5 files changed, 94 insertions, 84 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index cc71fdb56ae2..67e5dbfc2961 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -247,6 +247,18 @@
 #define AUDIT_GREATER_THAN_OR_EQUAL     (AUDIT_GREATER_THAN|AUDIT_EQUAL)
 #define AUDIT_OPERATORS                 (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
+enum {
+        Audit_equal,
+        Audit_not_equal,
+        Audit_bitmask,
+        Audit_bittest,
+        Audit_lt,
+        Audit_gt,
+        Audit_le,
+        Audit_ge,
+        Audit_bad
+};
 /* Status symbols */
                                /* Mask values */
 #define AUDIT_STATUS_ENABLED            0x0001
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 48bddad2a3dc..8ad9545b8db9 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -618,7 +618,7 @@ int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op)
        if (pathname[0] != '/' ||
            rule->listnr != AUDIT_FILTER_EXIT ||
-            op & ~AUDIT_EQUAL ||
+            op != Audit_equal ||
            rule->inode_f || rule->watch || rule->tree)
                return -EINVAL;
        rule->tree = alloc_tree(pathname);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index e6e3829cadd1..fbf24d121d97 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -252,7 +252,8 @@ static inline int audit_to_inode(struct audit_krule *krule,
                                 struct audit_field *f)
 {
        if (krule->listnr != AUDIT_FILTER_EXIT ||
-            krule->watch || krule->inode_f || krule->tree)
+            krule->watch || krule->inode_f || krule->tree ||
+            (f->op != Audit_equal && f->op != Audit_not_equal))
                return -EINVAL;
        krule->inode_f = f;
@@ -270,7 +271,7 @@ static int audit_to_watch(struct audit_krule *krule, char *path, int len,
        if (path[0] != '/' || path[len-1] == '/' ||
            krule->listnr != AUDIT_FILTER_EXIT ||
-            op & ~AUDIT_EQUAL ||
+            op != Audit_equal ||
            krule->inode_f || krule->watch || krule->tree)
                return -EINVAL;
@@ -420,12 +421,32 @@ exit_err:
        return ERR_PTR(err);
 }
+static u32 audit_ops[] =
+{
+        [Audit_equal] = AUDIT_EQUAL,
+        [Audit_not_equal] = AUDIT_NOT_EQUAL,
+        [Audit_bitmask] = AUDIT_BIT_MASK,
+        [Audit_bittest] = AUDIT_BIT_TEST,
+        [Audit_lt] = AUDIT_LESS_THAN,
+        [Audit_gt] = AUDIT_GREATER_THAN,
+        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
+        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
+};
+static u32 audit_to_op(u32 op)
+{
+        u32 n;
+        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
+                ;
+        return n;
+}
 /* Translate struct audit_rule to kernel's rule respresentation.
 * Exists for backward compatibility with userspace. */
 static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
 {
        struct audit_entry *entry;
-        struct audit_field *ino_f;
        int err = 0;
        int i;
@@ -435,12 +456,28 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
        for (i = 0; i < rule->field_count; i++) {
                struct audit_field *f = &entry->rule.fields[i];
+                u32 n;
+                n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
+                /* Support for legacy operators where
+                 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
+                if (n & AUDIT_NEGATE)
+                        f->op = Audit_not_equal;
+                else if (!n)
+                        f->op = Audit_equal;
+                else
+                        f->op = audit_to_op(n);
+                entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
-                f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
                f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
                f->val = rule->values[i];
                err = -EINVAL;
+                if (f->op == Audit_bad)
+                        goto exit_free;
                switch(f->type) {
                default:
                        goto exit_free;
@@ -462,11 +499,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_EXIT:
                case AUDIT_SUCCESS:
                        /* bit ops are only useful on syscall args */
-                        if (f->op == AUDIT_BIT_MASK ||
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
-                                                f->op == AUDIT_BIT_TEST) {
-                                err = -EINVAL;
                                goto exit_free;
-                        }
                        break;
                case AUDIT_ARG0:
                case AUDIT_ARG1:
@@ -475,11 +509,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                        break;
                /* arch is only allowed to be = or != */
                case AUDIT_ARCH:
-                        if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
