1:04 p.m.
Not sure if this is the right way to go about this, but I've got a couple
of patches I'd like to be considered for inclusion.
This builds off of Eric's patches from November. Specifically the following
patches:
[01/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00019.html)
[02/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00020.html)
[16/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00034.html)
[17/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00035.html)
[18/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00036.html)
[19/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00037.html)
[20/26] (
http://www.redhat.com/archives/linux-audit/2011-November/msg00038.html)
Signed-off-by: Peter Moody <pmoody(a)google.com>
---
include/linux/audit.h | 4 +++-
kernel/auditsc.c | 18 ++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4c5437f..cce8f35 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,8 +182,10 @@
/* AUDIT_FIELD_COMPARE rule list */
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
+#define AUDIT_COMPARE_UID_TO_EUID 3
+#define AUDIT_COMPARE_GID_TO_EGID 4
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_EGID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2be8bf3..08c8736 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -514,6 +514,24 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_id(cred, offsetof(struct cred, gid),
name, offsetof(struct audit_names, gid),
f, ctx);
+ case AUDIT_COMPARE_UID_TO_EUID:
+ if(name)
+ return audit_comparator(cred->euid, f->op, cred->uid);
+ else if(ctx) {
+ struct audit_names *n;
+ list_for_each_entry(n, &ctx->names_list, list)
+ return audit_comparator(cred->euid, f->op, cred->uid);
+ }
+ break;
+ case AUDIT_COMPARE_GID_TO_EGID:
+ if(name)
+ return audit_comparator(cred->egid, f->op, cred->gid);
+ else if(ctx) {
+ struct audit_names *n;
+ list_for_each_entry(n, &ctx->names_list, list)
+ return audit_comparator(cred->egid, f->op, cred->gid);
+ }
+ break;
default:
return 0;
}
--
1.7.3.1
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
8:27 a.m.
On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
Not sure if this is the right way to go about this, but I've got
a couple
of patches I'd like to be considered for inclusion.
I think we really want all permutations covered so we don't revisit this every
month or two.
-Steve
10:35 a.m.
On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> Not sure if this is the right way to go about this, but I've got a couple
> of patches I'd like to be considered for inclusion.
I think we really want all permutations covered so we don't revisit this
every
month or two.
Ok. Do you want me to include subj_user/obj_user, subj_role/obj_role,
subj_type/obj_type as well or just the uid/fsuid, gid/fsgid, uid/suid,
gid/sgid?
Cheers,
peter
-Steve
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
11:48 a.m.
On Monday, December 12, 2011 11:35:25 AM Peter Moody wrote:
On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb
<sgrubb(a)redhat.com> wrote:
> On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> > Not sure if this is the right way to go about this, but I've got a
> > couple of patches I'd like to be considered for inclusion.
>
> I think we really want all permutations covered so we don't revisit this
> every
> month or two.
Ok. Do you want me to include subj_user/obj_user, subj_role/obj_role,
subj_type/obj_type as well
No, the MAC subsystems should be able to log that themselves.
or just the uid/fsuid, gid/fsgid, uid/suid, gid/sgid?
Closer. All permutations of uid and gid being able to compare against either
object or process credentials. Like auid!=ouid or auid!=uid.
Thanks,
-Steve
6:17 p.m.
On Mon, Dec 12, 2011 at 9:48 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
Closer. All permutations of uid and gid being able to compare against
either
object or process credentials. Like auid!=ouid or auid!=uid.
Ok, I think I got them all.
This is the kernel change to allow comparison between the various uids
(uid, euid, suid, fsuid, loginuid, obj_uid) and the various gids (gid,
egid, sgid, fsgid). One other possible catch is that loginuid and auid
seem to already be used interchangeably. I've referred to as auid
where I could just because it's shorter. I hope that isn't too
confusing.
I've got a little more work to do on the user-land component, and I
haven't been able to get the LIST_RULES to list the first field of the
interfield comparisons. I'll keep poking at that, but I suspect it
requires deeper auditd knowledge than I can muster (at least for now).
This still requires the same patches from Eric that I mentioned in my
first email
Cheers,
peter
Signed-off-by: Peter Moody <pmoody(a)google.com>
---
include/linux/audit.h | 37 ++++++++++++++--
kernel/auditsc.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 140 insertions(+), 11 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4c5437f..72f00d2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -180,10 +180,39 @@
#define AUDIT_UNUSED_BITS 0x07FFFC00
/* AUDIT_FIELD_COMPARE rule list */
-#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
-#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
-
-#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID
+#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
+#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
+#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
+#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
+#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
+#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
+#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
+#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
+#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
+
+#define AUDIT_COMPARE_UID_TO_AUID 10
+#define AUDIT_COMPARE_UID_TO_EUID 11
+#define AUDIT_COMPARE_UID_TO_FSUID 12
+#define AUDIT_COMPARE_UID_TO_SUID 13
+
+#define AUDIT_COMPARE_AUID_TO_FSUID 14
+#define AUDIT_COMPARE_AUID_TO_SUID 15
+#define AUDIT_COMPARE_AUID_TO_EUID 16
+
+#define AUDIT_COMPARE_EUID_TO_SUID 17
+#define AUDIT_COMPARE_EUID_TO_FSUID 18
+
+#define AUDIT_COMPARE_SUID_TO_FSUID 19
+
+#define AUDIT_COMPARE_GID_TO_EGID 20
+#define AUDIT_COMPARE_GID_TO_FSGID 21
+#define AUDIT_COMPARE_GID_TO_SGID 22
+
+#define AUDIT_COMPARE_EGID_TO_FSGID 23
+#define AUDIT_COMPARE_EGID_TO_SGID 24
+#define AUDIT_COMPARE_SGID_TO_FSGID 25
+
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2be8bf3..a1ead88 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -458,9 +458,9 @@ static int match_tree_refs(struct audit_context
*ctx, struct audit_tree *tree)
return 0;
}
-static int audit_compare_id(const struct cred *cred,
+static int audit_compare_id(const void *cred,
unsigned long cred_offset,
- struct audit_names *name,
+ void *name,
unsigned long name_offset,
struct audit_field *f,
struct audit_context *ctx)
@@ -506,14 +506,114 @@ static int audit_field_compare(struct task_struct *tsk,
switch (f->val) {
+ /* obj_uid/obj_gid comparisons */
case AUDIT_COMPARE_UID_TO_OBJ_UID:
- return audit_compare_id(cred, offsetof(struct cred, uid),
- name, offsetof(struct audit_names, uid),
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)name, offsetof(struct audit_names, uid),
f, ctx);
case AUDIT_COMPARE_GID_TO_OBJ_GID:
- return audit_compare_id(cred, offsetof(struct cred, gid),
- name, offsetof(struct audit_names, gid),
- f, ctx);
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_EUID_TO_OBJ_UID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, euid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_EGID_TO_OBJ_GID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, egid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_OBJ_UID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_SUID_TO_OBJ_UID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, suid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_SGID_TO_OBJ_GID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, sgid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, fsuid),
+ (void*)name, offsetof(struct audit_names, uid),
+ f, ctx);
+ case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, fsgid),
+ (void*)name, offsetof(struct audit_names, gid),
+ f, ctx);
+ /* uid comparisons */
+ case AUDIT_COMPARE_UID_TO_AUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)tsk, offsetof(struct task_struct, loginuid),
+ f, ctx);
+ case AUDIT_COMPARE_UID_TO_EUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)cred, offsetof(struct cred, euid),
+ f, ctx);
+ case AUDIT_COMPARE_UID_TO_FSUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ case AUDIT_COMPARE_UID_TO_SUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, uid),
+ (void*)cred, offsetof(struct cred, suid),
+ f, ctx);
+ /* auid comparisons */
+ case AUDIT_COMPARE_AUID_TO_FSUID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_SUID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)cred, offsetof(struct cred, suid),
+ f, ctx);
+ case AUDIT_COMPARE_AUID_TO_EUID:
+ return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid),
+ (void*)cred, offsetof(struct cred, euid),
+ f, ctx);
+ /* euid comparisons */
+ case AUDIT_COMPARE_EUID_TO_SUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, euid),
+ (void*)cred, offsetof(struct cred, suid),
+ f, ctx);
+ case AUDIT_COMPARE_EUID_TO_FSUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, euid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ /* suid comparisons */
+ case AUDIT_COMPARE_SUID_TO_FSUID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, suid),
+ (void*)cred, offsetof(struct cred, fsuid),
+ f, ctx);
+ /* gd comparisons */
+ case AUDIT_COMPARE_GID_TO_EGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)cred, offsetof(struct cred, egid),
+ f, ctx);
+ case AUDIT_COMPARE_GID_TO_FSGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)cred, offsetof(struct cred, fsgid),
+ f, ctx);
+ case AUDIT_COMPARE_GID_TO_SGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, gid),
+ (void*)cred, offsetof(struct cred, sgid),
+ f, ctx);
+ /* egid comparisons */
+ case AUDIT_COMPARE_EGID_TO_FSGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, egid),
+ (void*)cred, offsetof(struct cred, fsgid),
+ f, ctx);
+ case AUDIT_COMPARE_EGID_TO_SGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, egid),
+ (void*)cred, offsetof(struct cred, sgid),
+ f, ctx);
+ /* sgid comparison */
+ case AUDIT_COMPARE_SGID_TO_FSGID:
+ return audit_compare_id((void*)cred, offsetof(struct cred, sgid),
+ (void*)cred, offsetof(struct cred, fsgid),
+ f, ctx);
default:
return 0;
}
--
1.7.3.1
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
10:32 a.m.
On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > Closer. All permutations of uid and gid being able to compare against
> > either object or process credentials. Like auid!=ouid or auid!=uid.
>
> Ok, I think I got them all.
Thanks. Eric, any comments?
Is there anything else that I can do to help the case for this patch (and
did you want the updated version that allowed auditctl -l to work with the
interfield comparisons? the only change to kernel land was to put these in
range of the other audit fields)
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
3:51 p.m.
On Thursday, December 22, 2011 11:32:11 AM Peter Moody wrote:
On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb
<sgrubb(a)redhat.com> wrote:
> On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > > Closer. All permutations of uid and gid being able to compare against
> > > either object or process credentials. Like auid!=ouid or auid!=uid.
> >
> > Ok, I think I got them all.
>
> Thanks. Eric, any comments?
Is there anything else that I can do to help the case for this patch (and
did you want the updated version that allowed auditctl -l to work with the
interfield comparisons?
Not really, I think its just a bad time of the year to get quick results. :)
the only change to kernel land was to put these in range of the other
audit
fields)
I'll be doing some more testing on this in January. Consider the patch more or
less accepted. We want that functionality.
-Steve
4746
days inactive
4759
days old
linux-audit@lists.linux-audit.osci.io
7 comments
2 participants
participants (2)
-
Peter Moody -
Steve Grubb