diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-04-28 04:15:49 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-04-28 06:28:37 -0400 |
commit | 8b67dca9420474623709e00d72a066068a502b20 (patch) | |
tree | 9d4dc19d849dd23cf00cee0851fd402062cdf1ea | |
parent | 4a761b8c1d7a3a4ee7ccf92ce255d986f601e067 (diff) |
[PATCH] new predicate - AUDIT_FILETYPE
Argument is S_IF... | <index>, where index is normally 0 or 1.
Triggers if chosen element of ctx->names[] is present and the
mode of object in question matches the upper bits of argument.
I.e. for things like "is the argument of that chmod a directory",
etc.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | include/linux/audit.h | 1 | ||||
-rw-r--r-- | kernel/auditfilter.c | 8 | ||||
-rw-r--r-- | kernel/auditsc.c | 16 |
3 files changed, 25 insertions, 0 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index dcd5395b400d..63c3bb98558f 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -209,6 +209,7 @@ | |||
209 | #define AUDIT_WATCH 105 | 209 | #define AUDIT_WATCH 105 |
210 | #define AUDIT_PERM 106 | 210 | #define AUDIT_PERM 106 |
211 | #define AUDIT_DIR 107 | 211 | #define AUDIT_DIR 107 |
212 | #define AUDIT_FILETYPE 108 | ||
212 | 213 | ||
213 | #define AUDIT_ARG0 200 | 214 | #define AUDIT_ARG0 200 |
214 | #define AUDIT_ARG1 (AUDIT_ARG0+1) | 215 | #define AUDIT_ARG1 (AUDIT_ARG0+1) |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 7c3450d063fe..9435d9392df5 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -478,6 +478,10 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |||
478 | if (f->val & ~15) | 478 | if (f->val & ~15) |
479 | goto exit_free; | 479 | goto exit_free; |
480 | break; | 480 | break; |
481 | case AUDIT_FILETYPE: | ||
482 | if ((f->val & ~S_IFMT) > S_IFMT) | ||
483 | goto exit_free; | ||
484 | break; | ||
481 | case AUDIT_INODE: | 485 | case AUDIT_INODE: |
482 | err = audit_to_inode(&entry->rule, f); | 486 | err = audit_to_inode(&entry->rule, f); |
483 | if (err) | 487 | if (err) |
@@ -649,6 +653,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
649 | if (f->val & ~15) | 653 | if (f->val & ~15) |
650 | goto exit_free; | 654 | goto exit_free; |
651 | break; | 655 | break; |
656 | case AUDIT_FILETYPE: | ||
657 | if ((f->val & ~S_IFMT) > S_IFMT) | ||
658 | goto exit_free; | ||
659 | break; | ||
652 | default: | 660 | default: |
653 | goto exit_free; | 661 | goto exit_free; |
654 | } | 662 | } |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 091409996577..c10e7aae04d7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -280,6 +280,19 @@ static int audit_match_perm(struct audit_context *ctx, int mask) | |||
280 | } | 280 | } |
281 | } | 281 | } |
282 | 282 | ||
283 | static int audit_match_filetype(struct audit_context *ctx, int which) | ||
284 | { | ||
285 | unsigned index = which & ~S_IFMT; | ||
286 | mode_t mode = which & S_IFMT; | ||
287 | if (index >= ctx->name_count) | ||
288 | return 0; | ||
289 | if (ctx->names[index].ino == -1) | ||
290 | return 0; | ||
291 | if ((ctx->names[index].mode ^ mode) & S_IFMT) | ||
292 | return 0; | ||
293 | return 1; | ||
294 | } | ||
295 | |||
283 | /* | 296 | /* |
284 | * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; | 297 | * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; |
285 | * ->first_trees points to its beginning, ->trees - to the current end of data. | 298 | * ->first_trees points to its beginning, ->trees - to the current end of data. |
@@ -589,6 +602,9 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
589 | case AUDIT_PERM: | 602 | case AUDIT_PERM: |
590 | result = audit_match_perm(ctx, f->val); | 603 | result = audit_match_perm(ctx, f->val); |
591 | break; | 604 | break; |
605 | case AUDIT_FILETYPE: | ||
606 | result = audit_match_filetype(ctx, f->val); | ||
607 | break; | ||
592 | } | 608 | } |
593 | 609 | ||
594 | if (!result) | 610 | if (!result) |