+                        if (f->op != Audit_not_equal && f->op != Audit_equal)
-                                        && (f->op != AUDIT_NEGATE) && (f->op)) {
-                                err = -EINVAL;
                                goto exit_free;
-                        }
                        entry->rule.arch_f = f;
                        break;
                case AUDIT_PERM:
@@ -496,33 +527,10 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                                goto exit_free;
                        break;
                }
-                entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1;
-                /* Support for legacy operators where
-                 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
-                if (f->op & AUDIT_NEGATE)
-                        f->op = AUDIT_NOT_EQUAL;
-                else if (!f->op)
-                        f->op = AUDIT_EQUAL;
-                else if (f->op == AUDIT_OPERATORS) {
-                        err = -EINVAL;
-                        goto exit_free;
-                }
        }
-        ino_f = entry->rule.inode_f;
+        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
-        if (ino_f) {
+                entry->rule.inode_f = NULL;
-                switch(ino_f->op) {
-                case AUDIT_NOT_EQUAL:
-                        entry->rule.inode_f = NULL;
-                case AUDIT_EQUAL:
-                        break;
-                default:
-                        err = -EINVAL;
-                        goto exit_free;
-                }
-        }
 exit_nofree:
        return entry;
@@ -538,7 +546,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 {
        int err = 0;
        struct audit_entry *entry;
-        struct audit_field *ino_f;
        void *bufp;
        size_t remain = datasz - sizeof(struct audit_rule_data);
        int i;
@@ -554,11 +561,11 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                struct audit_field *f = &entry->rule.fields[i];
                err = -EINVAL;
-                if (!(data->fieldflags[i] & AUDIT_OPERATORS) ||
-                    data->fieldflags[i] & ~AUDIT_OPERATORS)
+                f->op = audit_to_op(data->fieldflags[i]);
+                if (f->op == Audit_bad)
                        goto exit_free;
-                f->op = data->fieldflags[i] & AUDIT_OPERATORS;
                f->type = data->fields[i];
                f->val = data->values[i];
                f->lsm_str = NULL;
@@ -670,18 +677,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                }
        }
-        ino_f = entry->rule.inode_f;
+        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
-        if (ino_f) {
+                entry->rule.inode_f = NULL;
-                switch(ino_f->op) {
-                case AUDIT_NOT_EQUAL:
-                        entry->rule.inode_f = NULL;
-                case AUDIT_EQUAL:
-                        break;
-                default:
-                        err = -EINVAL;
-                        goto exit_free;
-                }
-        }
 exit_nofree:
        return entry;
@@ -721,10 +718,10 @@ static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
                rule->fields[i] = krule->fields[i].type;
                if (krule->vers_ops == 1) {
-                        if (krule->fields[i].op & AUDIT_NOT_EQUAL)
+                        if (krule->fields[i].op == Audit_not_equal)
                                rule->fields[i] |= AUDIT_NEGATE;
                } else {
-                        rule->fields[i] |= krule->fields[i].op;
+                        rule->fields[i] |= audit_ops[krule->fields[i].op];
                }
        }
        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
@@ -752,7 +749,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
                struct audit_field *f = &krule->fields[i];
                data->fields[i] = f->type;
-                data->fieldflags[i] = f->op;
+                data->fieldflags[i] = audit_ops[f->op];
                switch(f->type) {
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
@@ -1626,28 +1623,29 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
        return err;
 }
-int audit_comparator(const u32 left, const u32 op, const u32 right)
+int audit_comparator(u32 left, u32 op, u32 right)
 {
        switch (op) {
-        case AUDIT_EQUAL:
+        case Audit_equal:
                return (left == right);
-        case AUDIT_NOT_EQUAL:
+        case Audit_not_equal:
                return (left != right);
-        case AUDIT_LESS_THAN:
+        case Audit_lt:
                return (left < right);
-        case AUDIT_LESS_THAN_OR_EQUAL:
+        case Audit_le:
                return (left <= right);
-        case AUDIT_GREATER_THAN:
+        case Audit_gt:
                return (left > right);
-        case AUDIT_GREATER_THAN_OR_EQUAL:
+        case Audit_ge:
                return (left >= right);
-        case AUDIT_BIT_MASK:
+        case Audit_bitmask:
