mirror of
https://github.com/torvalds/linux.git
synced 2026-04-18 06:44:00 -04:00
audit: add fields to exclude filter by reusing user filter
RFE: add additional fields for use in audit filter exclude rules https://github.com/linux-audit/audit-kernel/issues/5 Re-factor and combine audit_filter_type() with audit_filter_user() to use audit_filter_user_rules() to enable the exclude filter to additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*. The process of combining the similar audit_filter_user() and audit_filter_type() functions, required inverting the meaning and including the ALWAYS action of the latter. Include audit_filter_user_rules() into audit_filter(), removing unneeded logic in the process. Keep the check to quit early if the list is empty. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: checkpatch.pl fixes - whitespace damage, wrapped description] Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Richard Guy Briggs
committed by
Paul Moore
Paul Moore
parent
da7f750c1e
commit
86b2efbe3a
@@ -1290,117 +1290,72 @@ int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
|
||||
return strncmp(p, dname, dlen);
|
||||
}
|
||||
|
||||
static int audit_filter_user_rules(struct audit_krule *rule, int type,
|
||||
enum audit_state *state)
|
||||
int audit_filter(int msgtype, unsigned int listtype)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < rule->field_count; i++) {
|
||||
struct audit_field *f = &rule->fields[i];
|
||||
pid_t pid;
|
||||
int result = 0;
|
||||
u32 sid;
|
||||
|
||||
switch (f->type) {
|
||||
case AUDIT_PID:
|
||||
pid = task_pid_nr(current);
|
||||
result = audit_comparator(pid, f->op, f->val);
|
||||
break;
|
||||
case AUDIT_UID:
|
||||
result = audit_uid_comparator(current_uid(), f->op, f->uid);
|
||||
break;
|
||||
case AUDIT_GID:
|
||||
result = audit_gid_comparator(current_gid(), f->op, f->gid);
|
||||
break;
|
||||
case AUDIT_LOGINUID:
|
||||
result = audit_uid_comparator(audit_get_loginuid(current),
|
||||
f->op, f->uid);
|
||||
break;
|
||||
case AUDIT_LOGINUID_SET:
|
||||
result = audit_comparator(audit_loginuid_set(current),
|
||||
f->op, f->val);
|
||||
break;
|
||||
case AUDIT_MSGTYPE:
|
||||
result = audit_comparator(type, f->op, f->val);
|
||||
break;
|
||||
case AUDIT_SUBJ_USER:
|
||||
case AUDIT_SUBJ_ROLE:
|
||||
case AUDIT_SUBJ_TYPE:
|
||||
case AUDIT_SUBJ_SEN:
|
||||
case AUDIT_SUBJ_CLR:
|
||||
if (f->lsm_rule) {
|
||||
security_task_getsecid(current, &sid);
|
||||
result = security_audit_rule_match(sid,
|
||||
f->type,
|
||||
f->op,
|
||||
f->lsm_rule,
|
||||
NULL);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
if (result <= 0)
|
||||
return result;
|
||||
}
|
||||
switch (rule->action) {
|
||||
case AUDIT_NEVER:
|
||||
*state = AUDIT_DISABLED;
|
||||
break;
|
||||
case AUDIT_ALWAYS:
|
||||
*state = AUDIT_RECORD_CONTEXT;
|
||||
break;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int audit_filter_user(int type)
|
||||
{
|
||||
enum audit_state state = AUDIT_DISABLED;
|
||||
struct audit_entry *e;
|
||||
int rc, ret;
|
||||
|
||||
ret = 1; /* Audit by default */
|
||||
int ret = 1; /* Audit by default */
|
||||
|
||||
rcu_read_lock();
|
||||
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
|
||||
rc = audit_filter_user_rules(&e->rule, type, &state);
|
||||
if (rc) {
|
||||
if (rc > 0 && state == AUDIT_DISABLED)
|
||||
if (list_empty(&audit_filter_list[listtype]))
|
||||
goto unlock_and_return;
|
||||
list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
|
||||
int i, result = 0;
|
||||
|
||||
for (i = 0; i < e->rule.field_count; i++) {
|
||||
struct audit_field *f = &e->rule.fields[i];
|
||||
pid_t pid;
|
||||
u32 sid;
|
||||
|
||||
switch (f->type) {
|
||||
case AUDIT_PID:
|
||||
pid = task_pid_nr(current);
|
||||
result = audit_comparator(pid, f->op, f->val);
|
||||
break;
|
||||
case AUDIT_UID:
|
||||
result = audit_uid_comparator(current_uid(), f->op, f->uid);
|
||||
break;
|
||||
case AUDIT_GID:
|
||||
result = audit_gid_comparator(current_gid(), f->op, f->gid);
|
||||
break;
|
||||
case AUDIT_LOGINUID:
|
||||
result = audit_uid_comparator(audit_get_loginuid(current),
|
||||
f->op, f->uid);
|
||||
break;
|
||||
case AUDIT_LOGINUID_SET:
|
||||
result = audit_comparator(audit_loginuid_set(current),
|
||||
f->op, f->val);
|
||||
break;
|
||||
case AUDIT_MSGTYPE:
|
||||
result = audit_comparator(msgtype, f->op, f->val);
|
||||
break;
|
||||
case AUDIT_SUBJ_USER:
|
||||
case AUDIT_SUBJ_ROLE:
|
||||
case AUDIT_SUBJ_TYPE:
|
||||
case AUDIT_SUBJ_SEN:
|
||||
case AUDIT_SUBJ_CLR:
|
||||
if (f->lsm_rule) {
|
||||
security_task_getsecid(current, &sid);
|
||||
result = security_audit_rule_match(sid,
|
||||
f->type, f->op, f->lsm_rule, NULL);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
goto unlock_and_return;
|
||||
}
|
||||
if (result < 0) /* error */
|
||||
goto unlock_and_return;
|
||||
if (!result)
|
||||
break;
|
||||
}
|
||||
if (result > 0) {
|
||||
if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
}
|
||||
rcu_read_unlock();
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int audit_filter_type(int type)
|
||||
{
|
||||
struct audit_entry *e;
|
||||
int result = 0;
|
||||
|
||||
rcu_read_lock();
|
||||
if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
|
||||
goto unlock_and_return;
|
||||
|
||||
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
|
||||
list) {
|
||||
int i;
|
||||
for (i = 0; i < e->rule.field_count; i++) {
|
||||
struct audit_field *f = &e->rule.fields[i];
|
||||
if (f->type == AUDIT_MSGTYPE) {
|
||||
result = audit_comparator(type, f->op, f->val);
|
||||
if (!result)
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (result)
|
||||
goto unlock_and_return;
|
||||
}
|
||||
unlock_and_return:
|
||||
rcu_read_unlock();
|
||||
return result;
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int update_lsm_rule(struct audit_krule *r)
|
||||
|
||||
Reference in New Issue
Block a user