authorEric Paris <eparis@redhat.com>2012-01-03 14:23:05 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2012-01-17 16:16:55 -0500
commit16c174bd95cb07c9d0ad3fcd8c70f9cea7214c9d (patch)
tree3264c533da56cc81988331fd0d3f42f3d2ba3183 /kernel/auditsc.c
parent3035c51e8ac0512686ceb9f2bd1d13bdc6e4fb29 (diff)
audit: check current inode and containing object when filtering on major and minor
The audit system has the ability to filter on the major and minor number of the device containing the inode being operated upon. Let's say that /dev/sda1 has major,minor 8,1 and that we mount /dev/sda1 on /boot. Now let's say we add a watch with a filter on 8,1. If we proceed to open an inode inside /boot, such as /vboot/vmlinuz, we will match the major,minor filter. Let's instead assume that one were to use a tool like debugfs and were to open /dev/sda1 directly and to modify its contents. We might hope that this would also be logged, but it isn't. The rules will check the major,minor of the device containing /dev/sda1. In other words the rule would match on the major/minor of the tmpfs mounted at /dev. I believe these rules should trigger on either device. The man page is devoid of useful information about the intended semantics. It only seems logical that if you want to know everything that happened on a major,minor that would include things that happened to the device itself... Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1a92d61ddd27..7c495147c3d9 100644
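--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -540,12 +540,14 @@ static int audit_filter_rules(struct task_struct *tsk,
 }
 break;
 case AUDIT_DEVMAJOR:
-if (name)
-result = audit_comparator(MAJOR(name->dev),
-f->op, f->val);
-else if (ctx) {
+if (name) {
+if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
+audit_comparator(MAJOR(name->rdev), f->op, f->val))
+++result;
+} else if (ctx) {
 list_for_each_entry(n, &ctx->names_list, list) {
-if (audit_comparator(MAJOR(n->dev), f->op, f->val)) {
+if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
+audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
 ++result;
 break;
 }
@@ -553,12 +555,14 @@ static int audit_filter_rules(struct task_struct *tsk,
 }
 break;
 case AUDIT_DEVMINOR:
-if (name)
-result = audit_comparator(MINOR(name->dev),
-f->op, f->val);
-else if (ctx) {
+if (name) {
+if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
+audit_comparator(MINOR(name->rdev), f->op, f->val))
+++result;
+} else if (ctx) {
 list_for_each_entry(n, &ctx->names_list, list) {
-if (audit_comparator(MINOR(n->dev), f->op, f->val)) {
+if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
+audit_comparator(MINOR(n->rdev), f->op, f->val)) {
 ++result;
 break;
 }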
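Review bot: The four added `rdev` comparisons (both branches of AUDIT_DEVMAJOR and of AUDIT_DEVMINOR) are OR-ed with the `dev` test for every inode, not only for device nodes, so the filter can match more than the rule author intended. `rdev` is filled in outside these hunks and is presumably 0 for regular files, in which case a rule on value 0, or any rule using a negated operator such as `!=` in `f->op`, would fire on nearly every name, and an exclusion rule would stop excluding anything. Character and block devices also share the same number space, so a character device with a matching major would be logged as if it were the disk. Consider consulting `rdev` only for block device nodes, e.g. `(S_ISBLK(name->mode) && audit_comparator(MAJOR(name->rdev), f->op, f->val))`, assuming the `mode` field of the name record is populated here, and add a comment above each case stating that a match on either the containing device or the node's own device number is intended. The body of audit_filter_rules starts and ends outside both hunks, so the initial value of `result` for the changed `++result` in the `name` branch should be confirmed there.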