                return (left & right);
-        case AUDIT_BIT_TEST:
+        case Audit_bittest:
                return ((left & right) == right);
+        default:
+                BUG();
+                return 0;
        }
-        BUG();
-        return 0;
 }
 /* Compare given dentry name with last component in given path,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 343c8ab14af0..c65e4fe4a0f1 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2602,7 +2602,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
        case AUDIT_OBJ_ROLE:
        case AUDIT_OBJ_TYPE:
                /* only 'equals' and 'not equals' fit user, role, and type */
-                if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+                if (op != Audit_equal && op != Audit_not_equal)
                        return -EINVAL;
                break;
        case AUDIT_SUBJ_SEN:
@@ -2736,10 +2736,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
        case AUDIT_SUBJ_USER:
        case AUDIT_OBJ_USER:
                switch (op) {
-                case AUDIT_EQUAL:
+                case Audit_equal:
                        match = (ctxt->user == rule->au_ctxt.user);
                        break;
-                case AUDIT_NOT_EQUAL:
+                case Audit_not_equal:
                        match = (ctxt->user != rule->au_ctxt.user);
                        break;
                }
@@ -2747,10 +2747,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
        case AUDIT_SUBJ_ROLE:
        case AUDIT_OBJ_ROLE:
                switch (op) {
-                case AUDIT_EQUAL:
+                case Audit_equal:
                        match = (ctxt->role == rule->au_ctxt.role);
                        break;
-                case AUDIT_NOT_EQUAL:
+                case Audit_not_equal:
                        match = (ctxt->role != rule->au_ctxt.role);
                        break;
                }
@@ -2758,10 +2758,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
        case AUDIT_SUBJ_TYPE:
        case AUDIT_OBJ_TYPE:
                switch (op) {
-                case AUDIT_EQUAL:
+                case Audit_equal:
                        match = (ctxt->type == rule->au_ctxt.type);
                        break;
-                case AUDIT_NOT_EQUAL:
+                case Audit_not_equal:
                        match = (ctxt->type != rule->au_ctxt.type);
                        break;
                }
@@ -2774,31 +2774,31 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
                          field == AUDIT_OBJ_LEV_LOW) ?
                         &ctxt->range.level[0] : &ctxt->range.level[1]);
                switch (op) {
-                case AUDIT_EQUAL:
+                case Audit_equal:
                        match = mls_level_eq(&rule->au_ctxt.range.level[0],
                                             level);
                        break;
-                case AUDIT_NOT_EQUAL:
+                case Audit_not_equal:
                        match = !mls_level_eq(&rule->au_ctxt.range.level[0],
                                              level);
                        break;
-                case AUDIT_LESS_THAN:
+                case Audit_lt:
                        match = (mls_level_dom(&rule->au_ctxt.range.level[0],
                                               level) &&
                                 !mls_level_eq(&rule->au_ctxt.range.level[0],
                                               level));
                        break;
-                case AUDIT_LESS_THAN_OR_EQUAL:
+                case Audit_le:
                        match = mls_level_dom(&rule->au_ctxt.range.level[0],
                                              level);
                        break;
-                case AUDIT_GREATER_THAN:
+                case Audit_gt:
                        match = (mls_level_dom(level,
                                              &rule->au_ctxt.range.level[0]) &&
                                 !mls_level_eq(level,
                                               &rule->au_ctxt.range.level[0]));
                        break;
-                case AUDIT_GREATER_THAN_OR_EQUAL:
+                case Audit_ge:
                        match = mls_level_dom(level,
                                              &rule->au_ctxt.range.level[0]);
                        break;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1b5551dfc1f7..848212fd4845 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2492,7 +2492,7 @@ static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
        if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
                return -EINVAL;
-        if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+        if (op != Audit_equal && op != Audit_not_equal)
                return -EINVAL;
        *rule = smk_import(rulestr, 0);
@@ -2556,9 +2556,9 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
         * both pointers will point to the same smack_known
         * label.
