diff options
Diffstat (limited to 'kernel/auditfilter.c')
| -rw-r--r-- | kernel/auditfilter.c | 37 |
1 files changed, 32 insertions, 5 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 6a9a5c5a4e7d..a44879b0c72f 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -302,6 +302,15 @@ int __init audit_register_class(int class, unsigned *list) | |||
| 302 | return 0; | 302 | return 0; |
| 303 | } | 303 | } |
| 304 | 304 | ||
| 305 | int audit_match_class(int class, unsigned syscall) | ||
| 306 | { | ||
| 307 | if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) | ||
| 308 | return 0; | ||
| 309 | if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) | ||
| 310 | return 0; | ||
| 311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); | ||
| 312 | } | ||
| 313 | |||
| 305 | /* Common user-space to kernel rule translation. */ | 314 | /* Common user-space to kernel rule translation. */ |
| 306 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | 315 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) |
| 307 | { | 316 | { |
| @@ -404,6 +413,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |||
| 404 | case AUDIT_PERS: | 413 | case AUDIT_PERS: |
| 405 | case AUDIT_ARCH: | 414 | case AUDIT_ARCH: |
| 406 | case AUDIT_MSGTYPE: | 415 | case AUDIT_MSGTYPE: |
| 416 | case AUDIT_PPID: | ||
| 407 | case AUDIT_DEVMAJOR: | 417 | case AUDIT_DEVMAJOR: |
| 408 | case AUDIT_DEVMINOR: | 418 | case AUDIT_DEVMINOR: |
| 409 | case AUDIT_EXIT: | 419 | case AUDIT_EXIT: |
| @@ -413,6 +423,10 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |||
| 413 | case AUDIT_ARG2: | 423 | case AUDIT_ARG2: |
| 414 | case AUDIT_ARG3: | 424 | case AUDIT_ARG3: |
| 415 | break; | 425 | break; |
| 426 | case AUDIT_PERM: | ||
| 427 | if (f->val & ~15) | ||
| 428 | goto exit_free; | ||
| 429 | break; | ||
| 416 | case AUDIT_INODE: | 430 | case AUDIT_INODE: |
| 417 | err = audit_to_inode(&entry->rule, f); | 431 | err = audit_to_inode(&entry->rule, f); |
| 418 | if (err) | 432 | if (err) |
| @@ -567,6 +581,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
| 567 | entry->rule.buflen += f->val; | 581 | entry->rule.buflen += f->val; |
| 568 | entry->rule.filterkey = str; | 582 | entry->rule.filterkey = str; |
| 569 | break; | 583 | break; |
| 584 | case AUDIT_PERM: | ||
| 585 | if (f->val & ~15) | ||
| 586 | goto exit_free; | ||
| 587 | break; | ||
| 570 | default: | 588 | default: |
| 571 | goto exit_free; | 589 | goto exit_free; |
| 572 | } | 590 | } |
| @@ -913,7 +931,7 @@ static void audit_update_watch(struct audit_parent *parent, | |||
| 913 | } | 931 | } |
| 914 | 932 | ||
| 915 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 933 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
| 916 | audit_log_format(ab, "audit updated rules specifying watch="); | 934 | audit_log_format(ab, "audit updated rules specifying path="); |
| 917 | audit_log_untrustedstring(ab, owatch->path); | 935 | audit_log_untrustedstring(ab, owatch->path); |
| 918 | audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); | 936 | audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); |
| 919 | audit_log_end(ab); | 937 | audit_log_end(ab); |
| @@ -936,19 +954,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent) | |||
| 936 | struct audit_watch *w, *nextw; | 954 | struct audit_watch *w, *nextw; |
| 937 | struct audit_krule *r, *nextr; | 955 | struct audit_krule *r, *nextr; |
| 938 | struct audit_entry *e; | 956 | struct audit_entry *e; |
| 957 | struct audit_buffer *ab; | ||
| 939 | 958 | ||
| 940 | mutex_lock(&audit_filter_mutex); | 959 | mutex_lock(&audit_filter_mutex); |
| 941 | parent->flags |= AUDIT_PARENT_INVALID; | 960 | parent->flags |= AUDIT_PARENT_INVALID; |
| 942 | list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { | 961 | list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { |
| 943 | list_for_each_entry_safe(r, nextr, &w->rules, rlist) { | 962 | list_for_each_entry_safe(r, nextr, &w->rules, rlist) { |
| 944 | e = container_of(r, struct audit_entry, rule); | 963 | e = container_of(r, struct audit_entry, rule); |
| 964 | |||
| 965 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | ||
| 966 | audit_log_format(ab, "audit implicitly removed rule path="); | ||
| 967 | audit_log_untrustedstring(ab, w->path); | ||
| 968 | if (r->filterkey) { | ||
| 969 | audit_log_format(ab, " key="); | ||
| 970 | audit_log_untrustedstring(ab, r->filterkey); | ||
| 971 | } else | ||
| 972 | audit_log_format(ab, " key=(null)"); | ||
| 973 | audit_log_format(ab, " list=%d", r->listnr); | ||
| 974 | audit_log_end(ab); | ||
| 975 | |||
| 945 | list_del(&r->rlist); | 976 | list_del(&r->rlist); |
| 946 | list_del_rcu(&e->list); | 977 | list_del_rcu(&e->list); |
| 947 | call_rcu(&e->rcu, audit_free_rule_rcu); | 978 | call_rcu(&e->rcu, audit_free_rule_rcu); |
| 948 | |||
| 949 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 950 | "audit implicitly removed rule from list=%d\n", | ||
| 951 | AUDIT_FILTER_EXIT); | ||
| 952 | } | 979 | } |
| 953 | audit_remove_watch(w); | 980 | audit_remove_watch(w); |
| 954 | } | 981 | } |