[PATCH] Filter rule comparators

Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.

This patch reworks the support for "=" and "!=", and adds support
for ">", ">=", "<", and "<=".

This turned out to be a pretty clean, and simply process.  I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.

The patch adds a new function, audit_comparator(left, op, right).
This function will perform the specified comparison (op, which defaults
to "==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was.  This
value is returned.

Signed-off-by: Dustin Kirkland <dustin.kirkland@us.ibm.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This commit is contained in:
Dustin Kirkland 2005-11-03 15:41:46 +00:00 committed by Al Viro
parent b0dd25a826
commit b63862f465
2 changed files with 102 additions and 42 deletions

View File

@ -98,6 +98,13 @@
#define AUDIT_WORD(nr) ((__u32)((nr)/32)) #define AUDIT_WORD(nr) ((__u32)((nr)/32))
#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
/* This bitmask is used to validate user input. It represents all bits that
* are currently used in an audit field constant understood by the kernel.
* If you are adding a new #define AUDIT_<whatever>, please ensure that
* AUDIT_UNUSED_BITS is updated if need be. */
#define AUDIT_UNUSED_BITS 0x0FFFFC00
/* Rule fields */ /* Rule fields */
/* These are useful when checking the /* These are useful when checking the
* task structure at task creation time * task structure at task creation time
@ -128,8 +135,28 @@
#define AUDIT_ARG2 (AUDIT_ARG0+2) #define AUDIT_ARG2 (AUDIT_ARG0+2)
#define AUDIT_ARG3 (AUDIT_ARG0+3) #define AUDIT_ARG3 (AUDIT_ARG0+3)
#define AUDIT_NEGATE 0x80000000 #define AUDIT_NEGATE 0x80000000
/* These are the supported operators.
* 4 2 1
* = > <
* -------
* 0 0 0 0 nonsense
* 0 0 1 1 <
* 0 1 0 2 >
* 0 1 1 3 !=
* 1 0 0 4 =
* 1 0 1 5 <=
* 1 1 0 6 >=
* 1 1 1 7 all operators
*/
#define AUDIT_LESS_THAN 0x10000000
#define AUDIT_GREATER_THAN 0x20000000
#define AUDIT_NOT_EQUAL 0x30000000
#define AUDIT_EQUAL 0x40000000
#define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL)
#define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL)
#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL)
/* Status symbols */ /* Status symbols */
/* Mask values */ /* Mask values */

View File

@ -2,6 +2,7 @@
* Handles all system-call specific auditing features. * Handles all system-call specific auditing features.
* *
* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
* Copyright (C) 2005 IBM Corporation
* All Rights Reserved. * All Rights Reserved.
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
@ -27,6 +28,9 @@
* this file -- see entry.S) is based on a GPL'd patch written by * this file -- see entry.S) is based on a GPL'd patch written by
* okir@suse.de and Copyright 2003 SuSE Linux AG. * okir@suse.de and Copyright 2003 SuSE Linux AG.
* *
* The support of additional filter rules compares (>, <, >=, <=) was
* added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
*
*/ */
#include <linux/init.h> #include <linux/init.h>
@ -252,6 +256,7 @@ static inline int audit_add_rule(struct audit_rule *rule,
struct list_head *list) struct list_head *list)
{ {
struct audit_entry *entry; struct audit_entry *entry;
int i;
/* Do not use the _rcu iterator here, since this is the only /* Do not use the _rcu iterator here, since this is the only
* addition routine. */ * addition routine. */
@ -261,6 +266,16 @@ static inline int audit_add_rule(struct audit_rule *rule,
} }
} }
for (i = 0; i < rule->field_count; i++) {
if (rule->fields[i] & AUDIT_UNUSED_BITS)
return -EINVAL;
if ( rule->fields[i] & AUDIT_NEGATE )
rule->fields[i] |= AUDIT_NOT_EQUAL;
else if ( (rule->fields[i] & AUDIT_OPERATORS) == 0 )
rule->fields[i] |= AUDIT_EQUAL;
rule->fields[i] &= (~AUDIT_NEGATE);
}
if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
return -ENOMEM; return -ENOMEM;
if (audit_copy_rule(&entry->rule, rule)) { if (audit_copy_rule(&entry->rule, rule)) {
@ -394,6 +409,26 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
return err; return err;
} }
static int audit_comparator(const u32 left, const u32 op, const u32 right)
{
switch (op) {
case AUDIT_EQUAL:
return (left == right);
case AUDIT_NOT_EQUAL:
return (left != right);
case AUDIT_LESS_THAN:
return (left < right);
case AUDIT_LESS_THAN_OR_EQUAL:
return (left <= right);
case AUDIT_GREATER_THAN:
return (left > right);
case AUDIT_GREATER_THAN_OR_EQUAL:
return (left >= right);
default:
return -EINVAL;
}
}
/* Compare a task_struct with an audit_rule. Return 1 on match, 0 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
* otherwise. */ * otherwise. */
static int audit_filter_rules(struct task_struct *tsk, static int audit_filter_rules(struct task_struct *tsk,
@ -404,62 +439,63 @@ static int audit_filter_rules(struct task_struct *tsk,
int i, j; int i, j;
for (i = 0; i < rule->field_count; i++) { for (i = 0; i < rule->field_count; i++) {
u32 field = rule->fields[i] & ~AUDIT_NEGATE; u32 field = rule->fields[i] & ~AUDIT_OPERATORS;
u32 op = rule->fields[i] & AUDIT_OPERATORS;
u32 value = rule->values[i]; u32 value = rule->values[i];
int result = 0; int result = 0;
switch (field) { switch (field) {
case AUDIT_PID: case AUDIT_PID:
result = (tsk->pid == value); result = audit_comparator(tsk->pid, op, value);
break; break;
case AUDIT_UID: case AUDIT_UID:
result = (tsk->uid == value); result = audit_comparator(tsk->uid, op, value);
break; break;
case AUDIT_EUID: case AUDIT_EUID:
result = (tsk->euid == value); result = audit_comparator(tsk->euid, op, value);
break; break;
case AUDIT_SUID: case AUDIT_SUID:
result = (tsk->suid == value); result = audit_comparator(tsk->suid, op, value);
break; break;
case AUDIT_FSUID: case AUDIT_FSUID:
result = (tsk->fsuid == value); result = audit_comparator(tsk->fsuid, op, value);
break; break;
case AUDIT_GID: case AUDIT_GID:
result = (tsk->gid == value); result = audit_comparator(tsk->gid, op, value);
break; break;
case AUDIT_EGID: case AUDIT_EGID:
result = (tsk->egid == value); result = audit_comparator(tsk->egid, op, value);
break; break;
case AUDIT_SGID: case AUDIT_SGID:
result = (tsk->sgid == value); result = audit_comparator(tsk->sgid, op, value);
break; break;
case AUDIT_FSGID: case AUDIT_FSGID:
result = (tsk->fsgid == value); result = audit_comparator(tsk->fsgid, op, value);
break; break;
case AUDIT_PERS: case AUDIT_PERS:
result = (tsk->personality == value); result = audit_comparator(tsk->personality, op, value);
break; break;
case AUDIT_ARCH: case AUDIT_ARCH:
if (ctx) if (ctx)
