1
/* auditfilter.c -- filtering of audit events
2
 *
3
 * Copyright 2003-2004 Red Hat, Inc.
4
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5
 * Copyright 2005 IBM Corporation
6
 *
7
 * This program is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 2 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * This program is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
20
 */
21

22
#include <linux/kernel.h>
23
#include <linux/audit.h>
24
#include <linux/kthread.h>
25
#include <linux/mutex.h>
26
#include <linux/fs.h>
27
#include <linux/namei.h>
28
#include <linux/netlink.h>
29
#include <linux/sched.h>
30
#include <linux/slab.h>
31
#include <linux/security.h>
32
#include "audit.h"
33

34
/*
35
 * Locking model:
36
 *
37
 * audit_filter_mutex:
38
 * 		Synchronizes writes and blocking reads of audit's filterlist
39
 * 		data.  Rcu is used to traverse the filterlist and access
40
 * 		contents of structs audit_entry, audit_watch and opaque
41
 * 		LSM rules during filtering.  If modified, these structures
42
 * 		must be copied and replace their counterparts in the filterlist.
43
 * 		An audit_parent struct is not accessed during filtering, so may
44
 * 		be written directly provided audit_filter_mutex is held.
45
 */
46

47
/* Audit filter lists, defined in <linux/audit.h> */
48
struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
49
	LIST_HEAD_INIT(audit_filter_list[0]),
50
	LIST_HEAD_INIT(audit_filter_list[1]),
51
	LIST_HEAD_INIT(audit_filter_list[2]),
52
	LIST_HEAD_INIT(audit_filter_list[3]),
53
	LIST_HEAD_INIT(audit_filter_list[4]),
54
	LIST_HEAD_INIT(audit_filter_list[5]),
55
#if AUDIT_NR_FILTERS != 6
56
#error Fix audit_filter_list initialiser
57
#endif
58
};
59
static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = {
60
	LIST_HEAD_INIT(audit_rules_list[0]),
61
	LIST_HEAD_INIT(audit_rules_list[1]),
62
	LIST_HEAD_INIT(audit_rules_list[2]),
63
	LIST_HEAD_INIT(audit_rules_list[3]),
64
	LIST_HEAD_INIT(audit_rules_list[4]),
65
	LIST_HEAD_INIT(audit_rules_list[5]),
66
};
67

68
DEFINE_MUTEX(audit_filter_mutex);
69

70
static inline void audit_free_rule(struct audit_entry *e)
71
{
72
	int i;
73
	struct audit_krule *erule = &e->rule;
74

75
	/* some rules don't have associated watches */
76
	if (erule->watch)
77
		audit_put_watch(erule->watch);
78
	if (erule->fields)
79
		for (i = 0; i < erule->field_count; i++) {
80
			struct audit_field *f = &erule->fields[i];
81
			kfree(f->lsm_str);
82
			security_audit_rule_free(f->lsm_rule);
83
		}
84
	kfree(erule->fields);
85
	kfree(erule->filterkey);
86
	kfree(e);
87
}
88

89
void audit_free_rule_rcu(struct rcu_head *head)
90
{
91
	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
92
	audit_free_rule(e);
93
}
94

95
/* Initialize an audit filterlist entry. */
96
static inline struct audit_entry *audit_init_entry(u32 field_count)
97
{
98
	struct audit_entry *entry;
99
	struct audit_field *fields;
100

101
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
102
	if (unlikely(!entry))
103
		return NULL;
104

105
	fields = kzalloc(sizeof(*fields) * field_count, GFP_KERNEL);
106
	if (unlikely(!fields)) {
107
		kfree(entry);
108
		return NULL;
109
	}
110
	entry->rule.fields = fields;
111

112
	return entry;
113
}
114

115
/* Unpack a filter field's string representation from user-space
116
 * buffer. */
117
char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
118
{
119
	char *str;
120

121
	if (!*bufp || (len == 0) || (len > *remain))
122
		return ERR_PTR(-EINVAL);
123

124
	/* Of the currently implemented string fields, PATH_MAX
125
	 * defines the longest valid length.
126
	 */
127
	if (len > PATH_MAX)
128
		return ERR_PTR(-ENAMETOOLONG);
129

130
	str = kmalloc(len + 1, GFP_KERNEL);
131
	if (unlikely(!str))
132
		return ERR_PTR(-ENOMEM);
133

134
	memcpy(str, *bufp, len);
135
	str[len] = 0;
136
	*bufp += len;
137
	*remain -= len;
138

139
	return str;
140
}
141

142
/* Translate an inode field to kernel respresentation. */
143
static inline int audit_to_inode(struct audit_krule *krule,
144
				 struct audit_field *f)
145
{
146
	if (krule->listnr != AUDIT_FILTER_EXIT ||
147
	    krule->watch || krule->inode_f || krule->tree ||
148
	    (f->op != Audit_equal && f->op != Audit_not_equal))
149
		return -EINVAL;
150

151
	krule->inode_f = f;
152
	return 0;
153
}
154

155
static __u32 *classes[AUDIT_SYSCALL_CLASSES];
156

157
int __init audit_register_class(int class, unsigned *list)
158
{
159
	__u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
160
	if (!p)
161
		return -ENOMEM;
162
	while (*list != ~0U) {
163
		unsigned n = *list++;
164
		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
165
			kfree(p);
166
			return -EINVAL;
167
		}
168
		p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
169
	}
170
	if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
171
		kfree(p);
172
		return -EINVAL;
173
	}
174
	classes[class] = p;
175
	return 0;
176
}
177

178
int audit_match_class(int class, unsigned syscall)
179
{
180
	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
181
		return 0;
182
	if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
183
		return 0;
184
	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
185
}
186

