linux/kernel/auditfilter.c
<<
>>
Prefs
   1/* auditfilter.c -- filtering of audit events
   2 *
   3 * Copyright 2003-2004 Red Hat, Inc.
   4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   5 * Copyright 2005 IBM Corporation
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * This program is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20 */
  21
  22#include <linux/kernel.h>
  23#include <linux/audit.h>
  24#include <linux/kthread.h>
  25#include <linux/mutex.h>
  26#include <linux/fs.h>
  27#include <linux/namei.h>
  28#include <linux/netlink.h>
  29#include <linux/sched.h>
  30#include <linux/slab.h>
  31#include <linux/security.h>
  32#include "audit.h"
  33
  34/*
  35 * Locking model:
  36 *
  37 * audit_filter_mutex:
  38 *              Synchronizes writes and blocking reads of audit's filterlist
  39 *              data.  Rcu is used to traverse the filterlist and access
  40 *              contents of structs audit_entry, audit_watch and opaque
  41 *              LSM rules during filtering.  If modified, these structures
  42 *              must be copied and replace their counterparts in the filterlist.
  43 *              An audit_parent struct is not accessed during filtering, so may
  44 *              be written directly provided audit_filter_mutex is held.
  45 */
  46
  47/* Audit filter lists, defined in <linux/audit.h> */
  48struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
  49        LIST_HEAD_INIT(audit_filter_list[0]),
  50        LIST_HEAD_INIT(audit_filter_list[1]),
  51        LIST_HEAD_INIT(audit_filter_list[2]),
  52        LIST_HEAD_INIT(audit_filter_list[3]),
  53        LIST_HEAD_INIT(audit_filter_list[4]),
  54        LIST_HEAD_INIT(audit_filter_list[5]),
  55#if AUDIT_NR_FILTERS != 6
  56#error Fix audit_filter_list initialiser
  57#endif
  58};
  59static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
  60        LIST_HEAD_INIT(audit_rules_list[0]),
  61        LIST_HEAD_INIT(audit_rules_list[1]),
  62        LIST_HEAD_INIT(audit_rules_list[2]),
  63        LIST_HEAD_INIT(audit_rules_list[3]),
  64        LIST_HEAD_INIT(audit_rules_list[4]),
  65        LIST_HEAD_INIT(audit_rules_list[5]),
  66};
  67
  68DEFINE_MUTEX(audit_filter_mutex);
  69
  70static inline void audit_free_rule(struct audit_entry *e)
  71{
  72        int i;
  73        struct audit_krule *erule = &e->rule;
  74
  75        /* some rules don't have associated watches */
  76        if (erule->watch)
  77                audit_put_watch(erule->watch);
  78        if (erule->fields)
  79                for (i = 0; i < erule->field_count; i++) {
  80                        struct audit_field *f = &erule->fields[i];
  81                        kfree(f->lsm_str);
  82                        security_audit_rule_free(f->lsm_rule);
  83                }
  84        kfree(erule->fields);
  85        kfree(erule->filterkey);
  86        kfree(e);
  87}
  88
  89void audit_free_rule_rcu(struct rcu_head *head)
  90{
  91        struct audit_entry *e = container_of(head, struct audit_entry, rcu);
  92        audit_free_rule(e);
  93}
  94
  95/* Initialize an audit filterlist entry. */
  96static inline struct audit_entry *audit_init_entry(u32 field_count)
  97{
  98        struct audit_entry *entry;
  99        struct audit_field *fields;
 100
 101        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 102        if (unlikely(!entry))
 103                return NULL;
 104
 105        fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
 106        if (unlikely(!fields)) {
 107                kfree(entry);
 108                return NULL;
 109        }
 110        entry->rule.fields = fields;
 111
 112        return entry;
 113}
 114
 115/* Unpack a filter field's string representation from user-space
 116 * buffer. */
 117char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
 118{
 119        char *str;
 120
 121        if (!*bufp || (len == 0) || (len > *remain))
 122                return ERR_PTR(-EINVAL);
 123
 124        /* Of the currently implemented string fields, PATH_MAX
 125         * defines the longest valid length.
