diff options
| author | Eric Paris <eparis@redhat.com> | 2012-01-03 14:23:08 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-17 16:17:01 -0500 |
| commit | 02d86a568c6d2d335256864451ac8ce781bc5652 (patch) | |
| tree | 3ef085bd96cc79733cff28993379dbbd4b855813 /kernel/auditsc.c | |
| parent | 29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff) | |
audit: allow interfield comparison in audit rules
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0. Or vice versa. This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared. At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'kernel/auditsc.c')
| -rw-r--r-- | kernel/auditsc.c | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9161e70a4379..8fb2c8e6d624 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) | |||
| 463 | return 0; | 463 | return 0; |
| 464 | } | 464 | } |
| 465 | 465 | ||
| 466 | static int audit_field_compare(struct task_struct *tsk, | ||
| 467 | const struct cred *cred, | ||
| 468 | struct audit_field *f, | ||
| 469 | struct audit_context *ctx, | ||
| 470 | struct audit_names *name) | ||
| 471 | { | ||
| 472 | struct audit_names *n; | ||
| 473 | |||
| 474 | switch (f->val) { | ||
| 475 | case AUDIT_COMPARE_UID_TO_OBJ_UID: | ||
| 476 | if (name) { | ||
| 477 | return audit_comparator(cred->uid, f->op, name->uid); | ||
| 478 | } else if (ctx) { | ||
| 479 | list_for_each_entry(n, &ctx->names_list, list) { | ||
| 480 | if (audit_comparator(cred->uid, f->op, n->uid)) | ||
| 481 | return 1; | ||
| 482 | } | ||
| 483 | } | ||
| 484 | break; | ||
| 485 | default: | ||
| 486 | WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n"); | ||
| 487 | return 0; | ||
| 488 | } | ||
| 489 | return 0; | ||
| 490 | } | ||
| 491 | |||
| 466 | /* Determine if any context name data matches a rule's watch data */ | 492 | /* Determine if any context name data matches a rule's watch data */ |
| 467 | /* Compare a task_struct with an audit_rule. Return 1 on match, 0 | 493 | /* Compare a task_struct with an audit_rule. Return 1 on match, 0 |
| 468 | * otherwise. | 494 | * otherwise. |
| @@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
| 693 | case AUDIT_FILETYPE: | 719 | case AUDIT_FILETYPE: |
| 694 | result = audit_match_filetype(ctx, f->val); | 720 | result = audit_match_filetype(ctx, f->val); |
| 695 | break; | 721 | break; |
| 722 | case AUDIT_FIELD_COMPARE: | ||
| 723 | result = audit_field_compare(tsk, cred, f, ctx, name); | ||
| 724 | break; | ||
| 696 | } | 725 | } |
| 697 | |||
| 698 | if (!result) | 726 | if (!result) |
| 699 | return 0; | 727 | return 0; |
| 700 | } | 728 | } |