[PATCH] audit: AUDIT_PERM support

add support for AUDIT_PERM predicate Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2006-08-31 19:26:40 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2006-09-11 13:32:30 -0400
commit: 55669bfa141b488be865341ed12e188967d11308 (patch)
tree: efeec37a93f46c48937eb849c083da9a42ed3709 /kernel
parent: dc104fb3231f11e95b5a0f09ae3ab27a8fd5b2e8 (diff)
3 files changed, 69 insertions, 0 deletions
diff --git a/kernel/audit.h b/kernel/audit.h
index 6aa33b848cf2..a3370232a390 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -104,6 +104,7 @@ static inline int audit_hash_ino(u32 ino)
        return (ino & (AUDIT_INODE_BUCKETS-1));
 }
+extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
                                    int *dirlen);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index e4cafc11c510..a44879b0c72f 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -302,6 +302,15 @@ int __init audit_register_class(int class, unsigned *list)
        return 0;
 }
+int audit_match_class(int class, unsigned syscall)
+{
+        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
+                return 0;
+        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
+                return 0;
+        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
+}
 /* Common user-space to kernel rule translation. */
 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 {
@@ -414,6 +423,10 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_ARG2:
                case AUDIT_ARG3:
                        break;
+                case AUDIT_PERM:
+                        if (f->val & ~15)
+                                goto exit_free;
+                        break;
                case AUDIT_INODE:
                        err = audit_to_inode(&entry->rule, f);
                        if (err)
@@ -568,6 +581,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                        entry->rule.buflen += f->val;
                        entry->rule.filterkey = str;
                        break;
+                case AUDIT_PERM:
+                        if (f->val & ~15)
+                                goto exit_free;
+                        break;
                default:
                        goto exit_free;
                }
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index efc1b74bebf3..1bd8827a0102 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -209,6 +209,54 @@ struct audit_context {
 #endif
 };
+#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
+static inline int open_arg(int flags, int mask)
+{
+        int n = ACC_MODE(flags);
+        if (flags & (O_TRUNC | O_CREAT))
+                n |= AUDIT_PERM_WRITE;
+        return n & mask;
+}
+static int audit_match_perm(struct audit_context *ctx, int mask)
+{
+        unsigned n = ctx->major;
+        switch (audit_classify_syscall(ctx->arch, n)) {
+        case 0: /* native */
+                if ((mask & AUDIT_PERM_WRITE) &&
+                     audit_match_class(AUDIT_CLASS_WRITE, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_READ) &&
+                     audit_match_class(AUDIT_CLASS_READ, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_ATTR) &&
+                     audit_match_class(AUDIT_CLASS_CHATTR, n))
+                        return 1;
+                return 0;
+        case 1: /* 32bit on biarch */
+                if ((mask & AUDIT_PERM_WRITE) &&
+                     audit_match_class(AUDIT_CLASS_WRITE_32, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_READ) &&
+                     audit_match_class(AUDIT_CLASS_READ_32, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_ATTR) &&
+                     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
+                        return 1;
+                return 0;
+        case 2: /* open */
+                return mask & ACC_MODE(ctx->argv[1]);
+        case 3: /* openat */
+                return mask & ACC_MODE(ctx->argv[2]);
+        case 4: /* socketcall */
+                return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
+        case 5: /* execve */
+                return mask & AUDIT_PERM_EXEC;
+        default:
+                return 0;
+        }
+}
 /* Determine if any context name data matches a rule's watch data */
 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
@@ -397,6 +445,9 @@ static int audit_filter_rules(struct task_struct *tsk,
                        /* ignore this field for filtering */
                        result = 1;
                        break;
+                case AUDIT_PERM:
+                        result = audit_match_perm(ctx, f->val);
+                        break;
                }
                if (!result)
author	Al Viro <viro@zeniv.linux.org.uk>	2006-08-31 19:26:40 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2006-09-11 13:32:30 -0400
commit	55669bfa141b488be865341ed12e188967d11308 (patch)
tree	efeec37a93f46c48937eb849c083da9a42ed3709 /kernel
parent	dc104fb3231f11e95b5a0f09ae3ab27a8fd5b2e8 (diff)

diff --git a/kernel/audit.h b/kernel/audit.h index 6aa33b848cf2..a3370232a390 100644 --- a/kernel/audit.h +++ b/kernel/audit.h
@@ -104,6 +104,7 @@ static inline int audit_hash_ino(u32 ino)
104	return (ino & (AUDIT_INODE_BUCKETS-1));	104	return (ino & (AUDIT_INODE_BUCKETS-1));
105	}	105	}
106		106
		107	extern int audit_match_class(int class, unsigned syscall);
107	extern int audit_comparator(const u32 left, const u32 op, const u32 right);	108	extern int audit_comparator(const u32 left, const u32 op, const u32 right);
108	extern int audit_compare_dname_path(const char dname, const char path,	109	extern int audit_compare_dname_path(const char dname, const char path,
109	int *dirlen);	110	int *dirlen);


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e4cafc11c510..a44879b0c72f 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -302,6 +302,15 @@ int __init audit_register_class(int class, unsigned *list)
302	return 0;	302	return 0;
303	}	303	}
304		304
		305	int audit_match_class(int class, unsigned syscall)
		306	{
		307	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
		308	return 0;
		309	if (unlikely(class >= AUDIT_SYSCALL_CLASSES \|\| !classes[class]))
		310	return 0;
		311	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
		312	}
		313
305	/* Common user-space to kernel rule translation. */	314	/* Common user-space to kernel rule translation. */
306	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)	315	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
307	{	316	{
@@ -414,6 +423,10 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
414	case AUDIT_ARG2:	423	case AUDIT_ARG2:
415	case AUDIT_ARG3:	424	case AUDIT_ARG3:
416	break;	425	break;
		426	case AUDIT_PERM:
		427	if (f->val & ~15)
		428	goto exit_free;
		429	break;
417	case AUDIT_INODE:	430	case AUDIT_INODE:
418	err = audit_to_inode(&entry->rule, f);	431	err = audit_to_inode(&entry->rule, f);
419	if (err)	432	if (err)
@@ -568,6 +581,10 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
568	entry->rule.buflen += f->val;	581	entry->rule.buflen += f->val;
569	entry->rule.filterkey = str;	582	entry->rule.filterkey = str;
570	break;	583	break;
		584	case AUDIT_PERM:
		585	if (f->val & ~15)
		586	goto exit_free;
		587	break;
571	default:	588	default:
572	goto exit_free;	589	goto exit_free;
573	}	590	}


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index efc1b74bebf3..1bd8827a0102 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -209,6 +209,54 @@ struct audit_context {
209	#endif	209	#endif
210	};	210	};
211		211
		212	#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
		213	static inline int open_arg(int flags, int mask)
		214	{
		215	int n = ACC_MODE(flags);
		216	if (flags & (O_TRUNC \| O_CREAT))
		217	n \|= AUDIT_PERM_WRITE;
		218	return n & mask;
		219	}
		220
		221	static int audit_match_perm(struct audit_context *ctx, int mask)
		222	{
		223	unsigned n = ctx->major;
		224	switch (audit_classify_syscall(ctx->arch, n)) {
		225	case 0: /* native */
		226	if ((mask & AUDIT_PERM_WRITE) &&
		227	audit_match_class(AUDIT_CLASS_WRITE, n))
		228	return 1;
		229	if ((mask & AUDIT_PERM_READ) &&
		230	audit_match_class(AUDIT_CLASS_READ, n))
		231	return 1;
		232	if ((mask & AUDIT_PERM_ATTR) &&
		233	audit_match_class(AUDIT_CLASS_CHATTR, n))
		234	return 1;
		235	return 0;
		236	case 1: /* 32bit on biarch */
		237	if ((mask & AUDIT_PERM_WRITE) &&
		238	audit_match_class(AUDIT_CLASS_WRITE_32, n))
		239	return 1;
		240	if ((mask & AUDIT_PERM_READ) &&
		241	audit_match_class(AUDIT_CLASS_READ_32, n))
		242	return 1;
		243	if ((mask & AUDIT_PERM_ATTR) &&
		244	audit_match_class(AUDIT_CLASS_CHATTR_32, n))
		245	return 1;
		246	return 0;
		247	case 2: /* open */
		248	return mask & ACC_MODE(ctx->argv[1]);
		249	case 3: /* openat */
		250	return mask & ACC_MODE(ctx->argv[2]);
		251	case 4: /* socketcall */
		252	return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
		253	case 5: /* execve */
		254	return mask & AUDIT_PERM_EXEC;
		255	default:
		256	return 0;
		257	}
		258	}
		259
212	/* Determine if any context name data matches a rule's watch data */	260	/* Determine if any context name data matches a rule's watch data */
213	/* Compare a task_struct with an audit_rule. Return 1 on match, 0	261	/* Compare a task_struct with an audit_rule. Return 1 on match, 0
214	* otherwise. */	262	* otherwise. */
@@ -397,6 +445,9 @@ static int audit_filter_rules(struct task_struct *tsk,
397	/* ignore this field for filtering */	445	/* ignore this field for filtering */
398	result = 1;	446	result = 1;
399	break;	447	break;
		448	case AUDIT_PERM:
		449	result = audit_match_perm(ctx, f->val);
		450	break;
400	}	451	}
401		452
402	if (!result)	453	if (!result)