 126         */
 127        if (len > PATH_MAX)
 128                return ERR_PTR(-ENAMETOOLONG);
 129
 130        str = kmalloc(len + 1, GFP_KERNEL);
 131        if (unlikely(!str))
 132                return ERR_PTR(-ENOMEM);
 133
 134        memcpy(str, *bufp, len);
 135        str[len] = 0;
 136        *bufp += len;
 137        *remain -= len;
 138
 139        return str;
 140}
 141
 142/* Translate an inode field to kernel respresentation. */
 143static inline int audit_to_inode(struct audit_krule *krule,
 144                                 struct audit_field *f)
 145{
 146        if (krule->listnr != AUDIT_FILTER_EXIT ||
 147            krule->watch || krule->inode_f || krule->tree ||
 148            (f->op != Audit_equal && f->op != Audit_not_equal))
 149                return -EINVAL;
 150
 151        krule->inode_f = f;
 152        return 0;
 153}
 154
 155static __u32 *classes[AUDIT_SYSCALL_CLASSES];
 156
 157int __init audit_register_class(int class, unsigned *list)
 158{
 159        __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
 160        if (!p)
 161                return -ENOMEM;
 162        while (*list != ~0U) {
 163                unsigned n = *list++;
 164                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
 165                        kfree(p);
 166                        return -EINVAL;
 167                }
 168                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
 169        }
 170        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
 171                kfree(p);
 172                return -EINVAL;
 173        }
 174        classes[class] = p;
 175        return 0;
 176}
 177
 178int audit_match_class(int class, unsigned syscall)
 179{
 180        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
 181                return 0;
 182        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
 183                return 0;
 184        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
 185}
 186
 187#ifdef CONFIG_AUDITSYSCALL
 188static inline int audit_match_class_bits(int class, u32 *mask)
 189{
 190        int i;
 191
 192        if (classes[class]) {
 193                for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 194                        if (mask[i] & classes[class][i])
 195                                return 0;
 196        }
 197        return 1;
 198}
 199
 200static int audit_match_signal(struct audit_entry *entry)
 201{
 202        struct audit_field *arch = entry->rule.arch_f;
 203
 204        if (!arch) {
 205                /* When arch is unspecified, we must check both masks on biarch
 206                 * as syscall number alone is ambiguous. */
 207                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 208                                               entry->rule.mask) &&
 209                        audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 210                                               entry->rule.mask));
 211        }
 212
 213        switch(audit_classify_arch(arch->val)) {
 214        case 0: /* native */
 215                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
 216                                               entry->rule.mask));
 217        case 1: /* 32bit on biarch */
 218                return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
 219                                               entry->rule.mask));
 220        default:
 221                return 1;
 222        }
 223}
 224#endif
 225
 226/* Common user-space to kernel rule translation. */
 227static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 228{
 229        unsigned listnr;
 230        struct audit_entry *entry;
 231        int i, err;
 232
 233        err = -EINVAL;
 234        listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
 235        switch(listnr) {
 236        default:
 237                goto exit_err;
 238#ifdef CONFIG_AUDITSYSCALL
 239        case AUDIT_FILTER_ENTRY:
 240                if (rule->action == AUDIT_ALWAYS)
 241                        goto exit_err;
 242        case AUDIT_FILTER_EXIT:
 243        case AUDIT_FILTER_TASK:
 244#endif
 245        case AUDIT_FILTER_USER:
 246        case AUDIT_FILTER_TYPE:
 247                ;
 248        }
 249        if (unlikely(rule->action == AUDIT_POSSIBLE)) {
 250                printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
 251                goto exit_err;
 252        }
 253        if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
 254                goto exit_err;
 255        if (rule->field_count > AUDIT_MAX_FIELDS)
 256                goto exit_err;
 257
 258        err = -ENOMEM;
 259        entry = audit_init_entry(rule->field_count);
 260        if (!entry)
 261                goto exit_err;
 262
 263        entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
 264        entry->rule.listnr = listnr;
 265        entry->rule.action = rule->action;
 266        entry->rule.field_count = rule->field_count;
 267
 268        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 269                entry->rule.mask[i] = rule->mask[i];
 270
 271        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
 272                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
 273                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
 274                __u32 *class;
 275
 276                if (!(*p & AUDIT_BIT(bit)))
 277                        continue;
 278                *p &= ~AUDIT_BIT(bit);
 279                class = classes[i];
 280                if (class) {
 281                        int j;
 282                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
 283                                entry->rule.mask[j] |= class[j];
 284                }
 285        }
 286
 287        return entry;
 288
 289exit_err:
 290        return ERR_PTR(err);
 291}
 292
 293static u32 audit_ops[] =
 294{
 295        [Audit_equal] = AUDIT_EQUAL,
 296        [Audit_not_equal] = AUDIT_NOT_EQUAL,
 297        [Audit_bitmask] = AUDIT_BIT_MASK,
 298        [Audit_bittest] = AUDIT_BIT_TEST,
 299        [Audit_lt] = AUDIT_LESS_THAN,
 300        [Audit_gt] = AUDIT_GREATER_THAN,
 301        [Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
 302        [Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
 303};
 304
 305static u32 audit_to_op(u32 op)
 306{
 307        u32 n;
 308        for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
 309                ;
 310        return n;
 311}
 312
 313/* check if an audit field is valid */
 314static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 315{
 316        switch(f->type) {
 317        case AUDIT_MSGTYPE:
 318                if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
 319                    entry->rule.listnr != AUDIT_FILTER_USER)
 320                        return -EINVAL;
 321                break;
 322        };
 323
 324        switch(f->type) {
 325        default:
 326                return -EINVAL;
 327        case AUDIT_UID:
 328        case AUDIT_EUID:
 329        case AUDIT_SUID:
 330        case AUDIT_FSUID:
 331        case AUDIT_LOGINUID:
 332        case AUDIT_OBJ_UID:
 333        case AUDIT_GID:
 334        case AUDIT_EGID:
 335        case AUDIT_SGID:
 336        case AUDIT_FSGID:
 337        case AUDIT_OBJ_GID:
 338        case AUDIT_PID:
 339        case AUDIT_PERS:
 340        case AUDIT_MSGTYPE:
 341        case AUDIT_PPID:
 342        case AUDIT_DEVMAJOR:
 343        case AUDIT_DEVMINOR:
 344        case AUDIT_EXIT:
 345        case AUDIT_SUCCESS:
 346                /* bit ops are only useful on syscall args */
