[PATCH] audit string fields interface + consumer

 */

#define AUDIT_GET		1000	/* Get status */

#define AUDIT_SET		1001	/* Set status (enable/disable/auditd) */

#define AUDIT_LIST		1002	/* List syscall filtering rules */

#define AUDIT_ADD		1003	/* Add syscall filtering rule */

#define AUDIT_DEL		1004	/* Delete syscall filtering rule */

#define AUDIT_LIST		1002	/* List syscall rules -- deprecated */

#define AUDIT_ADD		1003	/* Add syscall rule -- deprecated */

#define AUDIT_DEL		1004	/* Delete syscall rule -- deprecated */

#define AUDIT_USER		1005	/* Message from userspace -- deprecated */

#define AUDIT_LOGIN		1006	/* Define the login id and information */

#define AUDIT_WATCH_INS		1007	/* Insert file/dir watch entry */

#define AUDIT_WATCH_REM		1008	/* Remove file/dir watch entry */

#define AUDIT_WATCH_LIST	1009	/* List all file/dir watches */

#define AUDIT_SIGNAL_INFO	1010	/* Get info about sender of signal to auditd */

#define AUDIT_ADD_RULE		1011	/* Add syscall filtering rule */

#define AUDIT_DEL_RULE		1012	/* Delete syscall filtering rule */

#define AUDIT_LIST_RULES	1013	/* List syscall filtering rules */

#define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */

#define AUDIT_USER_AVC		1107	/* We filter this differently */

	__u32		backlog;	/* messages waiting in queue */

};

/* audit_rule_data supports filter rules with both integer and string

 * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and

 * AUDIT_LIST_RULES requests.

 */

struct audit_rule_data {

	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */

	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */

	__u32		field_count;

	__u32		mask[AUDIT_BITMASK_SIZE];

	__u32		fields[AUDIT_MAX_FIELDS];

	__u32		values[AUDIT_MAX_FIELDS];

	__u32		fieldflags[AUDIT_MAX_FIELDS];

	__u32		buflen;	/* total length of string fields */

	char		buf[0];	/* string fields buffer */

};

/* audit_rule is supported to maintain backward compatibility with

 * userspace.  It supports integer fields only and corresponds to

 * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests.

 */

struct audit_rule {		/* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */

	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */

	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */

extern int audit_filter_user(struct netlink_skb_parms *cb, int type);

extern int audit_filter_type(int type);

extern int  audit_receive_filter(int type, int pid, int uid, int seq,

				 void *data, uid_t loginuid);

				 void *data, size_t datasz, uid_t loginuid);

#else

#define audit_log(c,g,t,f,...) do { ; } while (0)

#define audit_log_start(c,g,t) ({ NULL; })

#include <linux/audit.h>

#include <net/sock.h>

#include <net/netlink.h>

#include <linux/skbuff.h>

#include <linux/netlink.h>

	switch (msg_type) {

	case AUDIT_GET:

	case AUDIT_LIST:

	case AUDIT_LIST_RULES:

	case AUDIT_SET:

	case AUDIT_ADD:

	case AUDIT_ADD_RULE:

	case AUDIT_DEL:

	case AUDIT_DEL_RULE:

	case AUDIT_SIGNAL_INFO:

		if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))

			err = -EPERM;

		break;

	case AUDIT_ADD:

	case AUDIT_DEL:

		if (nlh->nlmsg_len < sizeof(struct audit_rule))

		if (nlmsg_len(nlh) < sizeof(struct audit_rule))

			return -EINVAL;

		/* fallthrough */

	case AUDIT_LIST:

		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,

					   uid, seq, data, loginuid);

					   uid, seq, data, nlmsg_len(nlh),

					   loginuid);

		break;

	case AUDIT_ADD_RULE:

	case AUDIT_DEL_RULE:

		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))

			return -EINVAL;

		/* fallthrough */

	case AUDIT_LIST_RULES:

		err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,

					   uid, seq, data, nlmsg_len(nlh),

					   loginuid);

		break;

	case AUDIT_SIGNAL_INFO:

		sig_data.uid = audit_sig_uid;

};

/* Rule lists */

struct audit_field {

	u32			type;

	u32			val;

	u32			op;

};

struct audit_krule {

	int			vers_ops;

	u32			flags;

	u32			listnr;

	u32			action;

	u32			mask[AUDIT_BITMASK_SIZE];

	u32			buflen; /* for data alloc on list rules */

	u32			field_count;

	struct audit_field	*fields;

};

struct audit_entry {

	struct list_head	list;

	struct rcu_head		rcu;

	struct audit_rule rule;

	struct audit_krule	rule;

