diff options
author | Eric Paris <eparis@redhat.com> | 2012-01-03 14:23:08 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-17 16:17:01 -0500 |
commit | 02d86a568c6d2d335256864451ac8ce781bc5652 (patch) | |
tree | 3ef085bd96cc79733cff28993379dbbd4b855813 /include/linux | |
parent | 29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff) |
audit: allow interfield comparison in audit rules
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0. Or vice versa. This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared. At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/audit.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 7cbd6fe41573..838e05fc0582 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -182,7 +182,10 @@ | |||
182 | * AUDIT_UNUSED_BITS is updated if need be. */ | 182 | * AUDIT_UNUSED_BITS is updated if need be. */ |
183 | #define AUDIT_UNUSED_BITS 0x07FFFC00 | 183 | #define AUDIT_UNUSED_BITS 0x07FFFC00 |
184 | 184 | ||
185 | /* AUDIT_FIELD_COMPARE rule list */ | ||
186 | #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 | ||
185 | 187 | ||
188 | #define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID | ||
186 | /* Rule fields */ | 189 | /* Rule fields */ |
187 | /* These are useful when checking the | 190 | /* These are useful when checking the |
188 | * task structure at task creation time | 191 | * task structure at task creation time |
@@ -225,6 +228,7 @@ | |||
225 | #define AUDIT_FILETYPE 108 | 228 | #define AUDIT_FILETYPE 108 |
226 | #define AUDIT_OBJ_UID 109 | 229 | #define AUDIT_OBJ_UID 109 |
227 | #define AUDIT_OBJ_GID 110 | 230 | #define AUDIT_OBJ_GID 110 |
231 | #define AUDIT_FIELD_COMPARE 111 | ||
228 | 232 | ||
229 | #define AUDIT_ARG0 200 | 233 | #define AUDIT_ARG0 200 |
230 | #define AUDIT_ARG1 (AUDIT_ARG0+1) | 234 | #define AUDIT_ARG1 (AUDIT_ARG0+1) |