 347                if (f->op == Audit_bitmask || f->op == Audit_bittest)
 348                        return -EINVAL;
 349                break;
 350        case AUDIT_ARG0:
 351        case AUDIT_ARG1:
 352        case AUDIT_ARG2:
 353        case AUDIT_ARG3:
 354        case AUDIT_SUBJ_USER:
 355        case AUDIT_SUBJ_ROLE:
 356        case AUDIT_SUBJ_TYPE:
 357        case AUDIT_SUBJ_SEN:
 358        case AUDIT_SUBJ_CLR:
 359        case AUDIT_OBJ_USER:
 360        case AUDIT_OBJ_ROLE:
 361        case AUDIT_OBJ_TYPE:
 362        case AUDIT_OBJ_LEV_LOW:
 363        case AUDIT_OBJ_LEV_HIGH:
 364        case AUDIT_WATCH:
 365        case AUDIT_DIR:
 366        case AUDIT_FILTERKEY:
 367                break;
 368        case AUDIT_LOGINUID_SET:
 369                if ((f->val != 0) && (f->val != 1))
 370                        return -EINVAL;
 371        /* FALL THROUGH */
 372        case AUDIT_ARCH:
 373                if (f->op != Audit_not_equal && f->op != Audit_equal)
 374                        return -EINVAL;
 375                break;
 376        case AUDIT_PERM:
 377                if (f->val & ~15)
 378                        return -EINVAL;
 379                break;
 380        case AUDIT_FILETYPE:
 381                if (f->val & ~S_IFMT)
 382                        return -EINVAL;
 383                break;
 384        case AUDIT_FIELD_COMPARE:
 385                if (f->val > AUDIT_MAX_FIELD_COMPARE)
 386                        return -EINVAL;
 387                break;
 388        };
 389        return 0;
 390}
 391
 392/* Translate struct audit_rule_data to kernel's rule respresentation. */
 393static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 394                                               size_t datasz)
 395{
 396        int err = 0;
 397        struct audit_entry *entry;
 398        void *bufp;
 399        size_t remain = datasz - sizeof(struct audit_rule_data);
 400        int i;
 401        char *str;
 402
 403        entry = audit_to_entry_common((struct audit_rule *)data);
 404        if (IS_ERR(entry))
 405                goto exit_nofree;
 406
 407        bufp = data->buf;
 408        entry->rule.vers_ops = 2;
 409        for (i = 0; i < data->field_count; i++) {
 410                struct audit_field *f = &entry->rule.fields[i];
 411
 412                err = -EINVAL;
 413
 414                f->op = audit_to_op(data->fieldflags[i]);
 415                if (f->op == Audit_bad)
 416                        goto exit_free;
 417
 418                f->type = data->fields[i];
 419                f->val = data->values[i];
 420                f->uid = INVALID_UID;
 421                f->gid = INVALID_GID;
 422                f->lsm_str = NULL;
 423                f->lsm_rule = NULL;
 424
 425                /* Support legacy tests for a valid loginuid */
 426                if ((f->type == AUDIT_LOGINUID) && (f->val == ~0U)) {
 427                        f->type = AUDIT_LOGINUID_SET;
 428                        f->val = 0;
 429                }
 430
 431                err = audit_field_valid(entry, f);
 432                if (err)
 433                        goto exit_free;
 434
 435                err = -EINVAL;
 436                switch (f->type) {
 437                case AUDIT_LOGINUID:
 438                case AUDIT_UID:
 439                case AUDIT_EUID:
 440                case AUDIT_SUID:
 441                case AUDIT_FSUID:
 442                case AUDIT_OBJ_UID:
 443                        f->uid = make_kuid(current_user_ns(), f->val);
 444                        if (!uid_valid(f->uid))
 445                                goto exit_free;
 446                        break;
 447                case AUDIT_GID:
 448                case AUDIT_EGID:
 449                case AUDIT_SGID:
 450                case AUDIT_FSGID:
 451                case AUDIT_OBJ_GID:
 452                        f->gid = make_kgid(current_user_ns(), f->val);
 453                        if (!gid_valid(f->gid))
 454                                goto exit_free;
 455                        break;
 456                case AUDIT_ARCH:
 457                        entry->rule.arch_f = f;
 458                        break;
 459                case AUDIT_SUBJ_USER:
 460                case AUDIT_SUBJ_ROLE:
 461                case AUDIT_SUBJ_TYPE:
 462                case AUDIT_SUBJ_SEN:
 463                case AUDIT_SUBJ_CLR:
 464                case AUDIT_OBJ_USER:
 465                case AUDIT_OBJ_ROLE:
 466                case AUDIT_OBJ_TYPE:
 467                case AUDIT_OBJ_LEV_LOW:
 468                case AUDIT_OBJ_LEV_HIGH:
 469                        str = audit_unpack_string(&bufp, &remain, f->val);
 470                        if (IS_ERR(str))
 471                                goto exit_free;
 472                        entry->rule.buflen += f->val;
 473
 474                        err = security_audit_rule_init(f->type, f->op, str,
 475                                                       (void **)&f->lsm_rule);
 476                        /* Keep currently invalid fields around in case they
 477                         * become valid after a policy reload. */
 478                        if (err == -EINVAL) {
 479                                printk(KERN_WARNING "audit rule for LSM "
 480                                       "\'%s\' is invalid\n",  str);
 481                                err = 0;
 482                        }
 483                        if (err) {
 484                                kfree(str);
 485                                goto exit_free;
 486                        } else
 487                                f->lsm_str = str;
 488                        break;
 489                case AUDIT_WATCH:
 490                        str = audit_unpack_string(&bufp, &remain, f->val);
 491                        if (IS_ERR(str))
 492                                goto exit_free;
 493                        entry->rule.buflen += f->val;
 494
 495                        err = audit_to_watch(&entry->rule, str, f->val, f->op);
 496                        if (err) {
 497                                kfree(str);
 498                                goto exit_free;
 499                        }
 500                        break;
 501                case AUDIT_DIR:
 502                        str = audit_unpack_string(&bufp, &remain, f->val);
 503                        if (IS_ERR(str))
 504                                goto exit_free;
 505                        entry->rule.buflen += f->val;
 506
 507                        err = audit_make_tree(&entry->rule, str, f->op);
 508                        kfree(str);
 509                        if (err)
 510                                goto exit_free;
 511                        break;
 512                case AUDIT_INODE:
 513                        err = audit_to_inode(&entry->rule, f);
 514                        if (err)
 515                                goto exit_free;
 516                        break;
 517                case AUDIT_FILTERKEY:
 518                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 519                                goto exit_free;
 520                        str = audit_unpack_string(&bufp, &remain, f->val);
 521                        if (IS_ERR(str))
 522                                goto exit_free;
 523                        entry->rule.buflen += f->val;
 524                        entry->rule.filterkey = str;
 525                        break;
 526                }
 527        }
 528
 529        if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