         */
-        if (op == AUDIT_EQUAL)
+        if (op == Audit_equal)
                return (rule == smack);
-        if (op == AUDIT_NOT_EQUAL)
+        if (op == Audit_not_equal)
                return (rule != smack);
        return 0;

diff --git a/include/linux/audit.h b/include/linux/audit.h index cc71fdb56ae2..67e5dbfc2961 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -247,6 +247,18 @@
247	#define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN\|AUDIT_EQUAL)	247	#define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN\|AUDIT_EQUAL)
248	#define AUDIT_OPERATORS (AUDIT_EQUAL\|AUDIT_NOT_EQUAL\|AUDIT_BIT_MASK)	248	#define AUDIT_OPERATORS (AUDIT_EQUAL\|AUDIT_NOT_EQUAL\|AUDIT_BIT_MASK)
249		249
		250	enum {
		251	Audit_equal,
		252	Audit_not_equal,
		253	Audit_bitmask,
		254	Audit_bittest,
		255	Audit_lt,
		256	Audit_gt,
		257	Audit_le,
		258	Audit_ge,
		259	Audit_bad
		260	};
		261
250	/* Status symbols */	262	/* Status symbols */
251	/* Mask values */	263	/* Mask values */
252	#define AUDIT_STATUS_ENABLED 0x0001	264	#define AUDIT_STATUS_ENABLED 0x0001


diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 48bddad2a3dc..8ad9545b8db9 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c
@@ -618,7 +618,7 @@ int audit_make_tree(struct audit_krule rule, char pathname, u32 op)
618		618
619	if (pathname[0] != '/' \|\|	619	if (pathname[0] != '/' \|\|
620	rule->listnr != AUDIT_FILTER_EXIT \|\|	620	rule->listnr != AUDIT_FILTER_EXIT \|\|
621	op & ~AUDIT_EQUAL \|\|	621	op != Audit_equal \|\|
622	rule->inode_f \|\| rule->watch \|\| rule->tree)	622	rule->inode_f \|\| rule->watch \|\| rule->tree)
623	return -EINVAL;	623	return -EINVAL;
624	rule->tree = alloc_tree(pathname);	624	rule->tree = alloc_tree(pathname);


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e6e3829cadd1..fbf24d121d97 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -252,7 +252,8 @@ static inline int audit_to_inode(struct audit_krule *krule,
252	struct audit_field *f)	252	struct audit_field *f)
253	{	253	{
254	if (krule->listnr != AUDIT_FILTER_EXIT \|\|	254	if (krule->listnr != AUDIT_FILTER_EXIT \|\|
255	krule->watch \|\| krule->inode_f \|\| krule->tree)	255	krule->watch \|\| krule->inode_f \|\| krule->tree \|\|
		256	(f->op != Audit_equal && f->op != Audit_not_equal))
256	return -EINVAL;	257	return -EINVAL;
257		258
258	krule->inode_f = f;	259	krule->inode_f = f;
@@ -270,7 +271,7 @@ static int audit_to_watch(struct audit_krule krule, char path, int len,
270		271
271	if (path[0] != '/' \|\| path[len-1] == '/' \|\|	272	if (path[0] != '/' \|\| path[len-1] == '/' \|\|
272	krule->listnr != AUDIT_FILTER_EXIT \|\|	273	krule->listnr != AUDIT_FILTER_EXIT \|\|
273	op & ~AUDIT_EQUAL \|\|	274	op != Audit_equal \|\|
274	krule->inode_f \|\| krule->watch \|\| krule->tree)	275	krule->inode_f \|\| krule->watch \|\| krule->tree)
275	return -EINVAL;	276	return -EINVAL;
276		277
@@ -420,12 +421,32 @@ exit_err:
420	return ERR_PTR(err);	421	return ERR_PTR(err);
421	}	422	}
422		423
		424	static u32 audit_ops[] =
		425	{
		426	[Audit_equal] = AUDIT_EQUAL,
		427	[Audit_not_equal] = AUDIT_NOT_EQUAL,
		428	[Audit_bitmask] = AUDIT_BIT_MASK,
		429	[Audit_bittest] = AUDIT_BIT_TEST,
		430	[Audit_lt] = AUDIT_LESS_THAN,
		431	[Audit_gt] = AUDIT_GREATER_THAN,
		432	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
		433	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
		434	};
		435
		436	static u32 audit_to_op(u32 op)
		437	{
		438	u32 n;
		439	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
		440	;
		441	return n;
		442	}
		443
		444
423	/* Translate struct audit_rule to kernel's rule respresentation.	445	/* Translate struct audit_rule to kernel's rule respresentation.
