* [PATCH 1/5] audit: allow interfield comparison in audit rules
@ 2012-01-04 20:47 Eric Paris
From: Eric Paris @ 2012-01-04 20:47 UTC (permalink / raw)
To: eparis; +Cc: linux-audit
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0, or vice versa. This patch introduces a new audit filter type,
AUDIT_FIELD_COMPARE, whose value is an 'enum' indicating which fields
should be compared. At this point we only define the task->uid vs
inode->uid comparison, but other comparisons can be added.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
include/linux/audit.h | 4 ++++
kernel/auditfilter.c | 5 ++++-
kernel/auditsc.c | 30 +++++++++++++++++++++++++++++-
3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c1048b6..7bf31e2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,7 +182,10 @@
* AUDIT_UNUSED_BITS is updated if need be. */
#define AUDIT_UNUSED_BITS 0x07FFFC00
+/* AUDIT_FIELD_COMPARE rule list */
+#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
@@ -225,6 +228,7 @@
#define AUDIT_FILETYPE 108
#define AUDIT_OBJ_UID 109
#define AUDIT_OBJ_GID 110
+#define AUDIT_FIELD_COMPARE 111
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f10605c..a6c3f1a 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_free;
break;
case AUDIT_FILTERKEY:
- err = -EINVAL;
if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
goto exit_free;
str = audit_unpack_string(&bufp, &remain, f->val);
@@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (f->val & ~S_IFMT)
goto exit_free;
break;
+ case AUDIT_FIELD_COMPARE:
+ if (f->val > AUDIT_MAX_FIELD_COMPARE)
+ goto exit_free;
+ break;
default:
goto exit_free;
}
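Review bot: The range check in the new AUDIT_FIELD_COMPARE case accepts `f->val == 0`, a value the header assigns to no comparison (the list starts at AUDIT_COMPARE_UID_TO_OBJ_UID = 1), so such a rule loads successfully and then reaches the `default:` WARN in audit_field_compare() every time it is evaluated. Reject the unassigned value at rule-load time: `if (f->val == 0 || f->val > AUDIT_MAX_FIELD_COMPARE)`. The new case also jumps to exit_free without assigning `err`, as AUDIT_FILTERKEY now does after the removal in the previous hunk; that is only correct if `err` already holds -EINVAL here, and the assignment that guarantees it is outside both hunks. audit_data_to_entry() starts and ends outside the hunk.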
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 37ad085..efb1763 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
return 0;
}
+static int audit_field_compare(struct task_struct *tsk,
+ const struct cred *cred,
+ struct audit_field *f,
+ struct audit_context *ctx,
+ struct audit_names *name)
+{
+ struct audit_names *n;
+
+ switch (f->val) {
+ case AUDIT_COMPARE_UID_TO_OBJ_UID:
+ if (name) {
+ return audit_comparator(cred->uid, f->op, name->uid);
+ } else if (ctx) {
+ list_for_each_entry(n, &ctx->names_list, list) {
+ if (audit_comparator(cred->uid, f->op, n->uid))
+ return 1;
+ }
+ }
+ break;
+ default:
+ WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
+ return 0;
+ }
+ return 0;
+}
+
/* Determine if any context name data matches a rule's watch data */
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
* otherwise.
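Review bot: audit_field_compare() carries no comment on its contract, and its two branches answer different questions: with `name` set only that one object is compared and `ctx` is ignored, while with only `ctx` it returns 1 if any entry of `ctx->names_list` matches. A header comment such as `/* Return 1 if the task id compares per f->op against the object id: the single name when given, else any name in ctx; 0 when nothing matches or no names exist. */` would make that visible to the callers in audit_filter_rules(). The `tsk` parameter is unused in this version; if it is reserved for later comparisons a short remark saying so saves the next reader the check. The `default:` WARN fires for every value that passed rule loading but is not handled here, so this switch and the load-time range check must be kept in step.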
@@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FILETYPE:
result = audit_match_filetype(ctx, f->val);
break;
+ case AUDIT_FIELD_COMPARE:
+ result = audit_field_compare(tsk, cred, f, ctx, name);
+ break;
}
-
if (!result)
return 0;
}
--
1.7.1
* [PATCH 2/5] audit: complex interfield comparison helper
From: Eric Paris @ 2012-01-04 20:47 UTC (permalink / raw)
To: eparis; +Cc: linux-audit
Rather than code the same loop over and over, implement a helper function which
uses some pointer magic to make it generic enough to be used in numerous places
as we implement more audit interfield comparisons.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
kernel/auditsc.c | 50 +++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index efb1763..45c13c5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -463,25 +463,53 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
return 0;
}
+static int audit_compare_id(uid_t uid1,
+ struct audit_names *name,
+ unsigned long name_offset,
+ struct audit_field *f,
+ struct audit_context *ctx)
+{
+ struct audit_names *n;
+ unsigned long addr;
+ uid_t uid2;
+ int rc;
+
+ if (name) {
+ addr = (unsigned long)name;
+ addr += name_offset;
+
+ uid2 = *(uid_t *)addr;
+ rc = audit_comparator(uid1, f->op, uid2);
+ if (rc)
+ return rc;
+ }
+
+ if (ctx) {
+ list_for_each_entry(n, &ctx->names_list, list) {
+ addr = (unsigned long)n;
+ addr += name_offset;
+
+ uid2 = *(uid_t *)addr;
+
+ rc = audit_comparator(uid1, f->op, uid2);
+ if (rc)
+ return rc;
+ }
+ }
+ return 0;
+}
+
static int audit_field_compare(struct task_struct *tsk,
const struct cred *cred,
struct audit_field *f,
struct audit_context *ctx,
struct audit_names *name)
{
- struct audit_names *n;
-
switch (f->val) {
case AUDIT_COMPARE_UID_TO_OBJ_UID:
- if (name) {
- return audit_comparator(cred->uid, f->op, name->uid);
- } else if (ctx) {
- list_for_each_entry(n, &ctx->names_list, list) {
- if (audit_comparator(cred->uid, f->op, n->uid))
- return 1;
- }
- }
- break;
+ return audit_compare_id(cred->uid,
+ name, offsetof(struct audit_names, uid),
+ f, ctx);
default:
WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
return 0;
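Review bot: audit_compare_id() changes the matching semantics of the UID_TO_OBJ_UID case without the commit message saying so: the removed code compared only `name` when one was given, whereas the helper compares `name` and then, on no match, also walks `ctx->names_list`. If that widening is intended, the message or a comment at the call site should say so. The helper's `name_offset` is an unchecked `unsigned long` applied to every list entry, so a caller passing an offset that is not a field of `struct audit_names` reads past the object with no diagnostic; document the parameter, `/* name_offset: offsetof(struct audit_names, <uid_t-sized field>), nothing else */`, and catch misuse at entry with `if (WARN_ON_ONCE(name_offset + sizeof(uid_t) > sizeof(struct audit_names))) return 0;`. The `(unsigned long)` arithmetic could also be written as `*(uid_t *)((char *)n + name_offset)` to keep the pointer provenance visible.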
--
1.7.1
* [PATCH 3/5] audit: allow interfield comparison between gid and ogid
From: Eric Paris @ 2012-01-04 20:47 UTC (permalink / raw)
To: eparis; +Cc: linux-audit
Allow audit rules to compare the gid of the running task to the gid of the
inode in question.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
include/linux/audit.h | 3 ++-
kernel/auditsc.c | 6 ++++++
2 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 7bf31e2..4649506 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -184,8 +184,9 @@
/* AUDIT_FIELD_COMPARE rule list */
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
+#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 45c13c5..cc1197f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -474,6 +474,8 @@ static int audit_compare_id(uid_t uid1,
uid_t uid2;
int rc;
+ BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
+
if (name) {
addr = (unsigned long)name;
addr += name_offset;
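Review bot: The new BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t)) in audit_compare_id() is doing real work — the gid case added in the next hunk passes `cred->gid` as the `uid_t uid1` argument and reads `audit_names.gid` through a `uid_t *` — but nothing at the line says so, and a later cleanup could drop it as dead. Add a why-comment: `/* gid values are passed and read as uid_t below; the two types must stay the same width */`. The helper's body continues outside the hunk.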
@@ -510,6 +512,10 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_id(cred->uid,
name, offsetof(struct audit_names, uid),
f, ctx);
+ case AUDIT_COMPARE_GID_TO_OBJ_GID:
+ return audit_compare_id(cred->gid,
+ name, offsetof(struct audit_names, gid),
+ f, ctx);
default:
WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
return 0;
--
1.7.1
* [PATCH 4/5] audit: implement all object interfield comparisons
From: Eric Paris @ 2012-01-04 20:47 UTC (permalink / raw)
To: eparis; +Cc: linux-audit
From: Peter Moody <pmoody@google.com>
This completes the matrix of interfield comparisons between uid/gid
information for the current task and the uid/gid information for inodes.
aka I can audit based on differences between the euid of the process and
the uid of fs objects.
Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
---
include/linux/audit.h | 10 +++++++++-
kernel/auditsc.c | 29 +++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4649506..e1b949d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -185,8 +185,16 @@
/* AUDIT_FIELD_COMPARE rule list */
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
+#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
+#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
+#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
+#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
+#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
+#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
+#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
+
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_FSGID_TO_OBJ_GID
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cc1197f..913a39b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -508,6 +508,7 @@ static int audit_field_compare(struct task_struct *tsk,
struct audit_names *name)
{
switch (f->val) {
+ /* process to file object comparisons */
case AUDIT_COMPARE_UID_TO_OBJ_UID:
return audit_compare_id(cred->uid,
name, offsetof(struct audit_names, uid),
@@ -516,6 +517,34 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_id(cred->gid,
name, offsetof(struct audit_names, gid),
f, ctx);
+ case AUDIT_COMPARE_EUID_TO_OBJ_UID:
+ return audit_compare_id(cred->euid,
+ name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_EGID_TO_OBJ_GID:
+ return audit_compare_id(cred->egid,
+ name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_OBJ_UID:
+ return audit_compare_id(tsk->loginuid,
+ name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_SUID_TO_OBJ_UID:
+ return audit_compare_id(cred->suid,
+ name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_SGID_TO_OBJ_GID:
+ return audit_compare_id(cred->sgid,
+ name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
+ return audit_compare_id(cred->fsuid,
+ name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
+ return audit_compare_id(cred->fsgid,
+ name, offsetof(struct audit_names, gid),
+ f, ctx);
default:
WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
return 0;
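Review bot: AUDIT_COMPARE_AUID_TO_OBJ_UID reads `tsk->loginuid` while every other new case reads the matching field from `cred`; the reason the login uid lives on the task rather than in the cred is not visible here, and a reader may take the asymmetry for a slip. A one-line comment on that case, `/* auid is kept on the task, not in the cred */`, settles it. Which credential `cred` is (the task's own or the caller's) is decided outside the hunk, so the eight cred-based cases are only as correct as that pairing; worth a sentence in the function's header comment. audit_field_compare() continues outside the hunk.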
--
1.7.1
* [PATCH 5/5] audit: comparison on interprocess fields
From: Eric Paris @ 2012-01-04 20:47 UTC (permalink / raw)
To: eparis; +Cc: linux-audit
This allows audit to specify rules in which we compare two fields of a
process, for example: is the running process's uid != the running
process's euid?
Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
---
include/linux/audit.h | 24 +++++++++++++++++++++++-
kernel/auditsc.c | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e1b949d..adbe9cb 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -193,7 +193,29 @@
#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_FSGID_TO_OBJ_GID
+#define AUDIT_COMPARE_UID_TO_AUID 10
+#define AUDIT_COMPARE_UID_TO_EUID 11
+#define AUDIT_COMPARE_UID_TO_FSUID 12
+#define AUDIT_COMPARE_UID_TO_SUID 13
+
+#define AUDIT_COMPARE_AUID_TO_FSUID 14
+#define AUDIT_COMPARE_AUID_TO_SUID 15
+#define AUDIT_COMPARE_AUID_TO_EUID 16
+
+#define AUDIT_COMPARE_EUID_TO_SUID 17
+#define AUDIT_COMPARE_EUID_TO_FSUID 18
+
+#define AUDIT_COMPARE_SUID_TO_FSUID 19
+
+#define AUDIT_COMPARE_GID_TO_EGID 20
+#define AUDIT_COMPARE_GID_TO_FSGID 21
+#define AUDIT_COMPARE_GID_TO_SGID 22
+
+#define AUDIT_COMPARE_EGID_TO_FSGID 23
+#define AUDIT_COMPARE_EGID_TO_SGID 24
+#define AUDIT_COMPARE_SGID_TO_FSGID 25
+
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
/* Rule fields */
/* These are useful when checking the
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 913a39b..a00894c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -545,6 +545,45 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_id(cred->fsgid,
name, offsetof(struct audit_names, gid),
f, ctx);
+ /* uid comparisons */
+ case AUDIT_COMPARE_UID_TO_AUID:
+ return audit_comparator(cred->uid, f->op, tsk->loginuid);
+ case AUDIT_COMPARE_UID_TO_EUID:
+ return audit_comparator(cred->uid, f->op, cred->euid);
+ case AUDIT_COMPARE_UID_TO_SUID:
+ return audit_comparator(cred->uid, f->op, cred->suid);
+ case AUDIT_COMPARE_UID_TO_FSUID:
+ return audit_comparator(cred->uid, f->op, cred->fsuid);
+ /* auid comparisons */
+ case AUDIT_COMPARE_AUID_TO_EUID:
+ return audit_comparator(tsk->loginuid, f->op, cred->euid);
+ case AUDIT_COMPARE_AUID_TO_SUID:
+ return audit_comparator(tsk->loginuid, f->op, cred->suid);
+ case AUDIT_COMPARE_AUID_TO_FSUID:
+ return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
+ /* euid comparisons */
+ case AUDIT_COMPARE_EUID_TO_SUID:
+ return audit_comparator(cred->euid, f->op, cred->suid);
+ case AUDIT_COMPARE_EUID_TO_FSUID:
+ return audit_comparator(cred->euid, f->op, cred->fsuid);
+ /* suid comparisons */
+ case AUDIT_COMPARE_SUID_TO_FSUID:
+ return audit_comparator(cred->suid, f->op, cred->fsuid);
+ /* gid comparisons */
+ case AUDIT_COMPARE_GID_TO_EGID:
+ return audit_comparator(cred->gid, f->op, cred->egid);
+ case AUDIT_COMPARE_GID_TO_SGID:
+ return audit_comparator(cred->gid, f->op, cred->sgid);
+ case AUDIT_COMPARE_GID_TO_FSGID:
+ return audit_comparator(cred->gid, f->op, cred->fsgid);
+ /* egid comparisons */
+ case AUDIT_COMPARE_EGID_TO_SGID:
+ return audit_comparator(cred->egid, f->op, cred->sgid);
+ case AUDIT_COMPARE_EGID_TO_FSGID:
+ return audit_comparator(cred->egid, f->op, cred->fsgid);
+ /* sgid comparison */
+ case AUDIT_COMPARE_SGID_TO_FSGID:
+ return audit_comparator(cred->sgid, f->op, cred->fsgid);
default:
WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
return 0;
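Review bot: The sixteen new cases are process-only comparisons that deliberately bypass audit_compare_id(), but nothing in the code says why; the reason given in the follow-up mail (feeding a task_struct offset to the helper walked `ctx->names_list` and read a uid from a bogus offset in each entry) belongs next to the code so the next contributor does not "simplify" it back. Suggest replacing the `/* uid comparisons */` header with `/* process-only comparisons: read cred/task fields directly; audit_compare_id() walks the object names list and must not be used here */`. `name` and `ctx` play no part in these cases, so a rule built on them presumably matches identically for every object the syscall touched; if that is the intended semantics the same comment should say so. audit_field_compare() starts outside the hunk.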
--
1.7.1
* Re: [PATCH 2/5] audit: complex interfield comparison helper
From: Eric Paris @ 2012-01-04 20:51 UTC (permalink / raw)
To: linux-audit
On Wed, 2012-01-04 at 15:47 -0500, Eric Paris wrote:
> Rather than code the same loop over and over implement a helper function which
> uses some pointer magic to make it generic enough to be used numerous places
> as we implement more audit interfield comparisons
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
The change from the last version is simply to take a uid_t and a pointer
to a struct audit_name instead of taking two pointers. This allows us
to get the first uid from either a cred or the task struct.
> kernel/auditsc.c | 50 +++++++++++++++++++++++++++++++++++++++-----------
> 1 files changed, 39 insertions(+), 11 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index efb1763..45c13c5 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -463,25 +463,53 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
> return 0;
> }
>
> +static int audit_compare_id(uid_t uid1,
> + struct audit_names *name,
> + unsigned long name_offset,
> + struct audit_field *f,
> + struct audit_context *ctx)
> +{
> + struct audit_names *n;
> + unsigned long addr;
> + uid_t uid2;
> + int rc;
> +
> + if (name) {
> + addr = (unsigned long)name;
> + addr += name_offset;
> +
> + uid2 = *(uid_t *)addr;
> + rc = audit_comparator(uid1, f->op, uid2);
> + if (rc)
> + return rc;
> + }
> +
> + if (ctx) {
> + list_for_each_entry(n, &ctx->names_list, list) {
> + addr = (unsigned long)n;
> + addr += name_offset;
> +
> + uid2 = *(uid_t *)addr;
> +
> + rc = audit_comparator(uid1, f->op, uid2);
> + if (rc)
> + return rc;
> + }
> + }
> + return 0;
> +}
> +
> static int audit_field_compare(struct task_struct *tsk,
> const struct cred *cred,
> struct audit_field *f,
> struct audit_context *ctx,
> struct audit_names *name)
> {
> - struct audit_names *n;
> -
> switch (f->val) {
> case AUDIT_COMPARE_UID_TO_OBJ_UID:
> - if (name) {
> - return audit_comparator(cred->uid, f->op, name->uid);
> - } else if (ctx) {
> - list_for_each_entry(n, &ctx->names_list, list) {
> - if (audit_comparator(cred->uid, f->op, n->uid))
> - return 1;
> - }
> - }
> - break;
> + return audit_compare_id(cred->uid,
> + name, offsetof(struct audit_names, uid),
> + f, ctx);
> default:
> WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
> return 0;
* Re: [PATCH 5/5] audit: comparison on interprocess fields
From: Eric Paris @ 2012-01-04 20:55 UTC (permalink / raw)
To: linux-audit
On Wed, 2012-01-04 at 15:47 -0500, Eric Paris wrote:
> This allows audit to specify rules in which we compare two fields of a
> process. Such as is the running process uid != to the running process
> euid?
>
> Signed-off-by: Peter Moody <pmoody@google.com>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
I broke this into a separate patch and didn't try to use the 'helper'
function. Using the helper would be wrong since the comparison was not
supposed to involve fs objects. Thus things which were passing it a
task_struct and offset as the second pointer were walking the
audit_names list dereferencing some random distance (distance of
loginuid inside a task_struct) from the found name and using that memory
location as a uid. Oops.
> include/linux/audit.h | 24 +++++++++++++++++++++++-
> kernel/auditsc.c | 39 +++++++++++++++++++++++++++++++++++++++
> 2 files changed, 62 insertions(+), 1 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e1b949d..adbe9cb 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -193,7 +193,29 @@
> #define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
> #define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
>
> -#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_FSGID_TO_OBJ_GID
> +#define AUDIT_COMPARE_UID_TO_AUID 10
> +#define AUDIT_COMPARE_UID_TO_EUID 11
> +#define AUDIT_COMPARE_UID_TO_FSUID 12
> +#define AUDIT_COMPARE_UID_TO_SUID 13
> +
> +#define AUDIT_COMPARE_AUID_TO_FSUID 14
> +#define AUDIT_COMPARE_AUID_TO_SUID 15
> +#define AUDIT_COMPARE_AUID_TO_EUID 16
> +
> +#define AUDIT_COMPARE_EUID_TO_SUID 17
> +#define AUDIT_COMPARE_EUID_TO_FSUID 18
> +
> +#define AUDIT_COMPARE_SUID_TO_FSUID 19
> +
> +#define AUDIT_COMPARE_GID_TO_EGID 20
> +#define AUDIT_COMPARE_GID_TO_FSGID 21
> +#define AUDIT_COMPARE_GID_TO_SGID 22
> +
> +#define AUDIT_COMPARE_EGID_TO_FSGID 23
> +#define AUDIT_COMPARE_EGID_TO_SGID 24
> +#define AUDIT_COMPARE_SGID_TO_FSGID 25
> +
> +#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
>
> /* Rule fields */
> /* These are useful when checking the
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 913a39b..a00894c 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -545,6 +545,45 @@ static int audit_field_compare(struct task_struct *tsk,
> return audit_compare_id(cred->fsgid,
> name, offsetof(struct audit_names, gid),
> f, ctx);
> + /* uid comparisons */
> + case AUDIT_COMPARE_UID_TO_AUID:
> + return audit_comparator(cred->uid, f->op, tsk->loginuid);
> + case AUDIT_COMPARE_UID_TO_EUID:
> + return audit_comparator(cred->uid, f->op, cred->euid);
> + case AUDIT_COMPARE_UID_TO_SUID:
> + return audit_comparator(cred->uid, f->op, cred->suid);
> + case AUDIT_COMPARE_UID_TO_FSUID:
> + return audit_comparator(cred->uid, f->op, cred->fsuid);
> + /* auid comparisons */
> + case AUDIT_COMPARE_AUID_TO_EUID:
> + return audit_comparator(tsk->loginuid, f->op, cred->euid);
> + case AUDIT_COMPARE_AUID_TO_SUID:
> + return audit_comparator(tsk->loginuid, f->op, cred->suid);
> + case AUDIT_COMPARE_AUID_TO_FSUID:
> + return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
> + /* euid comparisons */
> + case AUDIT_COMPARE_EUID_TO_SUID:
> + return audit_comparator(cred->euid, f->op, cred->suid);
> + case AUDIT_COMPARE_EUID_TO_FSUID:
> + return audit_comparator(cred->euid, f->op, cred->fsuid);
> + /* suid comparisons */
> + case AUDIT_COMPARE_SUID_TO_FSUID:
> + return audit_comparator(cred->suid, f->op, cred->fsuid);
> + /* gid comparisons */
> + case AUDIT_COMPARE_GID_TO_EGID:
> + return audit_comparator(cred->gid, f->op, cred->egid);
> + case AUDIT_COMPARE_GID_TO_SGID:
> + return audit_comparator(cred->gid, f->op, cred->sgid);
> + case AUDIT_COMPARE_GID_TO_FSGID:
> + return audit_comparator(cred->gid, f->op, cred->fsgid);
> + /* egid comparisons */
> + case AUDIT_COMPARE_EGID_TO_SGID:
> + return audit_comparator(cred->egid, f->op, cred->sgid);
> + case AUDIT_COMPARE_EGID_TO_FSGID:
> + return audit_comparator(cred->egid, f->op, cred->fsgid);
> + /* sgid comparison */
> + case AUDIT_COMPARE_SGID_TO_FSGID:
> + return audit_comparator(cred->sgid, f->op, cred->fsgid);
> default:
> WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
> return 0;
* Re: [PATCH 5/5] audit: comparison on interprocess fields
From: Peter Moody @ 2012-01-04 21:12 UTC (permalink / raw)
To: Eric Paris; +Cc: linux-audit
On Wed, Jan 4, 2012 at 12:55 PM, Eric Paris <eparis@redhat.com> wrote:
> On Wed, 2012-01-04 at 15:47 -0500, Eric Paris wrote:
> > This allows audit to specify rules in which we compare two fields of a
> > process. Such as is the running process uid != to the running process
> > euid?
> >
> > Signed-off-by: Peter Moody <pmoody@google.com>
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> > ---
>
> I broke this into a separate patch and didn't try to use the 'helper'
> function. Using the helper would be wrong since the comparison was not
> supposed to involve fs objects. Thus things which were passing it a
> task_struct and offset as the second pointer were walking the
> audit_names list dereferencing some random distance (distance of
> loginuid inside a task_struct) from the found name and using that memory
> location as a uid. Opps.
>
Whoops.
thanks for this Eric.
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038