187
#ifdef CONFIG_AUDITSYSCALL
188
static inline int audit_match_class_bits(int class, u32 *mask)
189
{
190
	int i;
191

192
	if (classes[class]) {
193
		for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
194
			if (mask[i] & classes[class][i])
195
				return 0;
196
	}
197
	return 1;
198
}
199

200
static int audit_match_signal(struct audit_entry *entry)
201
{
202
	struct audit_field *arch = entry->rule.arch_f;
203

204
	if (!arch) {
205
		/* When arch is unspecified, we must check both masks on biarch
206
		 * as syscall number alone is ambiguous. */
207
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
208
					       entry->rule.mask) &&
209
			audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
210
					       entry->rule.mask));
211
	}
212

213
	switch(audit_classify_arch(arch->val)) {
214
	case 0: /* native */
215
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
216
					       entry->rule.mask));
217
	case 1: /* 32bit on biarch */
218
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
219
					       entry->rule.mask));
220
	default:
221
		return 1;
222
	}
223
}
224
#endif
225

226
/* Common user-space to kernel rule translation. */
227
static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
228
{
229
	unsigned listnr;
230
	struct audit_entry *entry;
231
	int i, err;
232

233
	err = -EINVAL;
234
	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
235
	switch(listnr) {
236
	default:
237
		goto exit_err;
238
	case AUDIT_FILTER_USER:
239
	case AUDIT_FILTER_TYPE:
240
#ifdef CONFIG_AUDITSYSCALL
241
	case AUDIT_FILTER_ENTRY:
242
	case AUDIT_FILTER_EXIT:
243
	case AUDIT_FILTER_TASK:
244
#endif
245
		;
246
	}
247
	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
248
		printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
249
		goto exit_err;
250
	}
251
	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
252
		goto exit_err;
253
	if (rule->field_count > AUDIT_MAX_FIELDS)
254
		goto exit_err;
255

256
	err = -ENOMEM;
257
	entry = audit_init_entry(rule->field_count);
258
	if (!entry)
259
		goto exit_err;
260

261
	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
262
	entry->rule.listnr = listnr;
263
	entry->rule.action = rule->action;
264
	entry->rule.field_count = rule->field_count;
265

266
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
267
		entry->rule.mask[i] = rule->mask[i];
268

269
	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
270
		int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
271
		__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
272
		__u32 *class;
273

274
		if (!(*p & AUDIT_BIT(bit)))
275
			continue;
276
		*p &= ~AUDIT_BIT(bit);
277
		class = classes[i];
278
		if (class) {
279
			int j;
280
			for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
281
				entry->rule.mask[j] |= class[j];
282
		}
283
	}
284

285
	return entry;
286

287
exit_err:
288
	return ERR_PTR(err);
289
}
290

291
static u32 audit_ops[] =
292
{
293
	[Audit_equal] = AUDIT_EQUAL,
294
	[Audit_not_equal] = AUDIT_NOT_EQUAL,
295
	[Audit_bitmask] = AUDIT_BIT_MASK,
296
	[Audit_bittest] = AUDIT_BIT_TEST,
297
	[Audit_lt] = AUDIT_LESS_THAN,
298
	[Audit_gt] = AUDIT_GREATER_THAN,
299
	[Audit_le] = AUDIT_LESS_THAN_OR_EQUAL,
300
	[Audit_ge] = AUDIT_GREATER_THAN_OR_EQUAL,
301
};
302

303
static u32 audit_to_op(u32 op)
304
{
305
	u32 n;
306
	for (n = Audit_equal; n < Audit_bad && audit_ops[n] != op; n++)
307
		;
308
	return n;
309
}
310

311

312
/* Translate struct audit_rule to kernel's rule respresentation.
313
 * Exists for backward compatibility with userspace. */
314
static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
315
{
316
	struct audit_entry *entry;
317
	int err = 0;
318
	int i;
319

320
	entry = audit_to_entry_common(rule);
321
	if (IS_ERR(entry))
322
		goto exit_nofree;
323

324
	for (i = 0; i < rule->field_count; i++) {
325
		struct audit_field *f = &entry->rule.fields[i];
326
		u32 n;
327

328
		n = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
329

330
		/* Support for legacy operators where
331
		 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
332
		if (n & AUDIT_NEGATE)
333
			f->op = Audit_not_equal;
334
		else if (!n)
335
			f->op = Audit_equal;
336
		else
337
			f->op = audit_to_op(n);
338

339
		entry->rule.vers_ops = (n & AUDIT_OPERATORS) ? 2 : 1;
340

341
		f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
342
		f->val = rule->values[i];
343

344
		err = -EINVAL;
345
		if (f->op == Audit_bad)
346
			goto exit_free;
347

348
		switch(f->type) {
349
		default:
350
			goto exit_free;
351
		case AUDIT_PID:
352
		case AUDIT_UID:
353
		case AUDIT_EUID:
354
		case AUDIT_SUID:
355
		case AUDIT_FSUID:
356
		case AUDIT_GID:
357
		case AUDIT_EGID:
358
		case AUDIT_SGID:
359
		case AUDIT_FSGID:
360
		case AUDIT_LOGINUID:
361
		case AUDIT_PERS:
362
		case AUDIT_MSGTYPE:
363
		case AUDIT_PPID:
364
		case AUDIT_DEVMAJOR:
365
		case AUDIT_DEVMINOR:
366
		case AUDIT_EXIT:
367
		case AUDIT_SUCCESS:
368
			/* bit ops are only useful on syscall args */
369
			if (f->op == Audit_bitmask || f->op == Audit_bittest)
370
				goto exit_free;
371
			break;
372
		case AUDIT_ARG0:
373
		case AUDIT_ARG1:
374
		case AUDIT_ARG2:
375
		case AUDIT_ARG3:
376
			break;
377
		/* arch is only allowed to be = or != */
378
		case AUDIT_ARCH:
379
			if (f->op != Audit_not_equal && f->op != Audit_equal)
380
				goto exit_free;
381
			entry->rule.arch_f = f;
382
			break;
383
		case AUDIT_PERM:
384
			if (f->val & ~15)
385
				goto exit_free;
386
			break;
387
		case AUDIT_FILETYPE:
388
			if ((f->val & ~S_IFMT) > S_IFMT)
389
				goto exit_free;
390
			break;
391
		case AUDIT_INODE:
392
			err = audit_to_inode(&entry->rule, f);
393
			if (err)
394
				goto exit_free;
395
			break;
396
		}
397
	}
398

399
	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
400
		entry->rule.inode_f = NULL;
401

402
exit_nofree:
403
	return entry;
404

405
exit_free:
406
	audit_free_rule(entry);
407
	return ERR_PTR(err);
408
}
409

410
/* Translate struct audit_rule_data to kernel's rule respresentation. */
411
static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
412
					       size_t datasz)
413
{
414
	int err = 0;
415
	struct audit_entry *entry;
416
	void *bufp;
417
	size_t remain = datasz - sizeof(struct audit_rule_data);
418
	int i;
419
	char *str;
420

421
	entry = audit_to_entry_common((struct audit_rule *)data);
422
	if (IS_ERR(entry))
423
		goto exit_nofree;
424

425
	bufp = data->buf;
426
	entry->rule.vers_ops = 2;
427
	for (i = 0; i < data->field_count; i++) {
428
		struct audit_field *f = &entry->rule.fields[i];
429

430
		err = -EINVAL;
431

432
		f->op = audit_to_op(data->fieldflags[i]);
433
		if (f->op == Audit_bad)
434
			goto exit_free;
435

436
		f->type = data->fields[i];
437
		f->val = data->values[i];
438
		f->lsm_str = NULL;
439
		f->lsm_rule = NULL;
440
		switch(f->type) {
441
		case AUDIT_PID:
442
		case AUDIT_UID:
443
		case AUDIT_EUID:
444
		case AUDIT_SUID:
445
		case AUDIT_FSUID:
446
		case AUDIT_GID:
447
		case AUDIT_EGID:
448
		case AUDIT_SGID:
449
		case AUDIT_FSGID:
450
		case AUDIT_LOGINUID:
451
		case AUDIT_PERS:
452
		case AUDIT_MSGTYPE:
453
		case AUDIT_PPID:
454
		case AUDIT_DEVMAJOR:
455
		case AUDIT_DEVMINOR:
456
		case AUDIT_EXIT:
457
		case AUDIT_SUCCESS:
458
		case AUDIT_ARG0:
459
		case AUDIT_ARG1:
460
		case AUDIT_ARG2:
461
		case AUDIT_ARG3:
462
			break;
463
		case AUDIT_ARCH:
464
			entry->rule.arch_f = f;
465
			break;
466
		case AUDIT_SUBJ_USER:
467
		case AUDIT_SUBJ_ROLE:
468
		case AUDIT_SUBJ_TYPE:
469
		case AUDIT_SUBJ_SEN:
470
		case AUDIT_SUBJ_CLR:
471
		case AUDIT_OBJ_USER:
472
		case AUDIT_OBJ_ROLE:
473
		case AUDIT_OBJ_TYPE:
474
		case AUDIT_OBJ_LEV_LOW:
475
		case AUDIT_OBJ_LEV_HIGH:
476
			str = audit_unpack_string(&bufp, &remain, f->val);
477
			if (IS_ERR(str))
478
				goto exit_free;
479
			entry->rule.buflen += f->val;
480

481
			err = security_audit_rule_init(f->type, f->op, str,
482
						       (void **)&f->lsm_rule);
483
			/* Keep currently invalid fields around in case they
484
			 * become valid after a policy reload. */
485
			if (err == -EINVAL) {
486
				printk(KERN_WARNING "audit rule for LSM "
487
				       "\'%s\' is invalid\n",  str);
488
				err = 0;
489
			}
490
			if (err) {
491
				kfree(str);
492
				goto exit_free;
493
			} else
494
				f->lsm_str = str;
495
			break;
496
		case AUDIT_WATCH:
497
			str = audit_unpack_string(&bufp, &remain, f->val);
498
			if (IS_ERR(str))
499
				goto exit_free;
500
			entry->rule.buflen += f->val;
501

502
			err = audit_to_watch(&entry->rule, str, f->val, f->op);
503
			if (err) {
504
				kfree(str);
505
				goto exit_free;
506
			}
507
			break;
508
		case AUDIT_DIR:
509
			str = audit_unpack_string(&bufp, &remain, f->val);
510
			if (IS_ERR(str))
511
				goto exit_free;
512
			entry->rule.buflen += f->val;
513

514
			err = audit_make_tree(&entry->rule, str, f->op);
515
			kfree(str);
516
			if (err)
517
				goto exit_free;
518
			break;
519
		case AUDIT_INODE:
520
			err = audit_to_inode(&entry->rule, f);
521
			if (err)
522
				goto exit_free;
523
			break;
524
		case AUDIT_FILTERKEY:
525
			err = -EINVAL;
526
			if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
527
				goto exit_free;
528
			str = audit_unpack_string(&bufp, &remain, f->val);
529
			if (IS_ERR(str))
530
				goto exit_free;
531
			entry->rule.buflen += f->val;
532
			entry->rule.filterkey = str;
533
			break;
534
		case AUDIT_PERM:
535
			if (f->val & ~15)
536
				goto exit_free;
537
			break;
538
		case AUDIT_FILETYPE:
539
			if ((f->val & ~S_IFMT) > S_IFMT)
540
				goto exit_free;
541
			break;
542
		default:
543
			goto exit_free;
544
		}
545
	}
546