};

#endif

};

/* Copy rule from user-space to kernel-space.  Called from 

 * audit_add_rule during AUDIT_ADD. */

static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)

static inline void audit_free_rule(struct audit_entry *e)

{

	kfree(e->rule.fields);

	kfree(e);

}

static inline void audit_free_rule_rcu(struct rcu_head *head)

{

	struct audit_entry *e = container_of(head, struct audit_entry, rcu);

	audit_free_rule(e);

}

/* Unpack a filter field's string representation from user-space

 * buffer. */

static __attribute__((unused)) char *audit_unpack_string(void **bufp, size_t *remain, size_t len)

{

	char *str;

	if (!*bufp || (len == 0) || (len > *remain))

		return ERR_PTR(-EINVAL);

	/* Of the currently implemented string fields, PATH_MAX

	 * defines the longest valid length.

	 */

	if (len > PATH_MAX)

		return ERR_PTR(-ENAMETOOLONG);

	str = kmalloc(len + 1, GFP_KERNEL);

	if (unlikely(!str))

		return ERR_PTR(-ENOMEM);

	memcpy(str, *bufp, len);

	str[len] = 0;

	*bufp += len;

	*remain -= len;

	return str;

}

/* Common user-space to kernel rule translation. */

static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)

{

	unsigned listnr;

	struct audit_entry *entry;

	struct audit_field *fields;

	int i, err;

	err = -EINVAL;

	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;

	switch(listnr) {

	default:

		goto exit_err;

	case AUDIT_FILTER_USER:

	case AUDIT_FILTER_TYPE:

#ifdef CONFIG_AUDITSYSCALL

	case AUDIT_FILTER_ENTRY:

	case AUDIT_FILTER_EXIT:

	case AUDIT_FILTER_TASK:

#endif

		;

	}

	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_POSSIBLE &&

	    rule->action != AUDIT_ALWAYS)

		goto exit_err;

	if (rule->field_count > AUDIT_MAX_FIELDS)

		goto exit_err;

	err = -ENOMEM;

	entry = kmalloc(sizeof(*entry), GFP_KERNEL);

	if (unlikely(!entry))

		goto exit_err;

	fields = kmalloc(sizeof(*fields) * rule->field_count, GFP_KERNEL);

	if (unlikely(!fields)) {

		kfree(entry);

		goto exit_err;

	}

	memset(&entry->rule, 0, sizeof(struct audit_krule));

	memset(fields, 0, sizeof(struct audit_field));

	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;

	entry->rule.listnr = listnr;

	entry->rule.action = rule->action;

	entry->rule.field_count = rule->field_count;

	entry->rule.fields = fields;

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)

		entry->rule.mask[i] = rule->mask[i];

	return entry;

exit_err:

	return ERR_PTR(err);

}

/* Translate struct audit_rule to kernel's rule respresentation.

 * Exists for backward compatibility with userspace. */

static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)

{

	struct audit_entry *entry;

	int err = 0;

	int i;

	if (s->action != AUDIT_NEVER

	    && s->action != AUDIT_POSSIBLE

	    && s->action != AUDIT_ALWAYS)

		return -1;

	if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)

		return -1;

	if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)

		return -1;

	d->flags	= s->flags;

	d->action	= s->action;

	d->field_count	= s->field_count;

	for (i = 0; i < d->field_count; i++) {

		d->fields[i] = s->fields[i];

		d->values[i] = s->values[i];

	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];

	return 0;

	entry = audit_to_entry_common(rule);

	if (IS_ERR(entry))

		goto exit_nofree;

	for (i = 0; i < rule->field_count; i++) {

		struct audit_field *f = &entry->rule.fields[i];

		if (rule->fields[i] & AUDIT_UNUSED_BITS) {

			err = -EINVAL;

			goto exit_free;

		}

/* Check to see if two rules are identical.  It is called from

 * audit_add_rule during AUDIT_ADD and 

 * audit_del_rule during AUDIT_DEL. */

static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)

		f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);

		f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);

		f->val = rule->values[i];

		entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1;

		if (f->op & AUDIT_NEGATE)

			f->op |= AUDIT_NOT_EQUAL;

		else if (!(f->op & AUDIT_OPERATORS))

			f->op |= AUDIT_EQUAL;

		f->op &= ~AUDIT_NEGATE;

	}

exit_nofree:

	return entry;

exit_free:

	audit_free_rule(entry);

	return ERR_PTR(err);

}

/* Translate struct audit_rule_data to kernel's rule respresentation. */

static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,

					       size_t datasz)

{

	int err = 0;

	struct audit_entry *entry;

	void *bufp;

