
audit: implement all object interfield comparisons

This completes the matrix of interfield comparisons between uid/gid
information for the current task and the uid/gid information for inodes.
aka I can audit based on differences between the euid of the process and
the uid of fs objects.

Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>

authored by

Peter Moody and committed by
Al Viro
4a6633ed c9fe685f

+38 -1
+9 -1
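--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -185,8 +185,16 @@
 /* AUDIT_FIELD_COMPARE rule list */
 #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
 #define AUDIT_COMPARE_GID_TO_OBJ_GID 2
+#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
+#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
+#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
+#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
+#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
+#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
+#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
 
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_FSGID_TO_OBJ_GID
+
 /* Rule fields */
 /* These are useful when checking the
 * task structure at task creation time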
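Review bot: `AUDIT_MAX_FIELD_COMPARE` is still kept by hand as an alias of the last constant, and nothing on the new lines says so, so the next comparison added can easily leave the bound stale. These numbers are the values the switch in kernel/auditsc.c tests against `f->val`, so they presumably belong to the rule interface shared with userspace and must never be renumbered. I would add above the bound: `/* Must alias the highest AUDIT_COMPARE_* value; values are rule ABI, append only. */`.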
+29
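--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -508,12 +508,41 @@
 struct audit_names *name)
 {
 switch (f->val) {
+/* process to file object comparisons */
 case AUDIT_COMPARE_UID_TO_OBJ_UID:
 return audit_compare_id(cred->uid,
 name, offsetof(struct audit_names, uid),
 f, ctx);
 case AUDIT_COMPARE_GID_TO_OBJ_GID:
 return audit_compare_id(cred->gid,
+name, offsetof(struct audit_names, gid),
+f, ctx);
+case AUDIT_COMPARE_EUID_TO_OBJ_UID:
+return audit_compare_id(cred->euid,
+name, offsetof(struct audit_names, uid),
+f, ctx);
+case AUDIT_COMPARE_EGID_TO_OBJ_GID:
+return audit_compare_id(cred->egid,
+name, offsetof(struct audit_names, gid),
+f, ctx);
+case AUDIT_COMPARE_AUID_TO_OBJ_UID:
+return audit_compare_id(tsk->loginuid,
+name, offsetof(struct audit_names, uid),
+f, ctx);
+case AUDIT_COMPARE_SUID_TO_OBJ_UID:
+return audit_compare_id(cred->suid,
+name, offsetof(struct audit_names, uid),
+f, ctx);
+case AUDIT_COMPARE_SGID_TO_OBJ_GID:
+return audit_compare_id(cred->sgid,
+name, offsetof(struct audit_names, gid),
+f, ctx);
+case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
+return audit_compare_id(cred->fsuid,
+name, offsetof(struct audit_names, uid),
+f, ctx);
+case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
+return audit_compare_id(cred->fsgid,
 name, offsetof(struct audit_names, gid),
 f, ctx);
 default: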
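Review bot: The `AUDIT_COMPARE_AUID_TO_OBJ_UID` case is the only one that reads `tsk->loginuid` rather than a `cred` field, and a task with no login session normally carries the unset loginuid value there. As far as this hunk shows, that sentinel is passed straight to `audit_compare_id`, so a not-equal rule would match essentially every file access by daemons and kernel threads, and an equal rule could only match objects owned by the sentinel uid. A comment on the case would spare rule authors the surprise: `/* loginuid may be unset ((uid_t)-1); != rules then match all tasks without a login session */`. The function begins and ends outside the hunk, so the `default:` handling could not be checked.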