public inbox for linux-audit@redhat.com
From: Eric Paris <eparis@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH 5/5] audit: comparison on interprocess fields
Date: Wed, 04 Jan 2012 15:55:22 -0500
Message-ID: <1325710522.17118.6.camel@localhost>
In-Reply-To: <1325710033-32133-5-git-send-email-eparis@redhat.com>

On Wed, 2012-01-04 at 15:47 -0500, Eric Paris wrote:
> This allows audit to specify rules in which we compare two fields of a
> process.  Such as is the running process uid != to the running process
> euid?
> 
> Signed-off-by: Peter Moody <pmoody@google.com>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---

I broke this into a separate patch and didn't try to use the 'helper'
function.  Using the helper would be wrong since the comparison was not
supposed to involve fs objects.  Thus things which were passing it a
task_struct and offset as the second pointer were walking the
audit_names list dereferencing some random distance (distance of
loginuid inside a task_struct) from the found name and using that memory
location as a uid.  Oops.

>  include/linux/audit.h |   24 +++++++++++++++++++++++-
>  kernel/auditsc.c      |   39 +++++++++++++++++++++++++++++++++++++++
>  2 files changed, 62 insertions(+), 1 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e1b949d..adbe9cb 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -193,7 +193,29 @@
>  #define AUDIT_COMPARE_FSUID_TO_OBJ_UID	8
>  #define AUDIT_COMPARE_FSGID_TO_OBJ_GID	9
>  
> -#define AUDIT_MAX_FIELD_COMPARE		AUDIT_COMPARE_FSGID_TO_OBJ_GID
> +#define AUDIT_COMPARE_UID_TO_AUID	10
> +#define AUDIT_COMPARE_UID_TO_EUID	11
> +#define AUDIT_COMPARE_UID_TO_FSUID	12
> +#define AUDIT_COMPARE_UID_TO_SUID	13
> +
> +#define AUDIT_COMPARE_AUID_TO_FSUID	14
> +#define AUDIT_COMPARE_AUID_TO_SUID	15
> +#define AUDIT_COMPARE_AUID_TO_EUID	16
> +
> +#define AUDIT_COMPARE_EUID_TO_SUID	17
> +#define AUDIT_COMPARE_EUID_TO_FSUID	18
> +
> +#define AUDIT_COMPARE_SUID_TO_FSUID	19
> +
> +#define AUDIT_COMPARE_GID_TO_EGID	20
> +#define AUDIT_COMPARE_GID_TO_FSGID	21
> +#define AUDIT_COMPARE_GID_TO_SGID	22
> +
> +#define AUDIT_COMPARE_EGID_TO_FSGID	23
> +#define AUDIT_COMPARE_EGID_TO_SGID	24
> +#define AUDIT_COMPARE_SGID_TO_FSGID	25
> +
> +#define AUDIT_MAX_FIELD_COMPARE		AUDIT_COMPARE_SGID_TO_FSGID
>  
>  /* Rule fields */
>  				/* These are useful when checking the
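Review bot: the operand order these names imply is documented only by the switch in auditsc.c; since these values are userspace ABI consumed by rule-building tools, a one-line comment above AUDIT_COMPARE_UID_TO_AUID saying that X_TO_Y evaluates "X <op> Y" (so a uid<auid rule is not the same rule as auid<uid) would let rule writers get the direction right without reading the kernel. Style nit: the groups are ordered inconsistently (the UID group lists FSUID before SUID, the AUID group goes FSUID, SUID, EUID, the EUID group goes SUID, FSUID), and the switch in the auditsc.c hunk uses yet another order; ordering every group euid, suid, fsuid and matching that in the switch makes it easy to confirm all 16 pairs are covered. Also worth saying in the commit message that 10..25 can never be renumbered once this ships, so any gaps wanted between the uid and gid groups have to be reserved now.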
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 913a39b..a00894c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -545,6 +545,45 @@ static int audit_field_compare(struct task_struct *tsk,
>  		return audit_compare_id(cred->fsgid,
>  					name, offsetof(struct audit_names, gid),
>  					f, ctx);
> +	/* uid comparisons */
> +	case AUDIT_COMPARE_UID_TO_AUID:
> +		return audit_comparator(cred->uid, f->op, tsk->loginuid);
> +	case AUDIT_COMPARE_UID_TO_EUID:
> +		return audit_comparator(cred->uid, f->op, cred->euid);
> +	case AUDIT_COMPARE_UID_TO_SUID:
> +		return audit_comparator(cred->uid, f->op, cred->suid);
> +	case AUDIT_COMPARE_UID_TO_FSUID:
> +		return audit_comparator(cred->uid, f->op, cred->fsuid);
> +	/* auid comparisons */
> +	case AUDIT_COMPARE_AUID_TO_EUID:
> +		return audit_comparator(tsk->loginuid, f->op, cred->euid);
> +	case AUDIT_COMPARE_AUID_TO_SUID:
> +		return audit_comparator(tsk->loginuid, f->op, cred->suid);
> +	case AUDIT_COMPARE_AUID_TO_FSUID:
> +		return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
> +	/* euid comparisons */
> +	case AUDIT_COMPARE_EUID_TO_SUID:
> +		return audit_comparator(cred->euid, f->op, cred->suid);
> +	case AUDIT_COMPARE_EUID_TO_FSUID:
> +		return audit_comparator(cred->euid, f->op, cred->fsuid);
> +	/* suid comparisons */
> +	case AUDIT_COMPARE_SUID_TO_FSUID:
> +		return audit_comparator(cred->suid, f->op, cred->fsuid);
> +	/* gid comparisons */
> +	case AUDIT_COMPARE_GID_TO_EGID:
> +		return audit_comparator(cred->gid, f->op, cred->egid);
> +	case AUDIT_COMPARE_GID_TO_SGID:
> +		return audit_comparator(cred->gid, f->op, cred->sgid);
> +	case AUDIT_COMPARE_GID_TO_FSGID:
> +		return audit_comparator(cred->gid, f->op, cred->fsgid);
> +	/* egid comparisons */
> +	case AUDIT_COMPARE_EGID_TO_SGID:
> +		return audit_comparator(cred->egid, f->op, cred->sgid);
> +	case AUDIT_COMPARE_EGID_TO_FSGID:
> +		return audit_comparator(cred->egid, f->op, cred->fsgid);
> +	/* sgid comparison */
> +	case AUDIT_COMPARE_SGID_TO_FSGID:
> +		return audit_comparator(cred->sgid, f->op, cred->fsgid);
>  	default:
>  		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
>  		return 0;
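Review bot: neither the hunk nor the commit message says how an unset loginuid behaves in the new AUID cases. tsk->loginuid is (uid_t)-1 for tasks that never went through a login (kernel threads, daemons started at boot), so a rule comparing uid to auid with != matches every such task, and any ordered comparison against auid is comparing against 4294967295. That is probably the intended raw behaviour, but it should be stated in the commit message and the rule documentation, since rules built on these comparisons will need an explicit auid filter alongside them. Minor: the case order here differs from the define order in audit.h (UID_TO_SUID before UID_TO_FSUID here, the reverse in the header, and similarly for the AUID and GID groups); reordering the cases to match the header makes it possible to check at a glance that all 16 new values are handled, which they are.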

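The semantics the new switch implements, as an added example that is not part of this patch or of the kernel: a userspace C model of audit_field_compare() for the interprocess cases. The AUDIT_COMPARE_* values are taken from the audit.h hunk and the comparator truth table follows the kernel's audit_comparator(); the struct creds stand-in, the operand table, the AUDIT_UNSET_AUID constant and the three sample processes are assumptions constructed here for illustration. It shows what a rule such as uid != euid matches on a setuid exec, and that a task whose loginuid was never set compares as 4294967295, so uid != auid fires for every such daemon unless the rule also filters on auid.

```c
/*
 * Userspace model of the interprocess comparisons this patch adds to
 * audit_field_compare(). Added example, not kernel code: struct creds, the
 * operand table and the sample processes are constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>

enum {	/* values from the patch's include/linux/audit.h hunk */
	AUDIT_COMPARE_UID_TO_AUID = 10, AUDIT_COMPARE_UID_TO_EUID, AUDIT_COMPARE_UID_TO_FSUID,
	AUDIT_COMPARE_UID_TO_SUID, AUDIT_COMPARE_AUID_TO_FSUID, AUDIT_COMPARE_AUID_TO_SUID,
	AUDIT_COMPARE_AUID_TO_EUID, AUDIT_COMPARE_EUID_TO_SUID, AUDIT_COMPARE_EUID_TO_FSUID,
	AUDIT_COMPARE_SUID_TO_FSUID, AUDIT_COMPARE_GID_TO_EGID, AUDIT_COMPARE_GID_TO_FSGID,
	AUDIT_COMPARE_GID_TO_SGID, AUDIT_COMPARE_EGID_TO_FSGID, AUDIT_COMPARE_EGID_TO_SGID,
	AUDIT_COMPARE_SGID_TO_FSGID, AUDIT_MAX_FIELD_COMPARE = AUDIT_COMPARE_SGID_TO_FSGID,
};

/* Rule operators, in the order of the kernel enum that audit_comparator() takes. */
enum { Audit_equal, Audit_not_equal, Audit_bitmask, Audit_bittest,
       Audit_lt, Audit_gt, Audit_le, Audit_ge };

#define AUDIT_UNSET_AUID 0xffffffffu	/* task->loginuid before any login sets it (assumed) */

/* Constructed stand-in for task->cred plus task->loginuid. */
struct creds {
	uint32_t uid, euid, suid, fsuid, auid;
	uint32_t gid, egid, sgid, fsgid;
};

enum field { F_UID, F_EUID, F_SUID, F_FSUID, F_AUID, F_GID, F_EGID, F_SGID, F_FSGID };
struct operands { enum field left, right; };

static uint32_t get_field(const struct creds *c, enum field f)
{
	switch (f) {
	case F_UID:   return c->uid;
	case F_EUID:  return c->euid;
	case F_SUID:  return c->suid;
	case F_FSUID: return c->fsuid;
	case F_AUID:  return c->auid;
	case F_GID:   return c->gid;
	case F_EGID:  return c->egid;
	case F_SGID:  return c->sgid;
	case F_FSGID: return c->fsgid;
	}
	return 0;
}

/* Operands per AUDIT_COMPARE_* value, indexed by value - 10. The name fixes the
 * order: X_TO_Y evaluates "X <op> Y", as the auditsc.c switch passes them. */
#define P(n, l, r) [AUDIT_COMPARE_##n - AUDIT_COMPARE_UID_TO_AUID] = { l, r }
static const struct operands pairs[] = {
	P(UID_TO_AUID, F_UID, F_AUID),     P(UID_TO_EUID, F_UID, F_EUID),
	P(UID_TO_FSUID, F_UID, F_FSUID),   P(UID_TO_SUID, F_UID, F_SUID),
	P(AUID_TO_FSUID, F_AUID, F_FSUID), P(AUID_TO_SUID, F_AUID, F_SUID),
	P(AUID_TO_EUID, F_AUID, F_EUID),   P(EUID_TO_SUID, F_EUID, F_SUID),
	P(EUID_TO_FSUID, F_EUID, F_FSUID), P(SUID_TO_FSUID, F_SUID, F_FSUID),
	P(GID_TO_EGID, F_GID, F_EGID),     P(GID_TO_FSGID, F_GID, F_FSGID),
	P(GID_TO_SGID, F_GID, F_SGID),     P(EGID_TO_FSGID, F_EGID, F_FSGID),
	P(EGID_TO_SGID, F_EGID, F_SGID),   P(SGID_TO_FSGID, F_SGID, F_FSGID),
};

/* Same truth table as the kernel's audit_comparator(); an unknown op never matches. */
static int audit_comparator(uint32_t left, uint32_t op, uint32_t right)
{
	switch (op) {
	case Audit_equal:     return left == right;
	case Audit_not_equal: return left != right;
	case Audit_lt:        return left <  right;
	case Audit_le:        return left <= right;
	case Audit_gt:        return left >  right;
	case Audit_ge:        return left >= right;
	case Audit_bitmask:   return (left & right) != 0;
	case Audit_bittest:   return (left & right) == right;
	default:              return 0;
	}
}

/* Model of the new switch cases: 1 = rule matches, 0 = no match, -1 = value is
 * not an interprocess comparison (0..9 compare against audit_names instead). */
int field_compare(const struct creds *c, int compare, uint32_t op)
{
	if (compare < AUDIT_COMPARE_UID_TO_AUID || compare > AUDIT_MAX_FIELD_COMPARE)
		return -1;
	const struct operands *p = &pairs[compare - AUDIT_COMPARE_UID_TO_AUID];
	return audit_comparator(get_field(c, p->left), op, get_field(c, p->right));
}

/* Constructed samples; field order is uid, euid, suid, fsuid, auid, gid, egid, sgid, fsgid. */
const struct creds login_shell = { 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000 };
const struct creds setuid_exec = { 1000, 0, 0, 0, 1000, 1000, 1000, 1000, 1000 }; /* setuid-root binary */
const struct creds root_daemon = { 0, 0, 0, 0, AUDIT_UNSET_AUID, 0, 0, 0, 0 };   /* no login session */

int main(void)
{
	const struct creds *procs[] = { &login_shell, &setuid_exec, &root_daemon };
	const char *names[] = { "login_shell", "setuid_exec", "root_daemon" };
	for (int i = 0; i < 3; i++)
		printf("%-12s uid!=euid:%d  uid!=auid:%d  auid>euid:%d\n", names[i],
		       field_compare(procs[i], AUDIT_COMPARE_UID_TO_EUID, Audit_not_equal),
		       field_compare(procs[i], AUDIT_COMPARE_UID_TO_AUID, Audit_not_equal),
		       field_compare(procs[i], AUDIT_COMPARE_AUID_TO_EUID, Audit_gt));
	return 0;
}
```

Only the setuid exec trips uid != euid, which is the case the commit message describes. The daemon row is the caveat: its auid is 4294967295, so uid != auid is true and auid > euid is true for every task that never logged in, which is why a rule using the AUID comparisons needs a separate auid filter to be useful.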

Thread overview: 8+ messages
2012-01-04 20:47 [PATCH 1/5] audit: allow interfield comparison in audit rules Eric Paris
2012-01-04 20:47 ` [PATCH 2/5] audit: complex interfield comparison helper Eric Paris
2012-01-04 20:51   ` Eric Paris
2012-01-04 20:47 ` [PATCH 3/5] audit: allow interfield comparison between gid and ogid Eric Paris
2012-01-04 20:47 ` [PATCH 4/5] audit: implement all object interfield comparisons Eric Paris
2012-01-04 20:47 ` [PATCH 5/5] audit: comparison on interprocess fields Eric Paris
2012-01-04 20:55   ` Eric Paris [this message]
2012-01-04 21:12     ` Peter Moody
