)	565	f->op = audit_to_op(data->fieldflags[i]);
		566	if (f->op == Audit_bad)
559	goto exit_free;	567	goto exit_free;
560		568
561	f->op = data->fieldflags[i] & AUDIT_OPERATORS;
562	f->type = data->fields[i];	569	f->type = data->fields[i];
563	f->val = data->values[i];	570	f->val = data->values[i];
564	f->lsm_str = NULL;	571	f->lsm_str = NULL;
@@ -670,18 +677,8 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
670	}	677	}
671	}	678	}
672		679
673	ino_f = entry->rule.inode_f;	680	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
674	if (ino_f) {	681	entry->rule.inode_f = NULL;
675	switch(ino_f->op) {
676	case AUDIT_NOT_EQUAL:
677	entry->rule.inode_f = NULL;
678	case AUDIT_EQUAL:
679	break;
680	default:
681	err = -EINVAL;
682	goto exit_free;
683	}
684	}
685		682
686	exit_nofree:	683	exit_nofree:
687	return entry;	684	return entry;
@@ -721,10 +718,10 @@ static struct audit_rule audit_krule_to_rule(struct audit_krule krule)
721	rule->fields[i] = krule->fields[i].type;	718	rule->fields[i] = krule->fields[i].type;
722		719
723	if (krule->vers_ops == 1) {	720	if (krule->vers_ops == 1) {
724	if (krule->fields[i].op & AUDIT_NOT_EQUAL)	721	if (krule->fields[i].op == Audit_not_equal)
725	rule->fields[i] \|= AUDIT_NEGATE;	722	rule->fields[i] \|= AUDIT_NEGATE;
726	} else {	723	} else {
727	rule->fields[i] \|= krule->fields[i].op;	724	rule->fields[i] \|= audit_ops[krule->fields[i].op];
728	}	725	}
729	}	726	}
730	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];	727	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
@@ -752,7 +749,7 @@ static struct audit_rule_data audit_krule_to_data(struct audit_krule krule)
752	struct audit_field *f = &krule->fields[i];	749	struct audit_field *f = &krule->fields[i];
753		750
754	data->fields[i] = f->type;	751	data->fields[i] = f->type;
755	data->fieldflags[i] = f->op;	752	data->fieldflags[i] = audit_ops[f->op];
756	switch(f->type) {	753	switch(f->type) {
757	case AUDIT_SUBJ_USER:	754	case AUDIT_SUBJ_USER:
758	case AUDIT_SUBJ_ROLE:	755	case AUDIT_SUBJ_ROLE:
@@ -1626,28 +1623,29 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1626	return err;	1623	return err;
1627	}	1624	}
1628		1625
1629	int audit_comparator(const u32 left, const u32 op, const u32 right)	1626	int audit_comparator(u32 left, u32 op, u32 right)
1630	{	1627	{
1631	switch (op) {	1628	switch (op) {
1632	case AUDIT_EQUAL:	1629	case Audit_equal:
1633	return (left == right);	1630	return (left == right);
1634	case AUDIT_NOT_EQUAL:	1631	case Audit_not_equal:
1635	return (left != right);	1632	return (left != right);
1636	case AUDIT_LESS_THAN:	1633	case Audit_lt:
1637	return (left < right);	1634	return (left < right);
1638	case AUDIT_LESS_THAN_OR_EQUAL:	1635	case Audit_le:
1639	return (left <= right);	1636	return (left <= right);
1640	case AUDIT_GREATER_THAN:	1637	case Audit_gt:
1641	return (left > right);	1638	return (left > right);
1642	case AUDIT_GREATER_THAN_OR_EQUAL:	1639	case Audit_ge:
1643	return (left >= right);	1640	return (left >= right);
1644	case AUDIT_BIT_MASK:	1641	case Audit_bitmask:
1645	return (left & right);	1642	return (left & right);
1646	case AUDIT_BIT_TEST:	1643	case Audit_bittest:
1647	return ((left & right) == right);	1644	return ((left & right) == right);
		1645	default:
		1646	BUG();
		1647	return 0;
1648	}	1648	}
1649	BUG();
1650	return 0;
1651	}	1649	}
1652		1650
1653	/* Compare given dentry name with last component in given path,	1651	/* Compare given dentry name with last component in given path,