diff options
| author | Eric Paris <eparis@redhat.com> | 2013-04-18 19:16:36 -0400 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2013-04-30 15:31:28 -0400 |
| commit | 18900909163758baf2152c9102b1a0953f7f1c30 (patch) | |
| tree | 0b5c2920d599911c39c78f021da34f71c1ca021e /kernel | |
| parent | ab61d38ed8cf670946d12dc46b9198b521c790ea (diff) | |
audit: remove the old depricated kernel interface
We used to have an inflexible mechanism to add audit rules to the
kernel. It hasn't been used in a long time. Get rid of that stuff.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.c | 28 | ||||
| -rw-r--r-- | kernel/auditfilter.c | 160 |
2 files changed, 8 insertions, 180 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 132271448b89..274882d308d3 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -597,13 +597,14 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 597 | return -EPERM; | 597 | return -EPERM; |
| 598 | 598 | ||
| 599 | switch (msg_type) { | 599 | switch (msg_type) { |
| 600 | case AUDIT_GET: | ||
| 601 | case AUDIT_LIST: | 600 | case AUDIT_LIST: |
| 602 | case AUDIT_LIST_RULES: | ||
| 603 | case AUDIT_SET: | ||
| 604 | case AUDIT_ADD: | 601 | case AUDIT_ADD: |
| 605 | case AUDIT_ADD_RULE: | ||
| 606 | case AUDIT_DEL: | 602 | case AUDIT_DEL: |
| 603 | return -EOPNOTSUPP; | ||
| 604 | case AUDIT_GET: | ||
| 605 | case AUDIT_SET: | ||
| 606 | case AUDIT_LIST_RULES: | ||
| 607 | case AUDIT_ADD_RULE: | ||
| 607 | case AUDIT_DEL_RULE: | 608 | case AUDIT_DEL_RULE: |
| 608 | case AUDIT_SIGNAL_INFO: | 609 | case AUDIT_SIGNAL_INFO: |
| 609 | case AUDIT_TTY_GET: | 610 | case AUDIT_TTY_GET: |
| @@ -766,25 +767,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 766 | audit_log_end(ab); | 767 | audit_log_end(ab); |
| 767 | } | 768 | } |
| 768 | break; | 769 | break; |
| 769 | case AUDIT_ADD: | ||
| 770 | case AUDIT_DEL: | ||
| 771 | if (nlmsg_len(nlh) < sizeof(struct audit_rule)) | ||
| 772 | return -EINVAL; | ||
| 773 | if (audit_enabled == AUDIT_LOCKED) { | ||
| 774 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, | ||
| 775 | loginuid, sessionid, sid); | ||
| 776 | |||
| 777 | audit_log_format(ab, " audit_enabled=%d res=0", | ||
| 778 | audit_enabled); | ||
| 779 | audit_log_end(ab); | ||
| 780 | return -EPERM; | ||
| 781 | } | ||
| 782 | /* fallthrough */ | ||
| 783 | case AUDIT_LIST: | ||
| 784 | err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid, | ||
| 785 | seq, data, nlmsg_len(nlh), | ||
| 786 | loginuid, sessionid, sid); | ||
| 787 | break; | ||
| 788 | case AUDIT_ADD_RULE: | 770 | case AUDIT_ADD_RULE: |
| 789 | case AUDIT_DEL_RULE: | 771 | case AUDIT_DEL_RULE: |
| 790 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) | 772 | if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index ff6e09d89278..ee9af6533327 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -386,89 +386,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) | |||
| 386 | return 0; | 386 | return 0; |
| 387 | } | 387 | } |
| 388 | 388 | ||
| 389 | /* Translate struct audit_rule to kernel's rule respresentation. | ||
| 390 | * Exists for backward compatibility with userspace. */ | ||
| 391 | static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | ||
| 392 | { | ||
| 393 | struct audit_entry *entry; | ||
| 394 | int err = 0; | ||
| 395 | int i; | ||
| 396 | |||
| 397 | entry = audit_to_entry_common(rule); | ||
| 398 | if (IS_ERR(entry)) | ||
| 399 | goto exit_nofree; | ||
| 400 | |||
| 401 | for (i = 0; i < rule->field_count; i++) { | ||
| 402 | struct audit_field *f = &entry->rule.fields[i]; | ||
| 403 | u32 n; | ||
| 404 | |||
| 405 | n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS); | ||
| 406 | |||
| 407 | /* Support for legacy operators where | ||
| 408 | * AUDIT_NEGATE bit signifies != and otherwise assumes == */ | ||
| 409 | if (n & AUDIT_NEGATE) | ||
| 410 | f->op = Audit_not_equal; | ||
| 411 | else if (!n) | ||
| 412 | f->op = Audit_equal; | ||
| 413 | else | ||