547
	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)
548
		entry->rule.inode_f = NULL;
549

550
exit_nofree:
551
	return entry;
552

553
exit_free:
554
	audit_free_rule(entry);
555
	return ERR_PTR(err);
556
}
557

558
/* Pack a filter field's string representation into data block. */
559
static inline size_t audit_pack_string(void **bufp, const char *str)
560
{
561
	size_t len = strlen(str);
562

563
	memcpy(*bufp, str, len);
564
	*bufp += len;
565

566
	return len;
567
}
568

569
/* Translate kernel rule respresentation to struct audit_rule.
570
 * Exists for backward compatibility with userspace. */
571
static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
572
{
573
	struct audit_rule *rule;
574
	int i;
575

576
	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
577
	if (unlikely(!rule))
578
		return NULL;
579

580
	rule->flags = krule->flags | krule->listnr;
581
	rule->action = krule->action;
582
	rule->field_count = krule->field_count;
583
	for (i = 0; i < rule->field_count; i++) {
584
		rule->values[i] = krule->fields[i].val;
585
		rule->fields[i] = krule->fields[i].type;
586

587
		if (krule->vers_ops == 1) {
588
			if (krule->fields[i].op == Audit_not_equal)
589
				rule->fields[i] |= AUDIT_NEGATE;
590
		} else {
591
			rule->fields[i] |= audit_ops[krule->fields[i].op];
592
		}
593
	}
594
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
595

596
	return rule;
597
}
598

599
/* Translate kernel rule respresentation to struct audit_rule_data. */
600
static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
601
{
602
	struct audit_rule_data *data;
603
	void *bufp;
604
	int i;
605

606
	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
607
	if (unlikely(!data))
608
		return NULL;
609
	memset(data, 0, sizeof(*data));
610

611
	data->flags = krule->flags | krule->listnr;
612
	data->action = krule->action;
613
	data->field_count = krule->field_count;
614
	bufp = data->buf;
615
	for (i = 0; i < data->field_count; i++) {
616
		struct audit_field *f = &krule->fields[i];
617

618
		data->fields[i] = f->type;
619
		data->fieldflags[i] = audit_ops[f->op];
620
		switch(f->type) {
621
		case AUDIT_SUBJ_USER:
622
		case AUDIT_SUBJ_ROLE:
623
		case AUDIT_SUBJ_TYPE:
624
		case AUDIT_SUBJ_SEN:
625
		case AUDIT_SUBJ_CLR:
626
		case AUDIT_OBJ_USER:
627
		case AUDIT_OBJ_ROLE:
628
		case AUDIT_OBJ_TYPE:
629
		case AUDIT_OBJ_LEV_LOW:
630
		case AUDIT_OBJ_LEV_HIGH:
631
			data->buflen += data->values[i] =
632
				audit_pack_string(&bufp, f->lsm_str);
633
			break;
634
		case AUDIT_WATCH:
635
			data->buflen += data->values[i] =
636
				audit_pack_string(&bufp,
637
						  audit_watch_path(krule->watch));
638
			break;
639
		case AUDIT_DIR:
640
			data->buflen += data->values[i] =
641
				audit_pack_string(&bufp,
642
						  audit_tree_path(krule->tree));
643
			break;
644
		case AUDIT_FILTERKEY:
645
			data->buflen += data->values[i] =
646
				audit_pack_string(&bufp, krule->filterkey);
647
			break;
648
		default:
649
			data->values[i] = f->val;
650
		}
651
	}
652
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
653

654
	return data;
655
}
656

657
/* Compare two rules in kernel format.  Considered success if rules
658
 * don't match. */
659
static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
660
{
661
	int i;
662

663
	if (a->flags != b->flags ||
664
	    a->listnr != b->listnr ||
665
	    a->action != b->action ||
666
	    a->field_count != b->field_count)
667
		return 1;
668

669
	for (i = 0; i < a->field_count; i++) {
670
		if (a->fields[i].type != b->fields[i].type ||
671
		    a->fields[i].op != b->fields[i].op)
672
			return 1;
673

674
		switch(a->fields[i].type) {
675
		case AUDIT_SUBJ_USER:
676
		case AUDIT_SUBJ_ROLE:
677
		case AUDIT_SUBJ_TYPE:
678
		case AUDIT_SUBJ_SEN:
679
		case AUDIT_SUBJ_CLR:
680
		case AUDIT_OBJ_USER:
681
		case AUDIT_OBJ_ROLE:
682
		case AUDIT_OBJ_TYPE:
683
		case AUDIT_OBJ_LEV_LOW:
684
		case AUDIT_OBJ_LEV_HIGH:
685
			if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
686
				return 1;
687
			break;
688
		case AUDIT_WATCH:
689
			if (strcmp(audit_watch_path(a->watch),
690
				   audit_watch_path(b->watch)))
691
				return 1;
692
			break;
693
		case AUDIT_DIR:
694
			if (strcmp(audit_tree_path(a->tree),
695
				   audit_tree_path(b->tree)))
696
				return 1;
697
			break;
698
		case AUDIT_FILTERKEY:
699
			/* both filterkeys exist based on above type compare */
700
			if (strcmp(a->filterkey, b->filterkey))
701
				return 1;
702
			break;
703
		default:
704
			if (a->fields[i].val != b->fields[i].val)
705
				return 1;
706
		}
707
	}
708

709
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
710
		if (a->mask[i] != b->mask[i])
711
			return 1;
712

713
	return 0;
714
}
715

716
/* Duplicate LSM field information.  The lsm_rule is opaque, so must be
717
 * re-initialized. */
718
static inline int audit_dupe_lsm_field(struct audit_field *df,
719
					   struct audit_field *sf)
720
{
721
	int ret = 0;
722
	char *lsm_str;
723

724
	/* our own copy of lsm_str */
725
	lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
726
	if (unlikely(!lsm_str))
727
		return -ENOMEM;
728
	df->lsm_str = lsm_str;
729

730
	/* our own (refreshed) copy of lsm_rule */
731
	ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
732
				       (void **)&df->lsm_rule);
733
	/* Keep currently invalid fields around in case they
734
	 * become valid after a policy reload. */
735
	if (ret == -EINVAL) {
736
		printk(KERN_WARNING "audit rule for LSM \'%s\' is "
737
		       "invalid\n", df->lsm_str);
738
		ret = 0;
739
	}
740

741
	return ret;
742
}
743

744
/* Duplicate an audit rule.  This will be a deep copy with the exception
745
 * of the watch - that pointer is carried over.  The LSM specific fields
746
 * will be updated in the copy.  The point is to be able to replace the old
747
 * rule with the new rule in the filterlist, then free the old rule.
748
 * The rlist element is undefined; list manipulations are handled apart from
749
 * the initial copy. */
750
struct audit_entry *audit_dupe_rule(struct audit_krule *old)
751
{
752
	u32 fcount = old->field_count;
753
	struct audit_entry *entry;
754
	struct audit_krule *new;
755
	char *fk;
756
	int i, err = 0;
757

758
	entry = audit_init_entry(fcount);
759
	if (unlikely(!entry))
760
		return ERR_PTR(-ENOMEM);
761

762
	new = &entry->rule;
763
	new->vers_ops = old->vers_ops;
764
	new->flags = old->flags;
765
	new->listnr = old->listnr;
766
	new->action = old->action;
767
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
768
		new->mask[i] = old->mask[i];
769
	new->prio = old->prio;
770
	new->buflen = old->buflen;
771
	new->inode_f = old->inode_f;
772
	new->field_count = old->field_count;
773

774
	/*
775
	 * note that we are OK with not refcounting here; audit_match_tree()
776
	 * never dereferences tree and we can't get false positives there
777
	 * since we'd have to have rule gone from the list *and* removed
778
	 * before the chunks found by lookup had been allocated, i.e. before
779
	 * the beginning of list scan.
780
	 */
781
	new->tree = old->tree;
782
	memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
783

784
	/* deep copy this information, updating the lsm_rule fields, because
785
	 * the originals will all be freed when the old rule is freed. */
786
	for (i = 0; i < fcount; i++) {
787
		switch (new->fields[i].type) {
788
		case AUDIT_SUBJ_USER:
789
		case AUDIT_SUBJ_ROLE:
790
		case AUDIT_SUBJ_TYPE:
791
		case AUDIT_SUBJ_SEN:
792
		case AUDIT_SUBJ_CLR:
793
		case AUDIT_OBJ_USER:
794
		case AUDIT_OBJ_ROLE:
795
		case AUDIT_OBJ_TYPE:
796
		case AUDIT_OBJ_LEV_LOW:
797
		case AUDIT_OBJ_LEV_HIGH:
798
			err = audit_dupe_lsm_field(&new->fields[i],
799
						       &old->fields[i]);
800
			break;
801
		case AUDIT_FILTERKEY:
802
			fk = kstrdup(old->filterkey, GFP_KERNEL);
803
			if (unlikely(!fk))
804
				err = -ENOMEM;
805
			else
806
				new->filterkey = fk;
807
		}
808
		if (err) {
809
			audit_free_rule(entry);
810
			return ERR_PTR(err);
811
		}
812
	}
813

814
	if (old->watch) {
815
		audit_get_watch(old->watch);
816
		new->watch = old->watch;
817
	}
818

819
	return entry;
820
}
821

822
/* Find an existing audit rule.
823
 * Caller must hold audit_filter_mutex to prevent stale rule data. */
824
static struct audit_entry *audit_find_rule(struct audit_entry *entry,
825
					   struct list_head **p)
826
{
827
	struct audit_entry *e, *found = NULL;
828
	struct list_head *list;
829
	int h;
830

831
	if (entry->rule.inode_f) {
832
		h = audit_hash_ino(entry->rule.inode_f->val);
833
		*p = list = &audit_inode_hash[h];
834
	} else if (entry->rule.watch) {
835
		/* we don't know the inode number, so must walk entire hash */
836
		for (h = 0; h < AUDIT_INODE_BUCKETS; h++) {
837
			list = &audit_inode_hash[h];
838
			list_for_each_entry(e, list, list)
839
				if (!audit_compare_rule(&entry->rule, &e->rule)) {
840
					found = e;
841
					goto out;
842
				}
843
		}
844
		goto out;
845
	} else {
846
		*p = list = &audit_filter_list[entry->rule.listnr];
847
	}
848

849
	list_for_each_entry(e, list, list)
850
		if (!audit_compare_rule(&entry->rule, &e->rule)) {
851
			found = e;
852
			goto out;
853
		}
854

855
out:
856
	return found;
857
}
858

859
static u64 prio_low = ~0ULL/2;
860
static u64 prio_high = ~0ULL/2 - 1;
861

862
/* Add rule to given filterlist if not a duplicate. */
863
static inline int audit_add_rule(struct audit_entry *entry)
864
{
865
	struct audit_entry *e;
866
	struct audit_watch *watch = entry->rule.watch;
867
	struct audit_tree *tree = entry->rule.tree;
868
	struct list_head *list;
869
	int err;
870
#ifdef CONFIG_AUDITSYSCALL
871
	int dont_count = 0;
872

