audit: Add typespecific uid and gid comparators

The audit filter code guarantees that uid are always compared with uids and gids are always compared with gids, as the comparason operations are type specific. Take advantage of this proper to define audit_uid_comparator and audit_gid_comparator which use the type safe comparasons from uidgid.h. Build on audit_uid_comparator and audit_gid_comparator and replace audit_compare_id with audit_compare_uid and audit_compare_gid. This is one of those odd cases where being type safe and duplicating code leads to simpler shorter and more concise code. Don't allow bitmask operations in uid and gid comparisons in audit_data_to_entry. Bitmask operations are already denined in audit_rule_to_entry. Convert constants in audit_rule_to_entry and audit_data_to_entry into kuids and kgids when appropriate. Convert the uid and gid field in struct audit_names to be of type kuid_t and kgid_t respectively, so that the new uid and gid comparators can be applied in a type safe manner. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Paris <eparis@redhat.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2012-09-11 05:18:08 -0400
committer: Eric W. Biederman <ebiederm@xmission.com> 2012-09-17 21:08:09 -0400
commit: ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (patch)
tree: 874ac71ed75f3c9b44eca7dbd8efef16d481827d /kernel
parent: 860c0aaff75e714c21d325f32d36a37572b4fffb (diff)
3 files changed, 182 insertions, 89 deletions
diff --git a/kernel/audit.h b/kernel/audit.h
index 816766803371..4b428bb41ea3 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -76,6 +76,8 @@ static inline int audit_hash_ino(u32 ino)
 extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
+extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
+extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
                                    int *dirlen);
 extern struct sk_buff *     audit_make_reply(int pid, int seq, int type,
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index e242dd9aa2d0..b30320cea26f 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -342,6 +342,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
                f->val = rule->values[i];
+                f->uid = INVALID_UID;
+                f->gid = INVALID_GID;
                err = -EINVAL;
                if (f->op == Audit_bad)
@@ -350,16 +352,32 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                switch(f->type) {
                default:
                        goto exit_free;
-                case AUDIT_PID:
                case AUDIT_UID:
                case AUDIT_EUID:
                case AUDIT_SUID:
                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                        /* bit ops not implemented for uid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->uid = make_kuid(current_user_ns(), f->val);
+                        if (!uid_valid(f->uid))
+                                goto exit_free;
+                        break;
                case AUDIT_GID:
                case AUDIT_EGID:
                case AUDIT_SGID:
                case AUDIT_FSGID:
-                case AUDIT_LOGINUID:
+                        /* bit ops not implemented for gid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->gid = make_kgid(current_user_ns(), f->val);
+                        if (!gid_valid(f->gid))
+                                goto exit_free;
+                        break;
+                case AUDIT_PID:
                case AUDIT_PERS:
                case AUDIT_MSGTYPE:
                case AUDIT_PPID:
@@ -437,19 +455,39 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                f->type = data->fields[i];
                f->val = data->values[i];
+                f->uid = INVALID_UID;
+                f->gid = INVALID_GID;
                f->lsm_str = NULL;
                f->lsm_rule = NULL;
                switch(f->type) {
-                case AUDIT_PID:
                case AUDIT_UID:
                case AUDIT_EUID:
                case AUDIT_SUID:
                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_UID:
+                        /* bit ops not implemented for uid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->uid = make_kuid(current_user_ns(), f->val);
+                        if (!uid_valid(f->uid))
+                                goto exit_free;
+                        break;
                case AUDIT_GID:
                case AUDIT_EGID:
                case AUDIT_SGID:
                case AUDIT_FSGID:
-                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_GID:
+                        /* bit ops not implemented for gid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->gid = make_kgid(current_user_ns(), f->val);
+                        if (!gid_valid(f->gid))
+                                goto exit_free;
+                        break;
+                case AUDIT_PID:
                case AUDIT_PERS:
                case AUDIT_MSGTYPE:
                case AUDIT_PPID:
@@ -461,8 +499,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                case AUDIT_ARG1:
                case AUDIT_ARG2:
                case AUDIT_ARG3:
-                case AUDIT_OBJ_UID:
-                case AUDIT_OBJ_GID:
                        break;
                case AUDIT_ARCH:
                        entry->rule.arch_f = f;
@@ -707,6 +743,23 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
                        if (strcmp(a->filterkey, b->filterkey))
                                return 1;
                        break;
+                case AUDIT_UID:
+                case AUDIT_EUID:
+                case AUDIT_SUID:
+                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_UID:
+                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
+                                return 1;
+                        break;
+                case AUDIT_GID:
+                case AUDIT_EGID:
+                case AUDIT_SGID:
+                case AUDIT_FSGID:
+                case AUDIT_OBJ_GID:
+                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
+                                return 1;
+                        break;
                default:
                        if (a->fields[i].val != b->fields[i].val)
                                return 1;
@@ -1198,6 +1251,52 @@ int audit_comparator(u32 left, u32 op, u32 right)
        }
 }
+int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
+{
+        switch (op) {
+        case Audit_equal:
+                return uid_eq(left, right);
+        case Audit_not_equal:
+                return !uid_eq(left, right);
+        case Audit_lt:
+                return uid_lt(left, right);
+        case Audit_le:
+                return uid_lte(left, right);
+        case Audit_gt:
+                return uid_gt(left, right);
+        case Audit_ge:
+                return uid_gte(left, right);
+        case Audit_bitmask:
+        case Audit_bittest:
+        default:
+                BUG();
+                return 0;
+        }
+}
+int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
+{
+        switch (op) {
+        case Audit_equal:
+                return gid_eq(left, right);
+        case Audit_not_equal:
+                return !gid_eq(left, right);
+        case Audit_lt:
+                return gid_lt(left, right);
+        case Audit_le:
+                return gid_lte(left, right);
+        case Audit_gt:
+                return gid_gt(left, right);
+        case Audit_ge:
+                return gid_gte(left, right);
+        case Audit_bitmask:
+        case Audit_bittest:
+        default:
+                BUG();
+                return 0;
+        }
+}
 /* Compare given dentry name with last component in given path,
 * return of 0 indicates a match. */
 int audit_compare_dname_path(const char *dname, const char *path,
@@ -1251,14 +1350,14 @@ static int audit_filter_user_rules(struct audit_krule *rule,
                        result = audit_comparator(task_pid_vnr(current), f->op, f->val);
                        break;
                case AUDIT_UID:
-                        result = audit_comparator(current_uid(), f->op, f->val);
+                        result = audit_uid_comparator(current_uid(), f->op, f->uid);
                        break;
                case AUDIT_GID:
-                        result = audit_comparator(current_gid(), f->op, f->val);
+                        result = audit_gid_comparator(current_gid(), f->op, f->gid);
                        break;
                case AUDIT_LOGINUID:
-                        result = audit_comparator(audit_get_loginuid(current),
+                        result = audit_uid_comparator(audit_get_loginuid(current),
-                                                  f->op, f->val);
+                                                  f->op, f->uid);
                        break;
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415527b8..0b5b8a232b55 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -113,8 +113,8 @@ struct audit_names {
        unsigned long   ino;
        dev_t           dev;
        umode_t         mode;
-        uid_t           uid;
+        kuid_t          uid;
-        gid_t           gid;
+        kgid_t          gid;
        dev_t           rdev;
        u32             osid;
        struct audit_cap_data fcap;
@@ -464,37 +464,47 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
        return 0;
 }
-static int audit_compare_id(uid_t uid1,
+static int audit_compare_uid(kuid_t uid,
-                            struct audit_names *name,
+                             struct audit_names *name,
-                            unsigned long name_offset,
+                             struct audit_field *f,
-                            struct audit_field *f,
+                             struct audit_context *ctx)
-                            struct audit_context *ctx)
 {
        struct audit_names *n;
-        unsigned long addr;
-        uid_t uid2;
        int rc;
+ 
-        BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
        if (name) {
-                addr = (unsigned long)name;
+                rc = audit_uid_comparator(uid, f->op, name->uid);
-                addr += name_offset;
-                uid2 = *(uid_t *)addr;
-                rc = audit_comparator(uid1, f->op, uid2);
                if (rc)
                        return rc;
        }
+ 
        if (ctx) {
                list_for_each_entry(n, &ctx->names_list, list) {
-                        addr = (unsigned long)n;
+                        rc = audit_uid_comparator(uid, f->op, n->uid);
-                        addr += name_offset;
+                        if (rc)
+                                return rc;
-                        uid2 = *(uid_t *)addr;
+                }
+        }
+        return 0;
+}
-                        rc = audit_comparator(uid1, f->op, uid2);
+static int audit_compare_gid(kgid_t gid,
+                             struct audit_names *name,
+                             struct audit_field *f,
+                             struct audit_context *ctx)
+{
+        struct audit_names *n;
+        int rc;
+ 
+        if (name) {
+                rc = audit_gid_comparator(gid, f->op, name->gid);
+                if (rc)
+                        return rc;
+        }
+ 
+        if (ctx) {
+                list_for_each_entry(n, &ctx->names_list, list) {
+                        rc = audit_gid_comparator(gid, f->op, n->gid);
                        if (rc)
                                return rc;
                }
@@ -511,80 +521,62 @@ static int audit_field_compare(struct task_struct *tsk,
        switch (f->val) {
        /* process to file object comparisons */
        case AUDIT_COMPARE_UID_TO_OBJ_UID:
-                return audit_compare_id(cred->uid,
+                return audit_compare_uid(cred->uid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_GID_TO_OBJ_GID:
-                return audit_compare_id(cred->gid,
+                return audit_compare_gid(cred->gid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        case AUDIT_COMPARE_EUID_TO_OBJ_UID:
-                return audit_compare_id(cred->euid,
+                return audit_compare_uid(cred->euid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_EGID_TO_OBJ_GID:
-                return audit_compare_id(cred->egid,
+                return audit_compare_gid(cred->egid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-                return audit_compare_id(tsk->loginuid,
+                return audit_compare_uid(tsk->loginuid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_SUID_TO_OBJ_UID:
-                return audit_compare_id(cred->suid,
+                return audit_compare_uid(cred->suid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_SGID_TO_OBJ_GID:
-                return audit_compare_id(cred->sgid,
+                return audit_compare_gid(cred->sgid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
-                return audit_compare_id(cred->fsuid,
+                return audit_compare_uid(cred->fsuid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
-                return audit_compare_id(cred->fsgid,
+                return audit_compare_gid(cred->fsgid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        /* uid comparisons */
        case AUDIT_COMPARE_UID_TO_AUID:
-                return audit_comparator(cred->uid, f->op, tsk->loginuid);
+                return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
        case AUDIT_COMPARE_UID_TO_EUID:
-                return audit_comparator(cred->uid, f->op, cred->euid);
+                return audit_uid_comparator(cred->uid, f->op, cred->euid);
        case AUDIT_COMPARE_UID_TO_SUID:
-                return audit_comparator(cred->uid, f->op, cred->suid);
+                return audit_uid_comparator(cred->uid, f->op, cred->suid);
        case AUDIT_COMPARE_UID_TO_FSUID:
-                return audit_comparator(cred->uid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
        /* auid comparisons */
        case AUDIT_COMPARE_AUID_TO_EUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->euid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
        case AUDIT_COMPARE_AUID_TO_SUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->suid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
        case AUDIT_COMPARE_AUID_TO_FSUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
        /* euid comparisons */
        case AUDIT_COMPARE_EUID_TO_SUID:
-                return audit_comparator(cred->euid, f->op, cred->suid);
+                return audit_uid_comparator(cred->euid, f->op, cred->suid);
        case AUDIT_COMPARE_EUID_TO_FSUID:
-                return audit_comparator(cred->euid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
        /* suid comparisons */
        case AUDIT_COMPARE_SUID_TO_FSUID:
-                return audit_comparator(cred->suid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
        /* gid comparisons */
        case AUDIT_COMPARE_GID_TO_EGID:
-                return audit_comparator(cred->gid, f->op, cred->egid);
+                return audit_gid_comparator(cred->gid, f->op, cred->egid);
        case AUDIT_COMPARE_GID_TO_SGID:
-                return audit_comparator(cred->gid, f->op, cred->sgid);
+                return audit_gid_comparator(cred->gid, f->op, cred->sgid);
        case AUDIT_COMPARE_GID_TO_FSGID:
-                return audit_comparator(cred->gid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
        /* egid comparisons */
        case AUDIT_COMPARE_EGID_TO_SGID:
-                return audit_comparator(cred->egid, f->op, cred->sgid);
+                return audit_gid_comparator(cred->egid, f->op, cred->sgid);
        case AUDIT_COMPARE_EGID_TO_FSGID:
-                return audit_comparator(cred->egid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
        /* sgid comparison */
        case AUDIT_COMPARE_SGID_TO_FSGID:
-                return audit_comparator(cred->sgid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
        default:
                WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
                return 0;
@@ -630,28 +622,28 @@ static int audit_filter_rules(struct task_struct *tsk,
                        }
                        break;
                case AUDIT_UID:
-                        result = audit_comparator(cred->uid, f->op, f->val);
+                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
                        break;
                case AUDIT_EUID:
-                        result = audit_comparator(cred->euid, f->op, f->val);
+                        result = audit_uid_comparator(cred->euid, f->op, f->uid);
                        break;
                case AUDIT_SUID:
-                        result = audit_comparator(cred->suid, f->op, f->val);
+                        result = audit_uid_comparator(cred->suid, f->op, f->uid);
                        break;
                case AUDIT_FSUID:
-                        result = audit_comparator(cred->fsuid, f->op, f->val);
+                        result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
                        break;
                case AUDIT_GID:
-                        result = audit_comparator(cred->gid, f->op, f->val);
+                        result = audit_gid_comparator(cred->gid, f->op, f->gid);
                        break;
                case AUDIT_EGID:
-                        result = audit_comparator(cred->egid, f->op, f->val);
+                        result = audit_gid_comparator(cred->egid, f->op, f->gid);
                        break;
                case AUDIT_SGID:
-                        result = audit_comparator(cred->sgid, f->op, f->val);
+                        result = audit_gid_comparator(cred->sgid, f->op, f->gid);
                        break;
                case AUDIT_FSGID:
-                        result = audit_comparator(cred->fsgid, f->op, f->val);
+                        result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
                        break;
                case AUDIT_PERS:
                        result = audit_comparator(tsk->personality, f->op, f->val);
@@ -717,10 +709,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_OBJ_UID:
                        if (name) {
-                                result = audit_comparator(name->uid, f->op, f->val);
+                                result = audit_uid_comparator(name->uid, f->op, f->uid);
                        } else if (ctx) {
                                list_for_each_entry(n, &ctx->names_list, list) {
-                                        if (audit_comparator(n->uid, f->op, f->val)) {
+                                        if (audit_uid_comparator(n->uid, f->op, f->uid)) {
                                                ++result;
                                                break;
                                        }
@@ -729,10 +721,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_OBJ_GID:
                        if (name) {
-                                result = audit_comparator(name->gid, f->op, f->val);
+                                result = audit_gid_comparator(name->gid, f->op, f->gid);
                        } else if (ctx) {
                                list_for_each_entry(n, &ctx->names_list, list) {
-                                        if (audit_comparator(n->gid, f->op, f->val)) {
+                                        if (audit_gid_comparator(n->gid, f->op, f->gid)) {
                                                ++result;
                                                break;
                                        }
@@ -750,7 +742,7 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_LOGINUID:
                        result = 0;
                        if (ctx)
-                                result = audit_comparator(tsk->loginuid, f->op, f->val);
+                                result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
                        break;
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
author	Eric W. Biederman <ebiederm@xmission.com>	2012-09-11 05:18:08 -0400
committer	Eric W. Biederman <ebiederm@xmission.com>	2012-09-17 21:08:09 -0400
commit	ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (patch)
tree	874ac71ed75f3c9b44eca7dbd8efef16d481827d /kernel
parent	860c0aaff75e714c21d325f32d36a37572b4fffb (diff)

diff --git a/kernel/audit.h b/kernel/audit.h index 816766803371..4b428bb41ea3 100644 --- a/kernel/audit.h +++ b/kernel/audit.h
@@ -76,6 +76,8 @@ static inline int audit_hash_ino(u32 ino)
76		76
77	extern int audit_match_class(int class, unsigned syscall);	77	extern int audit_match_class(int class, unsigned syscall);
78	extern int audit_comparator(const u32 left, const u32 op, const u32 right);	78	extern int audit_comparator(const u32 left, const u32 op, const u32 right);
		79	extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
		80	extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
79	extern int audit_compare_dname_path(const char dname, const char path,	81	extern int audit_compare_dname_path(const char dname, const char path,
80	int *dirlen);	82	int *dirlen);
81	extern struct sk_buff * audit_make_reply(int pid, int seq, int type,	83	extern struct sk_buff * audit_make_reply(int pid, int seq, int type,


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e242dd9aa2d0..b30320cea26f 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -342,6 +342,8 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
342		342
343	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);	343	f->type = rule->fields[i] & ~(AUDIT_NEGATE\|AUDIT_OPERATORS);
344	f->val = rule->values[i];	344	f->val = rule->values[i];
		345	f->uid = INVALID_UID;
		346	f->gid = INVALID_GID;
345		347
346	err = -EINVAL;	348	err = -EINVAL;
347	if (f->op == Audit_bad)	349	if (f->op == Audit_bad)
@@ -350,16 +352,32 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
350	switch(f->type) {	352	switch(f->type) {
351	default:	353	default:
352	goto exit_free;	354	goto exit_free;
353	case AUDIT_PID:
354	case AUDIT_UID:	355	case AUDIT_UID:
355	case AUDIT_EUID:	356	case AUDIT_EUID:
356	case AUDIT_SUID:	357	case AUDIT_SUID:
357	case AUDIT_FSUID:	358	case AUDIT_FSUID:
		359	case AUDIT_LOGINUID:
		360	/* bit ops not implemented for uid comparisons */
		361	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
		362	goto exit_free;
		363
		364	f->uid = make_kuid(current_user_ns(), f->val);
		365	if (!uid_valid(f->uid))
		366	goto exit_free;
		367	break;
358	case AUDIT_GID:	368	case AUDIT_GID:
359	case AUDIT_EGID:	369	case AUDIT_EGID:
360	case AUDIT_SGID:	370	case AUDIT_SGID:
361	case AUDIT_FSGID:	371	case AUDIT_FSGID:
362	case AUDIT_LOGINUID:	372	/* bit ops not implemented for gid comparisons */
		373	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
		374	goto exit_free;
		375
		376	f->gid = make_kgid(current_user_ns(), f->val);
		377	if (!gid_valid(f->gid))
		378	goto exit_free;
		379	break;
		380	case AUDIT_PID:
363	case AUDIT_PERS:	381	case AUDIT_PERS:
364	case AUDIT_MSGTYPE:	382	case AUDIT_MSGTYPE:
365	case AUDIT_PPID:	383	case AUDIT_PPID:
@@ -437,19 +455,39 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
437		455
438	f->type = data->fields[i];	456	f->type = data->fields[i];
439	f->val = data->values[i];	457	f->val = data->values[i];
		458	f->uid = INVALID_UID;
		459	f->gid = INVALID_GID;
440	f->lsm_str = NULL;	460	f->lsm_str = NULL;
441	f->lsm_rule = NULL;	461	f->lsm_rule = NULL;
442	switch(f->type) {	462	switch(f->type) {
443	case AUDIT_PID:
444	case AUDIT_UID:	463	case AUDIT_UID:
445	case AUDIT_EUID:	464	case AUDIT_EUID:
446	case AUDIT_SUID:	465	case AUDIT_SUID:
447	case AUDIT_FSUID:	466	case AUDIT_FSUID:
		467	case AUDIT_LOGINUID:
		468	case AUDIT_OBJ_UID:
		469	/* bit ops not implemented for uid comparisons */
		470	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
		471	goto exit_free;
		472
		473	f->uid = make_kuid(current_user_ns(), f->val);
		474	if (!uid_valid(f->uid))
		475	goto exit_free;
		476	break;
448	case AUDIT_GID:	477	case AUDIT_GID:
449	case AUDIT_EGID:	478	case AUDIT_EGID:
450	case AUDIT_SGID:	479	case AUDIT_SGID:
451	case AUDIT_FSGID:	480	case AUDIT_FSGID:
452	case AUDIT_LOGINUID:	481	case AUDIT_OBJ_GID:
		482	/* bit ops not implemented for gid comparisons */
		483	if (f->op == Audit_bitmask \|\| f->op == Audit_bittest)
		484	goto exit_free;
		485
		486	f->gid = make_kgid(current_user_ns(), f->val);
		487	if (!gid_valid(f->gid))
		488	goto exit_free;
		489	break;
		490	case AUDIT_PID:
453	case AUDIT_PERS:	491	case AUDIT_PERS:
454	case AUDIT_MSGTYPE:	492	case AUDIT_MSGTYPE:
455	case AUDIT_PPID:	493	case AUDIT_PPID:
@@ -461,8 +499,6 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
461	case AUDIT_ARG1:	499	case AUDIT_ARG1:
462	case AUDIT_ARG2:	500	case AUDIT_ARG2:
463	case AUDIT_ARG3:	501	case AUDIT_ARG3:
464	case AUDIT_OBJ_UID:
465	case AUDIT_OBJ_GID:
466	break;	502	break;
467	case AUDIT_ARCH:	503	case AUDIT_ARCH:
468	entry->rule.arch_f = f;	504	entry->rule.arch_f = f;
@@ -707,6 +743,23 @@ static int audit_compare_rule(struct audit_krule a, struct audit_krule b)
707	if (strcmp(a->filterkey, b->filterkey))	743	if (strcmp(a->filterkey, b->filterkey))
708	return 1;	744	return 1;
709	break;	745	break;
		746	case AUDIT_UID:
		747	case AUDIT_EUID:
		748	case AUDIT_SUID:
		749	case AUDIT_FSUID:
		750	case AUDIT_LOGINUID:
		751	case AUDIT_OBJ_UID:
		752	if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
		753	return 1;
		754	break;
		755	case AUDIT_GID:
		756	case AUDIT_EGID:
		757	case AUDIT_SGID:
		758	case AUDIT_FSGID:
		759	case AUDIT_OBJ_GID:
		760	if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
		761	return 1;
		762	break;
710	default:	763	default:
711	if (a->fields[i].val != b->fields[i].val)	764	if (a->fields[i].val != b->fields[i].val)
712	return 1;	765	return 1;
@@ -1198,6 +1251,52 @@ int audit_comparator(u32 left, u32 op, u32 right)
1198	}	1251	}
1199	}	1252	}
1200		1253
		1254	int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
		1255	{
		1256	switch (op) {
		1257	case Audit_equal:
		1258	return uid_eq(left, right);
		1259	case Audit_not_equal:
		1260	return !uid_eq(left, right);
		1261	case Audit_lt:
		1262	return uid_lt(left, right);
		1263	case Audit_le:
		1264	return uid_lte(left, right);
		1265	case Audit_gt:
		1266	return uid_gt(left, right);
		1267	case Audit_ge:
		1268	return uid_gte(left, right);
		1269	case Audit_bitmask:
		1270	case Audit_bittest:
		1271	default:
		1272	BUG();
		1273	return 0;
		1274	}
		1275	}
		1276
		1277	int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
		1278	{
		1279	switch (op) {
		1280	case Audit_equal:
		1281	return gid_eq(left, right);
		1282	case Audit_not_equal:
		1283	return !gid_eq(left, right);
		1284	case Audit_lt:
		1285	return gid_lt(left, right);
		1286	case Audit_le:
		1287	return gid_lte(left, right);
		1288	case Audit_gt:
		1289	return gid_gt(left, right);
		1290	case Audit_ge:
		1291	return gid_gte(left, right);
		1292	case Audit_bitmask:
		1293	case Audit_bittest:
		1294	default:
		1295	BUG();
		1296	return 0;
		1297	}
		1298	}
		1299
1201	/* Compare given dentry name with last component in given path,	1300	/* Compare given dentry name with last component in given path,
1202	* return of 0 indicates a match. */	1301	* return of 0 indicates a match. */
1203	int audit_compare_dname_path(const char dname, const char path,	1302	int audit_compare_dname_path(const char dname, const char path,
@@ -1251,14 +1350,14 @@ static int audit_filter_user_rules(struct audit_krule *rule,
1251	result = audit_comparator(task_pid_vnr(current), f->op, f->val);	1350	result = audit_comparator(task_pid_vnr(current), f->op, f->val);
1252	break;	1351	break;
1253	case AUDIT_UID:	1352	case AUDIT_UID:
1254	result = audit_comparator(current_uid(), f->op, f->val);	1353	result = audit_uid_comparator(current_uid(), f->op, f->uid);
1255	break;	1354	break;
1256	case AUDIT_GID:	1355	case AUDIT_GID:
1257	result = audit_comparator(current_gid(), f->op, f->val);	1356	result = audit_gid_comparator(current_gid(), f->op, f->gid);
1258	break;	1357	break;
1259	case AUDIT_LOGINUID:	1358	case AUDIT_LOGINUID:
1260	result = audit_comparator(audit_get_loginuid(current),	1359	result = audit_uid_comparator(audit_get_loginuid(current),
1261	f->op, f->val);	1360	f->op, f->uid);
1262	break;	1361	break;
1263	case AUDIT_SUBJ_USER:	1362	case AUDIT_SUBJ_USER:
1264	case AUDIT_SUBJ_ROLE:	1363	case AUDIT_SUBJ_ROLE:


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4b96415527b8..0b5b8a232b55 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -113,8 +113,8 @@ struct audit_names {
113	unsigned long ino;	113	unsigned long ino;
114	dev_t dev;	114	dev_t dev;
115	umode_t mode;	115	umode_t mode;
116	uid_t uid;	116	kuid_t uid;
117	gid_t gid;	117	kgid_t gid;
118	dev_t rdev;	118	dev_t rdev;
119	u32 osid;	119	u32 osid;
120	struct audit_cap_data fcap;	120	struct audit_cap_data fcap;
@@ -464,37 +464,47 @@ static int match_tree_refs(struct audit_context ctx, struct audit_tree tree)
464	return 0;	464	return 0;
465	}	465	}
466		466
467	static int audit_compare_id(uid_t uid1,	467	static int audit_compare_uid(kuid_t uid,
468	struct audit_names *name,	468	struct audit_names *name,
469	unsigned long name_offset,	469	struct audit_field *f,
470	struct audit_field *f,	470	struct audit_context *ctx)
471	struct audit_context *ctx)
472	{	471	{
473	struct audit_names *n;	472	struct audit_names *n;
474	unsigned long addr;
475	uid_t uid2;
476	int rc;	473	int rc;
477		474
478	BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
479
480	if (name) {	475	if (name) {
481	addr = (unsigned long)name;	476	rc = audit_uid_comparator(uid, f->op, name->uid);
482	addr += name_offset;
483
484	uid2 = (uid_t )addr;
485	rc = audit_comparator(uid1, f->op, uid2);
486	if (rc)	477	if (rc)
487	return rc;	478	return rc;
488	}	479	}
489		480
490	if (ctx) {	481	if (ctx) {
491	list_for_each_entry(n, &ctx->names_list, list) {	482	list_for_each_entry(n, &ctx->names_list, list) {
492	addr = (unsigned long)n;	483	rc = audit_uid_comparator(uid, f->op, n->uid);
493	addr += name_offset;	484	if (rc)
494		485	return rc;
495	uid2 = (uid_t )addr;	486	}
		487	}
		488	return 0;
		489	}
496		490
497	rc = audit_comparator(uid1, f->op, uid2);	491	static int audit_compare_gid(kgid_t gid,
		492	struct audit_names *name,
		493	struct audit_field *f,
		494	struct audit_context *ctx)
		495	{
		496	struct audit_names *n;
		497	int rc;
		498
		499	if (name) {
		500	rc = audit_gid_comparator(gid, f->op, name->gid);
		501	if (rc)
		502	return rc;
		503	}
		504
		505	if (ctx) {
		506	list_for_each_entry(n, &ctx->names_list, list) {
		507	rc = audit_gid_comparator(gid, f->op, n->gid);
498	if (rc)	508	if (rc)
499	return rc;	509	return rc;
500	}	510	}
@@ -511,80 +521,62 @@ static int audit_field_compare(struct task_struct *tsk,
511	switch (f->val) {	521	switch (f->val) {
512	/* process to file object comparisons */	522	/* process to file object comparisons */
513	case AUDIT_COMPARE_UID_TO_OBJ_UID:	523	case AUDIT_COMPARE_UID_TO_OBJ_UID:
514	return audit_compare_id(cred->uid,	524	return audit_compare_uid(cred->uid, name, f, ctx);
515	name, offsetof(struct audit_names, uid),
516	f, ctx);
517	case AUDIT_COMPARE_GID_TO_OBJ_GID:	525	case AUDIT_COMPARE_GID_TO_OBJ_GID:
518	return audit_compare_id(cred->gid,	526	return audit_compare_gid(cred->gid, name, f, ctx);
519	name, offsetof(struct audit_names, gid),
520	f, ctx);
521	case AUDIT_COMPARE_EUID_TO_OBJ_UID:	527	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
522	return audit_compare_id(cred->euid,	528	return audit_compare_uid(cred->euid, name, f, ctx);
523	name, offsetof(struct audit_names, uid),
524	f, ctx);
525	case AUDIT_COMPARE_EGID_TO_OBJ_GID:	529	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
526	return audit_compare_id(cred->egid,	530	return audit_compare_gid(cred->egid, name, f, ctx);
527	name, offsetof(struct audit_names, gid),
528	f, ctx);
529	case AUDIT_COMPARE_AUID_TO_OBJ_UID:	531	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
530	return audit_compare_id(tsk->loginuid,	532	return audit_compare_uid(tsk->loginuid, name, f, ctx);
531	name, offsetof(struct audit_names, uid),
532	f, ctx);
533	case AUDIT_COMPARE_SUID_TO_OBJ_UID:	533	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
534	return audit_compare_id(cred->suid,	534	return audit_compare_uid(cred->suid, name, f, ctx);
535	name, offsetof(struct audit_names, uid),
536	f, ctx);
537	case AUDIT_COMPARE_SGID_TO_OBJ_GID:	535	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
538	return audit_compare_id(cred->sgid,	536	return audit_compare_gid(cred->sgid, name, f, ctx);
539	name, offsetof(struct audit_names, gid),
540	f, ctx);
541	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:	537	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
542	return audit_compare_id(cred->fsuid,	538	return audit_compare_uid(cred->fsuid, name, f, ctx);
543	name, offsetof(struct audit_names, uid),
544	f, ctx);
545	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:	539	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
546	return audit_compare_id(cred->fsgid,	540	return audit_compare_gid(cred->fsgid, name, f, ctx);
547	name, offsetof(struct audit_names, gid),
548	f, ctx);
549	/* uid comparisons */	541	/* uid comparisons */
550	case AUDIT_COMPARE_UID_TO_AUID:	542	case AUDIT_COMPARE_UID_TO_AUID:
551	return audit_comparator(cred->uid, f->op, tsk->loginuid);	543	return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
552	case AUDIT_COMPARE_UID_TO_EUID:	544	case AUDIT_COMPARE_UID_TO_EUID:
553	return audit_comparator(cred->uid, f->op, cred->euid);	545	return audit_uid_comparator(cred->uid, f->op, cred->euid);
554	case AUDIT_COMPARE_UID_TO_SUID:	546	case AUDIT_COMPARE_UID_TO_SUID:
555	return audit_comparator(cred->uid, f->op, cred->suid);	547	return audit_uid_comparator(cred->uid, f->op, cred->suid);
556	case AUDIT_COMPARE_UID_TO_FSUID:	548	case AUDIT_COMPARE_UID_TO_FSUID:
557	return audit_comparator(cred->uid, f->op, cred->fsuid);	549	return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
558	/* auid comparisons */	550	/* auid comparisons */
559	case AUDIT_COMPARE_AUID_TO_EUID:	551	case AUDIT_COMPARE_AUID_TO_EUID:
560	return audit_comparator(tsk->loginuid, f->op, cred->euid);	552	return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
561	case AUDIT_COMPARE_AUID_TO_SUID:	553	case AUDIT_COMPARE_AUID_TO_SUID:
562	return audit_comparator(tsk->loginuid, f->op, cred->suid);	554	return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
563	case AUDIT_COMPARE_AUID_TO_FSUID:	555	case AUDIT_COMPARE_AUID_TO_FSUID:
564	return audit_comparator(tsk->loginuid, f->op, cred->fsuid);	556	return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
565	/* euid comparisons */	557	/* euid comparisons */
566	case AUDIT_COMPARE_EUID_TO_SUID:	558	case AUDIT_COMPARE_EUID_TO_SUID:
567	return audit_comparator(cred->euid, f->op, cred->suid);	559	return audit_uid_comparator(cred->euid, f->op, cred->suid);
568	case AUDIT_COMPARE_EUID_TO_FSUID:	560	case AUDIT_COMPARE_EUID_TO_FSUID:
569	return audit_comparator(cred->euid, f->op, cred->fsuid);	561	return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
570	/* suid comparisons */	562	/* suid comparisons */
571	case AUDIT_COMPARE_SUID_TO_FSUID:	563	case AUDIT_COMPARE_SUID_TO_FSUID:
