cgroups: fix a css_set not found bug in cgroup_attach_proc
[linux-2.6.git] / kernel / auditfilter.c
index 21b6235..f8277c8 100644 (file)
@@ -27,6 +27,7 @@
 #include <linux/namei.h>
 #include <linux/netlink.h>
 #include <linux/sched.h>
+#include <linux/slab.h>
 #include <linux/security.h>
 #include "audit.h"
 
@@ -70,6 +71,7 @@ static inline void audit_free_rule(struct audit_entry *e)
 {
        int i;
        struct audit_krule *erule = &e->rule;
+
        /* some rules don't have associated watches */
        if (erule->watch)
                audit_put_watch(erule->watch);
@@ -745,8 +747,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df,
  * rule with the new rule in the filterlist, then free the old rule.
  * The rlist element is undefined; list manipulations are handled apart from
  * the initial copy. */
-struct audit_entry *audit_dupe_rule(struct audit_krule *old,
-                                   struct audit_watch *watch)
+struct audit_entry *audit_dupe_rule(struct audit_krule *old)
 {
        u32 fcount = old->field_count;
        struct audit_entry *entry;
@@ -768,8 +769,8 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old,
        new->prio = old->prio;
        new->buflen = old->buflen;
        new->inode_f = old->inode_f;
-       new->watch = NULL;
        new->field_count = old->field_count;
+
        /*
         * note that we are OK with not refcounting here; audit_match_tree()
         * never dereferences tree and we can't get false positives there
@@ -810,9 +811,9 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old,
                }
        }
 
-       if (watch) {
-               audit_get_watch(watch);
-               new->watch = watch;
+       if (old->watch) {
+               audit_get_watch(old->watch);
+               new->watch = old->watch;
        }
 
        return entry;
@@ -865,7 +866,7 @@ static inline int audit_add_rule(struct audit_entry *entry)
        struct audit_watch *watch = entry->rule.watch;
        struct audit_tree *tree = entry->rule.tree;
        struct list_head *list;
-       int h, err;
+       int err;
 #ifdef CONFIG_AUDITSYSCALL
        int dont_count = 0;
 
@@ -888,15 +889,11 @@ static inline int audit_add_rule(struct audit_entry *entry)
 
        if (watch) {
                /* audit_filter_mutex is dropped and re-taken during this call */
-               err = audit_add_watch(&entry->rule);
+               err = audit_add_watch(&entry->rule, &list);
                if (err) {
                        mutex_unlock(&audit_filter_mutex);
                        goto error;
                }
-               /* entry->rule.watch may have changed during audit_add_watch() */
-               watch = entry->rule.watch;
-               h = audit_hash_ino((u32)audit_watch_inode(watch));
-               list = &audit_inode_hash[h];
        }
        if (tree) {
                err = audit_add_tree_rule(&entry->rule);
@@ -948,7 +945,6 @@ static inline int audit_del_rule(struct audit_entry *entry)
        struct audit_watch *watch = entry->rule.watch;
        struct audit_tree *tree = entry->rule.tree;
        struct list_head *list;
-       LIST_HEAD(inotify_list);
        int ret = 0;
 #ifdef CONFIG_AUDITSYSCALL
        int dont_count = 0;
@@ -968,7 +964,7 @@ static inline int audit_del_rule(struct audit_entry *entry)
        }
 
        if (e->rule.watch)
-               audit_remove_watch_rule(&e->rule, &inotify_list);
+               audit_remove_watch_rule(&e->rule);
 
        if (e->rule.tree)
                audit_remove_tree_rule(&e->rule);
@@ -986,9 +982,6 @@ static inline int audit_del_rule(struct audit_entry *entry)
 #endif
        mutex_unlock(&audit_filter_mutex);
 
-       if (!list_empty(&inotify_list))
-               audit_inotify_unregister(&inotify_list);
-
 out:
        if (watch)
                audit_put_watch(watch); /* match initial get */
@@ -1079,11 +1072,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
                        security_release_secctx(ctx, len);
                }
        }
-       audit_log_format(ab, " op=%s rule key=", action);
-       if (rule->filterkey)
-               audit_log_untrustedstring(ab, rule->filterkey);
-       else
-               audit_log_format(ab, "(null)");
+       audit_log_format(ab, " op=");
+       audit_log_string(ab, action);
+       audit_log_key(ab, rule->filterkey);
        audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
        audit_log_end(ab);
 }
@@ -1147,7 +1138,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                        return PTR_ERR(entry);
 
                err = audit_add_rule(entry);
-               audit_log_rule_change(loginuid, sessionid, sid, "add",
+               audit_log_rule_change(loginuid, sessionid, sid, "add rule",
                                      &entry->rule, !err);
 
                if (err)
@@ -1163,7 +1154,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                        return PTR_ERR(entry);
 
                err = audit_del_rule(entry);
-               audit_log_rule_change(loginuid, sessionid, sid, "remove",
+               audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
                                      &entry->rule, !err);
 
                audit_free_rule(entry);
@@ -1247,6 +1238,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
        for (i = 0; i < rule->field_count; i++) {
                struct audit_field *f = &rule->fields[i];
                int result = 0;
+               u32 sid;
 
                switch (f->type) {
                case AUDIT_PID:
@@ -1259,7 +1251,22 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
                        result = audit_comparator(cb->creds.gid, f->op, f->val);
                        break;
                case AUDIT_LOGINUID:
-                       result = audit_comparator(cb->loginuid, f->op, f->val);
+                       result = audit_comparator(audit_get_loginuid(current),
+                                                 f->op, f->val);
+                       break;
+               case AUDIT_SUBJ_USER:
+               case AUDIT_SUBJ_ROLE:
+               case AUDIT_SUBJ_TYPE:
+               case AUDIT_SUBJ_SEN:
+               case AUDIT_SUBJ_CLR:
+                       if (f->lsm_rule) {
+                               security_task_getsecid(current, &sid);
+                               result = security_audit_rule_match(sid,
+                                                                  f->type,
+                                                                  f->op,
+                                                                  f->lsm_rule,
+                                                                  NULL);
+                       }
                        break;
                }
 
@@ -1324,30 +1331,23 @@ static int update_lsm_rule(struct audit_krule *r)
 {
        struct audit_entry *entry = container_of(r, struct audit_entry, rule);
        struct audit_entry *nentry;
-       struct audit_watch *watch;
-       struct audit_tree *tree;
        int err = 0;
 
        if (!security_audit_rule_known(r))
                return 0;
 
-       watch = r->watch;
-       tree = r->tree;
-       nentry = audit_dupe_rule(r, watch);
+       nentry = audit_dupe_rule(r);
        if (IS_ERR(nentry)) {
                /* save the first error encountered for the
                 * return value */
                err = PTR_ERR(nentry);
                audit_panic("error updating LSM filters");
-               if (watch)
+               if (r->watch)
                        list_del(&r->rlist);
                list_del_rcu(&entry->list);
                list_del(&r->list);
        } else {
-               if (watch) {
-                       list_add(&nentry->rule.rlist, audit_watch_rules(watch));
-                       list_del(&r->rlist);
-               } else if (tree)
+               if (r->watch || r->tree)
                        list_replace_init(&r->rlist, &nentry->rule.rlist);
                list_replace_rcu(&entry->list, &nentry->list);
                list_replace(&r->list, &nentry->rule.list);