424	* Exists for backward compatibility with userspace. */	446	* Exists for backward compatibility with userspace. */
425	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)	447	static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
426	{	448	{
427	struct audit_entry *entry;	449	struct audit_entry *entry;
428	struct audit_field *ino_f;
429	int err = 0;	450	int err = 0;
430	int i;	451	int i;
431		452
@@ -435,12 +456,28 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
435		456
436	for (i = 0; i < rule->field_count; i++) {	457	for (i = 0; i < rule->field_count; i++) {
437	struct audit_field *f = &entry->rule.fields[i];	458	struct audit_field *f = &entry->rule.fields[i];
		459	u32 n;
		460
		461	n = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
		462
		463	/* Support for legacy operators where
		464	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
		465	if (n & AUDIT_NEGATE)
		466	f->op = Audit_not_equal;
		467	else if (!n)
		468	f->op = Audit_equal;
		469	else
		470	f->op = audit_to_op(n);
		471
		472	entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
438		473
439	f->op = rule->fields[i] & (AUDIT_NEGATE\|AUDIT_OPERATORS);
440	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);	474	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);
441	f->val = rule->values[i];	475	f->val = rule->values[i];
442		476
443	err = -EINVAL;	477	err = -EINVAL;
		478	if (f->op == Audit_bad)
		479	goto exit_free;
		480
444	switch(f->type) {	481	switch(f->type) {
445	default:	482	default:
446	goto exit_free;	483	goto exit_free;
@@ -462,11 +499,8 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
462	case AUDIT_EXIT:	499	case AUDIT_EXIT:
463	case AUDIT_SUCCESS:	500	case AUDIT_SUCCESS:
464	/* bit ops are only useful on syscall args */	501	/* bit ops are only useful on syscall args */
465	if (f->op == AUDIT_BIT_MASK \|\|	502	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
466	f->op == AUDIT_BIT_TEST) {
467	err = -EINVAL;
468	goto exit_free;	503	goto exit_free;
469	}
470	break;	504	break;
471	case AUDIT_ARG0:	505	case AUDIT_ARG0:
472	case AUDIT_ARG1:	506	case AUDIT_ARG1:
@@ -475,11 +509,8 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
475	break;	509	break;
476	/* arch is only allowed to be = or != */	510	/* arch is only allowed to be = or != */
477	case AUDIT_ARCH:	511	case AUDIT_ARCH:
478	if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)	512	if (f->op != Audit_not_equal && f->op != Audit_equal)
479	&& (f->op != AUDIT_NEGATE) && (f->op)) {
480	err = -EINVAL;
481	goto exit_free;	513	goto exit_free;
482	}
483	entry->rule.arch_f = f;	514	entry->rule.arch_f = f;
484	break;	515	break;
485	case AUDIT_PERM:	516	case AUDIT_PERM:
@@ -496,33 +527,10 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
496	goto exit_free;	527	goto exit_free;
497	break;	528	break;
498	}	529	}
499
500	entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1;
501
502	/* Support for legacy operators where
503	* AUDIT_NEGATE bit signifies != and otherwise assumes == */
504	if (f->op & AUDIT_NEGATE)
505	f->op = AUDIT_NOT_EQUAL;
506	else if (!f->op)
507	f->op = AUDIT_EQUAL;
508	else if (f->op == AUDIT_OPERATORS) {
509	err = -EINVAL;
510	goto exit_free;
511	}
512	}	530	}
513		531
514	ino_f = entry->rule.inode_f;	532	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
515	if (ino_f) {	533	entry->rule.inode_f = NULL;
516	switch(ino_f->op) {
517	case AUDIT_NOT_EQUAL:
518	entry->rule.inode_f = NULL;
