RHEL4/kernel/auditfs.c
   1/* auditfs.c -- Filesystem auditing support
   2 * Implements filesystem auditing support, depends on kernel/auditsc.c
   3 *
   4 * Copyright 2005 International Business Machines Corp. (IBM)
   5 * Copyright 2005 Red Hat, Inc.
   6 *
   7 * All Rights Reserved.
   8 *
   9 * This program is free software; you can redistribute it and/or modify
  10 * it under the terms of the GNU General Public License as published by
  11 * the Free Software Foundation; either version 2 of the License, or
  12 * (at your option) any later version.
  13 *
  14 * This program is distributed in the hope that it will be useful,
  15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17 * GNU General Public License for more details.
  18 *
  19 * You should have received a copy of the GNU General Public License
  20 * along with this program; if not, write to the Free Software
  21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  22 * 02111-1307  USA
  23 *
  24 * Written by:          Timothy R. Chavez <chavezt@us.ibm.com>
  25 *                      David Woodhouse <dwmw2@infradead.org>
  26 */
  27
  28#include <linux/init.h>
  29#include <linux/fs.h>
  30#include <linux/sched.h>
  31#include <linux/kernel.h>
  32#include <linux/namei.h>
  33#include <linux/mount.h>
  34#include <linux/list.h>
  35#include <linux/hash.h>
  36#include <linux/slab.h>
  37#include <linux/audit.h>
  38#include <linux/module.h>
  39#include <linux/kthread.h>
  40#include <asm/uaccess.h>
  41
/*
 * Debug tracing switch.  With "#if 1" both dprintk() and __print_symbol()
 * expand to empty statements, so their arguments are discarded at
 * preprocessing time.  Flipping the condition routes dprintk() to
 * printk(KERN_DEBUG ...) and defines "inline" away.
 *
 * NOTE(review): the debug-branch dprintk() expansion ends in ';', so using
 * it as the only statement of an unbraced if/else would not parse --
 * confirm before enabling that branch.
 */
#if 1
#define dprintk(...) do { } while(0)
#define __print_symbol(x, y) do { } while(0)
#else
#define dprintk(...) printk(KERN_DEBUG  __VA_ARGS__);
extern void __print_symbol(char *, void *);
#define inline
#endif

/* Symbols defined outside this file. */
extern int audit_enabled;
extern spinlock_t inode_lock;

/* Slab cache that backs every struct audit_watch allocated in this file. */
static kmem_cache_t *audit_watch_cache;

/*
 * List of all watches, linked through w_master.  The code in this file
 * walks and edits it, and the per-inode watch lists, with auditfs_lock held.
 */
static HLIST_HEAD(master_watchlist);
spinlock_t auditfs_lock = SPIN_LOCK_UNLOCKED;

/* One serialised watch (a kmalloc'ed transport block) queued for a reply. */
struct audit_skb_list {
	struct hlist_node list;
	void *memblk;		/* buffer built by audit_to_transport() */
	size_t size;		/* number of bytes in memblk */
};

/*
 * Per-inode audit data: a hash table keyed on the inode pointer plus a
 * free pool of spare nodes.  The table, the pool and both counters are
 * modified under auditfs_hash_lock.
 */
static spinlock_t auditfs_hash_lock = SPIN_LOCK_UNLOCKED;
static struct audit_inode_data **auditfs_hash_table;
static int auditfs_hash_bits;
static struct audit_inode_data *audit_data_pool;
static int audit_pool_size;
static int audit_nr_watches;

/* Load-time tunable; audit_filesystem_init() rounds it up to a power of two. */
static int auditfs_cache_buckets = 16384;
module_param(auditfs_cache_buckets, int, 0);
MODULE_PARM_DESC(auditfs_cache_buckets, "Number of auditfs cache entries to allocate (default 16384)\n");

static void audit_data_put(struct audit_inode_data *data);
  77
/*
 * Reserve room for one more watch: allocate two audit_inode_data nodes and
 * push both onto the free pool.
 *
 * The nodes are not zeroed here; audit_data_get() fills in the fields when
 * it takes a node out of the pool.
 *
 * Returns 0 on success, or -ENOMEM if either allocation fails (in which
 * case nothing stays allocated and no counter is changed).
 */
static int audit_data_pool_grow(void)
{
	struct audit_inode_data *first, *second;

	first = kmalloc(sizeof(*first), GFP_KERNEL);
	if (!first)
		return -ENOMEM;

	second = kmalloc(sizeof(*second), GFP_KERNEL);
	if (!second) {
		kfree(first);
		return -ENOMEM;
	}
	first->next_hash = second;

	/* Pool head and counters are only changed under auditfs_hash_lock. */
	spin_lock(&auditfs_hash_lock);
	second->next_hash = audit_data_pool;
	audit_data_pool = first;
	audit_nr_watches += 1;
	audit_pool_size += 2;
	spin_unlock(&auditfs_hash_lock);

	return 0;
}
/*
 * Account for one watch going away and trim the free pool so that it
 * holds no more than audit_nr_watches + 1 spare nodes.
 *
 * NOTE(review): the loop trusts audit_pool_size to match the real length
 * of the pool list; if the two ever disagree it dereferences a NULL pool
 * head -- confirm the accounting invariant.
 */
static void audit_data_pool_shrink(void)
{
	struct audit_inode_data *victim;

	spin_lock(&auditfs_hash_lock);
	--audit_nr_watches;

	while (audit_pool_size > audit_nr_watches + 1) {
		victim = audit_data_pool;
		audit_data_pool = victim->next_hash;
		--audit_pool_size;
		kfree(victim);
	}
	spin_unlock(&auditfs_hash_lock);
}
 112
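/*
 * Look up -- and optionally create -- the audit data attached to @inode.
 *
 * @inode:    inode whose audit data is wanted
 * @allocate: non-zero to take a node from the pre-grown pool when the
 *            inode has none yet
 * @remove:   non-zero suppresses that allocation even when @allocate is set
 *
 * Returns the node with its use count raised, or NULL when the inode has
 * no audit data and none was (or could be) allocated.  The caller releases
 * the node with audit_data_put().
 *
 * A freshly allocated node starts with a count of 2; audit_data_put()
 * drops the extra count once the node has no watches left.
 *
 * Lock order: inode_lock is taken while auditfs_hash_lock is held.
 */
static struct audit_inode_data *audit_data_get(struct inode *inode, int allocate,
						int remove)
{
	struct audit_inode_data **list;
	struct audit_inode_data *ret = NULL;
	int h;

	/* Short-circuit _without_ getting the lock. Even if i_state is being
	   modified, it won't affect the I_AUDIT bit, unless the I_AUDIT
	   bit itself is actually being changed -- which is fine. Either
	   we tested before or after the change; either is fine. */
	if (!allocate && !(inode->i_state & I_AUDIT))
		return NULL;

	spin_lock(&auditfs_hash_lock);

	/* If we think there are audit data attached, double-check that
	   now we have the lock */
	if (!allocate && !(inode->i_state & I_AUDIT))
		goto out;

	h = hash_ptr(inode, auditfs_hash_bits);
	list = &auditfs_hash_table[h];

	/* Each bucket is kept sorted by inode address, so stop at the first
	   entry that is not below the one we want. */
	while (*list && (unsigned long)((*list)->inode) < (unsigned long)inode) {
		dprintk("list %p -> %p\n", list, *list);
		list = &(*list)->next_hash;
	}
	if (*list && (*list)->inode == inode)
		ret = *list;

	if (ret) {
		ret->count++;
	} else if (allocate && !remove) {
		/* The pool is grown ahead of time by audit_data_pool_grow().
		   If it is nevertheless empty, fail the lookup instead of
		   dereferencing a NULL pool head with a spinlock held. */
		if (!audit_data_pool)
			goto out;

		ret = audit_data_pool;
		audit_data_pool = ret->next_hash;
		audit_pool_size--;
		dprintk("allocate from pool. %d left\n", audit_pool_size);

		INIT_HLIST_HEAD(&ret->watchlist);
		INIT_HLIST_HEAD(&ret->watches);
		ret->inode = inode;
		ret->next_hash = *list;
		ret->count = 2;
		*list = ret;

		spin_lock(&inode_lock);
		inode->i_state |= I_AUDIT;
		spin_unlock(&inode_lock);
	}
	if (ret) {
		dprintk("Got audit data %p for inode %p (%lu), count++ now %d. From %p: ", 
			ret, ret->inode, ret->inode->i_ino, ret->count, __builtin_return_address(0));
		__print_symbol("%s\n", __builtin_return_address(0));
	}
 out:
	spin_unlock(&auditfs_hash_lock);

	return ret;
}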
 173
 174/* Private Interface */
 175
/*
 * Find the watch named @name on @data's watchlist.
 *
 * Returns the matching watch with an extra reference taken through
 * audit_watch_get(), or NULL if no entry has that name.
 *
 * Caller should be holding auditfs_lock.
 */
static inline struct audit_watch *audit_fetch_watch(const char *name,
						    struct audit_inode_data *data)
{
	struct audit_watch *cur;
	struct hlist_node *pos;

	hlist_for_each_entry(cur, pos, &data->watchlist, w_node) {
		if (strcmp(cur->w_name, name) == 0)
			return audit_watch_get(cur);
	}

	return NULL;
}
 191
/*
 * Locked wrapper around audit_fetch_watch(): takes auditfs_lock for the
 * duration of the lookup.
 *
 * Returns the referenced watch, or NULL when @name or @data is NULL or
 * no watch matches.
 */
static inline struct audit_watch *audit_fetch_watch_lock(const char *name,
							 struct audit_inode_data *data)
{
	struct audit_watch *found;

	if (!name || !data)
		return NULL;

	spin_lock(&auditfs_lock);
	found = audit_fetch_watch(name, data);
	spin_unlock(&auditfs_lock);

	return found;
}
 205
/*
 * Allocate a zero-filled watch from audit_watch_cache with its reference
 * count set to 1.  Returns NULL if the slab allocation fails.
 */
static inline struct audit_watch *audit_watch_alloc(void)
{
	struct audit_watch *w = kmem_cache_alloc(audit_watch_cache, GFP_KERNEL);

	if (!w)
		return NULL;

	/* Zeroing leaves the string pointers NULL and the list nodes unhashed. */
	memset(w, 0, sizeof(*w));
	atomic_set(&w->w_count, 1);

	return w;
}
 218
/*
 * Release a watch and the three strings it owns.  A NULL @watch is
 * ignored.  The watch must already be off every list: a node that is
 * still hashed trips BUG_ON() rather than leaving a dangling list entry.
 */
static inline void audit_watch_free(struct audit_watch *watch)
{
	if (!watch)
		return;

	kfree(watch->w_name);
	kfree(watch->w_path);
	kfree(watch->w_filterkey);

	BUG_ON(!hlist_unhashed(&watch->w_node));
	BUG_ON(!hlist_unhashed(&watch->w_master));
	BUG_ON(!hlist_unhashed(&watch->w_watched));

	kmem_cache_free(audit_watch_cache, watch);
}
 231
 232
/*
 * Convert a watch_transport structure into a kernel audit_watch structure.
 *
 * @memblk points at a struct watch_transport that is followed directly by
 * fklen bytes of filter key and then pathlen bytes of path.  Both strings
 * are copied into fresh allocations and NUL-terminated here.
 *
 * Returns the new watch (reference count 1), or NULL if any allocation
 * fails; a partly built watch is freed before returning.
 *
 * NOTE(review): fklen and pathlen are used exactly as found in the header.
 * audit_receive_watch() bounds both before calling, but nothing here or
 * there checks that the buffer behind @memblk really holds that many
 * bytes -- confirm the netlink receive path validates the message length.
 */
static inline struct audit_watch *audit_to_watch(void *memblk)
{
	struct watch_transport *hdr = memblk;
	const char *bytes = memblk;
	struct audit_watch *watch;
	unsigned int offset = sizeof(struct watch_transport);

	watch = audit_watch_alloc();
	if (!watch)
		return NULL;

	watch->w_perms = hdr->perms;

	/* Filter key comes first in the payload. */
	watch->w_filterkey = kmalloc(hdr->fklen+1, GFP_KERNEL);
	if (!watch->w_filterkey)
		goto fail;
	memcpy(watch->w_filterkey, bytes + offset, hdr->fklen);
	watch->w_filterkey[hdr->fklen] = 0;

	/* The path follows immediately after the filter key. */
	offset += hdr->fklen;
	watch->w_path = kmalloc(hdr->pathlen+1, GFP_KERNEL);
	if (!watch->w_path)
		goto fail;
	memcpy(watch->w_path, bytes + offset, hdr->pathlen);
	watch->w_path[hdr->pathlen] = 0;

	return watch;

fail:
	audit_watch_free(watch);
	return NULL;
}
 268
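/*
 * Convert a kernel audit_watch structure into a watch_transport structure.
 * We do this to send watch information back to user space.
 *
 * @watch: watch to serialise; w_path must be set, w_filterkey may be NULL
 * @size:  number of bytes to allocate for the header plus both strings
 *
 * Layout of the result: the header, then the filter key with its NUL (if
 * there is one), then the path with its NUL.
 *
 * Returns the kmalloc'ed block (the caller frees it), or NULL if the
 * allocation fails or @size is too small for the data to be written.
 */
static inline void *audit_to_transport(struct audit_watch *watch, size_t size)
{
	struct watch_transport *t;
	size_t pathlen, fklen = 0;
	char *p;

	pathlen = strlen(watch->w_path) + 1;
	if (watch->w_filterkey)
		fklen = strlen(watch->w_filterkey) + 1;

	/* Never write past the block: the copies below need exactly this
	   much room, so refuse a caller-supplied size that is smaller. */
	if (size < sizeof(*t) + fklen + pathlen)
		return NULL;

	t = kmalloc(size, GFP_KERNEL);
	if (!t)
		return NULL;

	/* The whole block is handed to user space, so clear all of it, not
	   just the header; any slack beyond the strings must not carry
	   stale kernel heap contents. */
	memset(t, 0, size);

	t->dev_major = MAJOR(watch->w_dev);
	t->dev_minor = MINOR(watch->w_dev);
	t->perms = watch->w_perms;
	t->pathlen = pathlen;
	t->fklen = fklen;

	p = (char *)&t[1];

	if (fklen) {
		memcpy(p, watch->w_filterkey, fklen);
		p += fklen;
	}
	memcpy(p, watch->w_path, pathlen);

	return t;
}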
 301
/*
 * Take @watch off every list it is still on (w_watched, w_master, w_node)
 * and drop one reference per list it was removed from.  The last put
 * frees the watch, so the caller needs its own reference if it touches
 * @watch afterwards.  A NULL @watch is ignored.
 *
 * Every caller in this file holds auditfs_lock around the call.
 */
static inline void audit_destroy_watch(struct audit_watch *watch)
{
	if (!watch)
		return;

	if (!hlist_unhashed(&watch->w_watched)) {
		hlist_del_init(&watch->w_watched);
		audit_watch_put(watch);
	}

	if (!hlist_unhashed(&watch->w_master)) {
		hlist_del_init(&watch->w_master);
		audit_watch_put(watch);
	}

	if (!hlist_unhashed(&watch->w_node)) {
		hlist_del_init(&watch->w_node);
		audit_watch_put(watch);
	}
}
 321
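/*
 * Destroy every watch hanging off @data's watchlist.  For each one the
 * pool is shrunk and an AUDIT_CONFIG_CHANGE record is emitted noting the
 * implicit removal (logged with auid -1, printed through %u).
 *
 * The whole walk runs under auditfs_lock, i.e. in atomic context, so the
 * record is requested with GFP_ATOMIC: a GFP_KERNEL request is allowed to
 * sleep, which must not happen while a spinlock is held.
 *
 * NOTE(review): an atomic allocation can fail under memory pressure; what
 * audit_log() does with the record in that case is not visible here, so
 * confirm a failed allocation is at least counted as a lost record.
 *
 * Lock order: audit_data_pool_shrink() takes auditfs_hash_lock while
 * auditfs_lock is held.
 */
static inline void audit_drain_watchlist(struct audit_inode_data *data)
{
	struct audit_watch *watch;
	struct hlist_node *pos, *tmp;

	spin_lock(&auditfs_lock);
	hlist_for_each_entry_safe(watch, pos, tmp, &data->watchlist, w_node) {
		audit_destroy_watch(watch);
		audit_data_pool_shrink();
		audit_log(NULL, GFP_ATOMIC, AUDIT_CONFIG_CHANGE, "auid=%u removed watch implicitly", -1);
	}
	spin_unlock(&auditfs_lock);
}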
 335
/*
 * Unlink @data from its hash bucket, clear I_AUDIT on the inode and drop
 * the node's inode pointer.  The node must be in the table: BUG_ON()
 * fires if the bucket walk does not land on @data.
 *
 * Both callers in this file hold auditfs_hash_lock; inode_lock is taken
 * inside it for the i_state update.
 */
static void audit_data_unhash(struct audit_inode_data *data)
{
	struct inode *inode = data->inode;
	struct audit_inode_data **link;

	link = &auditfs_hash_table[hash_ptr(inode, auditfs_hash_bits)];

	/* Buckets are ordered by inode address. */
	while (*link && (unsigned long)((*link)->inode) < (unsigned long)inode)
		link = &(*link)->next_hash;

	BUG_ON(*link != data);
	*link = data->next_hash;

	spin_lock(&inode_lock);
	inode->i_state &= ~I_AUDIT;
	spin_unlock(&inode_lock);

	data->inode = NULL;
}
 352
/*
 * Drop one use of @data (NULL is ignored).
 *
 * When the count falls to 1 on a node that is still tied to an inode but
 * carries no watches on either list, that remaining count is dropped as
 * well.  At zero the node is unhashed, its watchlist is drained, and it
 * is then either pushed back on the free pool or freed, depending on how
 * the pool size compares with the number of watches.
 *
 * auditfs_hash_lock is released around audit_drain_watchlist(), which
 * takes auditfs_lock itself.
 */
static void audit_data_put(struct audit_inode_data *data)
{
	if (!data)
		return;

	spin_lock(&auditfs_hash_lock);
	data->count--;
	dprintk("Put audit_data %p for inode %p (%lu), count-- now %d. From %p:", data,
	       data->inode, data->inode?data->inode->i_ino:0, data->count, __builtin_return_address(0));
	__print_symbol("%s\n", __builtin_return_address(0));

	if (data->count == 1 && data->inode && 
	    hlist_empty(&data->watches) && hlist_empty(&data->watchlist)) {
		dprintk("Last put.\n");
		data->count--;
	}

	/* Still in use by somebody else: nothing more to do. */
	if (data->count) {
		spin_unlock(&auditfs_hash_lock);
		return;
	}

	/* We are last user. Remove it from the hash table to
	   disassociate it from its inode */
	if (data->inode)
		audit_data_unhash(data);
	spin_unlock(&auditfs_hash_lock);

	audit_drain_watchlist(data);

	spin_lock(&auditfs_hash_lock);
	/* Check whether to free it or return it to the pool */
	if (audit_nr_watches > audit_pool_size) {
		dprintk("Back to pool. %d watches, %d in pool\n", audit_nr_watches, audit_pool_size);
		data->next_hash = audit_data_pool;
		audit_data_pool = data;
		audit_pool_size++;
	} else {
		dprintk("Freed. %d watches, %d in pool\n", audit_nr_watches, audit_pool_size);
		kfree(data);
	}
	spin_unlock(&auditfs_hash_lock);
}
 393
/*
 * Install @watch on the parent directory of watch->w_path and on the
 * master watchlist, and log the configuration change with @loginuid.
 *
 * A watch is keyed on the parent directory's inode plus the last path
 * component, so the path is resolved with LOOKUP_PARENT.
 *
 * Returns 0 on success.  On failure returns -ENOMEM, -EPERM (last
 * component is not a normal name, or no audit data for the parent),
 * -EEXIST (a watch with that name already exists on the parent) or the
 * error from path_lookup(); the pool growth done at entry is undone.
 *
 * On success the watch holds two references, one per list it was put on;
 * the caller's original reference becomes one of them.
 */
static inline int audit_insert_watch(struct audit_watch *watch, uid_t loginuid)
{
	struct nameidata nd;
	struct audit_inode_data *parent_data;
	struct audit_watch *existing;
	size_t name_size;
	int err;

	/* Grow the pool by two -- one for the watch itself, and
	   one for the parent directory */
	if (audit_data_pool_grow())
		return -ENOMEM;

	err = path_lookup(watch->w_path, LOOKUP_PARENT, &nd);
	if (err < 0)
		goto shrink;

	err = -EPERM;
	if (nd.last_type != LAST_NORM || !nd.last.name)
		goto release;

	parent_data = audit_data_get(nd.dentry->d_inode, 1, 0);
	if (!parent_data)
		goto put_parent;

	existing = audit_fetch_watch_lock(nd.last.name, parent_data);
	if (existing) {
		/* Only needed the answer; give the lookup reference back. */
		audit_watch_put(existing);
		err = -EEXIST;
		goto put_parent;
	}

	/* Private copy of the last component, terminator included. */
	name_size = strlen(nd.last.name)+1;
	watch->w_name = kmalloc(name_size, GFP_KERNEL);
	if (!watch->w_name) {
		err = -ENOMEM;
		goto put_parent;
	}
	memcpy(watch->w_name, nd.last.name, name_size);

	watch->w_dev = nd.dentry->d_inode->i_sb->s_dev;

	spin_lock(&auditfs_lock);
	hlist_add_head(&watch->w_node, &parent_data->watchlist);
	audit_watch_get(watch);
	hlist_add_head(&watch->w_master, &master_watchlist);
	spin_unlock(&auditfs_lock);
	err = 0;

	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "auid=%u inserted watch", loginuid);

	/* __d_lookup will attach the audit data, if nd.last exists. */
	dput(d_lookup(nd.dentry, &nd.last));

 put_parent:
	audit_data_put(parent_data);
 release:
	path_release(&nd);
 shrink:
	if (err)
		audit_data_pool_shrink();

	return err;
}
 455
/*
 * Remove the watch whose path equals watch->w_path.
 *
 * The master watchlist is searched first by full path.  If nothing
 * matches there, the parent directory is looked up and the watch is
 * searched for by last component on the parent's audit data.
 *
 * Returns 0 when a watch was destroyed (the removal is logged with
 * @loginuid and the pool is shrunk), -ENOENT when none was found, or the
 * error from path_lookup().
 */
static inline int audit_remove_watch(struct audit_watch *watch, uid_t loginuid)
{
	struct audit_inode_data *data = NULL;
	struct audit_watch *target, *cur;
	struct hlist_node *pos, *tmp;
	struct nameidata nd;
	int ret = 0;

	/* Let's try removing via the master watchlist first */
	spin_lock(&auditfs_lock);
	hlist_for_each_entry_safe(cur, pos, tmp, &master_watchlist, w_master) {
		if (strcmp(cur->w_path, watch->w_path) == 0) {
			audit_destroy_watch(cur);
			spin_unlock(&auditfs_lock);
			goto done;
		}
	}
	spin_unlock(&auditfs_lock);

	ret = path_lookup(watch->w_path, LOOKUP_PARENT, &nd);
	if (ret < 0)
		goto done;

	ret = -ENOENT;
	if (nd.last_type != LAST_NORM || !nd.last.name)
		goto release;

	data = audit_data_get(nd.dentry->d_inode, 0, 1);
	if (!data)
		goto release;

	spin_lock(&auditfs_lock);
	target = audit_fetch_watch(nd.last.name, data);
	if (target) {
		audit_destroy_watch(target);
		ret = 0;
	}
	spin_unlock(&auditfs_lock);

	/* Drops the reference audit_fetch_watch() took; a NULL target is
	   ignored by audit_watch_put(). */
	audit_watch_put(target);

release:
	path_release(&nd);
done:
	audit_data_put(data);
	if (!ret) {
		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "auid=%u removed watch", loginuid);
		audit_data_pool_shrink();
	}

	return ret;
}
 508
/*
 * Take a reference on @watch and return it; NULL passes straight through.
 *
 * A count of exactly 1 after the increment means the watch had already
 * reached zero, i.e. a reference was taken on a freed watch, so that
 * case trips BUG_ON().
 */
struct audit_watch *audit_watch_get(struct audit_watch *watch)
{
	int count;

	if (!watch)
		return NULL;

	count = atomic_inc_return(&watch->w_count);
	BUG_ON(count == 1);
	dprintk("Increase count on watch %p to %d\n",
	       watch, count);

	return watch;
}
 522
/*
 * Drop a reference on @watch (NULL is ignored) and free the watch when
 * the count reaches zero.  The trace line after the free only prints the
 * pointer value; it does not dereference the watch.
 */
void audit_watch_put(struct audit_watch *watch)
{
	int remaining;

	if (!watch)
		return;

	remaining = atomic_dec_return(&watch->w_count);
	if (remaining == 0)
		audit_watch_free(watch);
	dprintk("Reduce count on watch %p to %d\n",
	       watch, remaining);
}
 535
/*
 * The update hook is responsible for watching and unwatching d_inodes during
 * their lifetimes in dcache.  Each d_inode being watched is pinned in memory.
 * A d_inode becomes unwatched when its dentry is destroyed, when its watch
 * is unhashed / removed from the watchlist, or when the dentry is moved out
 * of the watch path.
 *
 * Hook appears in fs/dcache.c:
 *      d_move(),
 *      dentry_iput(),
 *      d_instantiate(),
 *      d_splice_alias()
 *      __d_lookup()
 *
 * @dentry: dentry whose inode may need a watch attached or detached
 * @remove: non-zero to detach the matching watch, zero to attach it
 *
 * Does nothing when auditing is disabled, when the dentry or its parent
 * has no inode, or when the parent inode carries no audit data.
 */
void audit_update_watch(struct dentry *dentry, int remove)
{
	struct audit_watch *stale, *watch;
	struct audit_inode_data *data, *parent;
	struct hlist_node *pos, *tmp;

	if (likely(!audit_enabled))
		return;

	if (!dentry || !dentry->d_inode ||
	    !dentry->d_parent || !dentry->d_parent->d_inode)
		return;

	/* If there's no audit data on the parent inode, then there can
	   be no watches to add or remove */
	parent = audit_data_get(dentry->d_parent->d_inode, 0, 0);
	if (!parent)
		return;

	watch = audit_fetch_watch_lock(dentry->d_name.name, parent);

	/* Fetch audit data, using the preallocated one from the watch if
	   there is actually a relevant watch and the inode didn't already
	   have any audit data */
	data = audit_data_get(dentry->d_inode, watch != NULL, remove);

	/* If there's no data, then there wasn't a watch either.
	   Nothing to see here; move along */
	if (data) {
		spin_lock(&auditfs_lock);
		if (remove) {
			if (watch && !hlist_unhashed(&watch->w_watched)) {
				hlist_del_init(&watch->w_watched);
				audit_watch_put(watch);
			}
		} else {
			/* Detach watches that are no longer on any parent's
			   watchlist before attaching the current one. */
			hlist_for_each_entry_safe(stale, pos, tmp, &data->watches, w_watched) {
				if (hlist_unhashed(&stale->w_node)) {
					hlist_del_init(&stale->w_watched);
					audit_watch_put(stale);
				}
			}
			if (watch && hlist_unhashed(&watch->w_watched)) {
				audit_watch_get(watch);
				hlist_add_head(&watch->w_watched, &data->watches);
			}
		}
		spin_unlock(&auditfs_lock);
		audit_data_put(data);
	}

	/* Release the lookup reference (if any) and the parent's data. */
	audit_watch_put(watch);
	audit_data_put(parent);
}
 606
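/*
 * Convert a watch to an audit_skb_list entry.
 *
 * Serialises @watch with audit_to_transport() and wraps the resulting
 * block in a list entry.  entry->list is left for the caller to link.
 *
 * Returns the entry, or ERR_PTR(-ENOMEM) if either allocation fails.  The
 * caller owns the entry and its memblk and frees both.
 */
struct audit_skb_list *audit_to_skb(struct audit_watch *watch)
{
	struct audit_skb_list *entry;
	void *memblk;
	size_t size;

	/* Header, path and its "\0", plus the filter key and its "\0" when
	   the watch has one.  audit_to_transport() treats a NULL filter key
	   as absent, so size it the same way instead of calling strlen()
	   on a NULL pointer. */
	size = sizeof(struct watch_transport) + strlen(watch->w_path) + 1;
	if (watch->w_filterkey)
		size += strlen(watch->w_filterkey) + 1;

	memblk = audit_to_transport(watch, size);
	if (!memblk)
		return ERR_PTR(-ENOMEM);

	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
	if (!entry) {
		/* The transport block has no other owner yet; free it so
		   the failure path does not leak it. */
		kfree(memblk);
		return ERR_PTR(-ENOMEM);
	}

	entry->memblk = memblk;
	entry->size = size;

	return entry;
}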
 635
/* Unlink and free every entry, and its transport block, on @head. */
static void audit_free_skb_list(struct hlist_head *head)
{
	struct audit_skb_list *entry;
	struct hlist_node *pos, *tmp;

	hlist_for_each_entry_safe(entry, pos, tmp, head, list) {
		hlist_del(&entry->list);
		kfree(entry->memblk);
		kfree(entry);
	}
}

/*
 * Read the "master watchlist" which is a watchlist of all watches in the
 * file system and send it to user space.  There will never be concurrent
 * readers of this list.
 *
 * The reference to watch will not be put back during a read upon a
 * watch removal, until after we're done reading.  So, the potential
 * for the rug being pulled out from under us is NIL.
 *
 * This list is only a "snapshot in time".  It is not gospel.
 *
 * Runs as a kernel thread.  @_dest is a kmalloc'ed int[2] holding the
 * requester's pid and sequence number; it is freed here.  The whole
 * function runs with audit_netlink_sem held.
 *
 * Returns 0 after sending every entry followed by a terminating
 * AUDIT_WATCH_LIST reply, or the error from audit_to_skb().  On the error
 * path nothing is sent, not even the terminating reply.
 */
static int audit_list_watches_fn(void *_dest)
{
	struct hlist_head skb_list;
	struct hlist_node *tmp, *pos;
	struct audit_skb_list *entry;
	struct audit_watch *watch;
	int *dest = _dest;
	int pid = dest[0];
	int seq = dest[1];
	int ret = 0;

	kfree(dest);

	down(&audit_netlink_sem);

 restart:
	INIT_HLIST_HEAD(&skb_list);
	spin_lock(&auditfs_lock);

	hlist_for_each_entry(watch, pos, &master_watchlist, w_master) {
		/* Hold a reference so the watch outlives the unlocked
		   allocation below. */
		audit_watch_get(watch);
		spin_unlock(&auditfs_lock);

		entry = audit_to_skb(watch);
		if (IS_ERR(entry)) {
			ret = PTR_ERR(entry);
			audit_watch_put(watch);
			audit_free_skb_list(&skb_list);
			goto out;
		}

		hlist_add_head(&entry->list, &skb_list);
		spin_lock(&auditfs_lock);
		if (hlist_unhashed(&watch->w_master)) {
			/* This watch was removed from the list while we 
			   pondered it. We could play tricks to find how far
			   we'd got, but we might as well just start again
			   from scratch. There's no real chance of livelock,
			   as the number of watches in the system has 
			   decreased, and the netlink sem prevents new watches
			   from being added while we're looping */
			audit_watch_put(watch);
			audit_free_skb_list(&skb_list);
			spin_unlock(&auditfs_lock);
			goto restart;
		}
		audit_watch_put(watch);
	}
	spin_unlock(&auditfs_lock);

	/* Snapshot complete: send each entry, freeing as we go. */
	hlist_for_each_entry_safe(entry, pos, tmp, &skb_list, list) {
		audit_send_reply(pid, seq, AUDIT_WATCH_LIST, 0, 1, 
				 entry->memblk, entry->size);
		hlist_del(&entry->list);
		kfree(entry->memblk);
		kfree(entry);
	}
	audit_send_reply(pid, seq, AUDIT_WATCH_LIST, 1, 1, NULL, 0);

 out:
	up(&audit_netlink_sem);
	return ret;
}
 721
/*
 * Start a kernel thread that sends the master watchlist to the requester
 * identified by @pid and @seq.
 *
 * The two values are handed over in a kmalloc'ed int[2]; once the thread
 * has been started it owns and frees that buffer.
 *
 * Returns 0 if the thread was started, -ENOMEM if the argument buffer
 * could not be allocated, or the error from kthread_run().
 *
 * NOTE(review): each call starts a new thread and nothing in this
 * function limits how many are outstanding; they serialise on
 * audit_netlink_sem inside the thread -- confirm the caller restricts
 * who may issue list requests.
 */
int audit_list_watches(int pid, int seq)
{
	struct task_struct *tsk;
	int *args;

	args = kmalloc(2 * sizeof(int), GFP_KERNEL);
	if (!args)
		return -ENOMEM;

	args[0] = pid;
	args[1] = seq;

	tsk = kthread_run(audit_list_watches_fn, args, "audit_list_watches");
	if (!IS_ERR(tsk))
		return 0;

	/* The thread never ran, so the buffer is still ours to free. */
	kfree(args);
	return PTR_ERR(tsk);
}
 738
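/*
 * Validate a watch request received from user space and act on it.
 *
 * @type:     AUDIT_WATCH_INS or AUDIT_WATCH_REM
 * @pid, @uid, @seq: not used in this function
 * @req:      transport header, followed by the filter key and then the path
 * @loginuid: login uid recorded in the resulting audit record
 *
 * Checks performed before anything is allocated:
 *   - pathlen below PATH_MAX and fklen below AUDIT_FILTERKEY_MAX,
 *     else -ENAMETOOLONG
 *   - pathlen non-zero and the path starting with '/', else -EINVAL
 *   - perms containing only MAY_READ/MAY_WRITE/MAY_EXEC/MAY_APPEND bits,
 *     else -EINVAL
 *
 * Returns 0 on success, one of the errors above, -ENOMEM, -EINVAL for an
 * unknown @type, or the error from the insert/remove helper.
 *
 * NOTE(review): the length fields are bounded but never compared with the
 * size of the message actually received, and payload[req->fklen] is read
 * on that basis -- confirm the netlink receive path checks the message
 * length before calling in.  The checks also assume pathlen and fklen are
 * unsigned; confirm against struct watch_transport.
 * NOTE(review): no privilege check is made here; presumably the caller
 * has already restricted who may change watches -- verify.
 */
int audit_receive_watch(int type, int pid, int uid, int seq,
			struct watch_transport *req, uid_t loginuid)
{
	int ret;
	struct audit_watch *watch = NULL;
	char *payload = (char *)&req[1];

	if (req->pathlen >= PATH_MAX)
		return -ENAMETOOLONG;

	if (req->fklen >= AUDIT_FILTERKEY_MAX)
		return -ENAMETOOLONG;

	if (req->pathlen == 0)
		return -EINVAL;

	/* Only absolute paths are accepted; the path starts right after
	   the filter key. */
	if (payload[req->fklen] != '/')
		return -EINVAL;

	/* Test the bits rather than the magnitude: this rejects any flag
	   outside the permitted set, and also a negative value should the
	   field turn out to be signed. */
	if (req->perms & ~(MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND))
		return -EINVAL;

	watch = audit_to_watch(req);
	if (!watch)
		return -ENOMEM;

	switch (type) {
	case AUDIT_WATCH_INS:
		ret = audit_insert_watch(watch, loginuid);
		break;
	case AUDIT_WATCH_REM:
		ret = audit_remove_watch(watch, loginuid);
		break;
	default:
		ret = -EINVAL;
	}

	/* A successfully inserted watch is now owned by the watch lists.
	   In every other case the watch built above was only a carrier
	   for the request and is released here. */
	if (ret < 0 || type == AUDIT_WATCH_REM)
		audit_watch_put(watch);

	return ret;
}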
 785
/*
 * Tear down the audit data of @inode: unhash it, destroy the watches on
 * its watchlist, and drop the references held through its list of
 * attached watches.  Does nothing if the inode has no audit data.
 */
void audit_inode_free(struct inode *inode)
{
	struct audit_inode_data *data = audit_data_get(inode, 0, 1);
	struct audit_watch *watch;
	struct hlist_node *pos, *tmp;

	if (!data)
		return;

	spin_lock(&auditfs_hash_lock);
	audit_data_unhash(data);
	spin_unlock(&auditfs_hash_lock);

	audit_drain_watchlist(data);

	/* Release all our references to any watches we may have on us */
	spin_lock(&auditfs_lock);
	hlist_for_each_entry_safe(watch, pos, tmp, &data->watches, w_watched) {
		hlist_del_init(&watch->w_watched);
		audit_watch_put(watch);
	}
	spin_unlock(&auditfs_lock);

	audit_data_put(data);
}
 808
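/*
 * Create the watch slab cache and the inode hash table.
 *
 * auditfs_cache_buckets comes from a module parameter.  It is rounded up
 * to a power of two; a value that is not positive, or so large that the
 * rounding shift or the table size computation could overflow, is
 * replaced by the documented default of 16384.
 *
 * Returns 0 on success or -ENOMEM if either allocation fails.
 */
int audit_filesystem_init(void)
{
	audit_watch_cache =
	    kmem_cache_create("audit_watch_cache",
			      sizeof(struct audit_watch), 0, 0, NULL, NULL);
	/* Nothing has been set up yet, so return directly rather than
	   passing a NULL cache to kmem_cache_destroy(). */
	if (!audit_watch_cache)
		return -ENOMEM;

	/* The parameter is unchecked input: keep it inside the range for
	   which "1 << bits" and "buckets * sizeof(void *)" are well defined. */
	if (auditfs_cache_buckets < 1 ||
	    auditfs_cache_buckets > INT_MAX / (int)sizeof(void *)) {
		printk(KERN_NOTICE
		       "%s: invalid auditfs_cache_buckets %d, using 16384\n",
		       __FUNCTION__, auditfs_cache_buckets);
		auditfs_cache_buckets = 16384;
	}

	/* Set up hash table for inode objects */
	auditfs_hash_bits = long_log2(auditfs_cache_buckets);
	if (auditfs_cache_buckets != (1 << auditfs_hash_bits)) {
		auditfs_hash_bits++;
		auditfs_cache_buckets = 1 << auditfs_hash_bits;
		printk(KERN_NOTICE
		       "%s: auditfs_cache_buckets set to %d (bits %d)\n",
		       __FUNCTION__, auditfs_cache_buckets, auditfs_hash_bits);
	}

	auditfs_hash_table = kmalloc(auditfs_cache_buckets * sizeof(void *), GFP_KERNEL);

	if (!auditfs_hash_table) {
		printk(KERN_NOTICE "No memory to initialize auditfs cache.\n");
		kmem_cache_destroy(audit_watch_cache);
		/* Do not leave a pointer to the destroyed cache behind. */
		audit_watch_cache = NULL;
		return -ENOMEM;
	}

	memset(auditfs_hash_table, 0, auditfs_cache_buckets * sizeof(void *));

	return 0;
}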
 843
 844
/*
 * If @inode has watches attached, hand them and @mask to
 * auditfs_attach_wdata() for the current task.
 *
 * Does nothing when auditing is disabled, @inode is NULL, the current
 * task has no audit context, or the inode has no audit data.
 *
 * NOTE(review): data->watches is tested and passed on without
 * auditfs_lock held here -- confirm auditfs_attach_wdata() takes the
 * lock itself.
 */
void audit_notify_watch(struct inode *inode, int mask)
{
	struct audit_inode_data *data;

	if (likely(!audit_enabled))
		return;

	if (!inode || !current->audit_context)
		return;

	data = audit_data_get(inode, 0, 0);
	if (!data)
		return;

	if (!hlist_empty(&data->watches))
		auditfs_attach_wdata(inode, &data->watches, mask);

	audit_data_put(data);
}
 867
 868