audit: allow interfield comparison in audit rules

We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com>
author: Eric Paris <eparis@redhat.com> 2012-01-03 14:23:08 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:17:01 -0500
commit: 02d86a568c6d2d335256864451ac8ce781bc5652 (patch)
tree: 3ef085bd96cc79733cff28993379dbbd4b855813 /kernel
parent: 29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff)
2 files changed, 33 insertions, 2 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f10605c787e6..a6c3f1abd206 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                                goto exit_free;
                        break;
                case AUDIT_FILTERKEY:
-                        err = -EINVAL;
                        if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
                                goto exit_free;
                        str = audit_unpack_string(&bufp, &remain, f->val);
@@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                        if (f->val & ~S_IFMT)
                                goto exit_free;
                        break;
+                case AUDIT_FIELD_COMPARE:
+                        if (f->val > AUDIT_MAX_FIELD_COMPARE)
+                                goto exit_free;
+                        break;
                default:
                        goto exit_free;
                }
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9161e70a4379..8fb2c8e6d624 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
        return 0;
 }
+static int audit_field_compare(struct task_struct *tsk,
+                               const struct cred *cred,
+                               struct audit_field *f,
+                               struct audit_context *ctx,
+                               struct audit_names *name)
+{
+        struct audit_names *n;
+        switch (f->val) {
+        case AUDIT_COMPARE_UID_TO_OBJ_UID:
+                if (name) {
+                        return audit_comparator(cred->uid, f->op, name->uid);
+                } else if (ctx) {
+                        list_for_each_entry(n, &ctx->names_list, list) {
+                                if (audit_comparator(cred->uid, f->op, n->uid))
+                                        return 1;
+                        }
+                }
+                break;
+        default:
+                WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
+                return 0;
+        }
+        return 0;
+}
 /* Determine if any context name data matches a rule's watch data */
 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise.
@@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_FILETYPE:
                        result = audit_match_filetype(ctx, f->val);
                        break;
+                case AUDIT_FIELD_COMPARE:
+                        result = audit_field_compare(tsk, cred, f, ctx, name);
+                        break;
                }
                if (!result)
                        return 0;
        }
author	Eric Paris <eparis@redhat.com>	2012-01-03 14:23:08 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-01-17 16:17:01 -0500
commit	02d86a568c6d2d335256864451ac8ce781bc5652 (patch)
tree	3ef085bd96cc79733cff28993379dbbd4b855813 /kernel
parent	29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f10605c787e6..a6c3f1abd206 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -526,7 +526,6 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
526	goto exit_free;	526	goto exit_free;
527	break;	527	break;
528	case AUDIT_FILTERKEY:	528	case AUDIT_FILTERKEY:
529	err = -EINVAL;
530	if (entry->rule.filterkey \|\| f->val > AUDIT_MAX_KEY_LEN)	529	if (entry->rule.filterkey \|\| f->val > AUDIT_MAX_KEY_LEN)
531	goto exit_free;	530	goto exit_free;
532	str = audit_unpack_string(&bufp, &remain, f->val);	531	str = audit_unpack_string(&bufp, &remain, f->val);
@@ -543,6 +542,10 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
543	if (f->val & ~S_IFMT)	542	if (f->val & ~S_IFMT)
544	goto exit_free;	543	goto exit_free;
545	break;	544	break;
		545	case AUDIT_FIELD_COMPARE:
		546	if (f->val > AUDIT_MAX_FIELD_COMPARE)
		547	goto exit_free;
		548	break;
546	default:	549	default:
547	goto exit_free;	550	goto exit_free;
548	}	551	}


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9161e70a4379..8fb2c8e6d624 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context ctx, struct audit_tree tree)
463	return 0;	463	return 0;
464	}	464	}
465		465
		466	static int audit_field_compare(struct task_struct *tsk,
		467	const struct cred *cred,
		468	struct audit_field *f,
		469	struct audit_context *ctx,
		470	struct audit_names *name)
		471	{
		472	struct audit_names *n;
		473
		474	switch (f->val) {
		475	case AUDIT_COMPARE_UID_TO_OBJ_UID:
		476	if (name) {
		477	return audit_comparator(cred->uid, f->op, name->uid);
		478	} else if (ctx) {
		479	list_for_each_entry(n, &ctx->names_list, list) {
		480	if (audit_comparator(cred->uid, f->op, n->uid))
		481	return 1;
		482	}
		483	}
		484	break;
		485	default:
		486	WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
		487	return 0;
		488	}
		489	return 0;
		490	}
		491
466	/* Determine if any context name data matches a rule's watch data */	492	/* Determine if any context name data matches a rule's watch data */
467	/* Compare a task_struct with an audit_rule. Return 1 on match, 0	493	/* Compare a task_struct with an audit_rule. Return 1 on match, 0
468	* otherwise.	494	* otherwise.
@@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk,
693	case AUDIT_FILETYPE:	719	case AUDIT_FILETYPE:
694	result = audit_match_filetype(ctx, f->val);	720	result = audit_match_filetype(ctx, f->val);
695	break;	721	break;
		722	case AUDIT_FIELD_COMPARE:
		723	result = audit_field_compare(tsk, cred, f, ctx, name);
		724	break;
696	}	725	}
697
698	if (!result)	726	if (!result)
699	return 0;	727	return 0;
700	}	728	}