lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

audit: allow interfield comparison in audit rules

Browse Source 
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0.  Or vice versa.  This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared.  At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.

Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Eric Paris
2012-01-03 14:23:08 -05:00
committed by Al Viro
parent 29ef73b7a8
commit 02d86a568c
3 changed files with 37 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
kernel/auditfilter.c
View File

@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_free;
break;
case AUDIT_FILTERKEY:
err = -EINVAL;
if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
goto exit_free;
str = audit_unpack_string(&bufp, &remain, f->val);
@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (f->val & ~S_IFMT)
goto exit_free;
break;
case AUDIT_FIELD_COMPARE:
if (f->val > AUDIT_MAX_FIELD_COMPARE)
goto exit_free;
break;
default:
goto exit_free;
}