audit: allow interfield comparison in audit rules

We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com>
author: Eric Paris <eparis@redhat.com> 2012-01-03 14:23:08 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:17:01 -0500
commit: 02d86a568c6d2d335256864451ac8ce781bc5652 (patch)
tree: 3ef085bd96cc79733cff28993379dbbd4b855813 /kernel/auditfilter.c
parent: 29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f10605c787e6..a6c3f1abd206 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 				goto exit_free;
 			break;
 		case AUDIT_FILTERKEY:
-			err = -EINVAL;
 			if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
 				goto exit_free;
 			str = audit_unpack_string(&bufp, &remain, f->val);
@@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			if (f->val & ~S_IFMT)
 				goto exit_free;
 			break;
+		case AUDIT_FIELD_COMPARE:
+			if (f->val > AUDIT_MAX_FIELD_COMPARE)
+				goto exit_free;
+			break;
 		default:
 			goto exit_free;
 		}
author	Eric Paris <eparis@redhat.com>	2012-01-03 14:23:08 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-01-17 16:17:01 -0500
commit	02d86a568c6d2d335256864451ac8ce781bc5652 (patch)
tree	3ef085bd96cc79733cff28993379dbbd4b855813 /kernel/auditfilter.c
parent	29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (diff)