 530                entry->rule.inode_f = NULL;
 531
 532exit_nofree:
 533        return entry;
 534
 535exit_free:
 536        if (entry->rule.watch)
 537                audit_put_watch(entry->rule.watch); /* matches initial get */
 538        if (entry->rule.tree)
 539                audit_put_tree(entry->rule.tree); /* that's the temporary one */
 540        audit_free_rule(entry);
 541        return ERR_PTR(err);
 542}
 543
 544/* Pack a filter field's string representation into data block. */
 545static inline size_t audit_pack_string(void **bufp, const char *str)
 546{
 547        size_t len = strlen(str);
 548
 549        memcpy(*bufp, str, len);
 550        *bufp += len;
 551
 552        return len;
 553}
 554
 555/* Translate kernel rule respresentation to struct audit_rule_data. */
 556static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
 557{
 558        struct audit_rule_data *data;
 559        void *bufp;
 560        int i;
 561
 562        data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
 563        if (unlikely(!data))
 564                return NULL;
 565        memset(data, 0, sizeof(*data));
 566
 567        data->flags = krule->flags | krule->listnr;
 568        data->action = krule->action;
 569        data->field_count = krule->field_count;
 570        bufp = data->buf;
 571        for (i = 0; i < data->field_count; i++) {
 572                struct audit_field *f = &krule->fields[i];
 573
 574                data->fields[i] = f->type;
 575                data->fieldflags[i] = audit_ops[f->op];
 576                switch(f->type) {
 577                case AUDIT_SUBJ_USER:
 578                case AUDIT_SUBJ_ROLE:
 579                case AUDIT_SUBJ_TYPE:
 580                case AUDIT_SUBJ_SEN:
 581                case AUDIT_SUBJ_CLR:
 582                case AUDIT_OBJ_USER:
 583                case AUDIT_OBJ_ROLE:
 584                case AUDIT_OBJ_TYPE:
 585                case AUDIT_OBJ_LEV_LOW:
 586                case AUDIT_OBJ_LEV_HIGH:
 587                        data->buflen += data->values[i] =
 588                                audit_pack_string(&bufp, f->lsm_str);
 589                        break;
 590                case AUDIT_WATCH:
 591                        data->buflen += data->values[i] =
 592                                audit_pack_string(&bufp,
 593                                                  audit_watch_path(krule->watch));
 594                        break;
 595                case AUDIT_DIR:
 596                        data->buflen += data->values[i] =
 597                                audit_pack_string(&bufp,
 598                                                  audit_tree_path(krule->tree));
 599                        break;
 600                case AUDIT_FILTERKEY:
 601                        data->buflen += data->values[i] =
 602                                audit_pack_string(&bufp, krule->filterkey);
 603                        break;
 604                default:
 605                        data->values[i] = f->val;
 606                }
 607        }
 608        for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
 609
 610        return data;
 611}
 612
 613/* Compare two rules in kernel format.  Considered success if rules
 614 * don't match. */
 615static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
 616{
 617        int i;
 618
 619        if (a->flags != b->flags ||
 620            a->listnr != b->listnr ||
 621            a->action != b->action ||
 622            a->field_count != b->field_count)
 623                return 1;
 624
 625        for (i = 0; i < a->field_count; i++) {
 626                if (a->fields[i].type != b->fields[i].type ||
 627                    a->fields[i].op != b->fields[i].op)
 628                        return 1;
 629
 630                switch(a->fields[i].type) {
 631                case AUDIT_SUBJ_USER:
 632                case AUDIT_SUBJ_ROLE:
 633                case AUDIT_SUBJ_TYPE:
 634                case AUDIT_SUBJ_SEN:
 635                case AUDIT_SUBJ_CLR:
 636                case AUDIT_OBJ_USER:
 637                case AUDIT_OBJ_ROLE:
 638                case AUDIT_OBJ_TYPE:
 639                case AUDIT_OBJ_LEV_LOW:
 640                case AUDIT_OBJ_LEV_HIGH:
 641                        if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
 642                                return 1;
 643                        break;
 644                case AUDIT_WATCH:
 645                        if (strcmp(audit_watch_path(a->watch),
 646                                   audit_watch_path(b->watch)))
 647                                return 1;
 648                        break;
 649                case AUDIT_DIR:
 650                        if (strcmp(audit_tree_path(a->tree),
 651                                   audit_tree_path(b->tree)))
 652                                return 1;
 653                        break;
 654                case AUDIT_FILTERKEY:
 655                        /* both filterkeys exist based on above type compare */
 656                        if (strcmp(a->filterkey, b->filterkey))
 657                                return 1;
 658                        break;
 659                case AUDIT_UID:
 660                case AUDIT_EUID:
 661                case AUDIT_SUID:
 662                case AUDIT_FSUID:
 663                case AUDIT_LOGINUID:
 664                case AUDIT_OBJ_UID:
 665                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
 666                                return 1;
 667                        break;
 668                case AUDIT_GID:
 669                case AUDIT_EGID:
 670                case AUDIT_SGID:
 671                case AUDIT_FSGID:
 672                case AUDIT_OBJ_GID:
 673                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
 674                                return 1;
 675                        break;
 676                default:
 677                        if (a->fields[i].val != b->fields[i].val)
 678                                return 1;
 679                }
 680        }
 681
 682        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 683                if (a->mask[i] != b->mask[i])
 684                        return 1;
 685
 686        return 0;
 687}
 688
 689/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
 690 * re-initialized. */
 691static inline int audit_dupe_lsm_field(struct audit_field *df,
 692                                           struct audit_field *sf)
 693{
 694        int ret = 0;
 695        char *lsm_str;
 696
 697        /* our own copy of lsm_str */
 698        lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
 699        if (unlikely(!lsm_str))
 700                return -ENOMEM;
 701        df->lsm_str = lsm_str;
 702
 703        /* our own (refreshed) copy of lsm_rule */
 704        ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
 705                                       (void **)&df->lsm_rule);
 706        /* Keep currently invalid fields around in case they
 707         * become valid after a policy reload. */
 708        if (ret == -EINVAL) {
 709                printk(KERN_WARNING "audit rule for LSM \'%s\' is "
 710                       "invalid\n", df->lsm_str);
 711                ret = 0;
 712        }
 713
 714        return ret;
 715}
 716
 717/* Duplicate an audit rule.  This will be a deep copy with the exception
 718 * of the watch - that pointer is carried over.  The LSM specific fields
 719 * will be updated in the copy.  The point is to be able to replace the old
 720 * rule with the new rule in the filterlist, then free the old rule.