519	case AUDIT_EQUAL:
520	break;
521	default:
522	err = -EINVAL;
523	goto exit_free;
524	}
525	}
526		534
527	exit_nofree:	535	exit_nofree:
528	return entry;	536	return entry;
@@ -538,7 +546,6 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
538	{	546	{
539	int err = 0;	547	int err = 0;
540	struct audit_entry *entry;	548	struct audit_entry *entry;
541	struct audit_field *ino_f;
542	void *bufp;	549	void *bufp;
543	size_t remain = datasz - sizeof(struct audit_rule_data);	550	size_t remain = datasz - sizeof(struct audit_rule_data);
544	int i;	551	int i;
@@ -554,11 +561,11 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
554	struct audit_field *f = &entry->rule.fields[i];	561	struct audit_field *f = &entry->rule.fields[i];
555		562
556	err = -EINVAL;	563	err = -EINVAL;
557	if (!(data->fieldflags[i] & AUDIT_OPERATORS) \|\|	564
558	data->fieldflags[i] & ~AUDIT_OPERATORS)	565	f->op = audit_to_op(data->fieldflags[i]);
		566	if (f->op == Audit_bad)
559	goto exit_free;	567	goto exit_free;
560		568
561	f->op = data->fieldflags[i] & AUDIT_OPERATORS;
562	f->type = data->fields[i];	569	f->type = data->fields[i];
563	f->val = data->values[i];	570	f->val = data->values[i];
564	f->lsm_str = NULL;	571	f->lsm_str = NULL;
@@ -670,18 +677,8 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
670	}	677	}
671	}	678	}
672		679
673	ino_f = entry->rule.inode_f;	680	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
674	if (ino_f) {	681	entry->rule.inode_f = NULL;
675	switch(ino_f->op) {
676	case AUDIT_NOT_EQUAL:
677	entry->rule.inode_f = NULL;
678	case AUDIT_EQUAL:
679	break;
680	default:
681	err = -EINVAL;
682	goto exit_free;
683	}
684	}
685		682
686	exit_nofree:	683	exit_nofree:
687	return entry;	684	return entry;
@@ -721,10 +718,10 @@ static struct audit_rule audit_krule_to_rule(struct audit_krule krule)
721	rule->fields[i] = krule->fields[i].type;	718	rule->fields[i] = krule->fields[i].type;
722		719
723	if (krule->vers_ops == 1) {	720	if (krule->vers_ops == 1) {
724	if (krule->fields[i].op & AUDIT_NOT_EQUAL)	721	if (krule->fields[i].op == Audit_not_equal)
725	rule->fields[i] \|= AUDIT_NEGATE;	722	rule->fields[i] \|= AUDIT_NEGATE;
726	} else {	723	} else {
727	rule->fields[i] \|= krule->fields[i].op;	724	rule->fields[i] \|= audit_ops[krule->fields[i].op];
728	}	725	}
729	}	726	}
730	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];	727	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
@@ -752,7 +749,7 @@ static struct audit_rule_data audit_krule_to_data(struct audit_krule krule)
752	struct audit_field *f = &krule->fields[i];	749	struct audit_field *f = &krule->fields[i];
753		750
754	data->fields[i] = f->type;	751	data->fields[i] = f->type;
755	data->fieldflags[i] = f->op;	752	data->fieldflags[i] = audit_ops[f->op];
756	switch(f->type) {	753	switch(f->type) {
757	case AUDIT_SUBJ_USER:	754	case AUDIT_SUBJ_USER:
758	case AUDIT_SUBJ_ROLE:	755	case AUDIT_SUBJ_ROLE:
@@ -1626,28 +1623,29 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1626	return err;	1623	return err;
1627	}	1624	}
1628		1625
1629	int audit_comparator(const u32 left, const u32 op, const u32 right)	1626	int audit_comparator(u32 left, u32 op, u32 right)
1630	{	1627	{
1631	switch (op) {	1628	switch (op) {
1632	case AUDIT_EQUAL:	1629	case Audit_equal:
1633	return (left == right);	1630	return (left == right);
1634	case AUDIT_NOT_EQUAL:	1631	case Audit_not_equal:
1635	return (left != right);	1632	return (left != right);
