author | Eric Paris <eparis@redhat.com> | 2009-12-17 20:12:04 -0500 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2010-07-28 09:58:16 -0400 |
commit | ae7b8f4108bcffb42173f867ce845268c7202d48 (patch) | |
tree | 049d357dcbffe597c77c534ea211c3efd26680e3 /kernel/auditfilter.c | |
parent | b7ba83715317007962ee318587de92f14e9c3aaa (diff) |
Audit: clean up the audit_watch split
No real changes, just cleanup of the audit_watch split patch, which we did
with minimal code changes for easy review. Now fix the interfaces so that
things work better.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'kernel/auditfilter.c')
-rw-r--r-- | kernel/auditfilter.c | 41 |
1 files changed, 15 insertions, 26 deletions
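diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index ce08041f578..ac87577f36b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -71,6 +71,7 @@ static inline void audit_free_rule(struct audit_entry *e)
 {
 	int i;
 	struct audit_krule *erule = &e->rule;
+
 	/* some rules don't have associated watches */
 	if (erule->watch)
 		audit_put_watch(erule->watch);
@@ -746,8 +747,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df,
  * rule with the new rule in the filterlist, then free the old rule.
  * The rlist element is undefined; list manipulations are handled apart from
  * the initial copy. */
-struct audit_entry *audit_dupe_rule(struct audit_krule *old,
-				    struct audit_watch *watch)
+struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 {
 	u32 fcount = old->field_count;
 	struct audit_entry *entry;
@@ -769,8 +769,8 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old,
 	new->prio = old->prio;
 	new->buflen = old->buflen;
 	new->inode_f = old->inode_f;
-	new->watch = NULL;
 	new->field_count = old->field_count;
+
 	/*
 	 * note that we are OK with not refcounting here; audit_match_tree()
 	 * never dereferences tree and we can't get false positives there
@@ -811,9 +811,9 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old,
 		}
 	}
 
-	if (watch) {
-		audit_get_watch(watch);
-		new->watch = watch;
+	if (old->watch) {
+		audit_get_watch(old->watch);
+		new->watch = old->watch;
 	}
 
 	return entry;
@@ -866,7 +866,7 @@ static inline int audit_add_rule(struct audit_entry *entry)
 	struct audit_watch *watch = entry->rule.watch;
 	struct audit_tree *tree = entry->rule.tree;
 	struct list_head *list;
-	int h, err;
+	int err;
 #ifdef CONFIG_AUDITSYSCALL
 	int dont_count = 0;
 
@@ -889,15 +889,11 @@ static inline int audit_add_rule(struct audit_entry *entry)
 
 	if (watch) {
 		/* audit_filter_mutex is dropped and re-taken during this call */
-		err = audit_add_watch(&entry->rule);
+		err = audit_add_watch(&entry->rule, &list);
 		if (err) {
 			mutex_unlock(&audit_filter_mutex);
 			goto error;
 		}
-		/* entry->rule.watch may have changed during audit_add_watch() */
-		watch = entry->rule.watch;
-		h = audit_hash_ino((u32)audit_watch_inode(watch));
-		list = &audit_inode_hash[h];
 	}
 	if (tree) {
 		err = audit_add_tree_rule(&entry->rule);
@@ -949,7 +945,7 @@ static inline int audit_del_rule(struct audit_entry *entry)
 	struct audit_watch *watch = entry->rule.watch;
 	struct audit_tree *tree = entry->rule.tree;
 	struct list_head *list;
-	LIST_HEAD(inotify_list);
+	LIST_HEAD(inotify_unregister_list);
 	int ret = 0;
 #ifdef CONFIG_AUDITSYSCALL
 	int dont_count = 0;
@@ -969,7 +965,7 @@ static inline int audit_del_rule(struct audit_entry *entry)
 	}
 
 	if (e->rule.watch)
-		audit_remove_watch_rule(&e->rule, &inotify_list);
+		audit_remove_watch_rule(&e->rule, &inotify_unregister_list);
 
 	if (e->rule.tree)
 		audit_remove_tree_rule(&e->rule);
@@ -987,8 +983,8 @@ static inline int audit_del_rule(struct audit_entry *entry)
 #endif
 	mutex_unlock(&audit_filter_mutex);
 
-	if (!list_empty(&inotify_list))
-		audit_inotify_unregister(&inotify_list);
+	if (!list_empty(&inotify_unregister_list))
+		audit_watch_inotify_unregister(&inotify_unregister_list);
 
 out:
 	if (watch)
@@ -1323,30 +1319,23 @@ static int update_lsm_rule(struct audit_krule *r)
 {
 	struct audit_entry *entry = container_of(r, struct audit_entry, rule);
 	struct audit_entry *nentry;
-	struct audit_watch *watch;
-	struct audit_tree *tree;
 	int err = 0;
 
 	if (!security_audit_rule_known(r))
 		return 0;
 
-	watch = r->watch;
-	tree = r->tree;
-	nentry = audit_dupe_rule(r, watch);
+	nentry = audit_dupe_rule(r);
 	if (IS_ERR(nentry)) {
 		/* save the first error encountered for the
 		 * return value */
 		err = PTR_ERR(nentry);
 		audit_panic("error updating LSM filters");
-		if (watch)
+		if (r->watch)
 			list_del(&r->rlist);
 		list_del_rcu(&entry->list);
 		list_del(&r->list);
 	} else {
-		if (watch) {
-			list_add(&nentry->rule.rlist, audit_watch_rules(watch));
-			list_del(&r->rlist);
-		} else if (tree)
+		if (r->watch || r->tree)
 			list_replace_init(&r->rlist, &nentry->rule.rlist);
 		list_replace_rcu(&entry->list, &nentry->list);
 		list_replace(&r->list, &nentry->rule.list);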
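Review bot: After the new `err = audit_add_watch(&entry->rule, &list);` call in audit_add_rule, the local `watch` captured at the top of the function (`struct audit_watch *watch = entry->rule.watch;`) is never resynchronised, whereas the removed lines did `watch = entry->rule.watch;` under a comment stating that the rule's watch may change during that call. If audit_add_watch() can still replace entry->rule.watch with an already-registered watch, any later use of the local in this function — for example a put on the error path after a failing audit_add_tree_rule() — would act on the stale temporary watch rather than the one the rule now holds; the rest of audit_add_rule, including its error label, lies outside the hunk, so this cannot be confirmed here. Either re-read the pointer after a successful call, `watch = entry->rule.watch;`, or add a comment on the call stating that audit_add_watch() now owns any swap and that the caller must not rely on `watch` afterwards. Separately, audit_dupe_rule drops `new->watch = NULL;`, which is only safe if the entry returned by the allocator is already zeroed — presumably audit_init_entry() does so, and a one-line comment there saying as much would make the dependency explicit.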