^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-or-later
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /* audit_watch.c -- watching inodes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Copyright 2003-2009 Red Hat, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright 2005 Hewlett-Packard Development Company, L.P.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Copyright 2005 IBM Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #include <linux/file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/kthread.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/mutex.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/fs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/fsnotify_backend.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/namei.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/netlink.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <linux/refcount.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include <linux/security.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #include "audit.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * Reference counting:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * audit_parent: lifetime is from audit_init_parent() to receipt of an FS_IGNORED
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * event. Each audit_watch holds a reference to its associated parent.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * audit_watch: if added to lists, lifetime is from audit_init_watch() to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) * audit_remove_watch(). Additionally, an audit_watch may exist
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * temporarily to assist in searching existing filter data. Each
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) * audit_krule holds a reference to its associated watch.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35)
/*
 * One watched path. Reference counted through audit_get_watch() and
 * audit_put_watch(); the final put frees both the watch and its path.
 */
struct audit_watch {
	/* reference count */
	refcount_t		count;
	/* associated superblock device */
	dev_t			dev;
	/* insertion path; kfree()d together with the watch */
	char			*path;
	/* associated inode number */
	unsigned long		ino;
	/* associated parent */
	struct audit_parent	*parent;
	/* entry in parent->watches list */
	struct list_head	wlist;
	/* anchor for krule->rlist */
	struct list_head	rules;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
/*
 * Per-directory anchor for watches. References on a parent are the
 * references on its embedded fsnotify mark (see audit_get_parent() and
 * audit_put_parent()).
 */
struct audit_parent {
	/* anchor for audit_watch->wlist */
	struct list_head	watches;
	/* fsnotify mark on the inode */
	struct fsnotify_mark	mark;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50)
/*
 * fsnotify group every parent mark is attached to. audit_to_watch() refuses
 * new watches with -EOPNOTSUPP while this is NULL.
 */
static struct fsnotify_group *audit_watch_group;

/* Event mask set on each parent mark by audit_init_parent(). */
#define AUDIT_FS_WATCH \
	(FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF | FS_MOVE_SELF | FS_UNMOUNT)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
/*
 * Free a parent. The watches list is expected to be empty by now: a watch
 * still linked here keeps a ->parent pointer to the memory being released,
 * so a non-empty list is reported with WARN_ON. The free happens either way.
 */
static void audit_free_parent(struct audit_parent *parent)
{
	struct list_head *remaining = &parent->watches;

	WARN_ON(!list_empty(remaining));
	kfree(parent);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)
/*
 * Mark destructor: map the fsnotify mark back to the audit_parent that
 * embeds it and free that parent.
 */
static void audit_watch_free_mark(struct fsnotify_mark *entry)
{
	audit_free_parent(container_of(entry, struct audit_parent, mark));
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)
/* Take a reference on @parent via its fsnotify mark; NULL is a no-op. */
static void audit_get_parent(struct audit_parent *parent)
{
	if (unlikely(!parent))
		return;

	fsnotify_get_mark(&parent->mark);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77)
/*
 * Drop a reference on @parent via its fsnotify mark; NULL is a no-op.
 * The parent may be freed by this call, so callers must not touch it
 * afterwards unless they hold another reference.
 */
static void audit_put_parent(struct audit_parent *parent)
{
	if (unlikely(!parent))
		return;

	fsnotify_put_mark(&parent->mark);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83)
/*
 * Look up the audit_parent attached to @inode for audit_watch_group.
 *
 * Returns NULL when the inode carries no mark for the group. A parent that
 * is returned comes with a reference that the caller has to drop again with
 * audit_put_parent().
 */
static inline struct audit_parent *audit_find_parent(struct inode *inode)
{
	struct fsnotify_mark *found;

	found = fsnotify_find_mark(&inode->i_fsnotify_marks, audit_watch_group);
	if (!found)
		return NULL;

	return container_of(found, struct audit_parent, mark);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99)
/* Take an additional reference on @watch. @watch must not be NULL. */
void audit_get_watch(struct audit_watch *watch)
{
	refcount_t *refs = &watch->count;

	refcount_inc(refs);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
/*
 * Drop a reference on @watch. The last put frees the watch and its path.
 *
 * By then the watch should be detached from its parent and have no rules
 * left; either condition still being true is reported with WARN_ON because
 * something would keep pointing at the freed watch.
 */
void audit_put_watch(struct audit_watch *watch)
{
	if (!refcount_dec_and_test(&watch->count))
		return;

	WARN_ON(watch->parent);
	WARN_ON(!list_empty(&watch->rules));
	kfree(watch->path);
	kfree(watch);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114)
/*
 * Unlink @watch from its parent's list, give back the parent reference the
 * watch was holding and drop one watch reference. The watch may be freed by
 * the final put, so the caller must not use it afterwards unless it holds a
 * reference of its own.
 */
static void audit_remove_watch(struct audit_watch *watch)
{
	struct audit_parent *parent = watch->parent;

	list_del(&watch->wlist);
	audit_put_parent(parent);
	/* audit_put_watch() warns if ->parent is still set at free time */
	watch->parent = NULL;
	/* match initial get */
	audit_put_watch(watch);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)
/*
 * Return the path string stored in @watch. The string belongs to the watch
 * and is freed with it, so it is only valid while the caller keeps the watch
 * alive.
 */
char *audit_watch_path(struct audit_watch *watch)
{
	char *path = watch->path;

	return path;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
/*
 * Return 1 when @watch currently refers to inode @ino on device @dev, else 0.
 * A watch whose inode is still AUDIT_INO_UNSET never matches, whatever @ino
 * is passed in.
 */
int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev)
{
	if (watch->ino == AUDIT_INO_UNSET)
		return 0;
	if (watch->ino != ino)
		return 0;

	return watch->dev == dev;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134)
/*
 * Allocate a parent for the directory behind @path and attach its fsnotify
 * mark (mask AUDIT_FS_WATCH) to that directory's inode.
 *
 * Returns the new parent, ERR_PTR(-ENOMEM) when the allocation fails, or the
 * ERR_PTR-wrapped error from fsnotify_add_inode_mark().
 */
static struct audit_parent *audit_init_parent(struct path *path)
{
	struct inode *inode = d_backing_inode(path->dentry);
	struct audit_parent *parent;
	int err;

	parent = kzalloc(sizeof(*parent), GFP_KERNEL);
	if (unlikely(!parent))
		return ERR_PTR(-ENOMEM);

	INIT_LIST_HEAD(&parent->watches);
	fsnotify_init_mark(&parent->mark, audit_watch_group);
	parent->mark.mask = AUDIT_FS_WATCH;

	err = fsnotify_add_inode_mark(&parent->mark, inode, 0);
	if (err >= 0)
		return parent;

	/*
	 * NOTE(review): the mark was initialised but never attached, and the
	 * parent is freed directly here rather than through a mark put.
	 * Confirm that this releases everything fsnotify_init_mark() took.
	 */
	audit_free_parent(parent);
	return ERR_PTR(err);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
/*
 * Allocate a watch for @path with one reference, an empty rules list and
 * device/inode still unset.
 *
 * The pointer is stored, not copied: on success the watch owns @path and
 * frees it on the last audit_put_watch(). On failure (ERR_PTR(-ENOMEM)) the
 * caller keeps ownership of @path.
 */
static struct audit_watch *audit_init_watch(char *path)
{
	struct audit_watch *w = kzalloc(sizeof(*w), GFP_KERNEL);

	if (unlikely(!w))
		return ERR_PTR(-ENOMEM);

	refcount_set(&w->count, 1);
	INIT_LIST_HEAD(&w->rules);
	w->path = path;
	w->ino = AUDIT_INO_UNSET;
	w->dev = AUDIT_DEV_UNSET;

	return w;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176)
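/*
 * Translate a watch string to kernel representation.
 *
 * @krule: rule being built; it must be on the exit filter list and must not
 *         already carry an inode field, a watch or a tree.
 * @path:  watch path; must start with '/' and must not end with '/'.
 * @len:   length of @path; path[len-1] is taken as its last character.
 * @op:    comparison operator; only Audit_equal is accepted.
 *
 * Returns 0 after storing a new watch in krule->watch, -EOPNOTSUPP when the
 * fsnotify group is not available, -EINVAL for a request that fails the
 * checks above, or the error from audit_init_watch().
 *
 * On success the watch keeps @path itself (no copy) and frees it when the
 * last watch reference is dropped. On any error @path stays with the caller.
 */
int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op)
{
	struct audit_watch *watch;

	if (!audit_watch_group)
		return -EOPNOTSUPP;

	/*
	 * @path and @len originate from a rule definition. With len <= 0 the
	 * path[len-1] test below would read before the start of the buffer.
	 * Callers may already reject that case, but nothing in this function
	 * relies on it any more.
	 */
	if (len <= 0)
		return -EINVAL;

	if (path[0] != '/' || path[len-1] == '/' ||
	    krule->listnr != AUDIT_FILTER_EXIT ||
	    op != Audit_equal ||
	    krule->inode_f || krule->watch || krule->tree)
		return -EINVAL;

	watch = audit_init_watch(path);
	if (IS_ERR(watch))
		return PTR_ERR(watch);

	krule->watch = watch;

	return 0;
}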
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199)
/*
 * Duplicate @old: the copy gets its own kstrdup()ed path, the same device
 * and inode, and an extra reference on the same parent. Its rules list
 * starts out empty and its wlist is left undefined.
 *
 * Returns the new watch or ERR_PTR(-ENOMEM); nothing is leaked on failure.
 */
static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
{
	struct audit_watch *copy;
	char *path_copy;

	path_copy = kstrdup(old->path, GFP_KERNEL);
	if (unlikely(!path_copy))
		return ERR_PTR(-ENOMEM);

	copy = audit_init_watch(path_copy);
	if (IS_ERR(copy)) {
		/* the failed init did not take ownership of the string */
		kfree(path_copy);
		return copy;
	}

	copy->dev = old->dev;
	copy->ino = old->ino;
	/* the copy holds its own reference on the shared parent */
	audit_get_parent(old->parent);
	copy->parent = old->parent;

	return copy;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225)
/*
 * Emit an AUDIT_CONFIG_CHANGE record saying that operation @op was applied
 * to rule @r on watch @w. Nothing is logged when auditing is disabled or no
 * audit buffer could be obtained.
 */
static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
{
	struct audit_buffer *ab;

	if (!audit_enabled)
		return;

	ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE);
	if (ab) {
		audit_log_session_info(ab);
		audit_log_format(ab, "op=%s path=", op);
		/*
		 * The path was supplied with the rule, so it goes through the
		 * untrusted-string helper rather than a plain %s to keep it
		 * from disturbing the field layout of the record.
		 */
		audit_log_untrustedstring(ab, w->path);
		audit_log_key(ab, r->filterkey);
		audit_log_format(ab, " list=%d res=1", r->listnr);
		audit_log_end(ab);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242)
/*
 * Update inode info in audit rules based on a filesystem event.
 *
 * @parent:       parent whose directory reported the event
 * @dname:        name of the directory entry the event is about
 * @dev, @ino:    device and inode the matching watch should refer to now
 * @invalidating: non-zero when the event invalidates the current inode
 *
 * The first watch on @parent whose path matches @dname is replaced by a
 * duplicate carrying @dev/@ino, and each of its rules is re-created on the
 * duplicate and filed under the hash bucket of the new inode. Takes and
 * releases audit_filter_mutex itself.
 *
 * Allocation failures cost audit coverage: if the watch cannot be duplicated
 * nothing is changed, and if a single rule cannot be duplicated that rule is
 * removed. audit_panic() is the only notification in both cases.
 */
static void audit_update_watch(struct audit_parent *parent,
			       const struct qstr *dname, dev_t dev,
			       unsigned long ino, unsigned invalidating)
{
	struct audit_watch *old_w, *new_w, *tmp_w;
	struct audit_krule *kr, *tmp_kr;
	struct audit_entry *old_e, *new_e;

	mutex_lock(&audit_filter_mutex);

	/* Walk the watches on this parent until one matches the given dname */
	list_for_each_entry_safe(old_w, tmp_w, &parent->watches, wlist) {
		if (audit_compare_dname_path(dname, old_w->path,
					     AUDIT_NAME_FULL))
			continue;

		/*
		 * If the update involves invalidating rules, do the inode-based
		 * filtering now, so we don't omit records.
		 */
		if (invalidating && !audit_dummy_context())
			audit_filter_inodes(current, audit_context());

		/*
		 * Updating ino will likely change which audit_hash_list we
		 * are on, so we need a new watch for the new list.
		 */
		new_w = audit_dupe_watch(old_w);
		if (IS_ERR(new_w)) {
			mutex_unlock(&audit_filter_mutex);
			audit_panic("error updating watch, skipping");
			return;
		}
		new_w->dev = dev;
		new_w->ino = ino;

		list_for_each_entry_safe(kr, tmp_kr, &old_w->rules, rlist) {
			old_e = container_of(kr, struct audit_entry, rule);

			/* take the old entry off the watch and off its hash list */
			list_del(&old_e->rule.rlist);
			list_del_rcu(&old_e->list);

			new_e = audit_dupe_rule(&old_e->rule);
			if (!IS_ERR(new_e)) {
				int h = audit_hash_ino((u32)ino);

				/*
				 * new_e->rule.watch == old_e->rule.watch so
				 * we must drop that reference and set it to
				 * our new watch.
				 */
				audit_put_watch(new_e->rule.watch);
				audit_get_watch(new_w);
				new_e->rule.watch = new_w;
				list_add(&new_e->rule.rlist, &new_w->rules);
				list_add_rcu(&new_e->list, &audit_inode_hash[h]);
				list_replace(&old_e->rule.list,
					     &new_e->rule.list);
			} else {
				/* no replacement: the rule is dropped entirely */
				list_del(&old_e->rule.list);
				audit_panic("error updating watch, removing");
			}

			if (old_e->rule.exe)
				audit_remove_mark(old_e->rule.exe);

			/* the entry was on an RCU list; free it via call_rcu */
			call_rcu(&old_e->rcu, audit_free_rule_rcu);
		}

		audit_remove_watch(old_w);

		/* event applies to a single watch: install the copy and stop */
		list_add(&new_w->wlist, &parent->watches);
		break;
	}

	mutex_unlock(&audit_filter_mutex);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319)
/*
 * Remove all watches and rules associated with a parent that is going away.
 *
 * Every rule is logged as "remove_rule" before it is unlinked, so the loss
 * of coverage shows up in the audit trail when auditing is enabled. Rule
 * entries are freed through call_rcu(). Takes audit_filter_mutex for the
 * list work and destroys the parent's fsnotify mark after releasing it.
 */
static void audit_remove_parent_watches(struct audit_parent *parent)
{
	struct audit_watch *watch, *tmp_watch;
	struct audit_krule *kr, *tmp_kr;
	struct audit_entry *entry;

	mutex_lock(&audit_filter_mutex);

	list_for_each_entry_safe(watch, tmp_watch, &parent->watches, wlist) {
		list_for_each_entry_safe(kr, tmp_kr, &watch->rules, rlist) {
			entry = container_of(kr, struct audit_entry, rule);

			/* log first, while the rule and watch are still intact */
			audit_watch_log_rule_change(kr, watch, "remove_rule");

			if (entry->rule.exe)
				audit_remove_mark(entry->rule.exe);

			list_del(&kr->rlist);
			list_del(&kr->list);
			list_del_rcu(&entry->list);
			call_rcu(&entry->rcu, audit_free_rule_rcu);
		}
		audit_remove_watch(watch);
	}

	mutex_unlock(&audit_filter_mutex);

	fsnotify_destroy_mark(&parent->mark, audit_watch_group);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345)
/*
 * Get path information necessary for adding watches.
 *
 * Resolves watch->path with kern_path_locked(), filling @parent with the
 * containing directory. When the final component exists, the watch's dev and
 * ino are set from it; otherwise they are left as they were.
 *
 * Returns 0 on success, in which case the caller must path_put() @parent, or
 * the lookup error, in which case @parent must not be put. The directory
 * inode lock taken by the lookup is released before returning.
 */
static int audit_get_nd(struct audit_watch *watch, struct path *parent)
{
	struct dentry *child = kern_path_locked(watch->path, parent);

	if (IS_ERR(child))
		return PTR_ERR(child);

	if (d_is_positive(child)) {
		/* update watch filter fields */
		watch->dev = child->d_sb->s_dev;
		watch->ino = d_backing_inode(child)->i_ino;
	}

	inode_unlock(d_backing_inode(parent->dentry));
	dput(child);

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361)
/*
 * Associate the given rule with an existing parent.
 * Caller must hold audit_filter_mutex.
 *
 * If @parent already has a watch for the same path, the rule switches to
 * that watch: the rule's reference on its temporary watch is dropped and
 * the caller's reference on @parent is given back. Otherwise the rule's own
 * watch is linked into @parent and keeps the caller's parent reference in
 * watch->parent. In both cases the rule ends up on the chosen watch's rules
 * list.
 */
static void audit_add_to_parent(struct audit_krule *krule,
				struct audit_parent *parent)
{
	struct audit_watch *watch = krule->watch;
	struct audit_watch *existing = NULL;
	struct audit_watch *w;

	BUG_ON(!mutex_is_locked(&audit_filter_mutex));

	list_for_each_entry(w, &parent->watches, wlist) {
		if (strcmp(watch->path, w->path) == 0) {
			existing = w;
			break;
		}
	}

	if (existing) {
		/* put krule's ref to temporary watch */
		audit_put_watch(watch);

		audit_get_watch(existing);
		krule->watch = watch = existing;

		/* the existing watch already holds its own parent reference */
		audit_put_parent(parent);
	} else {
		watch->parent = parent;

		/* reference held for as long as the watch is on the list */
		audit_get_watch(watch);
		list_add(&watch->wlist, &parent->watches);
	}

	list_add(&krule->rlist, &watch->rules);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396)
/*
 * Find a matching watch entry, or add this one.
 * Caller must hold audit_filter_mutex.
 *
 * The mutex is released for the duration of the path lookup and taken again
 * before returning, so state protected by it can change while this function
 * runs. On success *list is set to the inode hash bucket selected by the
 * watch's inode number.
 *
 * Returns 0 on success, the lookup error from audit_get_nd(), or the error
 * from audit_init_parent().
 */
int audit_add_watch(struct audit_krule *krule, struct list_head **list)
{
	struct audit_watch *watch = krule->watch;
	struct audit_parent *parent;
	struct path parent_path;
	int err = 0;

	/*
	 * By the time audit_add_to_parent() has run, krule->watch may point
	 * somewhere else and the rule's reference on 'watch' may be gone.
	 * Keep a reference of our own so 'watch' stays valid until the end.
	 */
	audit_get_watch(watch);

	/* Avoid calling path_lookup under audit_filter_mutex. */
	mutex_unlock(&audit_filter_mutex);
	err = audit_get_nd(watch, &parent_path);
	/* caller expects mutex locked */
	mutex_lock(&audit_filter_mutex);

	if (err) {
		/* a failed lookup left nothing in parent_path to put */
		audit_put_watch(watch);
		return err;
	}

	/* either find an old parent or attach a new one */
	parent = audit_find_parent(d_backing_inode(parent_path.dentry));
	if (!parent)
		parent = audit_init_parent(&parent_path);

	if (IS_ERR(parent)) {
		err = PTR_ERR(parent);
	} else {
		audit_add_to_parent(krule, parent);
		*list = &audit_inode_hash[audit_hash_ino((u32)watch->ino)];
	}

	path_put(&parent_path);
	audit_put_watch(watch);

	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445)
/*
 * Detach @krule from its watch. When that was the watch's last rule the
 * watch is removed from its parent, and when the parent is then left without
 * watches its fsnotify mark is destroyed as well.
 */
void audit_remove_watch_rule(struct audit_krule *krule)
{
	struct audit_watch *watch = krule->watch;
	struct audit_parent *parent = watch->parent;

	list_del(&krule->rlist);

	if (!list_empty(&watch->rules))
		return;

	/*
	 * audit_remove_watch() drops the watch's reference on 'parent', which
	 * may then be freed. Hold a reference of our own while the parent is
	 * still inspected below.
	 */
	audit_get_parent(parent);
	audit_remove_watch(watch);
	if (list_empty(&parent->watches))
		fsnotify_destroy_mark(&parent->mark, audit_watch_group);
	audit_put_parent(parent);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465)
/*
 * fsnotify inode-event callback: update watch data in audit rules based on
 * what happened under the directory that @inode_mark belongs to.
 *
 * @inode_mark: mark embedded in the struct audit_parent being notified
 * @mask:       FS_* event bits
 * @inode:      inode the event refers to; events without one are dropped
 * @dir:        unused here
 * @dname:      name passed through to audit_update_watch()
 * @cookie:     unused here
 *
 * Always returns 0, including when the event is rejected by the sanity
 * checks, so a malformed event is ignored rather than reported as an error.
 */
static int audit_watch_handle_event(struct fsnotify_mark *inode_mark, u32 mask,
				    struct inode *inode, struct inode *dir,
				    const struct qstr *dname, u32 cookie)
{
	struct audit_parent *parent;

	/*
	 * Refuse marks that belong to another fsnotify group and events that
	 * carry no inode. Each condition warns once and the event is dropped.
	 */
	if (WARN_ON_ONCE(inode_mark->group != audit_watch_group) ||
	    WARN_ON_ONCE(!inode))
		return 0;

	parent = container_of(inode_mark, struct audit_parent, mark);

	if ((mask & (FS_CREATE | FS_MOVED_TO)) && inode) {
		/*
		 * An entry appeared: hand its device and inode number to
		 * audit_update_watch(). The inode test is already guaranteed
		 * by the guard above and is kept as written.
		 */
		audit_update_watch(parent, dname, inode->i_sb->s_dev,
				   inode->i_ino, 0);
	} else if (mask & (FS_DELETE | FS_MOVED_FROM)) {
		/* An entry went away: reset the watch to the UNSET values. */
		audit_update_watch(parent, dname, AUDIT_DEV_UNSET,
				   AUDIT_INO_UNSET, 1);
	} else if (mask & (FS_DELETE_SELF | FS_UNMOUNT | FS_MOVE_SELF)) {
		/* The watched directory itself is gone, moved or unmounted. */
		audit_remove_parent_watches(parent);
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488)
/*
 * Callbacks for the audit watch fsnotify group; audit_watch_init() passes
 * this table to fsnotify_alloc_group().
 */
static const struct fsnotify_ops audit_watch_fsnotify_ops = {
	/* inode events on a watched parent directory */
	.handle_inode_event	= audit_watch_handle_event,
	/* mark release hook; audit_watch_free_mark() is defined outside this excerpt */
	.free_mark		= audit_watch_free_mark,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493)
/*
 * Allocate the fsnotify group used for audit watches, at device_initcall
 * time.
 *
 * On failure audit_watch_group is left NULL (never an ERR_PTR value) and
 * audit_panic() is called. The function still returns 0 in that case.
 *
 * NOTE(review): every later user of audit_watch_group therefore has to cope
 * with NULL; what audit_panic() does beyond reporting is defined outside
 * this excerpt -- confirm.
 */
static int __init audit_watch_init(void)
{
	struct fsnotify_group *group;

	group = fsnotify_alloc_group(&audit_watch_fsnotify_ops);
	if (IS_ERR(group)) {
		/* Store NULL rather than an error pointer in the global. */
		audit_watch_group = NULL;
		audit_panic("cannot create audit fsnotify group");
		return 0;
	}

	audit_watch_group = group;
	return 0;
}
device_initcall(audit_watch_init);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504)
/*
 * Give @new its own exe mark, built from a private copy of the path that
 * @old's exe mark reports through audit_mark_path().
 *
 * Returns 0 on success, -ENOMEM if the path cannot be duplicated, or the
 * error encoded in the pointer returned by audit_alloc_mark().
 */
int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
{
	struct audit_fsnotify_mark *dup_mark;
	char *path_copy = kstrdup(audit_mark_path(old->exe), GFP_KERNEL);

	if (!path_copy)
		return -ENOMEM;

	dup_mark = audit_alloc_mark(new, path_copy, strlen(path_copy));
	if (!IS_ERR(dup_mark)) {
		/*
		 * path_copy is not freed on this path; presumably the new
		 * mark owns it from here on -- confirm against
		 * audit_alloc_mark().
		 */
		new->exe = dup_mark;
		return 0;
	}

	/* Allocation of the mark failed: the copy is still ours to free. */
	kfree(path_copy);
	return PTR_ERR(dup_mark);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523)
/*
 * Compare the executable of @tsk with an audit exe mark.
 *
 * The task's executable is identified by inode number and device, not by
 * path. Both are read and passed to audit_mark_compare() together with
 * @mark.
 *
 * Returns 0 when the task has no exe file, otherwise whatever
 * audit_mark_compare() returns (defined outside this excerpt; presumably
 * non-zero on a match -- confirm).
 */
int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
{
	struct file *exe_file = get_task_exe_file(tsk);
	const struct inode *exe_inode;
	unsigned long ino;
	dev_t dev;

	if (!exe_file)
		return 0;

	/*
	 * Copy the identifying fields out while the file reference is held;
	 * nothing reached through exe_file is used after fput().
	 */
	exe_inode = file_inode(exe_file);
	ino = exe_inode->i_ino;
	dev = exe_inode->i_sb->s_dev;
	fput(exe_file);

	return audit_mark_compare(mark, ino, dev);
}