1636	case AUDIT_LESS_THAN:	1633	case Audit_lt:
1637	return (left < right);	1634	return (left < right);
1638	case AUDIT_LESS_THAN_OR_EQUAL:	1635	case Audit_le:
1639	return (left <= right);	1636	return (left <= right);
1640	case AUDIT_GREATER_THAN:	1637	case Audit_gt:
1641	return (left > right);	1638	return (left > right);
1642	case AUDIT_GREATER_THAN_OR_EQUAL:	1639	case Audit_ge:
1643	return (left >= right);	1640	return (left >= right);
1644	case AUDIT_BIT_MASK:	1641	case Audit_bitmask:
1645	return (left & right);	1642	return (left & right);
1646	case AUDIT_BIT_TEST:	1643	case Audit_bittest:
1647	return ((left & right) == right);	1644	return ((left & right) == right);
		1645	default:
		1646	BUG();
		1647	return 0;
1648	}	1648	}
1649	BUG();
1650	return 0;
1651	}	1649	}
1652		1650
1653	/* Compare given dentry name with last component in given path,	1651	/* Compare given dentry name with last component in given path,


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 343c8ab14af0..c65e4fe4a0f1 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -2602,7 +2602,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule)
2602	case AUDIT_OBJ_ROLE:	2602	case AUDIT_OBJ_ROLE:
2603	case AUDIT_OBJ_TYPE:	2603	case AUDIT_OBJ_TYPE:
2604	/* only 'equals' and 'not equals' fit user, role, and type */	2604	/* only 'equals' and 'not equals' fit user, role, and type */
2605	if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)	2605	if (op != Audit_equal && op != Audit_not_equal)
2606	return -EINVAL;	2606	return -EINVAL;
2607	break;	2607	break;
2608	case AUDIT_SUBJ_SEN:	2608	case AUDIT_SUBJ_SEN:
@@ -2736,10 +2736,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2736	case AUDIT_SUBJ_USER:	2736	case AUDIT_SUBJ_USER:
2737	case AUDIT_OBJ_USER:	2737	case AUDIT_OBJ_USER:
2738	switch (op) {	2738	switch (op) {
2739	case AUDIT_EQUAL:	2739	case Audit_equal:
2740	match = (ctxt->user == rule->au_ctxt.user);	2740	match = (ctxt->user == rule->au_ctxt.user);
2741	break;	2741	break;
2742	case AUDIT_NOT_EQUAL:	2742	case Audit_not_equal:
2743	match = (ctxt->user != rule->au_ctxt.user);	2743	match = (ctxt->user != rule->au_ctxt.user);
2744	break;	2744	break;
2745	}	2745	}
@@ -2747,10 +2747,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2747	case AUDIT_SUBJ_ROLE:	2747	case AUDIT_SUBJ_ROLE:
2748	case AUDIT_OBJ_ROLE:	2748	case AUDIT_OBJ_ROLE:
2749	switch (op) {	2749	switch (op) {
2750	case AUDIT_EQUAL:	2750	case Audit_equal:
2751	match = (ctxt->role == rule->au_ctxt.role);	2751	match = (ctxt->role == rule->au_ctxt.role);
2752	break;	2752	break;
2753	case AUDIT_NOT_EQUAL:	2753	case Audit_not_equal:
2754	match = (ctxt->role != rule->au_ctxt.role);	2754	match = (ctxt->role != rule->au_ctxt.role);
2755	break;	2755	break;
2756	}	2756	}
@@ -2758,10 +2758,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2758	case AUDIT_SUBJ_TYPE:	2758	case AUDIT_SUBJ_TYPE:
2759	case AUDIT_OBJ_TYPE:	2759	case AUDIT_OBJ_TYPE:
2760	switch (op) {	2760	switch (op) {
2761	case AUDIT_EQUAL:	2761	case Audit_equal:
2762	match = (ctxt->type == rule->au_ctxt.type);	2762	match = (ctxt->type == rule->au_ctxt.type);
2763	break;	2763	break;
2764	case AUDIT_NOT_EQUAL:	2764	case Audit_not_equal:
2765	match = (ctxt->type != rule->au_ctxt.type);	2765	match = (ctxt->type != rule->au_ctxt.type);
2766	break;	2766	break;
2767	}	2767	}
@@ -2774,31 +2774,31 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2774	field == AUDIT_OBJ_LEV_LOW) ?	2774	field == AUDIT_OBJ_LEV_LOW) ?