result = (ctx->arch == value); result = audit_comparator(ctx->arch, op, value);
break; break;
case AUDIT_EXIT: case AUDIT_EXIT:
if (ctx && ctx->return_valid) if (ctx && ctx->return_valid)
result = (ctx->return_code == value); result = audit_comparator(ctx->return_code, op, value);
break; break;
case AUDIT_SUCCESS: case AUDIT_SUCCESS:
if (ctx && ctx->return_valid) { if (ctx && ctx->return_valid) {
if (value) if (value)
result = (ctx->return_valid == AUDITSC_SUCCESS); result = audit_comparator(ctx->return_valid, op, AUDITSC_SUCCESS);
else else
result = (ctx->return_valid == AUDITSC_FAILURE); result = audit_comparator(ctx->return_valid, op, AUDITSC_FAILURE);
} }
break; break;
case AUDIT_DEVMAJOR: case AUDIT_DEVMAJOR:
if (ctx) { if (ctx) {
for (j = 0; j < ctx->name_count; j++) { for (j = 0; j < ctx->name_count; j++) {
if (MAJOR(ctx->names[j].dev)==value) { if (audit_comparator(MAJOR(ctx->names[j].dev), op, value)) {
++result; ++result;
break; break;
} }
@ -469,7 +505,7 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_DEVMINOR: case AUDIT_DEVMINOR:
if (ctx) { if (ctx) {
for (j = 0; j < ctx->name_count; j++) { for (j = 0; j < ctx->name_count; j++) {
if (MINOR(ctx->names[j].dev)==value) { if (audit_comparator(MINOR(ctx->names[j].dev), op, value)) {
++result; ++result;
break; break;
} }
@ -479,7 +515,7 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_INODE: case AUDIT_INODE:
if (ctx) { if (ctx) {
for (j = 0; j < ctx->name_count; j++) { for (j = 0; j < ctx->name_count; j++) {
if (ctx->names[j].ino == value) { if (audit_comparator(ctx->names[j].ino, op, value)) {
++result; ++result;
break; break;
} }
@ -489,19 +525,17 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_LOGINUID: case AUDIT_LOGINUID:
result = 0; result = 0;
if (ctx) if (ctx)
result = (ctx->loginuid == value); result = audit_comparator(ctx->loginuid, op, value);
break; break;
case AUDIT_ARG0: case AUDIT_ARG0:
case AUDIT_ARG1: case AUDIT_ARG1:
case AUDIT_ARG2: case AUDIT_ARG2:
case AUDIT_ARG3: case AUDIT_ARG3:
if (ctx) if (ctx)
result = (ctx->argv[field-AUDIT_ARG0]==value); result = audit_comparator(ctx->argv[field-AUDIT_ARG0], op, value);
break; break;
} }
if (rule->fields[i] & AUDIT_NEGATE)
result = !result;
if (!result) if (!result)
return 0; return 0;
} }
@ -550,49 +584,48 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
rcu_read_lock(); rcu_read_lock();
if (!list_empty(list)) { if (!list_empty(list)) {
int word = AUDIT_WORD(ctx->major); int word = AUDIT_WORD(ctx->major);
int bit = AUDIT_BIT(ctx->major); int bit = AUDIT_BIT(ctx->major);
list_for_each_entry_rcu(e, list, list) { list_for_each_entry_rcu(e, list, list) {
if ((e->rule.mask[word] & bit) == bit if ((e->rule.mask[word] & bit) == bit
&& audit_filter_rules(tsk, &e->rule, ctx, &state)) { && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
rcu_read_unlock(); rcu_read_unlock();
return state; return state;
} }
} }
} }
rcu_read_unlock(); rcu_read_unlock();
return AUDIT_BUILD_CONTEXT; return AUDIT_BUILD_CONTEXT;
} }
static int audit_filter_user_rules(struct netlink_skb_parms *cb, static int audit_filter_user_rules(struct netlink_skb_parms *cb,
struct audit_rule *rule, struct audit_rule *rule,
enum audit_state *state) enum audit_state *state)
{ {
int i; int i;
for (i = 0; i < rule->field_count; i++) { for (i = 0; i < rule->field_count; i++) {
u32 field = rule->fields[i] & ~AUDIT_NEGATE; u32 field = rule->fields[i] & ~AUDIT_OPERATORS;
u32 op = rule->fields[i] & AUDIT_OPERATORS;
u32 value = rule->values[i]; u32 value = rule->values[i];
int result = 0; int result = 0;
switch (field) { switch (field) {
case AUDIT_PID: case AUDIT_PID:
result = (cb->creds.pid == value); result = audit_comparator(cb->creds.pid, op, value);
break; break;
case AUDIT_UID: case AUDIT_UID:
result = (cb->creds.uid == value); result = audit_comparator(cb->creds.uid, op, value);
break; break;
case AUDIT_GID: case AUDIT_GID:
result = (cb->creds.gid == value); result = audit_comparator(cb->creds.gid, op, value);
break; break;
case AUDIT_LOGINUID: case AUDIT_LOGINUID:
result = (cb->loginuid == value); result = audit_comparator(cb->loginuid, op, value);
break; break;
} }
if (rule->fields[i] & AUDIT_NEGATE)
result = !result;
if (!result) if (!result)
return 0; return 0;
} }