Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 74c3cbe3 authored Jul 22, 2007 by Al Viro

[PATCH] audit: watching subtrees



New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is.  Limitations:
	* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
	* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
	* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there.  New command
tells audit to recalculate the trees, trimming such sources of false
positives.

Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 455434d4

fs/dcache.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -38,7 +38,7 @@ int sysctl_vfs_cache_pressure __read_mostly = 100;
		EXPORT_SYMBOL_GPL(sysctl_vfs_cache_pressure);

		__cacheline_aligned_in_smp DEFINE_SPINLOCK(dcache_lock);
		static __cacheline_aligned_in_smp DEFINE_SEQLOCK(rename_lock);
		__cacheline_aligned_in_smp DEFINE_SEQLOCK(rename_lock);

		EXPORT_SYMBOL(dcache_lock);

include/linux/audit.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -63,6 +63,8 @@
		#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */
		#define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */
		#define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */
		#define AUDIT_TRIM 1014 /* Trim junk from watched tree */
		#define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */
		#define AUDIT_TTY_GET 1016 /* Get TTY auditing status */
		#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */

		@@ -203,6 +205,7 @@
		#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
		#define AUDIT_WATCH 105
		#define AUDIT_PERM 106
		#define AUDIT_DIR 107

		#define AUDIT_ARG0 200
		#define AUDIT_ARG1 (AUDIT_ARG0+1)

include/linux/dcache.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -178,6 +178,7 @@ d_iput: no no no yes
		#define DCACHE_INOTIFY_PARENT_WATCHED 0x0020 /* Parent inode is watched */

		extern spinlock_t dcache_lock;
		extern seqlock_t rename_lock;

		/**
		* d_drop - drop a dentry

init/Kconfig

+4 −0

Original line number	Diff line number	Diff line
		@@ -234,6 +234,10 @@ config AUDITSYSCALL
		such as SELinux. To use audit's filesystem watch feature, please
		ensure that INOTIFY is configured.

		config AUDIT_TREE
		def_bool y
		depends on AUDITSYSCALL && INOTIFY

		config IKCONFIG
		tristate "Kernel .config support"
		---help---

kernel/Makefile

+1 −0

Original line number	Diff line number	Diff line
		@@ -46,6 +46,7 @@ obj-$(CONFIG_IKCONFIG) += configs.o
		obj-$(CONFIG_STOP_MACHINE) += stop_machine.o
		obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
		obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
		obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
		obj-$(CONFIG_KPROBES) += kprobes.o
		obj-$(CONFIG_SYSFS) += ksysfs.o
		obj-$(CONFIG_DETECT_SOFTLOCKUP) += softlockup.o