	/* size_t remain = datasz - sizeof(struct audit_rule_data); */

	int i;

	if (a->flags != b->flags)

		return 1;

	entry = audit_to_entry_common((struct audit_rule *)data);

	if (IS_ERR(entry))

		goto exit_nofree;

	if (a->action != b->action)

		return 1;

	bufp = data->buf;

	entry->rule.vers_ops = 2;

	for (i = 0; i < data->field_count; i++) {

		struct audit_field *f = &entry->rule.fields[i];

		err = -EINVAL;

		if (!(data->fieldflags[i] & AUDIT_OPERATORS) ||

		    data->fieldflags[i] & ~AUDIT_OPERATORS)

			goto exit_free;

		f->op = data->fieldflags[i] & AUDIT_OPERATORS;

		f->type = data->fields[i];

		switch(f->type) {

		/* call type-specific conversion routines here */

		default:

			f->val = data->values[i];

		}

	}

exit_nofree:

	return entry;

exit_free:

	audit_free_rule(entry);

	return ERR_PTR(err);

}

/* Pack a filter field's string representation into data block. */

static inline size_t audit_pack_string(void **bufp, char *str)

{

	size_t len = strlen(str);

	memcpy(*bufp, str, len);

	*bufp += len;

	return len;

}

/* Translate kernel rule respresentation to struct audit_rule.

 * Exists for backward compatibility with userspace. */

static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)

{

	struct audit_rule *rule;

	int i;

	rule = kmalloc(sizeof(*rule), GFP_KERNEL);

	if (unlikely(!rule))

		return ERR_PTR(-ENOMEM);

	memset(rule, 0, sizeof(*rule));

	rule->flags = krule->flags | krule->listnr;

	rule->action = krule->action;

	rule->field_count = krule->field_count;

	for (i = 0; i < rule->field_count; i++) {

		rule->values[i] = krule->fields[i].val;

		rule->fields[i] = krule->fields[i].type;

		if (krule->vers_ops == 1) {

			if (krule->fields[i].op & AUDIT_NOT_EQUAL)

				rule->fields[i] |= AUDIT_NEGATE;

		} else {

			rule->fields[i] |= krule->fields[i].op;

		}

	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];

	return rule;

}

/* Translate kernel rule respresentation to struct audit_rule_data. */

static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)

{

	struct audit_rule_data *data;

	void *bufp;

	int i;

	if (a->field_count != b->field_count)

	data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);

	if (unlikely(!data))

		return ERR_PTR(-ENOMEM);

	memset(data, 0, sizeof(*data));

	data->flags = krule->flags | krule->listnr;

	data->action = krule->action;

	data->field_count = krule->field_count;

	bufp = data->buf;

	for (i = 0; i < data->field_count; i++) {

		struct audit_field *f = &krule->fields[i];

		data->fields[i] = f->type;

		data->fieldflags[i] = f->op;

		switch(f->type) {

		/* call type-specific conversion routines here */

		default:

			data->values[i] = f->val;

		}

	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];

	return data;

}

/* Compare two rules in kernel format.  Considered success if rules

 * don't match. */

static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)

{

	int i;

	if (a->flags != b->flags ||

	    a->listnr != b->listnr ||

	    a->action != b->action ||

	    a->field_count != b->field_count)

		return 1;

	for (i = 0; i < a->field_count; i++) {

		if (a->fields[i] != b->fields[i]

		    || a->values[i] != b->values[i])

		if (a->fields[i].type != b->fields[i].type ||

		    a->fields[i].op != b->fields[i].op)

			return 1;

		switch(a->fields[i].type) {

		/* call type-specific comparison routines here */

		default:

			if (a->fields[i].val != b->fields[i].val)

				return 1;

		}

	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)

		if (a->mask[i] != b->mask[i])

	return 0;

}

/* Note that audit_add_rule and audit_del_rule are called via

 * audit_receive() in audit.c, and are protected by

/* Add rule to given filterlist if not a duplicate.  Protected by

 * audit_netlink_sem. */

static inline int audit_add_rule(struct audit_rule *rule,

static inline int audit_add_rule(struct audit_entry *entry,

				  struct list_head *list)

{

	struct audit_entry  *entry;

	int i;

	struct audit_entry *e;

	/* Do not use the _rcu iterator here, since this is the only

	 * addition routine. */

	list_for_each_entry(entry, list, list) {

		if (!audit_compare_rule(rule, &entry->rule))

	list_for_each_entry(e, list, list) {

		if (!audit_compare_rule(&entry->rule, &e->rule))

			return -EEXIST;

	}

	for (i = 0; i < rule->field_count; i++) {

		if (rule->fields[i] & AUDIT_UNUSED_BITS)

			return -EINVAL;

		if ( rule->fields[i] & AUDIT_NEGATE)

			rule->fields[i] |= AUDIT_NOT_EQUAL;

		else if ( (rule->fields[i] & AUDIT_OPERATORS) == 0 )

			rule->fields[i] |= AUDIT_EQUAL;

		rule->fields[i] &= ~AUDIT_NEGATE;

	}

	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))

		return -ENOMEM;

	if (audit_copy_rule(&entry->rule, rule)) {

		kfree(entry);

		return -EINVAL;

	}

	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {

		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;

		list_add_rcu(&entry->list, list);

	} else {

		list_add_tail_rcu(&entry->list, list);

	return 0;

}

static inline void audit_free_rule(struct rcu_head *head)

{

	struct audit_entry *e = container_of(head, struct audit_entry, rcu);

	kfree(e);

}

/* Note that audit_add_rule and audit_del_rule are called via

 * audit_receive() in audit.c, and are protected by

/* Remove an existing rule from filterlist.  Protected by

 * audit_netlink_sem. */

static inline int audit_del_rule(struct audit_rule *rule,

static inline int audit_del_rule(struct audit_entry *entry,

				 struct list_head *list)

{

	struct audit_entry  *e;

	/* Do not use the _rcu iterator here, since this is the only

	 * deletion routine. */

	list_for_each_entry(e, list, list) {

		if (!audit_compare_rule(rule, &e->rule)) {

		if (!audit_compare_rule(&entry->rule, &e->rule)) {

			list_del_rcu(&e->list);

			call_rcu(&e->rcu, audit_free_rule);

			call_rcu(&e->rcu, audit_free_rule_rcu);

			return 0;

		}

	}

	return -ENOENT;		/* No matching rule */

}

static int audit_list_rules(void *_dest)

/* List rules using struct audit_rule.  Exists for backward

 * compatibility with userspace. */

static int audit_list(void *_dest)

{

	int pid, seq;

	int *dest = _dest;

	/* The *_rcu iterators not needed here because we are

	   always called with audit_netlink_sem held. */

	for (i=0; i<AUDIT_NR_FILTERS; i++) {

		list_for_each_entry(entry, &audit_filter_list[i], list)

		list_for_each_entry(entry, &audit_filter_list[i], list) {

			struct audit_rule *rule;

			rule = audit_krule_to_rule(&entry->rule);

			if (unlikely(!rule))

				break;

			audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,

					 &entry->rule, sizeof(entry->rule));

					 rule, sizeof(*rule));

			kfree(rule);

		}

	}

	audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);

	return 0;

}

/* List rules using struct audit_rule_data. */

static int audit_list_rules(void *_dest)

{

	int pid, seq;

	int *dest = _dest;

	struct audit_entry *e;

	int i;

	pid = dest[0];

	seq = dest[1];

	kfree(dest);

	down(&audit_netlink_sem);

	/* The *_rcu iterators not needed here because we are

	   always called with audit_netlink_sem held. */

	for (i=0; i<AUDIT_NR_FILTERS; i++) {

		list_for_each_entry(e, &audit_filter_list[i], list) {

			struct audit_rule_data *data;

			data = audit_krule_to_data(&e->rule);

			if (unlikely(!data))

				break;

			audit_send_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,

					 data, sizeof(*data));

			kfree(data);

		}

	}

	audit_send_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);

	up(&audit_netlink_sem);

	return 0;

}

/**

 * audit_receive_filter - apply all rules to the specified message type

 * @type: audit message type

 * @uid: target uid for netlink audit messages

 * @seq: netlink audit message sequence (serial) number

 * @data: payload data

 * @datasz: size of payload data

 * @loginuid: loginuid of sender

 */

int audit_receive_filter(int type, int pid, int uid, int seq, void *data,

							uid_t loginuid)

			 size_t datasz, uid_t loginuid)

{

	struct task_struct *tsk;

	int *dest;

	int err = 0;

	unsigned listnr;

	struct audit_entry *entry;

	switch (type) {

	case AUDIT_LIST:

	case AUDIT_LIST_RULES:

		/* We can't just spew out the rules here because we might fill

		 * the available socket buffer space and deadlock waiting for

		 * auditctl to read from it... which isn't ever going to

		dest[0] = pid;

		dest[1] = seq;

		tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");

		if (type == AUDIT_LIST)

			tsk = kthread_run(audit_list, dest, "audit_list");

		else

			tsk = kthread_run(audit_list_rules, dest,

					  "audit_list_rules");

		if (IS_ERR(tsk)) {

			kfree(dest);

			err = PTR_ERR(tsk);