| 414 | f->op = audit_to_op(n); | ||
| 415 | |||
| 416 | entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1; | ||
| 417 | |||
| 418 | f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS); | ||
| 419 | f->val = rule->values[i]; | ||
| 420 | f->uid = INVALID_UID; | ||
| 421 | f->gid = INVALID_GID; | ||
| 422 | |||
| 423 | err = -EINVAL; | ||
| 424 | if (f->op == Audit_bad) | ||
| 425 | goto exit_free; | ||
| 426 | |||
| 427 | err = audit_field_valid(entry, f); | ||
| 428 | if (err) | ||
| 429 | goto exit_free; | ||
| 430 | |||
| 431 | err = -EINVAL; | ||
| 432 | switch (f->type) { | ||
| 433 | case AUDIT_UID: | ||
| 434 | case AUDIT_EUID: | ||
| 435 | case AUDIT_SUID: | ||
| 436 | case AUDIT_FSUID: | ||
| 437 | case AUDIT_LOGINUID: | ||
| 438 | f->uid = make_kuid(current_user_ns(), f->val); | ||
| 439 | if (!uid_valid(f->uid)) | ||
| 440 | goto exit_free; | ||
| 441 | break; | ||
| 442 | case AUDIT_GID: | ||
| 443 | case AUDIT_EGID: | ||
| 444 | case AUDIT_SGID: | ||
| 445 | case AUDIT_FSGID: | ||
| 446 | f->gid = make_kgid(current_user_ns(), f->val); | ||
| 447 | if (!gid_valid(f->gid)) | ||
| 448 | goto exit_free; | ||
| 449 | break; | ||
| 450 | case AUDIT_ARCH: | ||
| 451 | entry->rule.arch_f = f; | ||
| 452 | break; | ||
| 453 | case AUDIT_INODE: | ||
| 454 | err = audit_to_inode(&entry->rule, f); | ||
| 455 | if (err) | ||
| 456 | goto exit_free; | ||
| 457 | break; | ||
| 458 | } | ||
| 459 | } | ||
| 460 | |||
| 461 | if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) | ||
| 462 | entry->rule.inode_f = NULL; | ||
| 463 | |||
| 464 | exit_nofree: | ||
| 465 | return entry; | ||
| 466 | |||
| 467 | exit_free: | ||
| 468 | audit_free_rule(entry); | ||
| 469 | return ERR_PTR(err); | ||
| 470 | } | ||
| 471 | |||
| 472 | /* Translate struct audit_rule_data to kernel's rule respresentation. */ | 389 | /* Translate struct audit_rule_data to kernel's rule respresentation. */ |
| 473 | static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | 390 | static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, |
| 474 | size_t datasz) | 391 | size_t datasz) |
| @@ -622,36 +539,6 @@ static inline size_t audit_pack_string(void **bufp, const char *str) | |||
| 622 | return len; | 539 | return len; |
| 623 | } | 540 | } |
| 624 | 541 | ||
| 625 | /* Translate kernel rule respresentation to struct audit_rule. | ||
| 626 | * Exists for backward compatibility with userspace. */ | ||
| 627 | static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule) | ||
| 628 | { | ||
| 629 | struct audit_rule *rule; | ||
| 630 | int i; | ||
| 631 | |||
| 632 | rule = kzalloc(sizeof(*rule), GFP_KERNEL); | ||
| 633 | if (unlikely(!rule)) | ||
| 634 | return NULL; | ||
| 635 | |||
| 636 | rule->flags = krule->flags | krule->listnr; | ||
| 637 | rule->action = krule->action; | ||
| 638 | rule->field_count = krule->field_count; | ||
| 639 | for (i = 0; i < rule->field_count; i++) { | ||
| 640 | rule->values[i] = krule->fields[i].val; | ||
| 641 | rule->fields[i] = krule->fields[i].type; | ||
| 642 | |||
| 643 | if (krule->vers_ops == 1) { | ||
| 644 | if (krule->fields[i].op == Audit_not_equal) | ||
| 645 | rule->fields[i] |= AUDIT_NEGATE; | ||
| 646 | } else { | ||
| 647 | rule->fields[i] |= audit_ops[krule->fields[i].op]; | ||
| 648 | } | ||
| 649 | } | ||
| 650 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i]; | ||
| 651 | |||
| 652 | return rule; | ||
| 653 | } | ||
| 654 | |||
| 655 | /* Translate kernel rule respresentation to struct audit_rule_data. */ | 542 | /* Translate kernel rule respresentation to struct audit_rule_data. */ |
| 656 | static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) | 543 | static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) |
| 657 | { | 544 | { |
| @@ -1064,35 +951,6 @@ out: | |||
| 1064 | return ret; | 951 | return ret; |
| 1065 | } | 952 | } |
| 1066 | 953 | ||
| 1067 | /* List rules using struct audit_rule. Exists for backward | ||
| 1068 | * compatibility with userspace. */ | ||
