audit: comparison on interprocess fields

This allows audit to specify rules in which we compare two fields of a process. Such as is the running process uid != to the running process euid? Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com>
author: Peter Moody <pmoody@google.com> 2012-01-04 15:24:31 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:17:03 -0500
commit: 10d68360871657204885371cdf2594412675d2f9 (patch)
tree: 85a4fa8d3b0dc0a7bc525475325f955f75d3881d
parent: 4a6633ed08af5ba67790b4d1adcdeb8ceb55677e (diff)
2 files changed, 62 insertions, 1 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 67113cb4bc15..9ff7a2c48b50 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -193,7 +193,29 @@
 #define AUDIT_COMPARE_FSUID_TO_OBJ_UID  8
 #define AUDIT_COMPARE_FSGID_TO_OBJ_GID  9
-#define AUDIT_MAX_FIELD_COMPARE         AUDIT_COMPARE_FSGID_TO_OBJ_GID
+#define AUDIT_COMPARE_UID_TO_AUID       10
+#define AUDIT_COMPARE_UID_TO_EUID       11
+#define AUDIT_COMPARE_UID_TO_FSUID      12
+#define AUDIT_COMPARE_UID_TO_SUID       13
+#define AUDIT_COMPARE_AUID_TO_FSUID     14
+#define AUDIT_COMPARE_AUID_TO_SUID      15
+#define AUDIT_COMPARE_AUID_TO_EUID      16
+#define AUDIT_COMPARE_EUID_TO_SUID      17
+#define AUDIT_COMPARE_EUID_TO_FSUID     18
+#define AUDIT_COMPARE_SUID_TO_FSUID     19
+#define AUDIT_COMPARE_GID_TO_EGID       20
+#define AUDIT_COMPARE_GID_TO_FSGID      21
+#define AUDIT_COMPARE_GID_TO_SGID       22
+#define AUDIT_COMPARE_EGID_TO_FSGID     23
+#define AUDIT_COMPARE_EGID_TO_SGID      24
+#define AUDIT_COMPARE_SGID_TO_FSGID     25
+#define AUDIT_MAX_FIELD_COMPARE         AUDIT_COMPARE_SGID_TO_FSGID
 /* Rule fields */
                                /* These are useful when checking the
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b8cee462b99e..593237e3654d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -545,6 +545,45 @@ static int audit_field_compare(struct task_struct *tsk,
                return audit_compare_id(cred->fsgid,
                                        name, offsetof(struct audit_names, gid),
                                        f, ctx);
+        /* uid comparisons */
+        case AUDIT_COMPARE_UID_TO_AUID:
+                return audit_comparator(cred->uid, f->op, tsk->loginuid);
+        case AUDIT_COMPARE_UID_TO_EUID:
+                return audit_comparator(cred->uid, f->op, cred->euid);
+        case AUDIT_COMPARE_UID_TO_SUID:
+                return audit_comparator(cred->uid, f->op, cred->suid);
+        case AUDIT_COMPARE_UID_TO_FSUID:
+                return audit_comparator(cred->uid, f->op, cred->fsuid);
+        /* auid comparisons */
+        case AUDIT_COMPARE_AUID_TO_EUID:
+                return audit_comparator(tsk->loginuid, f->op, cred->euid);
+        case AUDIT_COMPARE_AUID_TO_SUID:
+                return audit_comparator(tsk->loginuid, f->op, cred->suid);
+        case AUDIT_COMPARE_AUID_TO_FSUID:
+                return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
+        /* euid comparisons */
+        case AUDIT_COMPARE_EUID_TO_SUID:
+                return audit_comparator(cred->euid, f->op, cred->suid);
+        case AUDIT_COMPARE_EUID_TO_FSUID:
+                return audit_comparator(cred->euid, f->op, cred->fsuid);
+        /* suid comparisons */
+        case AUDIT_COMPARE_SUID_TO_FSUID:
+                return audit_comparator(cred->suid, f->op, cred->fsuid);
+        /* gid comparisons */
+        case AUDIT_COMPARE_GID_TO_EGID:
+                return audit_comparator(cred->gid, f->op, cred->egid);
+        case AUDIT_COMPARE_GID_TO_SGID:
+                return audit_comparator(cred->gid, f->op, cred->sgid);
+        case AUDIT_COMPARE_GID_TO_FSGID:
+                return audit_comparator(cred->gid, f->op, cred->fsgid);
+        /* egid comparisons */
+        case AUDIT_COMPARE_EGID_TO_SGID:
+                return audit_comparator(cred->egid, f->op, cred->sgid);
+        case AUDIT_COMPARE_EGID_TO_FSGID:
+                return audit_comparator(cred->egid, f->op, cred->fsgid);
+        /* sgid comparison */
+        case AUDIT_COMPARE_SGID_TO_FSGID:
+                return audit_comparator(cred->sgid, f->op, cred->fsgid);
        default:
                WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
                return 0;
author	Peter Moody <pmoody@google.com>	2012-01-04 15:24:31 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-01-17 16:17:03 -0500
commit	10d68360871657204885371cdf2594412675d2f9 (patch)
tree	85a4fa8d3b0dc0a7bc525475325f955f75d3881d
parent	4a6633ed08af5ba67790b4d1adcdeb8ceb55677e (diff)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 67113cb4bc15..9ff7a2c48b50 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -193,7 +193,29 @@
193	#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8	193	#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
194	#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9	194	#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
195		195
196	#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_FSGID_TO_OBJ_GID	196	#define AUDIT_COMPARE_UID_TO_AUID 10
		197	#define AUDIT_COMPARE_UID_TO_EUID 11
		198	#define AUDIT_COMPARE_UID_TO_FSUID 12
		199	#define AUDIT_COMPARE_UID_TO_SUID 13
		200
		201	#define AUDIT_COMPARE_AUID_TO_FSUID 14
		202	#define AUDIT_COMPARE_AUID_TO_SUID 15
		203	#define AUDIT_COMPARE_AUID_TO_EUID 16
		204
		205	#define AUDIT_COMPARE_EUID_TO_SUID 17
		206	#define AUDIT_COMPARE_EUID_TO_FSUID 18
		207
		208	#define AUDIT_COMPARE_SUID_TO_FSUID 19
		209
		210	#define AUDIT_COMPARE_GID_TO_EGID 20
		211	#define AUDIT_COMPARE_GID_TO_FSGID 21
		212	#define AUDIT_COMPARE_GID_TO_SGID 22
		213
		214	#define AUDIT_COMPARE_EGID_TO_FSGID 23
		215	#define AUDIT_COMPARE_EGID_TO_SGID 24
		216	#define AUDIT_COMPARE_SGID_TO_FSGID 25
		217
		218	#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
197		219
198	/* Rule fields */	220	/* Rule fields */
199	/* These are useful when checking the	221	/* These are useful when checking the


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b8cee462b99e..593237e3654d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -545,6 +545,45 @@ static int audit_field_compare(struct task_struct *tsk,
545	return audit_compare_id(cred->fsgid,	545	return audit_compare_id(cred->fsgid,
546	name, offsetof(struct audit_names, gid),	546	name, offsetof(struct audit_names, gid),
547	f, ctx);	547	f, ctx);
		548	/* uid comparisons */
		549	case AUDIT_COMPARE_UID_TO_AUID:
		550	return audit_comparator(cred->uid, f->op, tsk->loginuid);
		551	case AUDIT_COMPARE_UID_TO_EUID:
		552	return audit_comparator(cred->uid, f->op, cred->euid);
		553	case AUDIT_COMPARE_UID_TO_SUID:
		554	return audit_comparator(cred->uid, f->op, cred->suid);
		555	case AUDIT_COMPARE_UID_TO_FSUID:
		556	return audit_comparator(cred->uid, f->op, cred->fsuid);
		557	/* auid comparisons */
		558	case AUDIT_COMPARE_AUID_TO_EUID:
		559	return audit_comparator(tsk->loginuid, f->op, cred->euid);
		560	case AUDIT_COMPARE_AUID_TO_SUID:
		561	return audit_comparator(tsk->loginuid, f->op, cred->suid);
		562	case AUDIT_COMPARE_AUID_TO_FSUID:
		563	return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
		564	/* euid comparisons */
		565	case AUDIT_COMPARE_EUID_TO_SUID:
		566	return audit_comparator(cred->euid, f->op, cred->suid);
		567	case AUDIT_COMPARE_EUID_TO_FSUID:
		568	return audit_comparator(cred->euid, f->op, cred->fsuid);
		569	/* suid comparisons */
		570	case AUDIT_COMPARE_SUID_TO_FSUID:
		571	return audit_comparator(cred->suid, f->op, cred->fsuid);
		572	/* gid comparisons */
		573	case AUDIT_COMPARE_GID_TO_EGID:
		574	return audit_comparator(cred->gid, f->op, cred->egid);
		575	case AUDIT_COMPARE_GID_TO_SGID:
		576	return audit_comparator(cred->gid, f->op, cred->sgid);
		577	case AUDIT_COMPARE_GID_TO_FSGID:
		578	return audit_comparator(cred->gid, f->op, cred->fsgid);
		579	/* egid comparisons */
		580	case AUDIT_COMPARE_EGID_TO_SGID:
		581	return audit_comparator(cred->egid, f->op, cred->sgid);
		582	case AUDIT_COMPARE_EGID_TO_FSGID:
		583	return audit_comparator(cred->egid, f->op, cred->fsgid);
		584	/* sgid comparison */
		585	case AUDIT_COMPARE_SGID_TO_FSGID:
		586	return audit_comparator(cred->sgid, f->op, cred->fsgid);
548	default:	587	default:
549	WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");	588	WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
550	return 0;	589	return 0;