[PATCH] audit syscall classes

Allow to tie upper bits of syscall bitmap in audit rules to kernel-defined sets of syscalls. Infrastructure, a couple of classes (with 32bit counterparts for biarch targets) and actual tie-in on i386, amd64 and ia64. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2006-07-01 03:56:16 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2006-07-01 07:44:10 -0400
commit: b915543b46a2aa599fdd2169e51bcfd88812a12b (patch)
tree: 8025e6654829d4c245b5b6b6f47a84543ebffb7b /kernel/auditfilter.c
parent: 6e5a2d1d32596850a0ebf7fb3e54c0d69901dabd (diff)
1 files changed, 39 insertions, 0 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7f2ea8b84a2..5b4e16276ca 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -279,6 +279,29 @@ static int audit_to_watch(struct audit_krule *krule, char *path, int len,
        return 0;
 }
+static __u32 *classes[AUDIT_SYSCALL_CLASSES];
+int __init audit_register_class(int class, unsigned *list)
+{
+        __u32 *p = kzalloc(AUDIT_BITMASK_SIZE * sizeof(__u32), GFP_KERNEL);
+        if (!p)
+                return -ENOMEM;
+        while (*list != ~0U) {
+                unsigned n = *list++;
+                if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
+                        kfree(p);
+                        return -EINVAL;
+                }
+                p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
+        }
+        if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
+                kfree(p);
+                return -EINVAL;
+        }
+        classes[class] = p;
+        return 0;
+}
 /* Common user-space to kernel rule translation. */
 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 {
@@ -322,6 +345,22 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
        for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
                entry->rule.mask[i] = rule->mask[i];
+        for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
+                int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
+                __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
+                __u32 *class;
+                if (!(*p & AUDIT_BIT(bit)))
+                        continue;
+                *p &= ~AUDIT_BIT(bit);
+                class = classes[i];
+                if (class) {
+                        int j;
+                        for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
+                                entry->rule.mask[j] |= class[j];
+                }
+        }
        return entry;
 exit_err:
author	Al Viro <viro@zeniv.linux.org.uk>	2006-07-01 03:56:16 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2006-07-01 07:44:10 -0400
commit	b915543b46a2aa599fdd2169e51bcfd88812a12b (patch)
tree	8025e6654829d4c245b5b6b6f47a84543ebffb7b /kernel/auditfilter.c
parent	6e5a2d1d32596850a0ebf7fb3e54c0d69901dabd (diff)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 7f2ea8b84a2..5b4e16276ca 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -279,6 +279,29 @@ static int audit_to_watch(struct audit_krule krule, char path, int len,
279	return 0;	279	return 0;
280	}	280	}
281		281
		282	static __u32 *classes[AUDIT_SYSCALL_CLASSES];
		283
		284	int __init audit_register_class(int class, unsigned *list)
		285	{
		286	__u32 p = kzalloc(AUDIT_BITMASK_SIZE sizeof(__u32), GFP_KERNEL);
		287	if (!p)
		288	return -ENOMEM;
		289	while (*list != ~0U) {
		290	unsigned n = *list++;
		291	if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
		292	kfree(p);
		293	return -EINVAL;
		294	}
		295	p[AUDIT_WORD(n)] \|= AUDIT_BIT(n);
		296	}
		297	if (class >= AUDIT_SYSCALL_CLASSES \|\| classes[class]) {
		298	kfree(p);
		299	return -EINVAL;
		300	}
		301	classes[class] = p;
		302	return 0;
		303	}
		304
282	/* Common user-space to kernel rule translation. */	305	/* Common user-space to kernel rule translation. */
283	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)	306	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
284	{	307	{
@@ -322,6 +345,22 @@ static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
322	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)	345	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
323	entry->rule.mask[i] = rule->mask[i];	346	entry->rule.mask[i] = rule->mask[i];
324		347
		348	for (i = 0; i < AUDIT_SYSCALL_CLASSES; i++) {
		349	int bit = AUDIT_BITMASK_SIZE * 32 - i - 1;
		350	__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];
		351	__u32 *class;
		352
		353	if (!(*p & AUDIT_BIT(bit)))
		354	continue;
		355	*p &= ~AUDIT_BIT(bit);
		356	class = classes[i];
		357	if (class) {
		358	int j;
		359	for (j = 0; j < AUDIT_BITMASK_SIZE; j++)
		360	entry->rule.mask[j] \|= class[j];
		361	}
		362	}
		363
325	return entry;	364	return entry;
326		365
327	exit_err:	366	exit_err: