Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 10d68360 authored by Peter Moody's avatar Peter Moody Committed by Al Viro
Browse files

audit: comparison on interprocess fields 



This allows audit to specify rules in which we compare two fields of a
process.  Such as is the running process uid != to the running process
euid?

Signed-off-by: default avatarPeter Moody <pmoody@google.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 4a6633ed

include/linux/audit.h

+23 −1
Original line number Diff line number Diff line
@@ -193,7 +193,29 @@ 
#define AUDIT_COMPARE_FSUID_TO_OBJ_UID	8

#define AUDIT_COMPARE_FSGID_TO_OBJ_GID	9



#define AUDIT_MAX_FIELD_COMPARE		AUDIT_COMPARE_FSGID_TO_OBJ_GID

#define AUDIT_COMPARE_UID_TO_AUID	10

#define AUDIT_COMPARE_UID_TO_EUID	11

#define AUDIT_COMPARE_UID_TO_FSUID	12

#define AUDIT_COMPARE_UID_TO_SUID	13



#define AUDIT_COMPARE_AUID_TO_FSUID	14

#define AUDIT_COMPARE_AUID_TO_SUID	15

#define AUDIT_COMPARE_AUID_TO_EUID	16



#define AUDIT_COMPARE_EUID_TO_SUID	17

#define AUDIT_COMPARE_EUID_TO_FSUID	18



#define AUDIT_COMPARE_SUID_TO_FSUID	19



#define AUDIT_COMPARE_GID_TO_EGID	20

#define AUDIT_COMPARE_GID_TO_FSGID	21

#define AUDIT_COMPARE_GID_TO_SGID	22



#define AUDIT_COMPARE_EGID_TO_FSGID	23

#define AUDIT_COMPARE_EGID_TO_SGID	24

#define AUDIT_COMPARE_SGID_TO_FSGID	25



#define AUDIT_MAX_FIELD_COMPARE		AUDIT_COMPARE_SGID_TO_FSGID



/* Rule fields */

				/* These are useful when checking the

kernel/auditsc.c

+39 −0
Original line number Diff line number Diff line
@@ -545,6 +545,45 @@ static int audit_field_compare(struct task_struct *tsk, 
		return audit_compare_id(cred->fsgid,

					name, offsetof(struct audit_names, gid),

					f, ctx);

	/* uid comparisons */

	case AUDIT_COMPARE_UID_TO_AUID:

		return audit_comparator(cred->uid, f->op, tsk->loginuid);

	case AUDIT_COMPARE_UID_TO_EUID:

		return audit_comparator(cred->uid, f->op, cred->euid);

	case AUDIT_COMPARE_UID_TO_SUID:

		return audit_comparator(cred->uid, f->op, cred->suid);

	case AUDIT_COMPARE_UID_TO_FSUID:

		return audit_comparator(cred->uid, f->op, cred->fsuid);

	/* auid comparisons */

	case AUDIT_COMPARE_AUID_TO_EUID:

		return audit_comparator(tsk->loginuid, f->op, cred->euid);

	case AUDIT_COMPARE_AUID_TO_SUID:

		return audit_comparator(tsk->loginuid, f->op, cred->suid);

	case AUDIT_COMPARE_AUID_TO_FSUID:

		return audit_comparator(tsk->loginuid, f->op, cred->fsuid);

	/* euid comparisons */

	case AUDIT_COMPARE_EUID_TO_SUID:

		return audit_comparator(cred->euid, f->op, cred->suid);

	case AUDIT_COMPARE_EUID_TO_FSUID:

		return audit_comparator(cred->euid, f->op, cred->fsuid);

	/* suid comparisons */

	case AUDIT_COMPARE_SUID_TO_FSUID:

		return audit_comparator(cred->suid, f->op, cred->fsuid);

	/* gid comparisons */

	case AUDIT_COMPARE_GID_TO_EGID:

		return audit_comparator(cred->gid, f->op, cred->egid);

	case AUDIT_COMPARE_GID_TO_SGID:

		return audit_comparator(cred->gid, f->op, cred->sgid);

	case AUDIT_COMPARE_GID_TO_FSGID:

		return audit_comparator(cred->gid, f->op, cred->fsgid);

	/* egid comparisons */

	case AUDIT_COMPARE_EGID_TO_SGID:

		return audit_comparator(cred->egid, f->op, cred->sgid);

	case AUDIT_COMPARE_EGID_TO_FSGID:

		return audit_comparator(cred->egid, f->op, cred->fsgid);

	/* sgid comparison */

	case AUDIT_COMPARE_SGID_TO_FSGID:

		return audit_comparator(cred->sgid, f->op, cred->fsgid);

	default:

		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");

		return 0;