Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa...
[linux/fpc-iii.git] / kernel / audit_fsnotify.c
blob3596448bfdabc605590e326c05ef6c67cdbe807d
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* audit_fsnotify.c -- tracking inodes
4 * Copyright 2003-2009,2014-2015 Red Hat, Inc.
5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6 * Copyright 2005 IBM Corporation
7 */
9 #include <linux/kernel.h>
10 #include <linux/audit.h>
11 #include <linux/kthread.h>
12 #include <linux/mutex.h>
13 #include <linux/fs.h>
14 #include <linux/fsnotify_backend.h>
15 #include <linux/namei.h>
16 #include <linux/netlink.h>
17 #include <linux/sched.h>
18 #include <linux/slab.h>
19 #include <linux/security.h>
20 #include "audit.h"
23 * this mark lives on the parent directory of the inode in question.
24 * but dev, ino, and path are about the child
26 struct audit_fsnotify_mark {
27 dev_t dev; /* associated superblock device */
28 unsigned long ino; /* associated inode number */
29 char *path; /* insertion path */
30 struct fsnotify_mark mark; /* fsnotify mark on the inode */
31 struct audit_krule *rule;
34 /* fsnotify handle. */
35 static struct fsnotify_group *audit_fsnotify_group;
37 /* fsnotify events we care about. */
38 #define AUDIT_FS_EVENTS (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
39 FS_MOVE_SELF | FS_EVENT_ON_CHILD)
41 static void audit_fsnotify_mark_free(struct audit_fsnotify_mark *audit_mark)
43 kfree(audit_mark->path);
44 kfree(audit_mark);
47 static void audit_fsnotify_free_mark(struct fsnotify_mark *mark)
49 struct audit_fsnotify_mark *audit_mark;
51 audit_mark = container_of(mark, struct audit_fsnotify_mark, mark);
52 audit_fsnotify_mark_free(audit_mark);
55 char *audit_mark_path(struct audit_fsnotify_mark *mark)
57 return mark->path;
60 int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev)
62 if (mark->ino == AUDIT_INO_UNSET)
63 return 0;
64 return (mark->ino == ino) && (mark->dev == dev);
67 static void audit_update_mark(struct audit_fsnotify_mark *audit_mark,
68 const struct inode *inode)
70 audit_mark->dev = inode ? inode->i_sb->s_dev : AUDIT_DEV_UNSET;
71 audit_mark->ino = inode ? inode->i_ino : AUDIT_INO_UNSET;
74 struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len)
76 struct audit_fsnotify_mark *audit_mark;
77 struct path path;
78 struct dentry *dentry;
79 struct inode *inode;
80 int ret;
82 if (pathname[0] != '/' || pathname[len-1] == '/')
83 return ERR_PTR(-EINVAL);
85 dentry = kern_path_locked(pathname, &path);
86 if (IS_ERR(dentry))
87 return (void *)dentry; /* returning an error */
88 inode = path.dentry->d_inode;
89 inode_unlock(inode);
91 audit_mark = kzalloc(sizeof(*audit_mark), GFP_KERNEL);
92 if (unlikely(!audit_mark)) {
93 audit_mark = ERR_PTR(-ENOMEM);
94 goto out;
97 fsnotify_init_mark(&audit_mark->mark, audit_fsnotify_group);
98 audit_mark->mark.mask = AUDIT_FS_EVENTS;
99 audit_mark->path = pathname;
100 audit_update_mark(audit_mark, dentry->d_inode);
101 audit_mark->rule = krule;
103 ret = fsnotify_add_inode_mark(&audit_mark->mark, inode, true);
104 if (ret < 0) {
105 fsnotify_put_mark(&audit_mark->mark);
106 audit_mark = ERR_PTR(ret);
108 out:
109 dput(dentry);
110 path_put(&path);
111 return audit_mark;
114 static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, char *op)
116 struct audit_buffer *ab;
117 struct audit_krule *rule = audit_mark->rule;
119 if (!audit_enabled)
120 return;
121 ab = audit_log_start(audit_context(), GFP_NOFS, AUDIT_CONFIG_CHANGE);
122 if (unlikely(!ab))
123 return;
124 audit_log_session_info(ab);
125 audit_log_format(ab, " op=%s path=", op);
126 audit_log_untrustedstring(ab, audit_mark->path);
127 audit_log_key(ab, rule->filterkey);
128 audit_log_format(ab, " list=%d res=1", rule->listnr);
129 audit_log_end(ab);
132 void audit_remove_mark(struct audit_fsnotify_mark *audit_mark)
134 fsnotify_destroy_mark(&audit_mark->mark, audit_fsnotify_group);
135 fsnotify_put_mark(&audit_mark->mark);
138 void audit_remove_mark_rule(struct audit_krule *krule)
140 struct audit_fsnotify_mark *mark = krule->exe;
142 audit_remove_mark(mark);
145 static void audit_autoremove_mark_rule(struct audit_fsnotify_mark *audit_mark)
147 struct audit_krule *rule = audit_mark->rule;
148 struct audit_entry *entry = container_of(rule, struct audit_entry, rule);
150 audit_mark_log_rule_change(audit_mark, "autoremove_rule");
151 audit_del_rule(entry);
154 /* Update mark data in audit rules based on fsnotify events. */
155 static int audit_mark_handle_event(struct fsnotify_group *group,
156 struct inode *to_tell,
157 u32 mask, const void *data, int data_type,
158 const struct qstr *dname, u32 cookie,
159 struct fsnotify_iter_info *iter_info)
161 struct fsnotify_mark *inode_mark = fsnotify_iter_inode_mark(iter_info);
162 struct audit_fsnotify_mark *audit_mark;
163 const struct inode *inode = fsnotify_data_inode(data, data_type);
165 audit_mark = container_of(inode_mark, struct audit_fsnotify_mark, mark);
167 BUG_ON(group != audit_fsnotify_group);
169 if (WARN_ON(!inode))
170 return 0;
172 if (mask & (FS_CREATE|FS_MOVED_TO|FS_DELETE|FS_MOVED_FROM)) {
173 if (audit_compare_dname_path(dname, audit_mark->path, AUDIT_NAME_FULL))
174 return 0;
175 audit_update_mark(audit_mark, inode);
176 } else if (mask & (FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF))
177 audit_autoremove_mark_rule(audit_mark);
179 return 0;
182 static const struct fsnotify_ops audit_mark_fsnotify_ops = {
183 .handle_event = audit_mark_handle_event,
184 .free_mark = audit_fsnotify_free_mark,
187 static int __init audit_fsnotify_init(void)
189 audit_fsnotify_group = fsnotify_alloc_group(&audit_mark_fsnotify_ops);
190 if (IS_ERR(audit_fsnotify_group)) {
191 audit_fsnotify_group = NULL;
192 audit_panic("cannot create audit fsnotify group");
194 return 0;
196 device_initcall(audit_fsnotify_init);