audit: allow interfield comparison in audit rules

We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com>
author: Eric Paris <eparis@redhat.com> 2012-01-03 14:23:08 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:17:01 -0500
commit: 02d86a568c6d2d335256864451ac8ce781bc5652 (patch)
tree: 3ef085bd96cc79733cff28993379dbbd4b855813 /include
parent: 29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 7cbd6fe41573..838e05fc0582 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,7 +182,10 @@
 * AUDIT_UNUSED_BITS is updated if need be. */
 #define AUDIT_UNUSED_BITS       0x07FFFC00
+/* AUDIT_FIELD_COMPARE rule list */
+#define AUDIT_COMPARE_UID_TO_OBJ_UID    1
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID
 /* Rule fields */
                                /* These are useful when checking the
                                 * task structure at task creation time
@@ -225,6 +228,7 @@
 #define AUDIT_FILETYPE  108
 #define AUDIT_OBJ_UID   109
 #define AUDIT_OBJ_GID   110
+#define AUDIT_FIELD_COMPARE     111
 #define AUDIT_ARG0      200
 #define AUDIT_ARG1      (AUDIT_ARG0+1)
author	Eric Paris <eparis@redhat.com>	2012-01-03 14:23:08 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-01-17 16:17:01 -0500
commit	02d86a568c6d2d335256864451ac8ce781bc5652 (patch)
tree	3ef085bd96cc79733cff28993379dbbd4b855813 /include
parent	29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff)