audit: allow interfield comparison in audit rules
We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
parent
29ef73b7a8
commit
02d86a568c
@ -182,7 +182,10 @@
|
||||
* AUDIT_UNUSED_BITS is updated if need be. */
|
||||
#define AUDIT_UNUSED_BITS 0x07FFFC00
|
||||
|
||||
/* AUDIT_FIELD_COMPARE rule list */
|
||||
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
|
||||
|
||||
#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID
|
||||
/* Rule fields */
|
||||
/* These are useful when checking the
|
||||
* task structure at task creation time
|
||||
@ -225,6 +228,7 @@
|
||||
#define AUDIT_FILETYPE 108
|
||||
#define AUDIT_OBJ_UID 109
|
||||
#define AUDIT_OBJ_GID 110
|
||||
#define AUDIT_FIELD_COMPARE 111
|
||||
|
||||
#define AUDIT_ARG0 200
|
||||
#define AUDIT_ARG1 (AUDIT_ARG0+1)
|
||||
|
@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
|
||||
goto exit_free;
|
||||
break;
|
||||
case AUDIT_FILTERKEY:
|
||||
err = -EINVAL;
|
||||
if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
|
||||
goto exit_free;
|
||||
str = audit_unpack_string(&bufp, &remain, f->val);
|
||||
@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
|
||||
if (f->val & ~S_IFMT)
|
||||
goto exit_free;
|
||||
break;
|
||||
case AUDIT_FIELD_COMPARE:
|
||||
if (f->val > AUDIT_MAX_FIELD_COMPARE)
|
||||
goto exit_free;
|
||||
break;
|
||||
default:
|
||||
goto exit_free;
|
||||
}
|
||||
|
@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int audit_field_compare(struct task_struct *tsk,
|
||||
const struct cred *cred,
|
||||
struct audit_field *f,
|
||||
struct audit_context *ctx,
|
||||
struct audit_names *name)
|
||||
{
|
||||
struct audit_names *n;
|
||||
|
||||
switch (f->val) {
|
||||
case AUDIT_COMPARE_UID_TO_OBJ_UID:
|
||||
if (name) {
|
||||
return audit_comparator(cred->uid, f->op, name->uid);
|
||||
} else if (ctx) {
|
||||
list_for_each_entry(n, &ctx->names_list, list) {
|
||||
if (audit_comparator(cred->uid, f->op, n->uid))
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
default:
|
||||
WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
|
||||
return 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Determine if any context name data matches a rule's watch data */
|
||||
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
|
||||
* otherwise.
|
||||
@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk,
|
||||
case AUDIT_FILETYPE:
|
||||
result = audit_match_filetype(ctx, f->val);
|
||||
break;
|
||||
case AUDIT_FIELD_COMPARE:
|
||||
result = audit_field_compare(tsk, cred, f, ctx, name);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!result)
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user