
audit: comparison on interprocess fields

This allows audit to specify rules in which we compare two fields of a
process, for example: is the running process's uid != the running
process's euid?

Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>

authored by

Peter Moody and committed by
Al Viro
10d68360 4a6633ed

+62 -1
+23 -1
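--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -193,7 +193,29 @@
 #define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
 #define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
 
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_FSGID_TO_OBJ_GID
+#define AUDIT_COMPARE_UID_TO_AUID 10
+#define AUDIT_COMPARE_UID_TO_EUID 11
+#define AUDIT_COMPARE_UID_TO_FSUID 12
+#define AUDIT_COMPARE_UID_TO_SUID 13
+
+#define AUDIT_COMPARE_AUID_TO_FSUID 14
+#define AUDIT_COMPARE_AUID_TO_SUID 15
+#define AUDIT_COMPARE_AUID_TO_EUID 16
+
+#define AUDIT_COMPARE_EUID_TO_SUID 17
+#define AUDIT_COMPARE_EUID_TO_FSUID 18
+
+#define AUDIT_COMPARE_SUID_TO_FSUID 19
+
+#define AUDIT_COMPARE_GID_TO_EGID 20
+#define AUDIT_COMPARE_GID_TO_FSGID 21
+#define AUDIT_COMPARE_GID_TO_SGID 22
+
+#define AUDIT_COMPARE_EGID_TO_FSGID 23
+#define AUDIT_COMPARE_EGID_TO_SGID 24
+#define AUDIT_COMPARE_SGID_TO_FSGID 25
+
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
 
 /* Rule fields */
 /* These are useful when checking the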
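Review bot: The new values 10–25 carry no comment that tells them apart from the `*_TO_OBJ_*` comparisons above them, which compare a task credential with a file attribute, whereas these compare two credentials of the same task. A one-line header such as `/* comparisons between two credentials of the same task */` before `AUDIT_COMPARE_UID_TO_AUID` would make that split visible to anyone writing rule tooling against this header. The numbering inside the groups is also not uniform (the uid group runs AUID, EUID, FSUID, SUID while the auid group runs FSUID, SUID, EUID); since these numbers are presumably supplied by userspace rule loaders, they cannot be tidied later, so the order is worth settling before release.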
+39
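--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -545,6 +545,45 @@
 return audit_compare_id(cred->fsgid,
 name, offsetof(struct audit_names, gid),
 f, ctx);
+/* uid comparisons */
+case AUDIT_COMPARE_UID_TO_AUID:
+return audit_comparator(cred->uid, f->op, tsk->loginuid);
+case AUDIT_COMPARE_UID_TO_EUID:
+return audit_comparator(cred->uid, f->op, cred->euid);
+case AUDIT_COMPARE_UID_TO_SUID:
+return audit_comparator(cred->uid, f->op, cred->suid);
+case AUDIT_COMPARE_UID_TO_FSUID:
+return audit_comparator(cred->uid, f->op, cred->fsuid);
+/* auid comparisons */
+case AUDIT_COMPARE_AUID_TO_EUID:
+return audit_comparator(tsk->loginuid, f->op, cred->euid);
+case AUDIT_COMPARE_AUID_TO_SUID:
+return audit_comparator(tsk->loginuid, f->op, cred->suid);
+case AUDIT_COMPARE_AUID_TO_FSUID:
+return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
+/* euid comparisons */
+case AUDIT_COMPARE_EUID_TO_SUID:
+return audit_comparator(cred->euid, f->op, cred->suid);
+case AUDIT_COMPARE_EUID_TO_FSUID:
+return audit_comparator(cred->euid, f->op, cred->fsuid);
+/* suid comparisons */
+case AUDIT_COMPARE_SUID_TO_FSUID:
+return audit_comparator(cred->suid, f->op, cred->fsuid);
+/* gid comparisons */
+case AUDIT_COMPARE_GID_TO_EGID:
+return audit_comparator(cred->gid, f->op, cred->egid);
+case AUDIT_COMPARE_GID_TO_SGID:
+return audit_comparator(cred->gid, f->op, cred->sgid);
+case AUDIT_COMPARE_GID_TO_FSGID:
+return audit_comparator(cred->gid, f->op, cred->fsgid);
+/* egid comparisons */
+case AUDIT_COMPARE_EGID_TO_SGID:
+return audit_comparator(cred->egid, f->op, cred->sgid);
+case AUDIT_COMPARE_EGID_TO_FSGID:
+return audit_comparator(cred->egid, f->op, cred->fsgid);
+/* sgid comparison */
+case AUDIT_COMPARE_SGID_TO_FSGID:
+return audit_comparator(cred->sgid, f->op, cred->fsgid);
 default:
 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
 return 0;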
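Review bot: `AUDIT_COMPARE_UID_TO_AUID` and the three `AUDIT_COMPARE_AUID_TO_*` cases hand `tsk->loginuid` straight to `audit_comparator()`, so a task whose login uid was never set is compared using whatever sentinel that field holds. If that sentinel is the usual all-ones value (not visible in this hunk), a rule such as uid != auid would match every process started outside a login session, and the resulting volume can bury the privilege-change events the rule was written to catch. I would document this above the auid cases, for example `/* loginuid may be unset; pair these rules with an auid filter */`. The enclosing switch and function begin and end outside the hunk.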