 721 * The rlist element is undefined; list manipulations are handled apart from
 722 * the initial copy. */
 723struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 724{
 725        u32 fcount = old->field_count;
 726        struct audit_entry *entry;
 727        struct audit_krule *new;
 728        char *fk;
 729        int i, err = 0;
 730
 731        entry = audit_init_entry(fcount);
 732        if (unlikely(!entry))
 733                return ERR_PTR(-ENOMEM);
 734
 735        new = &entry->rule;
 736        new->vers_ops = old->vers_ops;
 737        new->flags = old->flags;
 738        new->listnr = old->listnr;
 739        new->action = old->action;
 740        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
 741                new->mask[i] = old->mask[i];
 742        new->prio = old->prio;
 743        new->buflen = old->buflen;
 744        new->inode_f = old->inode_f;
 745        new->field_count = old->field_count;
 746
 747        /*
 748         * note that we are OK with not refcounting here; audit_match_tree()
 749         * never dereferences tree and we can't get false positives there
 750         * since we'd have to have rule gone from the list *and* removed
 751         * before the chunks found by lookup had been allocated, i.e. before
 752         * the beginning of list scan.
 753         */
 754        new->tree = old->tree;
 755        memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
 756
 757        /* deep copy this information, updating the lsm_rule fields, because
 758         * the originals will all be freed when the old rule is freed. */
 759        for (i = 0; i < fcount; i++) {
 760                switch (new->fields[i].type) {
 761                case AUDIT_SUBJ_USER:
 762                case AUDIT_SUBJ_ROLE:
 763                case AUDIT_SUBJ_TYPE:
 764                case AUDIT_SUBJ_SEN:
 765                case AUDIT_SUBJ_CLR:
 766                case AUDIT_OBJ_USER:
 767                case AUDIT_OBJ_ROLE:
 768                case AUDIT_OBJ_TYPE:
 769                case AUDIT_OBJ_LEV_LOW:
 770                case AUDIT_OBJ_LEV_HIGH:
 771                        err = audit_dupe_lsm_field(&new->fields[i],
 772                                                       &old->fields[i]);
 773                        break;
 774                case AUDIT_FILTERKEY:
 775                        fk = kstrdup(old->filterkey, GFP_KERNEL);
 776                        if (unlikely(!fk))
 777                                err = -ENOMEM;
 778                        else
 779                                new->filterkey = fk;
 780                }
 781                if (err) {
 782                        audit_free_rule(entry);
 783                        return ERR_PTR(err);
 784                }
 785        }
 786
 787        if (old->watch) {
 788                audit_get_watch(old->watch);
 789                new->watch = old->watch;
 790        }
 791
 792        return entry;
 793}
 794
 795/* Find an existing audit rule.
 796 * Caller must hold audit_filter_mutex to prevent stale rule data. */
 797static struct audit_entry *audit_find_rule(struct audit_entry *entry,
 798                                           struct list_head **p)
 799{
 800        struct audit_entry *e, *found = NULL;
 801        struct list_head *list;
 802        int h;
 803
 804        if (entry->rule.inode_f) {
 805                h = audit_hash_ino(entry->rule.inode_f->val);
 806                *p = list = &audit_inode_hash[h];
 807        } else if (entry->rule.watch) {
 808                /* we don't know the inode number, so must walk entire hash */
 809                for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
 810                        list = &audit_inode_hash[h];
 811                        list_for_each_entry(e, list, list)
 812                                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 813                                        found = e;
 814                                        goto out;
 815                                }
 816                }
 817                goto out;
 818        } else {
 819                *p = list = &audit_filter_list[entry->rule.listnr];
 820        }
 821
 822        list_for_each_entry(e, list, list)
 823                if (!audit_compare_rule(&entry->rule, &e->rule)) {
 824                        found = e;
 825                        goto out;
 826                }
 827
 828out:
 829        return found;
 830}
 831
 832static u64 prio_low = ~0ULL/2;
 833static u64 prio_high = ~0ULL/2 - 1;
 834
 835/* Add rule to given filterlist if not a duplicate. */
 836static inline int audit_add_rule(struct audit_entry *entry)
 837{
 838        struct audit_entry *e;
 839        struct audit_watch *watch = entry->rule.watch;
 840        struct audit_tree *tree = entry->rule.tree;
 841        struct list_head *list;
 842        int err;
 843#ifdef CONFIG_AUDITSYSCALL
 844        int dont_count = 0;
 845
 846        /* If either of these, don't count towards total */
 847        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 848                entry->rule.listnr == AUDIT_FILTER_TYPE)
 849                dont_count = 1;
 850#endif
 851
 852        mutex_lock(&audit_filter_mutex);
 853        e = audit_find_rule(entry, &list);
 854        if (e) {
 855                mutex_unlock(&audit_filter_mutex);
 856                err = -EEXIST;
 857                /* normally audit_add_tree_rule() will free it on failure */
 858                if (tree)
 859                        audit_put_tree(tree);
 860                goto error;
 861        }
 862
 863        if (watch) {
 864                /* audit_filter_mutex is dropped and re-taken during this call */
 865                err = audit_add_watch(&entry->rule, &list);
 866                if (err) {
 867                        mutex_unlock(&audit_filter_mutex);
 868                        /*
 869                         * normally audit_add_tree_rule() will free it
 870                         * on failure
 871                         */
 872                        if (tree)
 873                                audit_put_tree(tree);
 874                        goto error;
 875                }
 876        }
 877        if (tree) {
 878                err = audit_add_tree_rule(&entry->rule);
 879                if (err) {
 880                        mutex_unlock(&audit_filter_mutex);
 881                        goto error;
 882                }
 883        }
 884
 885        entry->rule.prio = ~0ULL;
 886        if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
 887                if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 888                        entry->rule.prio = ++prio_high;
 889                else
 890                        entry->rule.prio = --prio_low;
 891        }
 892
 893        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
 894                list_add(&entry->rule.list,
 895                         &audit_rules_list[entry->rule.listnr]);
 896                list_add_rcu(&entry->list, list);
 897                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
 898        } else {
 899                list_add_tail(&entry->rule.list,
 900                              &audit_rules_list[entry->rule.listnr]);
 901                list_add_tail_rcu(&entry->list, list);
 902        }
 903#ifdef CONFIG_AUDITSYSCALL
 904        if (!dont_count)
 905                audit_n_rules++;
 906
 907        if (!audit_match_signal(entry))
 908                audit_signals++;
 909#endif
 910        mutex_unlock(&audit_filter_mutex);
 911
 912        return 0;
 913
 914error:
 915        if (watch)
 916                audit_put_watch(watch); /* tmp watch, matches initial get */
 917        return err;
 918}
 919
 920/* Remove an existing rule from filterlist. */
 921static inline int audit_del_rule(struct audit_entry *entry)
 922{
 923        struct audit_entry  *e;
 924        struct audit_watch *watch = entry->rule.watch;
 925        struct audit_tree *tree = entry->rule.tree;
 926        struct list_head *list;
 927        int ret = 0;
 928#ifdef CONFIG_AUDITSYSCALL
 929        int dont_count = 0;
 930
 931        /* If either of these, don't count towards total */
 932        if (entry->rule.listnr == AUDIT_FILTER_USER ||
 933                entry->rule.listnr == AUDIT_FILTER_TYPE)
 934                dont_count = 1;
 935#endif
 936
 937        mutex_lock(&audit_filter_mutex);
 938        e = audit_find_rule(entry, &list);
 939        if (!e) {
 940                mutex_unlock(&audit_filter_mutex);
 941                ret = -ENOENT;
 942                goto out;
 943        }
 944
 945        if (e->rule.watch)
 946                audit_remove_watch_rule(&e->rule);
 947
 948        if (e->rule.tree)
 949                audit_remove_tree_rule(&e->rule);
 950
 951        list_del_rcu(&e->list);
 952        list_del(&e->rule.list);
 953        call_rcu(&e->rcu, audit_free_rule_rcu);
 954
 955#ifdef CONFIG_AUDITSYSCALL
 956        if (!dont_count)
 957                audit_n_rules--;
 958
 959        if (!audit_match_signal(entry))
 960                audit_signals--;
 961#endif
 962        mutex_unlock(&audit_filter_mutex);
 963
 964out:
 965        if (watch)
 966                audit_put_watch(watch); /* match initial get */
 967        if (tree)
 968                audit_put_tree(tree);   /* that's the temporary one */
 969
 970        return ret;
 971}
 972
 973/* List rules using struct audit_rule_data. */
 974static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
 975{
 976        struct sk_buff *skb;
 977        struct audit_krule *r;
 978        int i;
 979
 980        /* This is a blocking read, so use audit_filter_mutex instead of rcu
 981         * iterator to sync with list writers. */
 982        for (i=0; i<AUDIT_NR_FILTERS; i++) {
 983                list_for_each_entry(r, &audit_rules_list[i], list) {
 984                        struct audit_rule_data *data;
 985
 986                        data = audit_krule_to_data(r);
 987                        if (unlikely(!data))
 988                                break;
 989                        skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
 990                                         data, sizeof(*data) + data->buflen);
 991                        if (skb)
 992                                skb_queue_tail(q, skb);
 993                        kfree(data);
 994                }
 995        }
 996        skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
 997        if (skb)
 998                skb_queue_tail(q, skb);
 999}
1000
1001/* Log rule additions and removals */
1002static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
1003{
1004        struct audit_buffer *ab;
1005        uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
1006        u32 sessionid = audit_get_sessionid(current);
1007
1008        if (!audit_enabled)
1009                return;
1010
1011        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1012        if (!ab)
1013                return;
1014        audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
1015        audit_log_task_context(ab);
1016        audit_log_format(ab, " op=");
1017        audit_log_string(ab, action);
1018        audit_log_key(ab, rule->filterkey);
1019        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1020        audit_log_end(ab);
1021}
1022
1023/**
1024 * audit_receive_filter - apply all rules to the specified message type
1025 * @type: audit message type
1026 * @pid: target pid for netlink audit messages
1027 * @seq: netlink audit message sequence (serial) number
1028 * @data: payload data
1029 * @datasz: size of payload data
1030 */
1031int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)
1032{
1033        struct task_struct *tsk;
1034        struct audit_netlink_list *dest;
1035        int err = 0;
1036        struct audit_entry *entry;
1037
1038        switch (type) {
1039        case AUDIT_LIST_RULES:
1040                /* We can't just spew out the rules here because we might fill
1041                 * the available socket buffer space and deadlock waiting for
1042                 * auditctl to read from it... which isn't ever going to
1043                 * happen if we're actually running in the context of auditctl
1044                 * trying to _send_ the stuff */
1045
1046                dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1047                if (!dest)
1048                        return -ENOMEM;
1049                dest->pid = pid;
1050                skb_queue_head_init(&dest->q);
1051
1052                mutex_lock(&audit_filter_mutex);
1053                audit_list_rules(pid, seq, &dest->q);
1054                mutex_unlock(&audit_filter_mutex);
1055
1056                tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1057                if (IS_ERR(tsk)) {
1058                        skb_queue_purge(&dest->q);
1059                        kfree(dest);
1060                        err = PTR_ERR(tsk);
1061                }
1062                break;
1063        case AUDIT_ADD_RULE:
1064                entry = audit_data_to_entry(data, datasz);
1065                if (IS_ERR(entry))
1066                        return PTR_ERR(entry);
1067
1068                err = audit_add_rule(entry);
1069                audit_log_rule_change("add rule", &entry->rule, !err);
1070                if (err)
1071                        audit_free_rule(entry);
1072                break;
1073        case AUDIT_DEL_RULE:
1074                entry = audit_data_to_entry(data, datasz);
1075                if (IS_ERR(entry))
1076                        return PTR_ERR(entry);
1077
1078                err = audit_del_rule(entry);
1079                audit_log_rule_change("remove rule", &entry->rule, !err);
1080                audit_free_rule(entry);
1081                break;
1082        default:
1083                return -EINVAL;
1084        }
1085
1086        return err;
1087}
1088
1089int audit_comparator(u32 left, u32 op, u32 right)
1090{
1091        switch (op) {
1092        case Audit_equal:
1093                return (left == right);
1094        case Audit_not_equal:
1095                return (left != right);
1096        case Audit_lt:
1097                return (left < right);
1098        case Audit_le:
1099                return (left <= right);
1100        case Audit_gt:
1101                return (left > right);
1102        case Audit_ge:
1103                return (left >= right);
1104        case Audit_bitmask:
1105                return (left & right);
1106        case Audit_bittest:
1107                return ((left & right) == right);
1108        default:
1109                BUG();
1110                return 0;
1111        }
1112}
1113
1114int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
1115{
1116        switch (op) {
1117        case Audit_equal:
1118                return uid_eq(left, right);
1119        case Audit_not_equal:
1120                return !uid_eq(left, right);
1121        case Audit_lt:
1122                return uid_lt(left, right);
1123        case Audit_le:
1124                return uid_lte(left, right);
1125        case Audit_gt:
1126                return uid_gt(left, right);
1127        case Audit_ge:
1128                return uid_gte(left, right);
1129        case Audit_bitmask:
1130        case Audit_bittest:
1131        default:
1132                BUG();
1133                return 0;
1134        }
1135}
1136
1137int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
1138{
1139        switch (op) {
1140        case Audit_equal:
1141                return gid_eq(left, right);
1142        case Audit_not_equal:
1143                return !gid_eq(left, right);
1144        case Audit_lt:
1145                return gid_lt(left, right);
1146        case Audit_le:
1147                return gid_lte(left, right);
1148        case Audit_gt:
1149                return gid_gt(left, right);
1150        case Audit_ge:
1151                return gid_gte(left, right);
1152        case Audit_bitmask:
1153        case Audit_bittest:
1154        default:
1155                BUG();
1156                return 0;
1157        }
1158}
1159
1160/**
1161 * parent_len - find the length of the parent portion of a pathname
1162 * @path: pathname of which to determine length
1163 */
1164int parent_len(const char *path)
1165{
1166        int plen;
1167        const char *p;
1168
1169        plen = strlen(path);
1170
1171        if (plen == 0)
1172                return plen;
1173
1174        /* disregard trailing slashes */
1175        p = path + plen - 1;
1176        while ((*p == '/') && (p > path))
1177                p--;
1178
1179        /* walk backward until we find the next slash or hit beginning */
1180        while ((*p != '/') && (p > path))
1181                p--;
1182
1183        /* did we find a slash? Then increment to include it in path */
1184        if (*p == '/')
1185                p++;
1186
1187        return p - path;
1188}
1189
1190/**
1191 * audit_compare_dname_path - compare given dentry name with last component in
1192 *                            given path. Return of 0 indicates a match.
1193 * @dname:      dentry name that we're comparing
1194 * @path:       full pathname that we're comparing
1195 * @parentlen:  length of the parent if known. Passing in AUDIT_NAME_FULL
1196 *              here indicates that we must compute this value.
1197 */
1198int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
1199{
1200        int dlen, pathlen;
1201        const char *p;
1202
1203        dlen = strlen(dname);
1204        pathlen = strlen(path);
1205        if (pathlen < dlen)
1206                return 1;
1207
1208        parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
1209        if (pathlen - parentlen != dlen)
1210                return 1;
1211
1212        p = path + parentlen;
1213
1214        return strncmp(p, dname, dlen);
1215}
1216
1217static int audit_filter_user_rules(struct audit_krule *rule, int type,
1218                                   enum audit_state *state)
1219{
1220        int i;
1221
1222        for (i = 0; i < rule->field_count; i++) {
1223                struct audit_field *f = &rule->fields[i];
1224                int result = 0;
1225                u32 sid;
1226
1227                switch (f->type) {
1228                case AUDIT_PID:
1229                        result = audit_comparator(task_pid_vnr(current), f->op, f->val);
1230                        break;
1231                case AUDIT_UID:
1232                        result = audit_uid_comparator(current_uid(), f->op, f->uid);
1233                        break;
1234                case AUDIT_GID:
1235                        result = audit_gid_comparator(current_gid(), f->op, f->gid);
1236                        break;
1237                case AUDIT_LOGINUID:
1238                        result = audit_uid_comparator(audit_get_loginuid(current),
1239                                                  f->op, f->uid);
1240                        break;
1241                case AUDIT_LOGINUID_SET:
1242                        result = audit_comparator(audit_loginuid_set(current),
1243                                                  f->op, f->val);
1244                        break;
1245                case AUDIT_MSGTYPE:
1246                        result = audit_comparator(type, f->op, f->val);
1247                        break;
1248                case AUDIT_SUBJ_USER:
1249                case AUDIT_SUBJ_ROLE:
1250                case AUDIT_SUBJ_TYPE:
1251                case AUDIT_SUBJ_SEN:
1252                case AUDIT_SUBJ_CLR:
1253                        if (f->lsm_rule) {
1254                                security_task_getsecid(current, &sid);
1255                                result = security_audit_rule_match(sid,
1256                                                                   f->type,
1257                                                                   f->op,
1258                                                                   f->lsm_rule,
1259                                                                   NULL);
1260                        }
1261                        break;
1262                }
1263
1264                if (!result)
1265                        return 0;
1266        }
1267        switch (rule->action) {
1268        case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
1269        case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
1270        }
1271        return 1;
1272}
1273
1274int audit_filter_user(int type)
1275{
1276        enum audit_state state = AUDIT_DISABLED;
1277        struct audit_entry *e;
1278        int ret = 1;
1279
1280        rcu_read_lock();
1281        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1282                if (audit_filter_user_rules(&e->rule, type, &state)) {
1283                        if (state == AUDIT_DISABLED)
1284                                ret = 0;
1285                        break;
1286                }
1287        }
1288        rcu_read_unlock();
1289
1290        return ret; /* Audit by default */
1291}
1292
1293int audit_filter_type(int type)
1294{
1295        struct audit_entry *e;
1296        int result = 0;
1297
1298        rcu_read_lock();
1299        if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1300                goto unlock_and_return;
1301
1302        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1303                                list) {
1304                int i;
1305                for (i = 0; i < e->rule.field_count; i++) {
1306                        struct audit_field *f = &e->rule.fields[i];
1307                        if (f->type == AUDIT_MSGTYPE) {
1308                                result = audit_comparator(type, f->op, f->val);
1309                                if (!result)
1310                                        break;
1311                        }
1312                }
1313                if (result)
1314                        goto unlock_and_return;
1315        }
1316unlock_and_return:
1317        rcu_read_unlock();
1318        return result;
1319}
1320
1321static int update_lsm_rule(struct audit_krule *r)
1322{
1323        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1324        struct audit_entry *nentry;
1325        int err = 0;
1326
1327        if (!security_audit_rule_known(r))
1328                return 0;
1329
1330        nentry = audit_dupe_rule(r);
1331        if (IS_ERR(nentry)) {
1332                /* save the first error encountered for the
1333                 * return value */
1334                err = PTR_ERR(nentry);
1335                audit_panic("error updating LSM filters");
1336                if (r->watch)
1337                        list_del(&r->rlist);
1338                list_del_rcu(&entry->list);
1339                list_del(&r->list);
1340        } else {
1341                if (r->watch || r->tree)
1342                        list_replace_init(&r->rlist, &nentry->rule.rlist);
1343                list_replace_rcu(&entry->list, &nentry->list);
1344                list_replace(&r->list, &nentry->rule.list);
1345        }
1346        call_rcu(&entry->rcu, audit_free_rule_rcu);
1347
1348        return err;
1349}
1350
1351/* This function will re-initialize the lsm_rule field of all applicable rules.
1352 * It will traverse the filter lists serarching for rules that contain LSM
1353 * specific filter fields.  When such a rule is found, it is copied, the
1354 * LSM field is re-initialized, and the old rule is replaced with the
1355 * updated rule. */
1356int audit_update_lsm_rules(void)
1357{
1358        struct audit_krule *r, *n;
1359        int i, err = 0;
1360
1361        /* audit_filter_mutex synchronizes the writers */
1362        mutex_lock(&audit_filter_mutex);
1363
1364        for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1365                list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1366                        int res = update_lsm_rule(r);
1367                        if (!err)
1368                                err = res;
1369                }
1370        }
1371        mutex_unlock(&audit_filter_mutex);
1372
1373        return err;
1374}
1375
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.