
[PATCH] audit: support for object context filters

This patch introduces object audit filters based on the elements
of the SELinux context.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

kernel/auditfilter.c | 25 +++++++++++++++++++++++++
kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 18 +++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

authored by

Darrel Goeddel and committed by
Al Viro
6e5a2d1d 3a6b9f85

+82 -1
+25
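--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -475,6 +475,11 @@
 		case AUDIT_SUBJ_TYPE:
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
 			str = audit_unpack_string(&bufp, &remain, f->val);
 			if (IS_ERR(str))
 				goto exit_free;
@@ -621,6 +616,11 @@
 		case AUDIT_SUBJ_TYPE:
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
 			data->buflen += data->values[i] =
 				audit_pack_string(&bufp, f->se_str);
 			break;
@@ -669,6 +659,11 @@
 		case AUDIT_SUBJ_TYPE:
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
 			if (strcmp(a->fields[i].se_str, b->fields[i].se_str))
 				return 1;
 			break;
@@ -794,6 +779,11 @@
 		case AUDIT_SUBJ_TYPE:
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
 			err = audit_dupe_selinux_field(&new->fields[i],
 						       &old->fields[i]);
 			break;
@@ -1562,6 +1542,11 @@
 		case AUDIT_SUBJ_TYPE:
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
 			return 1;
 		}
 	}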
+40
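--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -342,6 +342,46 @@
 								  ctx);
 			}
 			break;
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
+			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
+			   also applies here */
+			if (f->se_rule) {
+				/* Find files that match */
+				if (name) {
+					result = selinux_audit_rule_match(
+					           name->osid, f->type, f->op,
+					           f->se_rule, ctx);
+				} else if (ctx) {
+					for (j = 0; j < ctx->name_count; j++) {
+						if (selinux_audit_rule_match(
+						      ctx->names[j].osid,
+						      f->type, f->op,
+						      f->se_rule, ctx)) {
+							++result;
+							break;
+						}
+					}
+				}
+				/* Find ipc objects that match */
+				if (ctx) {
+					struct audit_aux_data *aux;
+					for (aux = ctx->aux; aux;
+					     aux = aux->next) {
+						if (aux->type == AUDIT_IPC) {
+							struct audit_aux_data_ipcctl *axi = (void *)aux;
+							if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {
+								++result;
+								break;
+							}
+						}
+					}
+				}
+			}
+			break;
 		case AUDIT_ARG0:
 		case AUDIT_ARG1:
 		case AUDIT_ARG2: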
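Review bot: The IPC match at new line 376 packs the whole selinux_audit_rule_match() call onto one line far past 80 columns at five levels of nesting, while the file match a few lines above wraps its arguments; for consistency with the rest of the hunk and with checkpatch it should be split the same way, `if (selinux_audit_rule_match(axi->osid, f->type,` / `                             f->op, f->se_rule, ctx)) {`. When `name` is set, `result` is assigned the raw return value rather than incremented, so a negative (error) return is stored as-is; that is what the comment at the top of the case refers to, but a short in-place comment such as `/* negative (error) returns count as a match, see above */` would spare the reader the cross-reference. The loop variable j, the result accumulator and the enclosing switch all start outside this hunk; if j is not already declared in this function the names loop will not compile, which I cannot confirm from the hunk alone.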
+17 -1
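--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1848,12 +1848,17 @@
 	case AUDIT_SUBJ_USER:
 	case AUDIT_SUBJ_ROLE:
 	case AUDIT_SUBJ_TYPE:
+	case AUDIT_OBJ_USER:
+	case AUDIT_OBJ_ROLE:
+	case AUDIT_OBJ_TYPE:
 		/* only 'equals' and 'not equals' fit user, role, and type */
 		if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
 			return -EINVAL;
 		break;
 	case AUDIT_SUBJ_SEN:
 	case AUDIT_SUBJ_CLR:
+	case AUDIT_OBJ_LEV_LOW:
+	case AUDIT_OBJ_LEV_HIGH:
 		/* we do not allow a range, indicated by the presense of '-' */
 		if (strchr(rulestr, '-'))
 			return -EINVAL;
@@ -1880,6 +1875,7 @@
 
 	switch (field) {
 	case AUDIT_SUBJ_USER:
+	case AUDIT_OBJ_USER:
 		userdatum = hashtab_search(policydb.p_users.table, rulestr);
 		if (!userdatum)
 			rc = -EINVAL;
@@ -1888,6 +1882,7 @@
 			tmprule->au_ctxt.user = userdatum->value;
 		break;
 	case AUDIT_SUBJ_ROLE:
+	case AUDIT_OBJ_ROLE:
 		roledatum = hashtab_search(policydb.p_roles.table, rulestr);
 		if (!roledatum)
 			rc = -EINVAL;
@@ -1896,6 +1889,7 @@
 			tmprule->au_ctxt.role = roledatum->value;
 		break;
 	case AUDIT_SUBJ_TYPE:
+	case AUDIT_OBJ_TYPE:
 		typedatum = hashtab_search(policydb.p_types.table, rulestr);
 		if (!typedatum)
 			rc = -EINVAL;
@@ -1905,6 +1897,8 @@
 		break;
 	case AUDIT_SUBJ_SEN:
 	case AUDIT_SUBJ_CLR:
+	case AUDIT_OBJ_LEV_LOW:
+	case AUDIT_OBJ_LEV_HIGH:
 		rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
 		break;
 	}
@@ -1959,6 +1949,7 @@
 	   without a match */
 	switch (field) {
 	case AUDIT_SUBJ_USER:
+	case AUDIT_OBJ_USER:
 		switch (op) {
 		case AUDIT_EQUAL:
 			match = (ctxt->user == rule->au_ctxt.user);
@@ -1970,6 +1959,7 @@
 		}
 		break;
 	case AUDIT_SUBJ_ROLE:
+	case AUDIT_OBJ_ROLE:
 		switch (op) {
 		case AUDIT_EQUAL:
 			match = (ctxt->role == rule->au_ctxt.role);
@@ -1981,6 +1969,7 @@
 		}
 		break;
 	case AUDIT_SUBJ_TYPE:
+	case AUDIT_OBJ_TYPE:
 		switch (op) {
 		case AUDIT_EQUAL:
 			match = (ctxt->type == rule->au_ctxt.type);
@@ -1993,7 +1980,10 @@
 		break;
 	case AUDIT_SUBJ_SEN:
 	case AUDIT_SUBJ_CLR:
-		level = (field == AUDIT_SUBJ_SEN ?
+	case AUDIT_OBJ_LEV_LOW:
+	case AUDIT_OBJ_LEV_HIGH:
+		level = ((field == AUDIT_SUBJ_SEN ||
+			  field == AUDIT_OBJ_LEV_LOW) ?
 			 &ctxt->range.level[0] : &ctxt->range.level[1]);
 		switch (op) {
 		case AUDIT_EQUAL: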
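Review bot: In the last hunk the new condition `(field == AUDIT_SUBJ_SEN || field == AUDIT_OBJ_LEV_LOW)` silently encodes which object field tests which end of the range, and nothing nearby states it; a one-line comment before the assignment, `/* SEN/OBJ_LEV_LOW test the low level, CLR/OBJ_LEV_HIGH the high level */`, would make the pairing explicit for the next person adding a field. The same pairing is assumed in the first hunk, where OBJ_LEV_LOW and OBJ_LEV_HIGH join SEN and CLR in the single-level (no '-') check, so the two sites should be kept in step. Both enclosing functions start and end outside the hunks shown.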