873
	/* If either of these, don't count towards total */
874
	if (entry->rule.listnr == AUDIT_FILTER_USER ||
875
		entry->rule.listnr == AUDIT_FILTER_TYPE)
876
		dont_count = 1;
877
#endif
878

879
	mutex_lock(&audit_filter_mutex);
880
	e = audit_find_rule(entry, &list);
881
	if (e) {
882
		mutex_unlock(&audit_filter_mutex);
883
		err = -EEXIST;
884
		/* normally audit_add_tree_rule() will free it on failure */
885
		if (tree)
886
			audit_put_tree(tree);
887
		goto error;
888
	}
889

890
	if (watch) {
891
		/* audit_filter_mutex is dropped and re-taken during this call */
892
		err = audit_add_watch(&entry->rule, &list);
893
		if (err) {
894
			mutex_unlock(&audit_filter_mutex);
895
			goto error;
896
		}
897
	}
898
	if (tree) {
899
		err = audit_add_tree_rule(&entry->rule);
900
		if (err) {
901
			mutex_unlock(&audit_filter_mutex);
902
			goto error;
903
		}
904
	}
905

906
	entry->rule.prio = ~0ULL;
907
	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
908
		if (entry->rule.flags & AUDIT_FILTER_PREPEND)
909
			entry->rule.prio = ++prio_high;
910
		else
911
			entry->rule.prio = --prio_low;
912
	}
913

914
	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
915
		list_add(&entry->rule.list,
916
			 &audit_rules_list[entry->rule.listnr]);
917
		list_add_rcu(&entry->list, list);
918
		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
919
	} else {
920
		list_add_tail(&entry->rule.list,
921
			      &audit_rules_list[entry->rule.listnr]);
922
		list_add_tail_rcu(&entry->list, list);
923
	}
924
#ifdef CONFIG_AUDITSYSCALL
925
	if (!dont_count)
926
		audit_n_rules++;
927

928
	if (!audit_match_signal(entry))
929
		audit_signals++;
930
#endif
931
	mutex_unlock(&audit_filter_mutex);
932

933
 	return 0;
934

935
error:
936
	if (watch)
937
		audit_put_watch(watch); /* tmp watch, matches initial get */
938
	return err;
939
}
940

941
/* Remove an existing rule from filterlist. */
942
static inline int audit_del_rule(struct audit_entry *entry)
943
{
944
	struct audit_entry  *e;
945
	struct audit_watch *watch = entry->rule.watch;
946
	struct audit_tree *tree = entry->rule.tree;
947
	struct list_head *list;
948
	int ret = 0;
949
#ifdef CONFIG_AUDITSYSCALL
950
	int dont_count = 0;
951

952
	/* If either of these, don't count towards total */
953
	if (entry->rule.listnr == AUDIT_FILTER_USER ||
954
		entry->rule.listnr == AUDIT_FILTER_TYPE)
955
		dont_count = 1;
956
#endif
957

958
	mutex_lock(&audit_filter_mutex);
959
	e = audit_find_rule(entry, &list);
960
	if (!e) {
961
		mutex_unlock(&audit_filter_mutex);
962
		ret = -ENOENT;
963
		goto out;
964
	}
965

966
	if (e->rule.watch)
967
		audit_remove_watch_rule(&e->rule);
968

969
	if (e->rule.tree)
970
		audit_remove_tree_rule(&e->rule);
971

972
	list_del_rcu(&e->list);
973
	list_del(&e->rule.list);
974
	call_rcu(&e->rcu, audit_free_rule_rcu);
975

976
#ifdef CONFIG_AUDITSYSCALL
977
	if (!dont_count)
978
		audit_n_rules--;
979

980
	if (!audit_match_signal(entry))
981
		audit_signals--;
982
#endif
983
	mutex_unlock(&audit_filter_mutex);
984

985
out:
986
	if (watch)
987
		audit_put_watch(watch); /* match initial get */
988
	if (tree)
989
		audit_put_tree(tree);	/* that's the temporary one */
990

991
	return ret;
992
}
993

994
/* List rules using struct audit_rule.  Exists for backward
995
 * compatibility with userspace. */
996
static void audit_list(int pid, int seq, struct sk_buff_head *q)
997
{
998
	struct sk_buff *skb;
999
	struct audit_krule *r;
1000
	int i;
1001

1002
	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1003
	 * iterator to sync with list writers. */
1004
	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1005
		list_for_each_entry(r, &audit_rules_list[i], list) {
1006
			struct audit_rule *rule;
1007

1008
			rule = audit_krule_to_rule(r);
1009
			if (unlikely(!rule))
1010
				break;
1011
			skb = audit_make_reply(pid, seq, AUDIT_LIST, 0, 1,
1012
					 rule, sizeof(*rule));
1013
			if (skb)
1014
				skb_queue_tail(q, skb);
1015
			kfree(rule);
1016
		}
1017
	}
1018
	skb = audit_make_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
1019
	if (skb)
1020
		skb_queue_tail(q, skb);
1021
}
1022

1023
/* List rules using struct audit_rule_data. */
1024
static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1025
{
1026
	struct sk_buff *skb;
1027
	struct audit_krule *r;
1028
	int i;
1029

1030
	/* This is a blocking read, so use audit_filter_mutex instead of rcu
1031
	 * iterator to sync with list writers. */
1032
	for (i=0; i<AUDIT_NR_FILTERS; i++) {
1033
		list_for_each_entry(r, &audit_rules_list[i], list) {
1034
			struct audit_rule_data *data;
1035

1036
			data = audit_krule_to_data(r);
1037
			if (unlikely(!data))
1038
				break;
1039
			skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
1040
					 data, sizeof(*data) + data->buflen);
1041
			if (skb)
1042
				skb_queue_tail(q, skb);
1043
			kfree(data);
1044
		}
1045
	}
1046
	skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
1047
	if (skb)
1048
		skb_queue_tail(q, skb);
1049
}
1050

1051
/* Log rule additions and removals */
1052
static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1053
				  char *action, struct audit_krule *rule,
1054
				  int res)
1055
{
1056
	struct audit_buffer *ab;
1057

1058
	if (!audit_enabled)
1059
		return;
1060

1061
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1062
	if (!ab)
1063
		return;
1064
	audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1065
	if (sid) {
1066
		char *ctx = NULL;
1067
		u32 len;
1068
		if (security_secid_to_secctx(sid, &ctx, &len))
1069
			audit_log_format(ab, " ssid=%u", sid);
1070
		else {
1071
			audit_log_format(ab, " subj=%s", ctx);
1072
			security_release_secctx(ctx, len);
1073
		}
1074
	}
1075
	audit_log_format(ab, " op=");
1076
	audit_log_string(ab, action);
1077
	audit_log_key(ab, rule->filterkey);
1078
	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
1079
	audit_log_end(ab);
1080
}
1081

1082
/**
1083
 * audit_receive_filter - apply all rules to the specified message type
1084
 * @type: audit message type
1085
 * @pid: target pid for netlink audit messages
1086
 * @uid: target uid for netlink audit messages
1087
 * @seq: netlink audit message sequence (serial) number
1088
 * @data: payload data
1089
 * @datasz: size of payload data
1090
 * @loginuid: loginuid of sender
1091
 * @sessionid: sessionid for netlink audit message
1092
 * @sid: SE Linux Security ID of sender
1093
 */
1094
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1095
			 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1096
{
1097
	struct task_struct *tsk;
1098
	struct audit_netlink_list *dest;
1099
	int err = 0;
1100
	struct audit_entry *entry;
1101

1102
	switch (type) {
1103
	case AUDIT_LIST:
1104
	case AUDIT_LIST_RULES:
1105
		/* We can't just spew out the rules here because we might fill
1106
		 * the available socket buffer space and deadlock waiting for
1107
		 * auditctl to read from it... which isn't ever going to
1108
		 * happen if we're actually running in the context of auditctl
1109
		 * trying to _send_ the stuff */
1110

1111
		dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
1112
		if (!dest)
1113
			return -ENOMEM;
1114
		dest->pid = pid;
1115
		skb_queue_head_init(&dest->q);
1116

1117
		mutex_lock(&audit_filter_mutex);
1118
		if (type == AUDIT_LIST)
1119
			audit_list(pid, seq, &dest->q);
1120
		else
1121
			audit_list_rules(pid, seq, &dest->q);
1122
		mutex_unlock(&audit_filter_mutex);
1123

1124
		tsk = kthread_run(audit_send_list, dest, "audit_send_list");
1125
		if (IS_ERR(tsk)) {
1126
			skb_queue_purge(&dest->q);
1127
			kfree(dest);
1128
			err = PTR_ERR(tsk);
1129
		}
1130
		break;
1131
	case AUDIT_ADD:
1132
	case AUDIT_ADD_RULE:
1133
		if (type == AUDIT_ADD)
1134
			entry = audit_rule_to_entry(data);
1135
		else
1136
			entry = audit_data_to_entry(data, datasz);
1137
		if (IS_ERR(entry))
1138
			return PTR_ERR(entry);
1139

1140
		err = audit_add_rule(entry);
1141
		audit_log_rule_change(loginuid, sessionid, sid, "add rule",
1142
				      &entry->rule, !err);
1143

1144
		if (err)
1145
			audit_free_rule(entry);
1146
		break;
1147
	case AUDIT_DEL:
1148
	case AUDIT_DEL_RULE:
1149
		if (type == AUDIT_DEL)
1150
			entry = audit_rule_to_entry(data);
1151
		else
1152
			entry = audit_data_to_entry(data, datasz);
1153
		if (IS_ERR(entry))
1154
			return PTR_ERR(entry);
1155

1156
		err = audit_del_rule(entry);
1157
		audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
1158
				      &entry->rule, !err);
1159

1160
		audit_free_rule(entry);
1161
		break;
1162
	default:
1163
		return -EINVAL;
1164
	}
1165

1166
	return err;
1167
}
1168

1169
int audit_comparator(u32 left, u32 op, u32 right)
1170
{
1171
	switch (op) {
1172
	case Audit_equal:
1173
		return (left == right);
1174
	case Audit_not_equal:
1175
		return (left != right);
1176
	case Audit_lt:
1177
		return (left < right);
1178
	case Audit_le:
1179
		return (left <= right);
1180
	case Audit_gt:
1181
		return (left > right);
1182
	case Audit_ge:
1183
		return (left >= right);
1184
	case Audit_bitmask:
1185
		return (left & right);
1186
	case Audit_bittest:
1187
		return ((left & right) == right);
1188
	default:
1189
		BUG();
1190
		return 0;
1191
	}
1192
}
1193

1194
/* Compare given dentry name with last component in given path,
1195
 * return of 0 indicates a match. */
1196
int audit_compare_dname_path(const char *dname, const char *path,
1197
			     int *dirlen)
1198
{
1199
	int dlen, plen;
1200
	const char *p;
1201

1202
	if (!dname || !path)
1203
		return 1;
1204

1205
	dlen = strlen(dname);
1206
	plen = strlen(path);
1207
	if (plen < dlen)
1208
		return 1;
1209

1210
	/* disregard trailing slashes */
1211
	p = path + plen - 1;
1212
	while ((*p == '/') && (p > path))
1213
		p--;
1214

1215
	/* find last path component */
1216
	p = p - dlen + 1;
1217
	if (p < path)
1218
		return 1;
1219
	else if (p > path) {
1220
		if (*--p != '/')
1221
			return 1;
1222
		else
1223
			p++;
1224
	}
1225

1226
	/* return length of path's directory component */
1227
	if (dirlen)
1228
		*dirlen = p - path;
1229
	return strncmp(p, dname, dlen);
1230
}
1231

1232
static int audit_filter_user_rules(struct netlink_skb_parms *cb,
1233
				   struct audit_krule *rule,
1234
				   enum audit_state *state)
1235
{
1236
	int i;
1237

1238
	for (i = 0; i < rule->field_count; i++) {
1239
		struct audit_field *f = &rule->fields[i];
1240
		int result = 0;
1241
		u32 sid;
1242

1243
		switch (f->type) {
1244
		case AUDIT_PID:
1245
			result = audit_comparator(cb->creds.pid, f->op, f->val);
1246
			break;
1247
		case AUDIT_UID:
1248
			result = audit_comparator(cb->creds.uid, f->op, f->val);
1249
			break;
1250
		case AUDIT_GID:
1251
			result = audit_comparator(cb->creds.gid, f->op, f->val);
1252
			break;
1253
		case AUDIT_LOGINUID:
1254
			result = audit_comparator(audit_get_loginuid(current),
1255
						  f->op, f->val);
1256
			break;
1257
		case AUDIT_SUBJ_USER:
1258
		case AUDIT_SUBJ_ROLE:
1259
		case AUDIT_SUBJ_TYPE:
1260
		case AUDIT_SUBJ_SEN:
1261
		case AUDIT_SUBJ_CLR:
1262
			if (f->lsm_rule) {
1263
				security_task_getsecid(current, &sid);
1264
				result = security_audit_rule_match(sid,
1265
								   f->type,
1266
								   f->op,
1267
								   f->lsm_rule,
1268
								   NULL);
1269
			}
1270
			break;
1271
		}
1272

1273
		if (!result)
1274
			return 0;
1275
	}
1276
	switch (rule->action) {
1277
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
1278
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
1279
	}
1280
	return 1;
1281
}
1282

1283
int audit_filter_user(struct netlink_skb_parms *cb)
1284
{
1285
	enum audit_state state = AUDIT_DISABLED;
1286
	struct audit_entry *e;
1287
	int ret = 1;
1288

1289
	rcu_read_lock();
1290
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
1291
		if (audit_filter_user_rules(cb, &e->rule, &state)) {
1292
			if (state == AUDIT_DISABLED)
1293
				ret = 0;
1294
			break;
1295
		}
1296
	}
1297
	rcu_read_unlock();
1298

1299
	return ret; /* Audit by default */
1300
}
1301

1302
int audit_filter_type(int type)
1303
{
1304
	struct audit_entry *e;
1305
	int result = 0;
1306

1307
	rcu_read_lock();
1308
	if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
1309
		goto unlock_and_return;
1310

1311
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
1312
				list) {
1313
		int i;
1314
		for (i = 0; i < e->rule.field_count; i++) {
1315
			struct audit_field *f = &e->rule.fields[i];
1316
			if (f->type == AUDIT_MSGTYPE) {
1317
				result = audit_comparator(type, f->op, f->val);
1318
				if (!result)
1319
					break;
1320
			}
1321
		}
1322
		if (result)
1323
			goto unlock_and_return;
1324
	}
1325
unlock_and_return:
1326
	rcu_read_unlock();
1327
	return result;
1328
}
1329

1330
static int update_lsm_rule(struct audit_krule *r)
1331
{
1332
	struct audit_entry *entry = container_of(r, struct audit_entry, rule);
1333
	struct audit_entry *nentry;
1334
	int err = 0;
1335

1336
	if (!security_audit_rule_known(r))
1337
		return 0;
1338

1339
	nentry = audit_dupe_rule(r);
1340
	if (IS_ERR(nentry)) {
1341
		/* save the first error encountered for the
1342
		 * return value */
1343
		err = PTR_ERR(nentry);
1344
		audit_panic("error updating LSM filters");
1345
		if (r->watch)
1346
			list_del(&r->rlist);
1347
		list_del_rcu(&entry->list);
1348
		list_del(&r->list);
1349
	} else {
1350
		if (r->watch || r->tree)
1351
			list_replace_init(&r->rlist, &nentry->rule.rlist);
1352
		list_replace_rcu(&entry->list, &nentry->list);
1353
		list_replace(&r->list, &nentry->rule.list);
1354
	}
1355
	call_rcu(&entry->rcu, audit_free_rule_rcu);
1356

1357
	return err;
1358
}
1359

1360
/* This function will re-initialize the lsm_rule field of all applicable rules.
1361
 * It will traverse the filter lists serarching for rules that contain LSM
1362
 * specific filter fields.  When such a rule is found, it is copied, the
1363
 * LSM field is re-initialized, and the old rule is replaced with the
1364
 * updated rule. */
1365
int audit_update_lsm_rules(void)
1366
{
1367
	struct audit_krule *r, *n;
1368
	int i, err = 0;
1369

1370
	/* audit_filter_mutex synchronizes the writers */
1371
	mutex_lock(&audit_filter_mutex);
1372

1373
	for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1374
		list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
1375
			int res = update_lsm_rule(r);
1376
			if (!err)
1377
				err = res;
1378
		}
1379
	}
1380
	mutex_unlock(&audit_filter_mutex);
1381

1382
	return err;
1383
}
1384

1385