| 1069 | static void audit_list(int pid, int seq, struct sk_buff_head *q) | ||
| 1070 | { | ||
| 1071 | struct sk_buff *skb; | ||
| 1072 | struct audit_krule *r; | ||
| 1073 | int i; | ||
| 1074 | |||
| 1075 | /* This is a blocking read, so use audit_filter_mutex instead of rcu | ||
| 1076 | * iterator to sync with list writers. */ | ||
| 1077 | for (i=0; i<AUDIT_NR_FILTERS; i++) { | ||
| 1078 | list_for_each_entry(r, &audit_rules_list[i], list) { | ||
| 1079 | struct audit_rule *rule; | ||
| 1080 | |||
| 1081 | rule = audit_krule_to_rule(r); | ||
| 1082 | if (unlikely(!rule)) | ||
| 1083 | break; | ||
| 1084 | skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1, | ||
| 1085 | rule, sizeof(*rule)); | ||
| 1086 | if (skb) | ||
| 1087 | skb_queue_tail(q, skb); | ||
| 1088 | kfree(rule); | ||
| 1089 | } | ||
| 1090 | } | ||
| 1091 | skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); | ||
| 1092 | if (skb) | ||
| 1093 | skb_queue_tail(q, skb); | ||
| 1094 | } | ||
| 1095 | |||
| 1096 | /* List rules using struct audit_rule_data. */ | 954 | /* List rules using struct audit_rule_data. */ |
| 1097 | static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) | 955 | static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) |
| 1098 | { | 956 | { |
| @@ -1173,7 +1031,6 @@ int audit_receive_filter(int type, int pid, int seq, void *data, | |||
| 1173 | struct audit_entry *entry; | 1031 | struct audit_entry *entry; |
| 1174 | 1032 | ||
| 1175 | switch (type) { | 1033 | switch (type) { |
| 1176 | case AUDIT_LIST: | ||
| 1177 | case AUDIT_LIST_RULES: | 1034 | case AUDIT_LIST_RULES: |
| 1178 | /* We can't just spew out the rules here because we might fill | 1035 | /* We can't just spew out the rules here because we might fill |
| 1179 | * the available socket buffer space and deadlock waiting for | 1036 | * the available socket buffer space and deadlock waiting for |
| @@ -1188,10 +1045,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data, | |||
| 1188 | skb_queue_head_init(&dest->q); | 1045 | skb_queue_head_init(&dest->q); |
| 1189 | 1046 | ||
| 1190 | mutex_lock(&audit_filter_mutex); | 1047 | mutex_lock(&audit_filter_mutex); |
| 1191 | if (type == AUDIT_LIST) | 1048 | audit_list_rules(pid, seq, &dest->q); |
| 1192 | audit_list(pid, seq, &dest->q); | ||
| 1193 | else | ||
| 1194 | audit_list_rules(pid, seq, &dest->q); | ||
| 1195 | mutex_unlock(&audit_filter_mutex); | 1049 | mutex_unlock(&audit_filter_mutex); |
| 1196 | 1050 | ||
| 1197 | tsk = kthread_run(audit_send_list, dest, "audit_send_list"); | 1051 | tsk = kthread_run(audit_send_list, dest, "audit_send_list"); |
| @@ -1201,12 +1055,8 @@ int audit_receive_filter(int type, int pid, int seq, void *data, | |||
| 1201 | err = PTR_ERR(tsk); | 1055 | err = PTR_ERR(tsk); |
| 1202 | } | 1056 | } |
| 1203 | break; | 1057 | break; |
| 1204 | case AUDIT_ADD: | ||
| 1205 | case AUDIT_ADD_RULE: | 1058 | case AUDIT_ADD_RULE: |
| 1206 | if (type == AUDIT_ADD) | 1059 | entry = audit_data_to_entry(data, datasz); |
| 1207 | entry = audit_rule_to_entry(data); | ||
| 1208 | else | ||
| 1209 | entry = audit_data_to_entry(data, datasz); | ||
| 1210 | if (IS_ERR(entry)) | 1060 | if (IS_ERR(entry)) |
| 1211 | return PTR_ERR(entry); | 1061 | return PTR_ERR(entry); |
| 1212 | 1062 | ||
| @@ -1217,12 +1067,8 @@ int audit_receive_filter(int type, int pid, int seq, void *data, | |||
| 1217 | if (err) | 1067 | if (err) |
| 1218 | audit_free_rule(entry); | 1068 | audit_free_rule(entry); |
| 1219 | break; | 1069 | break; |
| 1220 | case AUDIT_DEL: | ||
| 1221 | case AUDIT_DEL_RULE: | 1070 | case AUDIT_DEL_RULE: |
| 1222 | if (type == AUDIT_DEL) | 1071 | entry = audit_data_to_entry(data, datasz); |
| 1223 | entry = audit_rule_to_entry(data); | ||
| 1224 | else | ||
| 1225 | entry = audit_data_to_entry(data, datasz); | ||
| 1226 | if (IS_ERR(entry)) | 1072 | if (IS_ERR(entry)) |
| 1227 | return PTR_ERR(entry); | 1073 | return PTR_ERR(entry); |
| 1228 | 1074 | ||