* [PATCH] Inter-field comparisons between uid/euid and gid/egid
@ 2011-12-11 19:04 Peter Moody
2011-12-12 14:27 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Peter Moody @ 2011-12-11 19:04 UTC (permalink / raw)
To: linux-audit
Not sure if this is the right way to go about this, but I've got a couple
of patches I'd like to be considered for inclusion.
This builds off of Eric's patches from November. Specifically the following
patches:
[01/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00019.html)
[02/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00020.html)
[16/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00034.html)
[17/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00035.html)
[18/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00036.html)
[19/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00037.html)
[20/26] (http://www.redhat.com/archives/linux-audit/2011-November/msg00038.html)
Signed-off-by: Peter Moody <pmoody@google.com>
---
include/linux/audit.h | 4 +++-
kernel/auditsc.c | 18 ++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4c5437f..cce8f35 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,8 +182,10 @@
/* AUDIT_FIELD_COMPARE rule list */
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
+#define AUDIT_COMPARE_UID_TO_EUID 3
+#define AUDIT_COMPARE_GID_TO_EGID 4
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_EGID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
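Review bot: AUDIT_MAX_FIELD_COMPARE is bumped correctly, but note that these AUDIT_COMPARE_* numbers live in include/linux/audit.h, which userspace (auditctl) consumes when it encodes an AUDIT_FIELD_COMPARE rule, so once a value ships it cannot be reassigned; since more permutations (suid, fsuid, auid) are already anticipated, settle the full numbering before any of these land, and add a one-line comment above the list saying the values are ABI so the next contributor does not renumber them.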
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2be8bf3..08c8736 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -514,6 +514,24 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_id(cred, offsetof(struct cred, gid),
name, offsetof(struct audit_names, gid),
f, ctx);
+ case AUDIT_COMPARE_UID_TO_EUID:
+ if(name)
+ return audit_comparator(cred->euid, f->op, cred->uid);
+ else if(ctx) {
+ struct audit_names *n;
+ list_for_each_entry(n, &ctx->names_list, list)
+ return audit_comparator(cred->euid, f->op, cred->uid);
+ }
+ break;
+ case AUDIT_COMPARE_GID_TO_EGID:
+ if(name)
+ return audit_comparator(cred->egid, f->op, cred->gid);
+ else if(ctx) {
+ struct audit_names *n;
+ list_for_each_entry(n, &ctx->names_list, list)
+ return audit_comparator(cred->egid, f->op, cred->gid);
+ }
+ break;
default:
return 0;
}
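Review bot: the two new cases are mostly dead code. In both AUDIT_COMPARE_UID_TO_EUID and AUDIT_COMPARE_GID_TO_EGID the comparison reads only two fields of `cred`, so the `if(name)` branch and the `else if(ctx)` branch do the same thing, the `list_for_each_entry(n, &ctx->names_list, list)` loop returns on its first iteration without ever reading `n`, and when neither `name` nor `ctx` is set the case falls through to `break` and never matches. A process-to-process comparison does not depend on an object at all, so each case should collapse to a single `return audit_comparator(cred->uid, f->op, cred->euid);`. Operand order also matters: the id is named UID_TO_EUID but the call is `audit_comparator(cred->euid, f->op, cred->uid)`, which inverts `<` and `>`; keep the first-named field on the left. Style: `if (name)` with a space, per CodingStyle.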
--
1.7.3.1
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-11 19:04 [PATCH] Inter-field comparisons between uid/euid and gid/egid Peter Moody
@ 2011-12-12 14:27 ` Steve Grubb
2011-12-12 16:35 ` Peter Moody
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2011-12-12 14:27 UTC (permalink / raw)
To: linux-audit
On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> Not sure if this is the right way to go about this, but I've got a couple
> of patches I'd like to be considered for inclusion.
I think we really want all permutations covered so we don't revisit this every
month or two.
-Steve
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-12 14:27 ` Steve Grubb
@ 2011-12-12 16:35 ` Peter Moody
2011-12-12 17:48 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Peter Moody @ 2011-12-12 16:35 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> > Not sure if this is the right way to go about this, but I've got a couple
> > of patches I'd like to be considered for inclusion.
>
> I think we really want all permutations covered so we don't revisit this
> every
> month or two.
>
Ok. Do you want me to include subj_user/obj_user, subj_role/obj_role,
subj_type/obj_type as well or just the uid/fsuid, gid/fsgid, uid/suid,
gid/sgid?
Cheers,
peter
> -Steve
>
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-12 16:35 ` Peter Moody
@ 2011-12-12 17:48 ` Steve Grubb
2011-12-14 0:17 ` Peter Moody
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2011-12-12 17:48 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit
On Monday, December 12, 2011 11:35:25 AM Peter Moody wrote:
> On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> > > Not sure if this is the right way to go about this, but I've got a
> > > couple of patches I'd like to be considered for inclusion.
> >
> > I think we really want all permutations covered so we don't revisit this
> > every
> > month or two.
>
> Ok. Do you want me to include subj_user/obj_user, subj_role/obj_role,
> subj_type/obj_type as well
No, the MAC subsystems should be able to log that themselves.
> or just the uid/fsuid, gid/fsgid, uid/suid, gid/sgid?
Closer. All permutations of uid and gid being able to compare against either
object or process credentials. Like auid!=ouid or auid!=uid.
Thanks,
-Steve
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-12 17:48 ` Steve Grubb
@ 2011-12-14 0:17 ` Peter Moody
2011-12-14 20:32 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Peter Moody @ 2011-12-14 0:17 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Mon, Dec 12, 2011 at 9:48 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> Closer. All permutations of uid and gid being able to compare against either
> object or process credentials. Like auid!=ouid or auid!=uid.
Ok, I think I got them all.
This is the kernel change to allow comparison between the various uids
(uid, euid, suid, fsuid, loginuid, obj_uid) and the various gids (gid,
egid, sgid, fsgid). One other possible catch is that loginuid and auid
seem to already be used interchangeably. I've referred to it as auid
where I could just because it's shorter. I hope that isn't too
confusing.
I've got a little more work to do on the user-land component, and I
haven't been able to get the LIST_RULES to list the first field of the
interfield comparisons. I'll keep poking at that, but I suspect it
requires deeper auditd knowledge than I can muster (at least for now).
This still requires the same patches from Eric that I mentioned in my
first email.
Cheers,
peter
Signed-off-by: Peter Moody <pmoody@google.com>
---
include/linux/audit.h | 37 ++++++++++++++--
kernel/auditsc.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 140 insertions(+), 11 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4c5437f..72f00d2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -180,10 +180,39 @@
#define AUDIT_UNUSED_BITS 0x07FFFC00
/* AUDIT_FIELD_COMPARE rule list */
-#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
-#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
-
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
+#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
+#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
+#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
+#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
+#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
+#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
+#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
+#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
+#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
+
+#define AUDIT_COMPARE_UID_TO_AUID 10
+#define AUDIT_COMPARE_UID_TO_EUID 11
+#define AUDIT_COMPARE_UID_TO_FSUID 12
+#define AUDIT_COMPARE_UID_TO_SUID 13
+
+#define AUDIT_COMPARE_AUID_TO_FSUID 14
+#define AUDIT_COMPARE_AUID_TO_SUID 15
+#define AUDIT_COMPARE_AUID_TO_EUID 16
+
+#define AUDIT_COMPARE_EUID_TO_SUID 17
+#define AUDIT_COMPARE_EUID_TO_FSUID 18
+
+#define AUDIT_COMPARE_SUID_TO_FSUID 19
+
+#define AUDIT_COMPARE_GID_TO_EGID 20
+#define AUDIT_COMPARE_GID_TO_FSGID 21
+#define AUDIT_COMPARE_GID_TO_SGID 22
+
+#define AUDIT_COMPARE_EGID_TO_FSGID 23
+#define AUDIT_COMPARE_EGID_TO_SGID 24
+#define AUDIT_COMPARE_SGID_TO_FSGID 25
+
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
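Review bot: the two existing defines, AUDIT_COMPARE_UID_TO_OBJ_UID and AUDIT_COMPARE_GID_TO_OBJ_GID, are removed and re-added only to change their whitespace, which adds churn to the hunk and obscures that their values are unchanged; leave those lines alone and add the new ones beneath. The values 3 and 4 that the previous revision gave UID_TO_EUID and GID_TO_EGID now become 11 and 20, which is fine while nothing has merged, but since auditctl will encode these numbers into rules the commit message should say they are userspace-visible and a comment above the list should mark them as fixed once released.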
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2be8bf3..a1ead88 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -458,9 +458,9 @@ static int match_tree_refs(struct audit_context
*ctx, struct audit_tree *tree)
return 0;
}
-static int audit_compare_id(const struct cred *cred,
+static int audit_compare_id(const void *cred,
unsigned long cred_offset,
- struct audit_names *name,
+ void *name,
unsigned long name_offset,
struct audit_field *f,
struct audit_context *ctx)
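Review bot: widening audit_compare_id() from `const struct cred *` / `struct audit_names *` to `const void *` / `void *` removes the type checking that made the offsetof arguments safe; with the new call sites passing `tsk` as `cred` and `cred` or `tsk` as `name`, a mismatched pair (an `offsetof(struct cred, ...)` applied to `tsk`, say) compiles silently and reads the wrong word. The function body is outside this hunk, so please confirm what it does with `ctx` when `name` is a cred or task_struct rather than an audit_names: if it still walks `ctx->names_list` applying `name_offset` to each entry, the process-to-process cases will read a cred offset out of audit_names. A separate typed helper for cred/task comparisons, or a small table of {base, offset} pairs, keeps the names-list walk confined to the obj_uid/obj_gid cases and keeps the prototype typed.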
@@ -506,14 +506,114 @@ static int audit_field_compare(struct task_struct *tsk,
switch (f->val) {
+ /* obj_uid/obj_gid comparisons */
case AUDIT_COMPARE_UID_TO_OBJ_UID:
- return audit_compare_id(cred, offsetof(struct cred, uid),
- name, offsetof(struct audit_names, uid),
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)name, offsetof(struct audit_names, uid),
f, ctx);
case AUDIT_COMPARE_GID_TO_OBJ_GID:
- return audit_compare_id(cred, offsetof(struct cred, gid),
- name, offsetof(struct audit_names, gid),
- f, ctx);
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_EUID_TO_OBJ_UID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, euid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_EGID_TO_OBJ_GID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, egid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_OBJ_UID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_SUID_TO_OBJ_UID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, suid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_SGID_TO_OBJ_GID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, sgid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, fsuid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, fsgid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ /* uid comparisons */
+ case AUDIT_COMPARE_UID_TO_AUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)tsk, offsetof(struct task_struct, loginuid),
+ f, ctx);
+ case AUDIT_COMPARE_UID_TO_EUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)cred, offsetof(struct cred, euid),
+ f, ctx);
+ case AUDIT_COMPARE_UID_TO_FSUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ case AUDIT_COMPARE_UID_TO_SUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)cred, offsetof(struct cred, suid),
+ f, ctx);
+ /* auid comparisons */
+ case AUDIT_COMPARE_AUID_TO_FSUID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_SUID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)cred, offsetof(struct cred, suid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_EUID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)cred, offsetof(struct cred, euid),
+ f, ctx);
+ /* euid comparisons */
+ case AUDIT_COMPARE_EUID_TO_SUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, euid),
+ (void*)cred, offsetof(struct cred, suid),
+ f, ctx);
+ case AUDIT_COMPARE_EUID_TO_FSUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, euid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ /* suid comparisons */
+ case AUDIT_COMPARE_SUID_TO_FSUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, suid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ /* gd comparisons */
+ case AUDIT_COMPARE_GID_TO_EGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)cred, offsetof(struct cred, egid),
+ f, ctx);
+ case AUDIT_COMPARE_GID_TO_FSGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)cred, offsetof(struct cred, fsgid),
+ f, ctx);
+ case AUDIT_COMPARE_GID_TO_SGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)cred, offsetof(struct cred, sgid),
+ f, ctx);
+ /* egid comparisons */
+ case AUDIT_COMPARE_EGID_TO_FSGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, egid),
+ (void*)cred, offsetof(struct cred, fsgid),
+ f, ctx);
+ case AUDIT_COMPARE_EGID_TO_SGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, egid),
+ (void*)cred, offsetof(struct cred, sgid),
+ f, ctx);
+ /* sgid comparison */
+ case AUDIT_COMPARE_SGID_TO_FSGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, sgid),
+ (void*)cred, offsetof(struct cred, fsgid),
+ f, ctx);
default:
return 0;
}
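Review bot: the `(void*)` casts on every call are unnecessary, since any object pointer converts to `void *` implicitly, and if `cred` is const-qualified as the old `const struct cred *cred` prototype suggests, `(void*)cred` passed as the non-const `name` parameter casts the const away, which is exactly the kind of mistake the compiler should be allowed to catch; drop the casts and fix the parameter constness instead. Typo in the comment before the gid block: `/* gd comparisons */` should read `gid`. With 25 near-identical cases, a lookup table indexed by `f->val` holding the two {base, offset} pairs would reduce this to one comparison call and make it much harder to pair an offset with the wrong base pointer.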
--
1.7.3.1
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
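The comparison Steve asked for above ("auid!=ouid or auid!=uid") and the switch in the patch both boil down to one routine: pick two ids from the subject's credentials, the task, or the object being accessed, and apply the rule's operator. The following is an added example, not code from the patch or from the kernel: a user-space model of that routine, written table-driven so each AUDIT_COMPARE_* value names its two operands once, and extended past the patch in one respect, in that an object rule is evaluated against every name recorded for the syscall. The struct layouts, the Audit_* operator enum, the source/offset table, the helper names and the scenario data are all assumptions constructed for the example; only the AUDIT_COMPARE_* numbers are taken from the patch.

```c
/* Added example, not the kernel code from this thread: a user-space model of
 * audit's inter-field comparison, table-driven so each AUDIT_COMPARE_* value
 * names its two operands once rather than in a copy-pasted switch case. The
 * structs, enum values and helpers are trimmed assumptions; only the
 * AUDIT_COMPARE_* numbers are the patch's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t audit_id;              /* uid_t and gid_t share this width */
struct cred { audit_id uid, gid, suid, sgid, euid, egid, fsuid, fsgid; };
struct task { audit_id loginuid; const struct cred *cred; };
struct audit_names { audit_id uid, gid; const struct audit_names *next; };
struct audit_context { const struct audit_names *names_list; };
enum audit_op { Audit_equal, Audit_not_equal, Audit_lt, Audit_gt };

enum {                                  /* subset of the patch's numbering */
	AUDIT_COMPARE_UID_TO_OBJ_UID = 1, AUDIT_COMPARE_AUID_TO_OBJ_UID = 5,
	AUDIT_COMPARE_UID_TO_AUID = 10,   AUDIT_COMPARE_UID_TO_EUID = 11,
	AUDIT_COMPARE_AUID_TO_EUID = 16,  AUDIT_COMPARE_GID_TO_EGID = 20,
	AUDIT_MAX_FIELD_COMPARE = 25,
};
/* Where an operand lives and at what byte offset inside that struct. */
enum src { SRC_NONE, SRC_CRED, SRC_TASK, SRC_OBJ };
struct operand { enum src src; size_t off; };
struct compare_rule { struct operand l, r; };
#define CRED(f) { SRC_CRED, offsetof(struct cred, f) }
#define TASK(f) { SRC_TASK, offsetof(struct task, f) }
#define OBJ(f)  { SRC_OBJ,  offsetof(struct audit_names, f) }

/* Left operand is the rule's first-named field, so < and > read as written. */
static const struct compare_rule rules[AUDIT_MAX_FIELD_COMPARE + 1] = {
	[AUDIT_COMPARE_UID_TO_OBJ_UID]  = { CRED(uid),      OBJ(uid) },
	[AUDIT_COMPARE_AUID_TO_OBJ_UID] = { TASK(loginuid), OBJ(uid) },
	[AUDIT_COMPARE_UID_TO_AUID]     = { CRED(uid),      TASK(loginuid) },
	[AUDIT_COMPARE_UID_TO_EUID]     = { CRED(uid),      CRED(euid) },
	[AUDIT_COMPARE_AUID_TO_EUID]    = { TASK(loginuid), CRED(euid) },
	[AUDIT_COMPARE_GID_TO_EGID]     = { CRED(gid),      CRED(egid) },
};

static int audit_comparator(audit_id l, enum audit_op op, audit_id r)
{
	switch (op) {
	case Audit_equal:     return l == r;
	case Audit_not_equal: return l != r;
	case Audit_lt:        return l < r;
	case Audit_gt:        return l > r;
	}
	return 0;
}

/* Typed stand-in for the patch's void pointer plus offsetof pairs. */
static audit_id fetch(const struct operand *o, const struct task *tsk,
		      const struct audit_names *n)
{
	const void *base = o->src == SRC_CRED ? (const void *)tsk->cred
			 : o->src == SRC_TASK ? (const void *)tsk : (const void *)n;
	audit_id v;
	memcpy(&v, (const char *)base + o->off, sizeof v);
	return v;
}

/* 1 if the rule holds for this task. An object rule holds when any name
 * recorded in ctx satisfies it; unknown ids and no matching name give 0. */
static int audit_field_compare(const struct task *tsk,
			       const struct audit_context *ctx, int val, enum audit_op op)
{
	const struct compare_rule *r;
	if (val < 1 || val > AUDIT_MAX_FIELD_COMPARE ||
	    rules[val].l.src == SRC_NONE)
		return 0;
	r = &rules[val];
	if (r->l.src != SRC_OBJ && r->r.src != SRC_OBJ)     /* process-only */
		return audit_comparator(fetch(&r->l, tsk, NULL), op,
					fetch(&r->r, tsk, NULL));
	for (const struct audit_names *n = ctx ? ctx->names_list : NULL;
	     n; n = n->next)
		if (audit_comparator(fetch(&r->l, tsk, n), op,
				     fetch(&r->r, tsk, n)))
			return 1;
	return 0;
}

/* Constructed scenario: a uid 1000 login that ran a setuid-root binary and is
 * now touching a root-owned file (uid 0) and one of its own (uid 1000). */
static int scenario(int val, enum audit_op op)
{
	static const struct cred c = { .uid = 1000, .gid = 1000, .suid = 0,
		.sgid = 1000, .euid = 0, .egid = 1000, .fsuid = 0, .fsgid = 1000 };
	static const struct task t = { 1000, &c };
	static const struct audit_names own = { 1000, 1000, NULL };
	static const struct audit_names root_file = { 0, 0, &own };
	const struct audit_context ctx = { &root_file };
	return audit_field_compare(&t, &ctx, val, op);
}

int main(void)
{
	return printf("uid!=euid fires: %d\n", scenario(AUDIT_COMPARE_UID_TO_EUID, Audit_not_equal)) < 0;
}
```

In this scenario `uid!=euid`, `auid!=euid` and `uid!=obj_uid` all fire (the setuid exec and the root-owned file), while `gid!=egid` does not, and because the table keeps the first-named field on the left, `uid>euid` fires but `uid<euid` does not. An id with no table entry, or one past AUDIT_MAX_FIELD_COMPARE, never matches rather than reading an arbitrary offset.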
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-14 0:17 ` Peter Moody
@ 2011-12-14 20:32 ` Steve Grubb
2011-12-22 16:32 ` Peter Moody
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2011-12-14 20:32 UTC (permalink / raw)
To: Peter Moody, Eric Paris; +Cc: linux-audit
On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > Closer. All permutations of uid and gid being able to compare against
> > either object or process credentials. Like auid!=ouid or auid!=uid.
>
> Ok, I think I got them all.
Thanks. Eric, any comments?
-Steve
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-14 20:32 ` Steve Grubb
@ 2011-12-22 16:32 ` Peter Moody
2011-12-24 21:51 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Peter Moody @ 2011-12-22 16:32 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > > Closer. All permutations of uid and gid being able to compare against
> > > either object or process credentials. Like auid!=ouid or auid!=uid.
> >
> > Ok, I think I got them all.
>
> Thanks. Eric, any comments?
>
Is there anything else that I can do to help the case for this patch (and
did you want the updated version that allowed auditctl -l to work with the
interfield comparisons? the only change to kernel land was to put these in
range of the other audit fields)
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
2011-12-22 16:32 ` Peter Moody
@ 2011-12-24 21:51 ` Steve Grubb
0 siblings, 0 replies; 8+ messages in thread
From: Steve Grubb @ 2011-12-24 21:51 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit
On Thursday, December 22, 2011 11:32:11 AM Peter Moody wrote:
> On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > > > Closer. All permutations of uid and gid being able to compare against
> > > > either object or process credentials. Like auid!=ouid or auid!=uid.
> > >
> > > Ok, I think I got them all.
> >
> > Thanks. Eric, any comments?
>
> Is there anything else that I can do to help the case for this patch (and
> did you want the updated version that allowed auditctl -l to work with the
> interfield comparisons?
Not really, I think it's just a bad time of the year to get quick results. :)
> the only change to kernel land was to put these in range of the other audit
> fields)
I'll be doing some more testing on this in January. Consider the patch more or
less accepted. We want that functionality.
-Steve