Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.3.5 2012-01-17T21:17:03Z 2012-01-17T21:17:03Z Peter Moody pmoody@google.com 2012-01-04T20:24:31Z urn:sha1:10d68360871657204885371cdf2594412675d2f9 This allows audit to specify rules in which we compare two fields of a process. Such as is the running process uid != to the running process euid? Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:17:02Z Peter Moody pmoody@google.com 2011-12-14T00:17:51Z urn:sha1:4a6633ed08af5ba67790b4d1adcdeb8ceb55677e This completes the matrix of interfield comparisons between uid/gid information for the current task and the uid/gid information for inodes. aka I can audit based on differences between the euid of the process and the uid of fs objects. Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:17:02Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:c9fe685f7a17a0ee8bf3fbe51e40b1c8b8e65896 Allow audit rules to compare the gid of the running task to the gid of the inode in question. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:17:01Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:02d86a568c6d2d335256864451ac8ce781bc5652 We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:17:00Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:0a300be6d5be8f66cd96609334710c268d0bfdce The function always deals with current. Don't expose an option pretending one can use it for something. You can't. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:16:59Z Eric Paris eparis@redhat.com 2012-01-03T19:23:07Z urn:sha1:54d3218b31aee5bc9c859ae60fbde933d922448b Much like the ability to filter audit on the uid of an inode collected, we should be able to filter on the gid of the inode. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:16:59Z Eric Paris eparis@redhat.com 2012-01-03T19:23:07Z urn:sha1:efaffd6e4417860c67576ac760dd6e8bbd15f006 Allow syscall exit filter matching based on the uid of the owner of an inode used in a syscall. aka: auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:16:59Z Eric Paris eparis@redhat.com 2012-01-03T19:23:07Z urn:sha1:6422e78de6880c66a82af512d9bd0c85eb62e661 Audit entry,always rules are not allowed and are automatically changed in exit,always rules in userspace. The kernel refuses to load such rules. Thus a task in the middle of a syscall (and thus in audit_finish_fork()) can only be in one of two states: AUDIT_BUILD_CONTEXT or AUDIT_DISABLED. Since the current task cannot be in AUDIT_RECORD_CONTEXT we aren't every going to actually use the code in audit_finish_fork() since it will return without doing anything. Thus drop the code. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:16:58Z Eric Paris eparis@redhat.com 2012-01-03T19:23:07Z urn:sha1:a4ff8dba7d8ce5ceb43fb27df66292251cc73bdc make the conditional a static inline instead of doing it in generic code. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-01-17T21:16:58Z Eric Paris eparis@redhat.com 2012-01-03T19:23:07Z urn:sha1:38cdce53daa0408a61fe6d86fe48f31515c9b840 unused. deleted. Signed-off-by: Eric Paris <eparis@redhat.com>