2775	&ctxt->range.level[0] : &ctxt->range.level[1]);	2775	&ctxt->range.level[0] : &ctxt->range.level[1]);
2776	switch (op) {	2776	switch (op) {
2777	case AUDIT_EQUAL:	2777	case Audit_equal:
2778	match = mls_level_eq(&rule->au_ctxt.range.level[0],	2778	match = mls_level_eq(&rule->au_ctxt.range.level[0],
2779	level);	2779	level);
2780	break;	2780	break;
2781	case AUDIT_NOT_EQUAL:	2781	case Audit_not_equal:
2782	match = !mls_level_eq(&rule->au_ctxt.range.level[0],	2782	match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2783	level);	2783	level);
2784	break;	2784	break;
2785	case AUDIT_LESS_THAN:	2785	case Audit_lt:
2786	match = (mls_level_dom(&rule->au_ctxt.range.level[0],	2786	match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2787	level) &&	2787	level) &&
2788	!mls_level_eq(&rule->au_ctxt.range.level[0],	2788	!mls_level_eq(&rule->au_ctxt.range.level[0],
2789	level));	2789	level));
2790	break;	2790	break;
2791	case AUDIT_LESS_THAN_OR_EQUAL:	2791	case Audit_le:
2792	match = mls_level_dom(&rule->au_ctxt.range.level[0],	2792	match = mls_level_dom(&rule->au_ctxt.range.level[0],
2793	level);	2793	level);
2794	break;	2794	break;
2795	case AUDIT_GREATER_THAN:	2795	case Audit_gt:
2796	match = (mls_level_dom(level,	2796	match = (mls_level_dom(level,
2797	&rule->au_ctxt.range.level[0]) &&	2797	&rule->au_ctxt.range.level[0]) &&
2798	!mls_level_eq(level,	2798	!mls_level_eq(level,
2799	&rule->au_ctxt.range.level[0]));	2799	&rule->au_ctxt.range.level[0]));
2800	break;	2800	break;
2801	case AUDIT_GREATER_THAN_OR_EQUAL:	2801	case Audit_ge:
2802	match = mls_level_dom(level,	2802	match = mls_level_dom(level,
2803	&rule->au_ctxt.range.level[0]);	2803	&rule->au_ctxt.range.level[0]);
2804	break;	2804	break;


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1b5551dfc1f7..848212fd4845 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -2492,7 +2492,7 @@ static int smack_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule)
2492	if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)	2492	if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
2493	return -EINVAL;	2493	return -EINVAL;
2494		2494
2495	if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)	2495	if (op != Audit_equal && op != Audit_not_equal)
2496	return -EINVAL;	2496	return -EINVAL;
2497		2497
2498	*rule = smk_import(rulestr, 0);	2498	*rule = smk_import(rulestr, 0);
@@ -2556,9 +2556,9 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
2556	* both pointers will point to the same smack_known	2556	* both pointers will point to the same smack_known
2557	* label.	2557	* label.
2558	*/	2558	*/
2559	if (op == AUDIT_EQUAL)	2559	if (op == Audit_equal)
2560	return (rule == smack);	2560	return (rule == smack);
2561	if (op == AUDIT_NOT_EQUAL)	2561	if (op == Audit_not_equal)
2562	return (rule != smack);	2562	return (rule != smack);
2563		2563
2564	return 0;	2564	return 0;