572	return audit_comparator(cred->suid, f->op, cred->fsuid);	564	return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
573	/* gid comparisons */	565	/* gid comparisons */
574	case AUDIT_COMPARE_GID_TO_EGID:	566	case AUDIT_COMPARE_GID_TO_EGID:
575	return audit_comparator(cred->gid, f->op, cred->egid);	567	return audit_gid_comparator(cred->gid, f->op, cred->egid);
576	case AUDIT_COMPARE_GID_TO_SGID:	568	case AUDIT_COMPARE_GID_TO_SGID:
577	return audit_comparator(cred->gid, f->op, cred->sgid);	569	return audit_gid_comparator(cred->gid, f->op, cred->sgid);
578	case AUDIT_COMPARE_GID_TO_FSGID:	570	case AUDIT_COMPARE_GID_TO_FSGID:
579	return audit_comparator(cred->gid, f->op, cred->fsgid);	571	return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
580	/* egid comparisons */	572	/* egid comparisons */
581	case AUDIT_COMPARE_EGID_TO_SGID:	573	case AUDIT_COMPARE_EGID_TO_SGID:
582	return audit_comparator(cred->egid, f->op, cred->sgid);	574	return audit_gid_comparator(cred->egid, f->op, cred->sgid);
583	case AUDIT_COMPARE_EGID_TO_FSGID:	575	case AUDIT_COMPARE_EGID_TO_FSGID:
584	return audit_comparator(cred->egid, f->op, cred->fsgid);	576	return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
585	/* sgid comparison */	577	/* sgid comparison */
586	case AUDIT_COMPARE_SGID_TO_FSGID:	578	case AUDIT_COMPARE_SGID_TO_FSGID:
587	return audit_comparator(cred->sgid, f->op, cred->fsgid);	579	return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
588	default:	580	default:
589	WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");	581	WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
590	return 0;	582	return 0;
@@ -630,28 +622,28 @@ static int audit_filter_rules(struct task_struct *tsk,
630	}	622	}
631	break;	623	break;
632	case AUDIT_UID:	624	case AUDIT_UID:
633	result = audit_comparator(cred->uid, f->op, f->val);	625	result = audit_uid_comparator(cred->uid, f->op, f->uid);
634	break;	626	break;
635	case AUDIT_EUID:	627	case AUDIT_EUID:
636	result = audit_comparator(cred->euid, f->op, f->val);	628	result = audit_uid_comparator(cred->euid, f->op, f->uid);
637	break;	629	break;
638	case AUDIT_SUID:	630	case AUDIT_SUID:
639	result = audit_comparator(cred->suid, f->op, f->val);	631	result = audit_uid_comparator(cred->suid, f->op, f->uid);
640	break;	632	break;
641	case AUDIT_FSUID:	633	case AUDIT_FSUID:
642	result = audit_comparator(cred->fsuid, f->op, f->val);	634	result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
643	break;	635	break;
644	case AUDIT_GID:	636	case AUDIT_GID:
645	result = audit_comparator(cred->gid, f->op, f->val);	637	result = audit_gid_comparator(cred->gid, f->op, f->gid);
646	break;	638	break;
647	case AUDIT_EGID:	639	case AUDIT_EGID:
648	result = audit_comparator(cred->egid, f->op, f->val);	640	result = audit_gid_comparator(cred->egid, f->op, f->gid);
649	break;	641	break;
650	case AUDIT_SGID:	642	case AUDIT_SGID:
651	result = audit_comparator(cred->sgid, f->op, f->val);	643	result = audit_gid_comparator(cred->sgid, f->op, f->gid);
652	break;	644	break;
653	case AUDIT_FSGID:	645	case AUDIT_FSGID:
654	result = audit_comparator(cred->fsgid, f->op, f->val);	646	result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
655	break;	647	break;
656	case AUDIT_PERS:	648	case AUDIT_PERS:
657	result = audit_comparator(tsk->personality, f->op, f->val);	649	result = audit_comparator(tsk->personality, f->op, f->val);
@@ -717,10 +709,10 @@ static int audit_filter_rules(struct task_struct *tsk,
717	break;	709	break;
718	case AUDIT_OBJ_UID:	710	case AUDIT_OBJ_UID:
719	if (name) {	711	if (name) {
720	result = audit_comparator(name->uid, f->op, f->val);	712	result = audit_uid_comparator(name->uid, f->op, f->uid);
721	} else if (ctx) {	713	} else if (ctx) {
722	list_for_each_entry(n, &ctx->names_list, list) {	714	list_for_each_entry(n, &ctx->names_list, list) {
723	if (audit_comparator(n->uid, f->op, f->val)) {	715	if (audit_uid_comparator(n->uid, f->op, f->uid)) {
724	++result;	716	++result;
725	break;	717	break;
726	}	718	}
@@ -729,10 +721,10 @@ static int audit_filter_rules(struct task_struct *tsk,
729	break;	721	break;
730	case AUDIT_OBJ_GID:	722	case AUDIT_OBJ_GID:
731	if (name) {	723	if (name) {
732	result = audit_comparator(name->gid, f->op, f->val);	724	result = audit_gid_comparator(name->gid, f->op, f->gid);
733	} else if (ctx) {	725	} else if (ctx) {
734	list_for_each_entry(n, &ctx->names_list, list) {	726	list_for_each_entry(n, &ctx->names_list, list) {
735	if (audit_comparator(n->gid, f->op, f->val)) {	727	if (audit_gid_comparator(n->gid, f->op, f->gid)) {
736	++result;	728	++result;
737	break;	729	break;
738	}	730	}
@@ -750,7 +742,7 @@ static int audit_filter_rules(struct task_struct *tsk,
750	case AUDIT_LOGINUID:	742	case AUDIT_LOGINUID:
751	result = 0;	743	result = 0;
752	if (ctx)	744	if (ctx)
753	result = audit_comparator(tsk->loginuid, f->op, f->val);	745	result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
754	break;	746	break;
755	case AUDIT_SUBJ_USER:	747	case AUDIT_SUBJ_USER:
756	case AUDIT_SUBJ_ROLE:	748	case AUDIT_SUBJ_ROLE: