diff options
-rw-r--r-- | kernel/auditfilter.c | 77 |
1 files changed, 47 insertions, 30 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 9fd85a4640a0..0febaa0f784c 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -1778,6 +1778,41 @@ unlock_and_return: | |||
1778 | return result; | 1778 | return result; |
1779 | } | 1779 | } |
1780 | 1780 | ||
1781 | static int update_lsm_rule(struct audit_entry *entry) | ||
1782 | { | ||
1783 | struct audit_entry *nentry; | ||
1784 | struct audit_watch *watch; | ||
1785 | struct audit_tree *tree; | ||
1786 | int err = 0; | ||
1787 | |||
1788 | if (!security_audit_rule_known(&entry->rule)) | ||
1789 | return 0; | ||
1790 | |||
1791 | watch = entry->rule.watch; | ||
1792 | tree = entry->rule.tree; | ||
1793 | nentry = audit_dupe_rule(&entry->rule, watch); | ||
1794 | if (IS_ERR(nentry)) { | ||
1795 | /* save the first error encountered for the | ||
1796 | * return value */ | ||
1797 | err = PTR_ERR(nentry); | ||
1798 | audit_panic("error updating LSM filters"); | ||
1799 | if (watch) | ||
1800 | list_del(&entry->rule.rlist); | ||
1801 | list_del_rcu(&entry->list); | ||
1802 | } else { | ||
1803 | if (watch) { | ||
1804 | list_add(&nentry->rule.rlist, &watch->rules); | ||
1805 | list_del(&entry->rule.rlist); | ||
1806 | } else if (tree) | ||
1807 | list_replace_init(&entry->rule.rlist, | ||
1808 | &nentry->rule.rlist); | ||
1809 | list_replace_rcu(&entry->list, &nentry->list); | ||
1810 | } | ||
1811 | call_rcu(&entry->rcu, audit_free_rule_rcu); | ||
1812 | |||
1813 | return err; | ||
1814 | } | ||
1815 | |||
1781 | /* This function will re-initialize the lsm_rule field of all applicable rules. | 1816 | /* This function will re-initialize the lsm_rule field of all applicable rules. |
1782 | * It will traverse the filter lists serarching for rules that contain LSM | 1817 | * It will traverse the filter lists serarching for rules that contain LSM |
1783 | * specific filter fields. When such a rule is found, it is copied, the | 1818 | * specific filter fields. When such a rule is found, it is copied, the |
@@ -1785,42 +1820,24 @@ unlock_and_return: | |||
1785 | * updated rule. */ | 1820 | * updated rule. */ |
1786 | int audit_update_lsm_rules(void) | 1821 | int audit_update_lsm_rules(void) |
1787 | { | 1822 | { |
1788 | struct audit_entry *entry, *n, *nentry; | 1823 | struct audit_entry *e, *n; |
1789 | struct audit_watch *watch; | ||
1790 | struct audit_tree *tree; | ||
1791 | int i, err = 0; | 1824 | int i, err = 0; |
1792 | 1825 | ||
1793 | /* audit_filter_mutex synchronizes the writers */ | 1826 | /* audit_filter_mutex synchronizes the writers */ |
1794 | mutex_lock(&audit_filter_mutex); | 1827 | mutex_lock(&audit_filter_mutex); |
1795 | 1828 | ||
1796 | for (i = 0; i < AUDIT_NR_FILTERS; i++) { | 1829 | for (i = 0; i < AUDIT_NR_FILTERS; i++) { |
1797 | list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { | 1830 | list_for_each_entry_safe(e, n, &audit_filter_list[i], list) { |
1798 | if (!security_audit_rule_known(&entry->rule)) | 1831 | int res = update_lsm_rule(e); |
1799 | continue; | 1832 | if (!err) |
1800 | 1833 | err = res; | |
1801 | watch = entry->rule.watch; | 1834 | } |
1802 | tree = entry->rule.tree; | 1835 | } |
1803 | nentry = audit_dupe_rule(&entry->rule, watch); | 1836 | for (i=0; i< AUDIT_INODE_BUCKETS; i++) { |
1804 | if (IS_ERR(nentry)) { | 1837 | list_for_each_entry_safe(e, n, &audit_inode_hash[i], list) { |
1805 | /* save the first error encountered for the | 1838 | int res = update_lsm_rule(e); |
1806 | * return value */ | 1839 | if (!err) |
1807 | if (!err) | 1840 | err = res; |
1808 | err = PTR_ERR(nentry); | ||
1809 | audit_panic("error updating LSM filters"); | ||
1810 | if (watch) | ||
1811 | list_del(&entry->rule.rlist); | ||
1812 | list_del_rcu(&entry->list); | ||
1813 | } else { | ||
1814 | if (watch) { | ||
1815 | list_add(&nentry->rule.rlist, | ||
1816 | &watch->rules); | ||
1817 | list_del(&entry->rule.rlist); | ||
1818 | } else if (tree) | ||
1819 | list_replace_init(&entry->rule.rlist, | ||
1820 | &nentry->rule.rlist); | ||
1821 | list_replace_rcu(&entry->list, &nentry->list); | ||
1822 | } | ||
1823 | call_rcu(&entry->rcu, audit_free_rule_rcu); | ||
1824 | } | 1841 | } |
1825 | } | 1842 | } |
1826 | 1843 | ||